Trojaner-Board - Nach DETEKT-Check und 4 Staatstrojaner auf meinen Computer entdecken!

Code:

2014-11-24 16:25:18,648 - detector - INFO - Starting with process ID 6256

2014-11-24 16:25:18,651 - detector - ERROR - The user is not an Administrator, aborting

2014-11-24 16:26:01,507 - detector - INFO - Starting with process ID 6628

2014-11-24 16:26:01,533 - detector - INFO - Selected Profile Name: Win7SP1x64

2014-11-24 16:26:01,536 - detector - INFO - Selected Driver: C:\Users\superior\AppData\Local\Temp\_MEI62962\drivers\winpmem64.sys

2014-11-24 16:26:01,536 - detector.service - INFO - Launching service destroyer...

2014-11-24 16:26:01,542 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')

2014-11-24 16:26:01,542 - detector.service - INFO - Trying to stop the winpmem service...

2014-11-24 16:26:01,542 - detector.service - INFO - Trying to delete the winpmem service...

2014-11-24 16:26:01,542 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')

2014-11-24 16:26:02,048 - detector.service - INFO - Trying to start the winpmem service...

2014-11-24 16:26:02,096 - detector - INFO - Service started

2014-11-24 16:26:02,098 - detector - INFO - Selected Yara signature file at C:\Users\superior\AppData\Local\Temp\_MEI62962\rules\signatures.yar

2014-11-24 16:26:02,098 - detector - INFO - Obtaining address space and generating config for volatility

2014-11-24 16:26:05,229 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x08BAC9F0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x07F45B50>

2014-11-24 16:26:05,229 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x07F4D190>, DTB: 0x187000

2014-11-24 16:26:05,230 - detector - INFO - Starting yara scanner...

2014-11-24 19:19:35,884 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52921A3, Value:
 

46 72 6f 6d 42 61 73 65 36 34 53 74 72 69 6e 67 FromBase64String

00 46 72 65 65 48 53 74 72 69 6e 67 00 50 74 72 .FreeHString.Ptr

54 6f 53 74 72 69 6e 67 48 53 74 72 69 6e 67 00 ToStringHString.

53 74 72 69 6e 67 54 6f 48 53 74 72 69 6e 67 00 StringToHString.

67 65 74 5f 53 74 72 69 6e 67 00 73 65 74 5f 53 get_String.set_S

74 72 69 6e 67 00 47 65 74 52 61 77 43 65 72 74 tring.GetRawCert

44 61 74 61 53 74 72 69 6e 67 00 4d 75 69 52 65 DataString.MuiRe

73 6f 75 72 63 65 4d 61 70 5f 52 65 73 6f 75 72 sourceMap_Resour

63 65 54 79 70 65 49 64 53 74 72 69 6e 67 00 67 ceTypeIdString.g

65 74 5f 52 65 73 6f 75 72 63 65 54 79 70 65 49 et_ResourceTypeI

64 53 74 72 69 6e 67 00 52 65 61 64 53 74 72 69 dString.ReadStri

6e 67 00 41 64 64 53 74 72 69 6e 67 00 46 72 6f ng.AddString.Fro

6d 53 65 72 69 61 6c 69 7a 65 64 53 74 72 69 6e mSerializedStrin

67 00 54 6f 53 65 72 69 61 6c 69 7a 65 64 53 74 g.ToSerializedSt

72 69 6e 67 00 47 65 74 53 65 72 69 61 6c 69 7a ring.GetSerializ

65 64 53 74 72 69 6e 67 00 45 78 70 61 6e 64 53 edString.ExpandS
 

2014-11-24 19:19:35,887 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527F2A3, Value:
 

42 61 73 65 36 34 53 74 72 69 6e 67 00 47 65 74 Base64String.Get

43 6f 6d 49 55 6e 6b 6e 6f 77 6e 00 53 69 7a 65 ComIUnknown.Size

64 52 65 66 65 72 65 6e 63 65 00 45 76 69 64 65 dReference.Evide

6e 63 65 43 6f 6c 6c 65 63 74 69 6f 6e 00 50 72 nceCollection.Pr

6f 76 69 64 65 64 53 65 63 75 72 69 74 79 49 6e ovidedSecurityIn

66 6f 00 43 72 65 61 74 6f 72 73 53 65 63 75 72 fo.CreatorsSecur

69 74 79 49 6e 66 6f 00 4f 6e 53 65 72 69 61 6c ityInfo.OnSerial

69 7a 69 6e 67 41 74 74 72 69 62 75 74 65 00 73 izingAttribute.s

65 63 75 72 69 74 79 45 76 69 64 65 6e 63 65 00 ecurityEvidence.

53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e System.Security.

50 6f 6c 69 63 79 00 6d 5f 65 76 69 64 65 6e 63 Policy.m_evidenc

65 00 6d 5f 64 65 73 65 72 69 61 6c 69 7a 65 64 e.m_deserialized

54 61 72 67 65 74 45 76 69 64 65 6e 63 65 00 6d TargetEvidence.m

5f 68 6f 73 74 4c 69 73 74 00 6d 5f 61 73 73 65 _hostList.m_asse

6d 62 6c 79 4c 69 73 74 00 6d 5f 6c 6f 63 6b 65 mblyList.m_locke

64 00 47 65 74 45 76 69 64 65 6e 63 65 54 79 70 d.GetEvidenceTyp
 

2014-11-24 19:19:35,892 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52921A7, Value:
 

42 61 73 65 36 34 53 74 72 69 6e 67 00 46 72 65 Base64String.Fre

65 48 53 74 72 69 6e 67 00 50 74 72 54 6f 53 74 eHString.PtrToSt

72 69 6e 67 48 53 74 72 69 6e 67 00 53 74 72 69 ringHString.Stri

6e 67 54 6f 48 53 74 72 69 6e 67 00 67 65 74 5f ngToHString.get_

53 74 72 69 6e 67 00 73 65 74 5f 53 74 72 69 6e String.set_Strin

67 00 47 65 74 52 61 77 43 65 72 74 44 61 74 61 g.GetRawCertData

53 74 72 69 6e 67 00 4d 75 69 52 65 73 6f 75 72 String.MuiResour

63 65 4d 61 70 5f 52 65 73 6f 75 72 63 65 54 79 ceMap_ResourceTy

70 65 49 64 53 74 72 69 6e 67 00 67 65 74 5f 52 peIdString.get_R

65 73 6f 75 72 63 65 54 79 70 65 49 64 53 74 72 esourceTypeIdStr

69 6e 67 00 52 65 61 64 53 74 72 69 6e 67 00 41 ing.ReadString.A

64 64 53 74 72 69 6e 67 00 46 72 6f 6d 53 65 72 ddString.FromSer

69 61 6c 69 7a 65 64 53 74 72 69 6e 67 00 54 6f ializedString.To

53 65 72 69 61 6c 69 7a 65 64 53 74 72 69 6e 67 SerializedString

00 47 65 74 53 65 72 69 61 6c 69 7a 65 64 53 74 .GetSerializedSt

72 69 6e 67 00 45 78 70 61 6e 64 53 74 72 69 6e ring.ExpandStrin
 

2014-11-24 19:19:35,898 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52B832B, Value:
 

43 6f 6e 6e 65 63 74 65 64 00 53 65 74 46 75 6c Connected.SetFul

6c 79 43 6f 6e 6e 65 63 74 65 64 00 49 73 52 65 lyConnected.IsRe

6d 6f 74 65 44 69 73 63 6f 6e 6e 65 63 74 65 64 moteDisconnected

00 49 73 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 .IsDisconnected.

49 73 46 75 6c 6c 79 44 69 73 63 6f 6e 6e 65 63 IsFullyDisconnec

74 65 64 00 49 73 48 61 6e 64 6c 65 52 65 64 69 ted.IsHandleRedi

72 65 63 74 65 64 00 5f 69 73 53 74 64 49 6e 52 rected._isStdInR

65 64 69 72 65 63 74 65 64 00 5f 69 73 45 72 72 edirected._isErr

6f 72 54 65 78 74 57 72 69 74 65 72 52 65 64 69 orTextWriterRedi

72 65 63 74 65 64 00 5f 69 73 4f 75 74 54 65 78 rected._isOutTex

74 57 72 69 74 65 72 52 65 64 69 72 65 63 74 65 tWriterRedirecte

64 00 5f 69 73 53 74 64 45 72 72 52 65 64 69 72 d._isStdErrRedir

65 63 74 65 64 00 5f 69 73 53 74 64 4f 75 74 52 ected._isStdOutR

65 64 69 72 65 63 74 65 64 00 62 4f 6c 64 46 6f edirected.bOldFo

72 6d 61 74 44 65 74 65 63 74 65 64 00 6d 5f 70 rmatDetected.m_p

72 6f 74 65 63 74 65 64 00 73 5f 50 65 72 6d 55 rotected.s_PermU
 

2014-11-24 19:19:35,903 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52B833D, Value:
 

43 6f 6e 6e 65 63 74 65 64 00 49 73 52 65 6d 6f Connected.IsRemo

74 65 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 49 teDisconnected.I

73 44 69 73 63 6f 6e 6e 65 63 74 65 64 00 49 73 sDisconnected.Is

46 75 6c 6c 79 44 69 73 63 6f 6e 6e 65 63 74 65 FullyDisconnecte

64 00 49 73 48 61 6e 64 6c 65 52 65 64 69 72 65 d.IsHandleRedire

63 74 65 64 00 5f 69 73 53 74 64 49 6e 52 65 64 cted._isStdInRed

69 72 65 63 74 65 64 00 5f 69 73 45 72 72 6f 72 irected._isError

54 65 78 74 57 72 69 74 65 72 52 65 64 69 72 65 TextWriterRedire

63 74 65 64 00 5f 69 73 4f 75 74 54 65 78 74 57 cted._isOutTextW

72 69 74 65 72 52 65 64 69 72 65 63 74 65 64 00 riterRedirected.

5f 69 73 53 74 64 45 72 72 52 65 64 69 72 65 63 _isStdErrRedirec

74 65 64 00 5f 69 73 53 74 64 4f 75 74 52 65 64 ted._isStdOutRed

69 72 65 63 74 65 64 00 62 4f 6c 64 46 6f 72 6d irected.bOldForm

61 74 44 65 74 65 63 74 65 64 00 6d 5f 70 72 6f atDetected.m_pro

74 65 63 74 65 64 00 73 5f 50 65 72 6d 55 6e 72 tected.s_PermUnr

65 73 74 72 69 63 74 65 64 00 47 65 74 55 6e 72 estricted.GetUnr
 

2014-11-24 19:19:35,904 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52798C1, Value:
 

52 65 63 65 69 76 65 72 00 44 61 74 65 54 69 6d Receiver.DateTim

65 50 61 72 73 65 00 46 75 73 69 6f 6e 00 54 69 eParse.Fusion.Ti

6d 65 53 70 61 6e 54 68 72 6f 77 53 74 79 6c 65 meSpanThrowStyle

00 53 79 6e 63 48 61 73 68 74 61 62 6c 65 00 52 .SyncHashtable.R

53 41 50 4b 43 53 31 53 48 41 31 53 69 67 6e 61 SAPKCS1SHA1Signa

74 75 72 65 44 65 73 63 72 69 70 74 69 6f 6e 00 tureDescription.

5f 53 74 72 6f 6e 67 4e 61 6d 65 4b 65 79 50 61 _StrongNameKeyPa

69 72 00 50 61 64 64 69 6e 67 4d 6f 64 65 00 4d ir.PaddingMode.M

65 74 68 6f 64 49 6d 70 6c 4f 70 74 69 6f 6e 73 ethodImplOptions

00 63 5f 74 69 63 6b 73 50 65 72 44 61 79 52 61 .c_ticksPerDayRa

6e 67 65 00 44 6f 6d 61 69 6e 53 70 65 63 69 66 nge.DomainSpecif

69 63 52 65 6d 6f 74 69 6e 67 44 61 74 61 00 41 icRemotingData.A

72 67 75 6d 65 6e 74 5f 49 6e 76 61 6c 69 64 52 rgument_InvalidR

65 67 69 73 74 72 79 4b 65 79 50 65 72 6d 69 73 egistryKeyPermis

73 69 6f 6e 43 68 65 63 6b 00 53 74 6f 72 65 54 sionCheck.StoreT

72 61 6e 73 61 63 74 69 6f 6e 00 3c 52 65 61 64 ransaction.<Read
 

2014-11-24 19:19:35,917 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527BEE9, Value:
 

52 65 63 65 69 76 65 72 48 6f 6f 6b 00 49 73 6f ReceiverHook.Iso

6c 61 74 65 64 53 74 6f 72 61 67 65 46 69 6c 65 latedStorageFile

00 74 79 70 65 6f 66 53 6f 61 70 49 64 72 65 66 .typeofSoapIdref

73 00 52 65 67 69 73 74 65 72 65 64 43 68 61 6e s.RegisteredChan

6e 65 6c 00 61 73 73 65 6d 62 6c 79 52 65 73 6f nel.assemblyReso

6c 76 65 72 00 4f 62 6a 65 63 74 49 44 47 65 6e lver.ObjectIDGen

65 72 61 74 6f 72 00 44 69 63 74 69 6f 6e 61 72 erator.Dictionar

79 45 6e 75 6d 65 72 61 74 6f 72 42 79 4b 65 79 yEnumeratorByKey

73 00 42 69 74 43 6f 6e 76 65 72 74 65 72 00 45 s.BitConverter.E

76 65 6e 74 4c 69 73 74 65 6e 65 72 00 47 65 74 ventListener.Get

4d 6f 64 75 6c 65 48 61 6e 64 6c 65 00 53 74 64 ModuleHandle.Std

43 6f 6e 55 6e 69 63 6f 64 65 45 6e 63 6f 64 69 ConUnicodeEncodi

6e 67 00 49 6e 74 65 72 6e 61 6c 47 65 74 53 6f ng.InternalGetSo

72 74 56 65 72 73 69 6f 6e 00 52 53 41 4f 41 45 rtVersion.RSAOAE

50 4b 65 79 45 78 63 68 61 6e 67 65 46 6f 72 6d PKeyExchangeForm

61 74 74 65 72 00 54 79 70 65 4c 69 62 56 61 72 atter.TypeLibVar
 

2014-11-24 19:19:35,920 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5291242, Value:
 

52 65 63 65 69 76 65 00 41 72 63 68 69 76 65 00 Receive.Archive.

67 65 74 5f 4b 65 65 70 41 6c 69 76 65 00 3c 3e get_KeepAlive.<>

33 5f 5f 66 72 6f 6d 49 6e 63 6c 75 73 69 76 65 3__fromInclusive

00 67 65 74 5f 53 63 68 65 64 75 6c 65 64 45 78 .get_ScheduledEx

63 6c 75 73 69 76 65 00 3c 3e 33 5f 5f 74 6f 45 clusive.<>3__toE

78 63 6c 75 73 69 76 65 00 4d 61 72 73 68 61 6c xclusive.Marshal

4d 61 6e 61 67 65 64 54 6f 4e 61 74 69 76 65 00 ManagedToNative.

50 61 63 6b 46 6f 72 4e 61 74 69 76 65 00 53 65 PackForNative.Se

74 50 72 69 6f 72 69 74 79 4e 61 74 69 76 65 00 tPriorityNative.

41 73 73 75 6d 65 4e 65 67 61 74 69 76 65 00 53 AssumeNegative.S

65 6c 66 52 65 6c 61 74 69 76 65 00 53 65 74 54 elfRelative.SetT

68 72 6f 77 4f 6e 52 65 6c 61 74 69 76 65 00 4e hrowOnRelative.N

61 74 69 76 65 52 65 67 69 73 74 65 72 52 65 6c ativeRegisterRel

61 74 69 76 65 00 49 73 43 75 72 72 65 6e 74 41 ative.IsCurrentA

63 74 69 76 69 74 79 41 63 74 69 76 65 00 67 65 ctivityActive.ge

74 5f 55 73 65 72 49 6e 74 65 72 61 63 74 69 76 t_UserInteractiv
 

2014-11-24 19:19:35,921 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52AEA28, Value:
 

52 65 63 65 69 76 65 72 43 6f 75 6e 74 00 6e 6f ReceiverCount.no

64 65 73 43 6f 75 6e 74 00 5f 6f 75 74 41 72 67 desCount._outArg

73 43 6f 75 6e 74 00 72 65 70 6c 61 63 65 6d 65 sCount.replaceme

6e 74 73 43 6f 75 6e 74 00 70 72 65 76 69 6f 75 ntsCount.previou

73 43 6f 75 6e 74 00 72 65 70 65 61 74 43 6f 75 sCount.repeatCou

6e 74 00 74 61 72 67 65 74 43 6f 75 6e 74 00 62 nt.targetCount.b

75 63 6b 65 74 43 6f 75 6e 74 00 72 69 67 68 74 ucketCount.right

42 69 74 53 68 69 66 74 43 6f 75 6e 74 00 65 6c BitShiftCount.el

65 6d 65 6e 74 43 6f 75 6e 74 00 67 65 74 5f 41 ementCount.get_A

72 67 75 6d 65 6e 74 43 6f 75 6e 74 00 44 65 66 rgumentCount.Def

61 75 6c 74 43 6f 6d 70 6f 6e 65 6e 74 43 6f 75 aultComponentCou

6e 74 00 5f 74 6f 6b 65 6e 4c 69 73 74 43 6f 75 nt._tokenListCou

6e 74 00 6d 65 74 68 6f 64 49 6e 73 74 43 6f 75 nt.methodInstCou

6e 74 00 74 79 70 65 49 6e 73 74 43 6f 75 6e 74 nt.typeInstCount

00 69 6e 70 75 74 43 6f 75 6e 74 00 6d 5f 6d 61 .inputCount.m_ma

78 43 6f 75 6e 74 00 6b 65 79 43 6f 75 6e 74 00 xCount.keyCount.
 

2014-11-24 19:19:35,924 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C73E8, Value:
 

52 65 63 65 69 76 65 72 00 47 65 74 52 65 73 6f Receiver.GetReso

6c 76 65 72 00 47 65 74 55 6e 77 72 61 70 70 65 lver.GetUnwrappe

64 53 65 72 76 65 72 00 44 65 74 61 63 68 53 65 dServer.DetachSe

72 76 65 72 00 41 74 74 61 63 68 53 65 72 76 65 rver.AttachServe

72 00 5f 73 65 72 76 65 72 00 53 65 74 45 72 72 r._server.SetErr

6f 72 4d 6f 64 65 5f 57 69 6e 37 41 6e 64 4e 65 orMode_Win7AndNe

77 65 72 00 4d 61 6b 65 55 52 49 4b 65 79 4e 6f wer.MakeURIKeyNo

4c 6f 77 65 72 00 52 75 6e 49 6e 69 74 69 61 6c Lower.RunInitial

69 7a 65 72 00 4c 65 61 73 65 54 69 6d 65 41 6e izer.LeaseTimeAn

61 6c 79 7a 65 72 00 5f 6c 6f 63 61 6c 44 61 74 alyzer._localDat

61 53 74 6f 72 65 4d 67 72 00 6d 5f 49 73 43 6f aStoreMgr.m_IsCo

72 72 65 6c 61 74 69 6f 6e 4d 67 72 00 53 79 73 rrelationMgr.Sys

74 65 6d 52 65 73 4d 67 72 00 6d 5f 6d 67 72 00 temResMgr.m_mgr.

73 5f 61 70 70 44 61 74 61 44 69 72 00 6d 5f 53 s_appDataDir.m_S

75 62 44 69 72 00 6d 5f 6e 53 75 62 44 69 72 00 ubDir.m_nSubDir.

47 65 74 44 65 6d 61 6e 64 44 69 72 00 64 65 6d GetDemandDir.dem
 

2014-11-24 19:19:35,926 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5023007, Value:
 

53 65 6e 64 54 6f 00 53 74 61 72 74 4d 65 6e 75 SendTo.StartMenu

00 4d 79 4d 75 73 69 63 00 4d 79 56 69 64 65 6f .MyMusic.MyVideo

73 00 44 65 73 6b 74 6f 70 44 69 72 65 63 74 6f s.DesktopDirecto

72 79 00 4d 79 43 6f 6d 70 75 74 65 72 00 4e 65 ry.MyComputer.Ne

74 77 6f 72 6b 53 68 6f 72 74 63 75 74 73 00 46 tworkShortcuts.F

6f 6e 74 73 00 54 65 6d 70 6c 61 74 65 73 00 43 onts.Templates.C

6f 6d 6d 6f 6e 53 74 61 72 74 4d 65 6e 75 00 43 ommonStartMenu.C

6f 6d 6d 6f 6e 50 72 6f 67 72 61 6d 73 00 43 6f ommonPrograms.Co

6d 6d 6f 6e 53 74 61 72 74 75 70 00 43 6f 6d 6d mmonStartup.Comm

6f 6e 44 65 73 6b 74 6f 70 44 69 72 65 63 74 6f onDesktopDirecto

72 79 00 41 70 70 6c 69 63 61 74 69 6f 6e 44 61 ry.ApplicationDa

74 61 00 50 72 69 6e 74 65 72 53 68 6f 72 74 63 ta.PrinterShortc

75 74 73 00 4c 6f 63 61 6c 41 70 70 6c 69 63 61 uts.LocalApplica

74 69 6f 6e 44 61 74 61 00 49 6e 74 65 72 6e 65 tionData.Interne

74 43 61 63 68 65 00 43 6f 6f 6b 69 65 73 00 48 tCache.Cookies.H

69 73 74 6f 72 79 00 43 6f 6d 6d 6f 6e 41 70 70 istory.CommonApp
 

2014-11-24 19:19:35,930 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5263340, Value:
 

53 00 65 00 6e 00 64 00 00 17 77 00 69 00 6e 00 S.e.n.d...w.i.n.

3a 00 52 00 65 00 63 00 65 00 69 00 76 00 65 00 :.R.e.c.e.i.v.e.

00 11 20 00 3c 00 74 00 61 00 73 00 6b 00 73 00 ....<.t.a.s.k.s.

3e 00 00 1d 20 00 20 00 3c 00 74 00 61 00 73 00 >.......<.t.a.s.

6b 00 20 00 6e 00 61 00 6d 00 65 00 3d 00 22 00 k...n.a.m.e.=.".

00 13 22 00 20 00 76 00 61 00 6c 00 75 00 65 00 .."...v.a.l.u.e.

3d 00 22 00 00 07 22 00 2f 00 3e 00 00 13 20 00 =."..."./.>.....

3c 00 2f 00 74 00 61 00 73 00 6b 00 73 00 3e 00 <./.t.a.s.k.s.>.

00 0f 20 00 3c 00 6d 00 61 00 70 00 73 00 3e 00 ....<.m.a.p.s.>.

00 11 76 00 61 00 6c 00 75 00 65 00 4d 00 61 00 ..v.a.l.u.e.M.a.

70 00 00 0d 62 00 69 00 74 00 4d 00 61 00 70 00 p...b.i.t.M.a.p.

00 07 20 00 20 00 3c 00 00 0f 20 00 6e 00 61 00 ......<.....n.a.

6d 00 65 00 3d 00 22 00 00 03 78 00 00 23 20 00 m.e.=."...x..#..

20 00 20 00 3c 00 6d 00 61 00 70 00 20 00 76 00 ....<.m.a.p...v.

61 00 6c 00 75 00 65 00 3d 00 22 00 30 00 78 00 a.l.u.e.=.".0.x.

00 07 6d 00 61 00 70 00 00 09 20 00 20 00 3c 00 ..m.a.p.......<.
 

2014-11-24 19:19:35,931 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5274F93, Value:
 

53 65 6e 64 65 72 00 50 72 6f 63 65 73 73 53 69 Sender.ProcessSi

6e 6b 50 72 6f 76 69 64 65 72 44 61 74 61 00 41 nkProviderData.A

70 70 6c 69 63 61 74 69 6f 6e 54 72 75 73 74 45 pplicationTrustE

6e 75 6d 65 72 61 74 6f 72 00 53 61 66 65 56 69 numerator.SafeVi

65 77 4f 66 46 69 6c 65 48 61 6e 64 6c 65 00 42 ewOfFileHandle.B

69 6e 61 72 79 4f 62 6a 65 63 74 57 69 74 68 4d inaryObjectWithM

61 70 54 79 70 65 64 00 73 65 74 5f 44 61 74 65 apTyped.set_Date

54 69 6d 65 46 6f 72 6d 61 74 00 49 64 6e 4d 61 TimeFormat.IdnMa

70 70 69 6e 67 00 43 6f 6d 45 76 65 6e 74 49 6e pping.ComEventIn

74 65 72 66 61 63 65 41 74 74 72 69 62 75 74 65 terfaceAttribute

00 53 74 6f 72 65 54 72 61 6e 73 61 63 74 69 6f .StoreTransactio

6e 4f 70 65 72 61 74 69 6f 6e 00 4d 61 6e 69 66 nOperation.Manif

65 73 74 45 6e 76 65 6c 6f 70 65 00 3c 57 72 69 estEnvelope.<Wri

74 65 41 73 79 6e 63 49 6e 74 65 72 6e 61 6c 3e teAsyncInternal>

64 5f 5f 65 00 49 6e 74 65 72 6e 61 6c 45 6e 63 d__e.InternalEnc

6f 64 69 6e 67 44 61 74 61 49 74 65 6d 00 54 68 odingDataItem.Th
 

2014-11-24 19:19:35,934 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527C538, Value:
 

53 65 6e 64 4f 72 50 6f 73 74 43 61 6c 6c 62 61 SendOrPostCallba

63 6b 00 41 73 73 65 6d 62 6c 79 41 74 74 72 69 ck.AssemblyAttri

62 75 74 65 73 47 6f 48 65 72 65 00 49 45 6e 75 butesGoHere.IEnu

6d 44 65 66 69 6e 69 74 69 6f 6e 49 64 65 6e 74 mDefinitionIdent

69 74 79 00 53 79 73 74 65 6d 5f 4c 61 7a 79 44 ity.System_LazyD

65 62 75 67 56 69 65 77 60 31 00 73 5f 63 72 65 ebugView`1.s_cre

61 74 65 43 6f 6e 74 69 6e 67 65 6e 74 50 72 6f ateContingentPro

70 65 72 74 69 65 73 00 49 53 74 72 75 63 74 75 perties.IStructu

72 61 6c 43 6f 6d 70 61 72 61 62 6c 65 00 6d 5f ralComparable.m_

6e 65 77 4d 75 74 65 78 00 73 65 74 5f 44 65 63 newMutex.set_Dec

6f 64 65 72 46 61 6c 6c 62 61 63 6b 00 52 65 6d oderFallback.Rem

6f 74 69 6e 67 54 79 70 65 43 61 63 68 65 64 44 otingTypeCachedD

61 74 61 00 4d 75 69 52 65 73 6f 75 72 63 65 4d ata.MuiResourceM

61 70 45 6e 74 72 79 46 69 65 6c 64 49 64 00 44 apEntryFieldId.D

65 73 63 72 69 70 74 69 6f 6e 4d 65 74 61 64 61 escriptionMetada

74 61 45 6e 74 72 79 46 69 65 6c 64 49 64 00 44 taEntryFieldId.D
 

2014-11-24 19:19:35,936 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527FB8A, Value:
 

53 65 6e 64 4d 61 6e 69 66 65 73 74 00 45 6e 73 SendManifest.Ens

75 72 65 49 6e 69 74 69 61 6c 69 7a 65 64 00 41 ureInitialized.A

6e 79 45 76 65 6e 74 45 6e 61 62 6c 65 64 00 56 nyEventEnabled.V

61 6c 69 64 61 74 65 45 76 65 6e 74 4f 70 63 6f alidateEventOpco

64 65 46 6f 72 54 72 61 6e 73 66 65 72 00 49 73 deForTransfer.Is

45 6e 61 62 6c 65 64 42 79 44 65 66 61 75 6c 74 EnabledByDefault

00 57 72 69 74 65 53 74 72 69 6e 67 54 6f 41 6c .WriteStringToAl

6c 4c 69 73 74 65 6e 65 72 73 00 57 72 69 74 65 lListeners.Write

45 76 65 6e 74 53 74 72 69 6e 67 00 57 72 69 74 EventString.Writ

65 54 6f 41 6c 6c 4c 69 73 74 65 6e 65 72 73 00 eToAllListeners.

57 72 69 74 65 45 76 65 6e 74 56 61 72 61 72 67 WriteEventVararg

73 00 47 65 74 44 69 73 70 61 74 63 68 65 72 00 s.GetDispatcher.

44 65 63 6f 64 65 4f 62 6a 65 63 74 00 47 65 6e DecodeObject.Gen

65 72 61 74 65 47 75 69 64 46 72 6f 6d 4e 61 6d erateGuidFromNam

65 00 52 65 70 6f 72 74 4f 75 74 4f 66 42 61 6e e.ReportOutOfBan

64 4d 65 73 73 61 67 65 00 4f 75 74 70 75 74 44 dMessage.OutputD
 

2014-11-24 19:19:35,940 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527FD07, Value:
 

53 65 6e 64 43 6f 6d 6d 61 6e 64 00 57 72 69 74 SendCommand.Writ

65 45 76 65 6e 74 57 69 74 68 52 65 6c 61 74 65 eEventWithRelate

64 41 63 74 69 76 69 74 79 49 64 00 57 72 69 74 dActivityId.Writ

65 45 76 65 6e 74 00 57 72 69 74 65 45 76 65 6e eEvent.WriteEven

74 57 69 74 68 52 65 6c 61 74 65 64 41 63 74 69 tWithRelatedActi

76 69 74 79 49 64 43 6f 72 65 00 57 72 69 74 65 vityIdCore.Write

45 76 65 6e 74 43 6f 72 65 00 57 72 69 74 65 53 EventCore.WriteS

74 72 69 6e 67 54 6f 4c 69 73 74 65 6e 65 72 00 tringToListener.

45 76 65 6e 74 57 72 69 74 65 53 74 72 69 6e 67 EventWriteString

00 67 65 74 5f 43 6f 6e 73 74 72 75 63 74 69 6f .get_Constructio

6e 45 78 63 65 70 74 69 6f 6e 00 67 65 74 5f 46 nException.get_F

61 6c 6c 62 61 63 6b 41 63 74 69 76 69 74 79 49 allbackActivityI

64 00 67 65 74 5f 49 6e 74 65 72 6e 61 6c 43 75 d.get_InternalCu

72 72 65 6e 74 54 68 72 65 61 64 41 63 74 69 76 rrentThreadActiv

69 74 79 49 64 00 67 65 74 5f 43 75 72 72 65 6e ityId.get_Curren

74 54 68 72 65 61 64 41 63 74 69 76 69 74 79 49 tThreadActivityI
 

2014-11-24 19:19:35,941 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528C9BD, Value:
 

53 65 6e 64 00 67 65 74 5f 41 70 70 65 6e 64 00 Send.get_Append.

73 65 74 5f 41 70 70 65 6e 64 00 53 75 73 70 65 set_Append.Suspe

6e 64 00 46 52 65 76 65 72 73 65 42 69 6e 64 00 nd.FReverseBind.

46 49 6d 6d 65 64 69 61 74 65 42 69 6e 64 00 46 FImmediateBind.F

44 65 66 61 75 6c 74 42 69 6e 64 00 46 44 69 73 DefaultBind.FDis

70 6c 61 79 42 69 6e 64 00 47 65 74 50 45 4b 69 playBind.GetPEKi

6e 64 00 67 65 74 5f 4b 69 6e 64 00 41 72 67 5f nd.get_Kind.Arg_

52 65 67 53 65 74 4d 69 73 6d 61 74 63 68 65 64 RegSetMismatched

4b 69 6e 64 00 67 65 74 5f 46 61 69 6c 75 72 65 Kind.get_Failure

4b 69 6e 64 00 47 65 74 56 61 6c 75 65 4b 69 6e Kind.GetValueKin

64 00 47 65 74 43 6f 72 72 65 73 70 6f 6e 64 69 d.GetCorrespondi

6e 67 4b 69 6e 64 00 52 6f 75 6e 64 74 72 69 70 ngKind.Roundtrip

4b 69 6e 64 00 67 65 74 5f 41 64 64 72 65 73 73 Kind.get_Address

4b 69 6e 64 00 53 70 65 63 69 66 79 4b 69 6e 64 Kind.SpecifyKind

00 66 75 6e 63 6b 69 6e 64 00 74 79 70 65 6b 69 .funckind.typeki

6e 64 00 76 61 72 6b 69 6e 64 00 73 79 73 6b 69 nd.varkind.syski
 

2014-11-24 19:19:35,944 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF5296AB1, Value:
 

53 65 6e 64 54 6f 00 4d 6f 76 65 54 6f 00 52 65 SendTo.MoveTo.Re

6c 61 74 69 76 65 50 61 74 68 54 6f 00 45 71 75 lativePathTo.Equ

61 6c 54 6f 00 67 65 74 5f 45 78 74 72 61 49 6e alTo.get_ExtraIn

66 6f 00 73 65 74 5f 45 78 74 72 61 49 6e 66 6f fo.set_ExtraInfo

00 46 6f 72 6d 61 74 53 74 75 62 49 6e 66 6f 00 .FormatStubInfo.

49 6e 74 65 72 6e 61 6c 47 65 74 43 6f 6d 53 6c InternalGetComSl

6f 74 46 6f 72 4d 65 74 68 6f 64 49 6e 66 6f 00 otForMethodInfo.

47 65 74 4d 65 74 68 6f 64 49 6e 66 6f 00 47 65 GetMethodInfo.Ge

74 44 65 73 65 72 69 61 6c 69 7a 65 64 54 69 6d tDeserializedTim

65 5a 6f 6e 65 49 6e 66 6f 00 67 65 74 5f 54 79 eZoneInfo.get_Ty

70 65 49 6e 66 6f 00 73 65 74 5f 54 79 70 65 49 peInfo.set_TypeI

6e 66 6f 00 43 72 65 61 74 65 54 79 70 65 49 6e nfo.CreateTypeIn

66 6f 00 47 65 74 52 65 66 54 79 70 65 49 6e 66 fo.GetRefTypeInf

6f 00 52 65 66 6c 65 63 74 69 6f 6e 54 79 70 65 o.ReflectionType

49 6e 66 6f 00 53 79 73 74 65 6d 2e 52 75 6e 74 Info.System.Runt

69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 ime.InteropServi
 

2014-11-24 19:19:35,946 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52AF093, Value:
 

53 65 6e 64 4d 65 73 73 61 67 65 54 69 6d 65 6f SendMessageTimeo

75 74 00 73 5f 69 73 53 70 6f 6e 73 6f 72 73 68 ut.s_isSponsorsh

69 70 54 69 6d 65 6f 75 74 00 5f 73 70 6f 6e 73 ipTimeout._spons

6f 72 73 68 69 70 54 69 6d 65 6f 75 74 00 6f 72 orshipTimeout.or

69 67 69 6e 61 6c 57 61 69 74 4d 69 6c 6c 69 73 iginalWaitMillis

65 63 6f 6e 64 73 54 69 6d 65 6f 75 74 00 74 69 econdsTimeout.ti

6d 65 6f 75 74 00 73 73 6f 75 74 00 53 65 74 43 meout.ssout.SetC

6c 61 73 73 4c 61 79 6f 75 74 00 56 61 6c 69 64 lassLayout.Valid

61 74 65 50 75 73 68 50 6f 70 52 61 6e 67 65 49 atePushPopRangeI

6e 70 75 74 00 52 65 61 64 43 6f 6e 73 6f 6c 65 nput.ReadConsole

49 6e 70 75 74 00 68 43 6f 6e 73 6f 6c 65 49 6e Input.hConsoleIn

70 75 74 00 50 65 65 6b 43 6f 6e 73 6f 6c 65 49 put.PeekConsoleI

6e 70 75 74 00 73 74 72 49 6e 70 75 74 00 64 77 nput.strInput.dw

49 6e 70 75 74 00 69 6e 70 75 74 00 52 65 61 64 Input.input.Read

43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 00 57 72 ConsoleOutput.Wr

69 74 65 43 6f 6e 73 6f 6c 65 4f 75 74 70 75 74 iteConsoleOutput
 

2014-11-24 19:19:35,947 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52BA3D4, Value:
 

53 65 6e 64 69 6e 67 4d 65 73 73 61 67 65 00 43 SendingMessage.C

4f 52 50 72 6f 66 69 6c 65 72 52 65 6d 6f 74 69 ORProfilerRemoti

6e 67 53 65 72 76 65 72 52 65 63 65 69 76 69 6e ngServerReceivin

67 4d 65 73 73 61 67 65 00 41 63 74 69 76 61 74 gMessage.Activat

65 57 69 74 68 4d 65 73 73 61 67 65 00 5f 6e 75 eWithMessage._nu

6c 6c 4d 65 73 73 61 67 65 00 53 65 74 43 61 6c llMessage.SetCal

6c 43 6f 6e 74 65 78 74 49 6e 4d 65 73 73 61 67 lContextInMessag

65 00 46 6f 72 6d 61 74 46 69 6c 65 4c 6f 61 64 e.FormatFileLoad

45 78 63 65 70 74 69 6f 6e 4d 65 73 73 61 67 65 ExceptionMessage

00 48 61 6e 64 6c 65 52 65 74 75 72 6e 4d 65 73 .HandleReturnMes

73 61 67 65 00 50 72 6f 70 61 67 61 74 65 43 61 sage.PropagateCa

6c 6c 43 6f 6e 74 65 78 74 46 72 6f 6d 54 68 72 llContextFromThr

65 61 64 54 6f 4d 65 73 73 61 67 65 00 50 72 6f eadToMessage.Pro

70 61 67 61 74 65 4f 75 74 67 6f 69 6e 67 48 65 pagateOutgoingHe

61 64 65 72 73 54 6f 4d 65 73 73 61 67 65 00 67 adersToMessage.g

65 74 5f 43 6f 6e 73 74 72 75 63 74 6f 72 4d 65 et_ConstructorMe
 

2014-11-24 19:19:35,950 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C3857, Value:
 

53 65 6e 64 43 72 6f 73 73 44 6f 6d 61 69 6e 00 SendCrossDomain.

6d 5f 69 73 53 61 66 65 43 72 6f 73 73 44 6f 6d m_isSafeCrossDom

61 69 6e 00 6d 5f 74 61 72 67 65 74 44 6f 6d 61 ain.m_targetDoma

69 6e 00 47 65 74 44 65 66 61 75 6c 74 44 6f 6d in.GetDefaultDom

61 69 6e 00 49 6e 64 69 63 42 65 67 69 6e 00 52 ain.IndicBegin.R

65 61 64 42 65 67 69 6e 00 57 72 69 74 65 42 65 eadBegin.WriteBe

67 69 6e 00 4d 75 6c 74 69 42 79 74 65 42 65 67 gin.MultiByteBeg

69 6e 00 41 70 70 65 6e 64 4f 72 69 67 69 6e 00 in.AppendOrigin.

45 6e 74 65 72 4d 79 4c 6f 63 6b 53 70 69 6e 00 EnterMyLockSpin.

73 5f 52 63 6f 6e 00 67 65 74 5f 52 65 67 69 6f s_Rcon.get_Regio

6e 00 47 65 74 43 75 6c 74 75 72 65 44 61 74 61 n.GetCultureData

46 6f 72 52 65 67 69 6f 6e 00 41 64 64 41 63 63 ForRegion.AddAcc

65 73 73 45 6e 74 72 79 41 6e 64 55 6e 69 6f 6e essEntryAndUnion

00 5f 74 79 70 65 55 6e 69 6f 6e 00 6d 5f 69 67 ._typeUnion.m_ig

6e 6f 72 65 50 65 72 73 69 73 74 65 64 44 65 63 norePersistedDec

69 73 69 6f 6e 00 55 49 6e 74 33 32 50 72 65 63 ision.UInt32Prec
 

2014-11-24 19:19:35,956 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C6472, Value:
 

53 65 6e 64 65 72 00 5f 74 79 70 65 4c 69 6d 69 Sender._typeLimi

74 69 6e 67 42 69 6e 64 65 72 00 73 5f 46 6f 72 tingBinder.s_For

77 61 72 64 43 61 6c 6c 42 69 6e 64 65 72 00 64 wardCallBinder.d

65 66 61 75 6c 74 42 69 6e 64 65 72 00 6d 5f 62 efaultBinder.m_b

69 6e 64 65 72 00 53 65 72 69 61 6c 69 7a 65 44 inder.SerializeD

65 63 6f 64 65 72 00 62 55 73 65 64 45 6e 63 6f ecoder.bUsedEnco

64 65 72 00 53 65 72 69 61 6c 69 7a 65 45 6e 63 der.SerializeEnc

6f 64 65 72 00 47 65 74 59 65 61 72 4d 6f 6e 74 oder.GetYearMont

68 4f 72 64 65 72 00 43 72 65 61 74 65 50 61 72 hOrder.CreatePar

61 6d 4f 72 64 65 72 00 47 65 74 59 65 61 72 4d amOrder.GetYearM

6f 6e 74 68 44 61 79 4f 72 64 65 72 00 41 72 67 onthDayOrder.Arg

5f 41 72 72 61 79 4c 65 6e 67 74 68 73 44 69 66 _ArrayLengthsDif

66 65 72 00 46 6c 75 73 68 4f 53 42 75 66 66 65 fer.FlushOSBuffe

72 00 6d 5f 64 65 70 61 64 42 75 66 66 65 72 00 r.m_depadBuffer.

41 6c 6c 6f 63 61 74 65 42 75 66 66 65 72 00 5f AllocateBuffer._

6c 61 72 67 65 42 79 74 65 42 75 66 66 65 72 00 largeByteBuffer.
 

2014-11-24 19:19:35,960 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52D00BF, Value:
 

53 65 6e 64 69 6e 67 52 65 70 6c 79 00 43 4f 52 SendingReply.COR

50 72 6f 66 69 6c 65 72 52 65 6d 6f 74 69 6e 67 ProfilerRemoting

43 6c 69 65 6e 74 52 65 63 65 69 76 69 6e 67 52 ClientReceivingR

65 70 6c 79 00 43 61 6e 53 6d 75 67 67 6c 65 4f eply.CanSmuggleO

62 6a 65 63 74 44 69 72 65 63 74 6c 79 00 49 73 bjectDirectly.Is

44 75 6d 6d 79 00 53 65 74 44 75 6d 6d 79 00 53 Dummy.SetDummy.S

65 74 44 65 6e 79 00 4d 65 6d 63 70 79 00 43 68 etDeny.Memcpy.Ch

65 63 6b 4d 75 6c 74 69 43 6f 6e 74 69 6e 75 61 eckMultiContinua

74 69 6f 6e 54 61 73 6b 73 41 6e 64 43 6f 70 79 tionTasksAndCopy

00 54 68 72 65 61 64 53 61 66 65 43 6f 70 79 00 .ThreadSafeCopy.

55 6e 73 61 66 65 43 6f 70 79 00 43 72 65 61 74 UnsafeCopy.Creat

65 53 6d 75 67 67 6c 65 61 62 6c 65 43 6f 70 79 eSmuggleableCopy

00 47 65 74 49 6e 64 65 78 50 61 72 61 6d 65 74 .GetIndexParamet

65 72 73 4e 6f 43 6f 70 79 00 47 65 74 50 65 72 ersNoCopy.GetPer

6d 69 73 73 69 6f 6e 53 65 74 4e 6f 43 6f 70 79 missionSetNoCopy

00 53 65 74 50 65 72 6d 69 73 73 69 6f 6e 53 65 .SetPermissionSe
 

2014-11-24 19:19:35,963 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528D9EC, Value:
 

44 65 6c 65 74 65 53 75 62 4b 65 79 54 72 65 65 DeleteSubKeyTree

00 67 65 74 5f 43 6f 6e 73 69 73 74 65 6e 63 79 .get_Consistency

47 75 61 72 61 6e 74 65 65 00 54 72 65 61 74 41 Guarantee.TreatA

73 53 61 66 65 00 53 79 73 74 65 6d 2e 54 68 72 sSafe.System.Thr

65 61 64 69 6e 67 2e 54 61 73 6b 73 2e 49 50 72 eading.Tasks.IPr

6f 64 75 63 65 72 43 6f 6e 73 75 6d 65 72 51 75 oducerConsumerQu

65 75 65 3c 54 3e 2e 47 65 74 43 6f 75 6e 74 53 eue<T>.GetCountS

61 66 65 00 44 65 70 6c 6f 79 6d 65 6e 74 4d 65 afe.DeploymentMe

74 61 64 61 74 61 5f 4d 61 78 69 6d 75 6d 41 67 tadata_MaximumAg

65 00 67 65 74 5f 4d 61 78 69 6d 75 6d 41 67 65 e.get_MaximumAge

00 42 67 65 00 67 65 74 5f 45 42 43 44 49 43 43 .Bge.get_EBCDICC

6f 64 65 50 61 67 65 00 67 65 74 5f 41 4e 53 49 odePage.get_ANSI

43 6f 64 65 50 61 67 65 00 67 65 74 5f 4f 45 4d CodePage.get_OEM

43 6f 64 65 50 61 67 65 00 67 65 74 5f 43 6f 64 CodePage.get_Cod

65 50 61 67 65 00 67 65 74 5f 4d 61 63 43 6f 64 ePage.get_MacCod

65 50 61 67 65 00 67 65 74 5f 57 69 6e 64 6f 77 ePage.get_Window
 

2014-11-24 19:19:35,964 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF529E130, Value:
 

44 65 6c 65 74 65 53 75 62 4b 65 79 00 49 6e 76 DeleteSubKey.Inv

61 6c 69 64 4f 70 65 72 61 74 69 6f 6e 5f 52 65 alidOperation_Re

67 52 65 6d 6f 76 65 53 75 62 4b 65 79 00 73 65 gRemoveSubKey.se

74 5f 50 75 62 6c 69 63 4b 65 79 00 53 74 72 6f t_PublicKey.Stro

6e 67 4e 61 6d 65 54 6f 6b 65 6e 46 72 6f 6d 50 ngNameTokenFromP

75 62 6c 69 63 4b 65 79 00 53 74 72 6f 6e 67 4e ublicKey.StrongN

61 6d 65 47 65 74 50 75 62 6c 69 63 4b 65 79 00 ameGetPublicKey.

53 65 74 50 75 62 6c 69 63 4b 65 79 00 52 65 61 SetPublicKey.Rea

64 4b 65 79 00 45 6e 68 61 6e 63 65 64 4b 65 79 dKey.EnhancedKey

00 55 73 65 55 73 65 72 50 72 6f 74 65 63 74 65 .UseUserProtecte

64 4b 65 79 00 47 65 6e 65 72 61 74 65 52 65 66 dKey.GenerateRef

65 72 65 6e 63 65 4b 65 79 00 55 73 65 4e 6f 6e erenceKey.UseNon

45 78 70 6f 72 74 61 62 6c 65 4b 65 79 00 55 73 ExportableKey.Us

65 41 72 63 68 69 76 61 62 6c 65 4b 65 79 00 4f eArchivableKey.O

70 65 6e 52 65 6d 6f 74 65 42 61 73 65 4b 65 79 penRemoteBaseKey

00 4f 70 65 6e 42 61 73 65 4b 65 79 00 5f 47 65 .OpenBaseKey._Ge
 

2014-11-24 19:19:35,967 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52C1E0C, Value:
 

44 65 6c 65 74 65 53 75 62 4b 65 79 54 72 65 65 DeleteSubKeyTree

49 6e 74 65 72 6e 61 6c 00 47 65 74 45 76 65 6e Internal.GetEven

74 52 65 67 69 73 74 72 61 74 69 6f 6e 54 6f 6b tRegistrationTok

65 6e 54 61 62 6c 65 49 6e 74 65 72 6e 61 6c 00 enTableInternal.

52 65 73 6f 6c 76 65 46 69 65 6c 64 48 61 6e 64 ResolveFieldHand

6c 65 49 6e 74 65 72 6e 61 6c 00 52 65 73 6f 6c leInternal.Resol

76 65 4d 65 74 68 6f 64 48 61 6e 64 6c 65 49 6e veMethodHandleIn

74 65 72 6e 61 6c 00 52 65 73 6f 6c 76 65 54 79 ternal.ResolveTy

70 65 48 61 6e 64 6c 65 49 6e 74 65 72 6e 61 6c peHandleInternal

00 44 65 66 69 6e 65 44 79 6e 61 6d 69 63 4d 6f .DefineDynamicMo

64 75 6c 65 49 6e 74 65 72 6e 61 6c 00 67 65 74 duleInternal.get

5f 4e 61 6d 65 49 6e 74 65 72 6e 61 6c 00 47 65 _NameInternal.Ge

74 54 79 70 65 4c 69 62 4e 61 6d 65 49 6e 74 65 tTypeLibNameInte

72 6e 61 6c 00 4c 6f 61 64 57 69 74 68 50 61 72 rnal.LoadWithPar

74 69 61 6c 4e 61 6d 65 49 6e 74 65 72 6e 61 6c tialNameInternal

00 47 65 74 4d 61 6e 61 67 65 64 54 79 70 65 49 .GetManagedTypeI
 

2014-11-24 19:19:35,969 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF528E950, Value:
 

67 65 74 5f 4d 61 63 68 69 6e 65 4e 61 6d 65 00 get_MachineName.

67 65 74 5f 53 63 6f 70 65 4e 61 6d 65 00 73 65 get_ScopeName.se

74 5f 54 79 70 65 4e 61 6d 65 00 67 65 74 5f 56 t_TypeName.get_V

69 73 75 61 6c 69 7a 65 72 4f 62 6a 65 63 74 53 isualizerObjectS

6f 75 72 63 65 54 79 70 65 4e 61 6d 65 00 67 65 ourceTypeName.ge

74 5f 46 75 6c 6c 54 79 70 65 4e 61 6d 65 00 73 t_FullTypeName.s

65 74 5f 46 75 6c 6c 54 79 70 65 4e 61 6d 65 00 et_FullTypeName.

67 65 74 5f 58 6d 6c 54 79 70 65 4e 61 6d 65 00 get_XmlTypeName.

73 65 74 5f 58 6d 6c 54 79 70 65 4e 61 6d 65 00 set_XmlTypeName.

43 61 6e 43 61 73 74 54 6f 58 6d 6c 54 79 70 65 CanCastToXmlType

4e 61 6d 65 00 67 65 74 5f 41 63 74 69 76 61 74 Name.get_Activat

69 6f 6e 54 79 70 65 4e 61 6d 65 00 46 69 6c 74 ionTypeName.Filt

65 72 54 79 70 65 4e 61 6d 65 00 67 65 74 5f 56 erTypeName.get_V

69 73 75 61 6c 69 7a 65 72 54 79 70 65 4e 61 6d isualizerTypeNam

65 00 67 65 74 5f 49 6e 76 61 6c 69 64 43 75 6c e.get_InvalidCul

74 75 72 65 4e 61 6d 65 00 6c 61 73 74 43 75 6c tureName.lastCul
 

2014-11-24 19:19:35,973 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52706CF, Value:
 

67 65 74 5f 55 73 65 72 4e 61 6d 65 00 41 64 64 get_UserName.Add

50 65 72 6d 69 73 73 69 6f 6e 00 49 73 53 75 62 Permission.IsSub

63 6c 61 73 73 4f 66 00 47 65 74 50 72 6f 70 65 classOf.GetPrope

72 74 79 49 6d 70 6c 00 47 65 74 49 6e 74 65 72 rtyImpl.GetInter

66 61 63 65 73 00 67 65 74 5f 54 61 72 67 65 74 faces.get_Target

00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e .System.Runtime.

49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e InteropServices.

5f 54 79 70 65 2e 47 65 74 54 79 70 65 49 6e 66 _Type.GetTypeInf

6f 43 6f 75 6e 74 00 49 73 49 6e 73 74 61 6e 63 oCount.IsInstanc

65 4f 66 54 79 70 65 00 73 65 74 5f 46 6f 72 65 eOfType.set_Fore

67 72 6f 75 6e 64 43 6f 6c 6f 72 00 73 65 74 5f groundColor.set_

42 61 63 6b 67 72 6f 75 6e 64 43 6f 6c 6f 72 00 BackgroundColor.

67 65 74 5f 45 72 72 6f 72 00 73 65 74 5f 4c 65 get_Error.set_Le

61 73 65 54 69 6d 65 00 73 65 74 5f 4c 65 61 73 aseTime.set_Leas

65 4d 61 6e 61 67 65 72 50 6f 6c 6c 54 69 6d 65 eManagerPollTime

00 47 65 74 43 61 6c 6c 69 6e 67 41 73 73 65 6d .GetCallingAssem
 

2014-11-24 19:19:35,974 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF527D84F, Value:
 

67 65 74 5f 4c 61 73 74 57 72 69 74 65 54 69 6d get_LastWriteTim

65 00 67 65 74 5f 54 69 6d 65 4f 66 44 61 79 00 e.get_TimeOfDay.

41 64 64 53 65 63 6f 6e 64 73 00 6d 5f 72 65 73 AddSeconds.m_res

6f 75 72 63 65 73 00 43 6f 70 79 45 6e 74 72 69 ources.CopyEntri

65 73 00 67 65 74 5f 49 74 65 6d 32 00 67 65 74 es.get_Item2.get

5f 49 74 65 6d 31 00 6d 5f 49 74 65 6d 32 00 6d _Item1.m_Item2.m

5f 49 74 65 6d 31 00 47 65 74 47 65 74 4d 65 74 _Item1.GetGetMet

68 6f 64 00 49 6e 74 65 72 6e 61 6c 47 65 74 53 hod.InternalGetS

79 73 74 65 6d 44 65 66 61 75 6c 74 55 49 4c 61 ystemDefaultUILa

6e 67 75 61 67 65 00 67 65 74 5f 55 73 65 72 44 nguage.get_UserD

65 66 61 75 6c 74 43 75 6c 74 75 72 65 00 67 65 efaultCulture.ge

74 5f 50 61 72 65 6e 74 00 49 6e 74 65 72 6e 61 t_Parent.Interna

6c 47 65 74 52 65 73 6f 75 72 63 65 53 65 74 00 lGetResourceSet.

53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f System.Collectio

6e 73 2e 49 53 74 72 75 63 74 75 72 61 6c 45 71 ns.IStructuralEq

75 61 74 61 62 6c 65 2e 45 71 75 61 6c 73 00 53 uatable.Equals.S
 

2014-11-24 19:19:35,976 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52813D2, Value:
 

67 65 74 5f 4c 61 73 74 57 72 69 74 65 54 69 6d get_LastWriteTim

65 55 74 63 00 67 65 74 5f 43 72 65 61 74 69 6f eUtc.get_Creatio

6e 54 69 6d 65 55 74 63 00 47 65 74 4f 6e 65 59 nTimeUtc.GetOneY

65 61 72 4c 6f 63 61 6c 46 72 6f 6d 55 74 63 00 earLocalFromUtc.

6d 5f 6f 6e 65 59 65 61 72 4c 6f 63 61 6c 46 72 m_oneYearLocalFr

6f 6d 55 74 63 00 47 65 74 49 73 44 61 79 6c 69 omUtc.GetIsDayli

67 68 74 53 61 76 69 6e 67 73 46 72 6f 6d 55 74 ghtSavingsFromUt

63 00 47 65 74 44 61 74 65 54 69 6d 65 4e 6f 77 c.GetDateTimeNow

55 74 63 4f 66 66 73 65 74 46 72 6f 6d 55 74 63 UtcOffsetFromUtc

00 43 6f 6e 76 65 72 74 54 69 6d 65 54 6f 55 74 .ConvertTimeToUt

63 00 67 65 74 5f 49 64 00 47 65 74 4c 6f 67 6f c.get_Id.GetLogo

6e 41 75 74 68 49 64 00 49 6e 74 65 72 6e 61 6c nAuthId.Internal

47 65 74 49 64 00 6d 5f 64 00 54 72 69 6d 48 65 GetId.m_d.TrimHe

61 64 00 49 6e 74 65 72 6e 61 6c 45 6d 75 6c 61 ad.InternalEmula

74 65 52 65 61 64 00 6d 5f 72 65 61 64 00 49 73 teRead.m_read.Is

46 69 6e 61 6c 69 7a 69 6e 67 46 6f 72 55 6e 6c FinalizingForUnl
 

2014-11-24 19:19:35,979 - detector - WARNING - Process BoxSync.exe (pid: 3632) matched: Njrat at address: 0x7FEF52A8776, Value:
 

47 65 74 56 6f 6c 75 6d 65 49 6e 66 6f 72 6d 61 GetVolumeInforma

74 69 6f 6e 00 6c 70 44 79 6e 61 6d 69 63 54 69 tion.lpDynamicTi

6d 65 5a 6f 6e 65 49 6e 66 6f 72 6d 61 74 69 6f meZoneInformatio

6e 00 6c 70 54 69 6d 65 5a 6f 6e 65 49 6e 66 6f n.lpTimeZoneInfo

72 6d 61 74 69 6f 6e 00 47 65 74 54 69 6d 65 5a rmation.GetTimeZ

6f 6e 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 64 oneInformation.d

65 66 61 75 6c 74 54 69 6d 65 5a 6f 6e 65 49 6e efaultTimeZoneIn

66 6f 72 6d 61 74 69 6f 6e 00 74 69 6d 65 5a 6f formation.timeZo

6e 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 74 79 neInformation.ty

70 65 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 6c 70 peInformation.lp

4e 6c 73 56 65 72 73 69 6f 6e 49 6e 66 6f 72 6d NlsVersionInform

61 74 69 6f 6e 00 41 75 74 68 65 6e 74 69 63 61 ation.Authentica

74 69 6f 6e 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 tionInformation.

47 65 74 55 73 65 72 4f 62 6a 65 63 74 49 6e 66 GetUserObjectInf

6f 72 6d 61 74 69 6f 6e 00 73 65 63 75 72 69 74 ormation.securit

79 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 6d 65 74 yInformation.met
 

2014-11-24 20:39:55,796 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01AEA, Value:
 

6d 6f 64 41 50 49 24 6d 6f 64 32 00 6d 6f 64 41 modAPI$mod2.modA

75 64 69 6f 24 6d 6f 64 33 00 6d 6f 64 42 74 4b udio$mod3.modBtK

69 6c 6c 65 72 24 6d 6f 64 34 00 6d 6f 64 43 72 iller$mod4.modCr

79 70 74 24 6d 6f 64 35 00 6d 6f 64 46 75 63 74 ypt$mod5.modFuct

69 6f 6e 73 24 6d 6f 64 36 00 6d 6f 64 48 69 6a ions$mod6.modHij

61 63 6b 24 6d 6f 64 37 00 6d 6f 64 49 43 61 6c ack$mod7.modICal

6c 42 61 63 6b 24 6d 6f 64 38 00 6d 6f 64 49 49 lBack$mod8.modII

6e 65 74 24 6d 6f 64 39 00 6d 6f 64 49 6e 66 65 net$mod9.modInfe

63 74 24 6d 6f 64 31 30 00 6d 6f 64 49 6e 6a 50 ct$mod10.modInjP

45 24 6d 6f 64 31 31 00 6d 6f 64 4c 61 75 6e 63 E$mod11.modLaunc

68 57 65 62 24 6d 6f 64 31 32 00 6d 6f 64 4f 53 hWeb$mod12.modOS

24 6d 6f 64 31 33 00 6d 6f 64 50 57 73 24 6d 6f $mod13.modPWs$mo

64 31 34 00 6d 6f 64 52 65 67 69 73 74 72 79 24 d14.modRegistry$

6d 6f 64 31 35 00 6d 6f 64 53 63 72 65 65 6e 63 mod15.modScreenc

61 70 24 6d 6f 64 31 36 00 6d 6f 64 53 6e 69 66 ap$mod16.modSnif

66 24 6d 6f 64 31 37 00 6d 6f 64 53 6f 63 6b 65 f$mod17.modSocke
 

2014-11-24 20:39:55,798 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01AF6, Value:
 

6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo

64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m

6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f 64 odCrypt$mod5.mod

46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f Fuctions$mod6.mo

64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 dHijack$mod7.mod

49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 6d ICallBack$mod8.m

6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 odIInet$mod9.mod

49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f 64 Infect$mod10.mod

49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 4c InjPE$mod11.modL

61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 6d aunchWeb$mod12.m

6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 57 odOS$mod13.modPW

73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 73 s$mod14.modRegis

74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 72 try$mod15.modScr

65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f 64 eencap$mod16.mod

53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 53 Sniff$mod17.modS

6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 31 ocketMaster$mod1
 

2014-11-24 20:39:55,799 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B04, Value:
 

6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4

00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m

6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 odFuctions$mod6.

6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m

6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8

00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m

6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m

6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo

64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12

00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod

50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg

69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS

63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m

6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo

64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo

64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo
 

2014-11-24 20:39:55,803 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B15, Value:
 

6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo

64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m

6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f odHijack$mod7.mo

64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 dICallBack$mod8.

6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo

64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo

64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod

4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.

6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP

57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi

73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc

72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo

64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod

53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod

31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod

31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
 

2014-11-24 20:39:55,805 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B23, Value:
 

6d 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 modFuctions$mod6

00 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 .modHijack$mod7.

6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod

38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.

6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m

6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1

32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo

64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe

67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod

53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m

6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m

6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m

6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer

24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
 

2014-11-24 20:39:55,808 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B34, Value:
 

6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m

6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8

00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m

6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m

6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo

64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12

00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod

50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg

69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS

63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m

6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo

64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo

64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo

64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 d19.modSqueezer$

6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 mod20.modSS$mod2

31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 1.modTorrentSeed
 

2014-11-24 20:39:55,809 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B43, Value:
 

6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod

38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.

6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m

6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1

32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo

64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe

67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod

53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m

6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m

6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m

6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer

24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee

64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
 

2014-11-24 20:39:55,812 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B55, Value:
 

6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo

64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo

64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod

4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.

6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP

57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi

73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc

72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo

64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod

53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod

31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod

31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m

6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21

00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$

74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t

6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr
 

2014-11-24 20:39:55,813 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B63, Value:
 

6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m

6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1

32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo

64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe

67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod

53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m

6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m

6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m

6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer

24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee

64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms

24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t

6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
 

2014-11-24 20:39:55,815 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B73, Value:
 

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m

6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1

32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo

64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe

67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod

53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m

6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m

6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m

6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer

24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee

64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms

24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t

6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm

72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5
 

2014-11-24 20:39:55,818 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B82, Value:
 

6d 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 modLaunchWeb$mod

31 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 12.modOS$mod13.m

6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 odPWs$mod14.modR

65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f egistry$mod15.mo

64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 dScreencap$mod16

00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 .modSniff$mod17.

6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$

6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$

6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze

72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo

64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe

65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm

73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$

74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t

6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr

35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.
 

2014-11-24 20:39:55,819 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01B95, Value:
 

6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP

57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi

73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc

72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo

64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod

53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod

31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod

31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m

6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21

00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$

74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t

6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr

33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 3.tmrAnslut$tmr4

00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 .tmrAudio$tmr5.t

6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 mrBlink$tmr6.tmr

43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f Check$tmr7.tmrCo
 

2014-11-24 20:39:55,822 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BA1, Value:
 

6d 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 modPWs$mod14.mod

52 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d Registry$mod15.m

6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 odScreencap$mod1

36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 6.modSniff$mod17

00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 .modSocketMaster

24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 $mod18.modSpread

24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a $mod19.modSqueez

65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d er$mod20.modSS$m

6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 od21.modTorrentS

65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 eed$tmr1.tmrAlar

6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 ms$tmr2.tmrAlive

24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 $tmr3.tmrAnslut$

74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d tmr4.tmrAudio$tm

72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 r5.tmrBlink$tmr6

00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 .tmrCheck$tmr7.t

6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 mrCountdown$tmr8
 

2014-11-24 20:39:55,823 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BAE, Value:
 

6d 6f 64 52 65 67 69 73 74 72 79 24 6d 6f 64 31 modRegistry$mod1

35 00 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 5.modScreencap$m

6f 64 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f od16.modSniff$mo

64 31 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 d17.modSocketMas

74 65 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 ter$mod18.modSpr

65 61 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 ead$mod19.modSqu

65 65 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 eezer$mod20.modS

53 24 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 S$mod21.modTorre

6e 74 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 ntSeed$tmr1.tmrA

6c 61 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c larms$tmr2.tmrAl

69 76 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c ive$tmr3.tmrAnsl

75 74 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f ut$tmr4.tmrAudio

24 74 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 $tmr5.tmrBlink$t

6d 72 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 mr6.tmrCheck$tmr

37 00 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 7.tmrCountdown$t

6d 72 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 mr8.tmrCrazy$tmr
 

2014-11-24 20:39:55,825 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BC0, Value:
 

6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 modScreencap$mod

31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 16.modSniff$mod1

37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 7.modSocketMaste

72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 r$mod18.modSprea

64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 d$mod19.modSquee

7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 zer$mod20.modSS$

6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 mod21.modTorrent

53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 Seed$tmr1.tmrAla

72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 rms$tmr2.tmrAliv

65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 e$tmr3.tmrAnslut

24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 $tmr4.tmrAudio$t

6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 mr5.tmrBlink$tmr

36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 6.tmrCheck$tmr7.

74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr

38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.

74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
 

2014-11-24 20:39:55,832 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BD3, Value:
 

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m

6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m

6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m

6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer

24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee

64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms

24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t

6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm

72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5

00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 .tmrBlink$tmr6.t

6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 mrCheck$tmr7.tmr

43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 Countdown$tmr8.t

6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 mrCrazy$tmr9.tmr

44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 DOS$tmr10.tmrDoW

6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 ork$tmr11.tmrFoc
 

2014-11-24 20:39:55,835 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BE2, Value:
 

6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$

6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$

6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze

72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo

64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe

65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm

73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$

74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t

6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr

35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.

74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm

72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.

74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm

72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo

57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo

63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
 

2014-11-24 20:39:55,836 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01BF8, Value:
 

6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 31 39 00 modSpread$mod19.

6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2

30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo

64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr

31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2

00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t

6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm

72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB

6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe

63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount

64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra

7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t

6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t

6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm

72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t

6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi
 

2014-11-24 20:39:55,842 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C08, Value:
 

6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2

30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo

64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr

31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2

00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t

6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm

72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB

6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe

63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount

64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra

7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t

6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t

6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm

72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t

6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi

74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 tet$tmr14.tmrInf
 

2014-11-24 20:39:55,846 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C1A, Value:
 

6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 64 54 modSS$mod21.modT

6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 31 00 orrentSeed$tmr1.

74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t

6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr

41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA

75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli

6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck

24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo

77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy

24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr

31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr

31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1

32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr

31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite

74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT

4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter
 

2014-11-24 20:39:55,848 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C26, Value:
 

6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 modTorrentSeed$t

6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d mr1.tmrAlarms$tm

72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 r2.tmrAlive$tmr3

00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 .tmrAnslut$tmr4.

74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm

72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC

68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou

6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC

72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS

24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork

24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$

74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber

24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti

76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI

6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI

6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm
 

2014-11-24 20:39:55,851 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C3A, Value:
 

74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t

6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr

41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA

75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli

6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck

24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo

77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy

24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr

31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr

31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1

32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr

31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite

74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT

4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter

76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 valUpdate$tmr16.

74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm
 

2014-11-24 20:39:55,855 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C49, Value:
 

74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm

72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr

41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl

69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 ink$tmr6.tmrChec

6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 k$tmr7.tmrCountd

6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a own$tmr8.tmrCraz

79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d y$tmr9.tmrDOS$tm

72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d r10.tmrDoWork$tm

72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 r11.tmrFocus$tmr

31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 12.tmrGrabber$tm

72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 r13.tmrInaktivit

65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f et$tmr14.tmrInfo

54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 TO$tmr15.tmrInte

72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 rvalUpdate$tmr16

00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 .tmrLiveLogger$t

6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 mr17.tmrPersista
 

2014-11-24 20:39:55,857 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C57, Value:
 

74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 tmrAnslut$tmr4.t

6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 mrAudio$tmr5.tmr

42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 Blink$tmr6.tmrCh

65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e eck$tmr7.tmrCoun

74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 tdown$tmr8.tmrCr

61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 azy$tmr9.tmrDOS$

74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 tmr10.tmrDoWork$

74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 tmr11.tmrFocus$t

6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 mr12.tmrGrabber$

74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 tmr13.tmrInaktiv

69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e itet$tmr14.tmrIn

66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e foTO$tmr15.tmrIn

74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 tervalUpdate$tmr

31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 16.tmrLiveLogger

24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 $tmr17.tmrPersis

74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 63 tant$tmr18.tmrSc
 

2014-11-24 20:39:55,858 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C66, Value:
 

74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm

72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC

68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou

6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC

72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS

24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork

24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$

74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber

24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti

76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI

6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI

6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm

72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 r16.tmrLiveLogge

72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 r$tmr17.tmrPersi

73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 stant$tmr18.tmrS

63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 39 00 creenshot$tmr19.
 

2014-11-24 20:39:55,861 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C74, Value:
 

74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d tmrBlink$tmr6.tm

72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 rCheck$tmr7.tmrC

6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d ountdown$tmr8.tm

72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 rCrazy$tmr9.tmrD

4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f OS$tmr10.tmrDoWo

72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 rk$tmr11.tmrFocu

73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 s$tmr12.tmrGrabb

65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b er$tmr13.tmrInak

74 69 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d tivitet$tmr14.tm

72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d rInfoTO$tmr15.tm

72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 rIntervalUpdate$

74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 tmr16.tmrLiveLog

67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 ger$tmr17.tmrPer

73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d sistant$tmr18.tm

72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 rScreenshot$tmr1

39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 9.tmrSpara$tmr20
 

2014-11-24 20:39:55,865 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C82, Value:
 

74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm

72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.

74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm

72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo

57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo

63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra

62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn

61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.

74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat

65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL

6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP

65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm

72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr

32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
 

2014-11-24 20:39:55,867 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01C90, Value:
 

74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr

38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.

74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr

44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr

46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG

72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr

49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1

34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1

35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd

61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv

65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm

72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1

38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$

74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t

6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm

72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22
 

2014-11-24 20:39:55,868 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CA2, Value:
 

74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm

72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo

57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo

63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra

62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn

61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.

74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat

65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL

6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP

65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm

72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr

32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t

6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
 

2014-11-24 20:39:55,871 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CB0, Value:
 

74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr

44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr

46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG

72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr

49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1

34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1

35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd

61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv

65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm

72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1

38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$

74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t

6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm

72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22

00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d .tmrUDP$tmr23.tm

72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 rWebHideBlackSha
 

2014-11-24 20:39:55,872 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CBD, Value:
 

74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 tmrDoWork$tmr11.

74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t

6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.

74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t

6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t

6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval

55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr

4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17

00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t

6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh

6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar

61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid

24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm

72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23

00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack

53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection
 

2014-11-24 20:39:55,875 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CCD, Value:
 

74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t

6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.

74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t

6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t

6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval

55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr

4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17

00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t

6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh

6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar

61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid

24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm

72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23

00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack

53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection

00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$
 

2014-11-24 20:39:55,875 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CDC, Value:
 

74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 tmrGrabber$tmr13

00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 .tmrInaktivitet$

74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 tmr14.tmrInfoTO$

74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 tmr15.tmrInterva

6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d lUpdate$tmr16.tm

72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 rLiveLogger$tmr1

37 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 7.tmrPersistant$

74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 tmr18.tmrScreens

68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 hot$tmr19.tmrSpa

72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 ra$tmr20.tmrSpri

64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 d$tmr21.tmrTCP$t

6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 mr22.tmrUDP$tmr2

33 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 3.tmrWebHideBlac

6b 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f kShades.detectio

6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 n.DarkComet.RAT.

24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 $bot1.#BOT#OpenU
 

2014-11-24 20:39:55,878 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01CED, Value:
 

74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t

6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t

6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval

55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr

4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17

00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t

6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh

6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar

61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid

24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm

72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23

00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack

53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection

00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$

62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 bot1.#BOT#OpenUr

6c 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 l$bot2.#BOT#Ping
 

2014-11-24 20:39:55,880 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D02, Value:
 

74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat

65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL

6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP

65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm

72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr

32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t

6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW

65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade

73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark

43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot

32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3

00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
 

2014-11-24 20:39:55,881 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D12, Value:
 

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat

65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL

6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP

65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm

72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr

32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t

6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW

65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade

73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark

43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot

32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3

00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$

62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni
 

2014-11-24 20:39:55,884 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D2A, Value:
 

74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm

72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e r17.tmrPersistan

74 24 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 t$tmr18.tmrScree

6e 73 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 nshot$tmr19.tmrS

70 61 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 para$tmr20.tmrSp

72 69 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 rid$tmr21.tmrTCP

24 74 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d $tmr22.tmrUDP$tm

72 32 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c r23.tmrWebHideBl

61 63 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 ackShades.detect

69 6f 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 ion.DarkComet.RA

54 00 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 T.$bot1.#BOT#Ope

6e 55 72 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 nUrl$bot2.#BOT#P

69 6e 67 24 62 6f 74 33 00 23 42 4f 54 23 52 75 ing$bot3.#BOT#Ru

6e 50 72 6f 6d 70 74 24 62 6f 74 34 00 23 42 4f nPrompt$bot4.#BO

54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c 24 62 T#SvrUninstall$b

6f 74 35 00 23 42 4f 54 23 55 52 4c 44 6f 77 6e ot5.#BOT#URLDown
 

2014-11-24 20:39:55,888 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D3E, Value:
 

74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d tmrPersistant$tm

72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f r18.tmrScreensho

74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 t$tmr19.tmrSpara

24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 $tmr20.tmrSprid$

74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 tmr21.tmrTCP$tmr

32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 22.tmrUDP$tmr23.

74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS

68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection.

44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b

6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl

24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$

62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro

6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv

72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5.

23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload

24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp
 

2014-11-24 20:39:55,890 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D52, Value:
 

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm

72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr

32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t

6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW

65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade

73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark

43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot

32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3

00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$

62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni

6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT

23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot

36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate

24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit
 

2014-11-24 20:39:55,891 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D66, Value:
 

74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 00 74 tmrSpara$tmr20.t

6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 6d mrSprid$tmr21.tm

72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 44 rTCP$tmr22.tmrUD

50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 69 P$tmr23.tmrWebHi

64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 65 deBlackShades.de

74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 tection.DarkCome

74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f 54 t.RAT.$bot1.#BOT

23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 42 #OpenUrl$bot2.#B

4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 4f OT#Ping$bot3.#BO

54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 34 T#RunPrompt$bot4

00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 .#BOT#SvrUninsta

6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c ll$bot5.#BOT#URL

44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 Download$bot6.#B

4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 OT#URLUpdate$bot

37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 7.#BOT#VisitUrl$

62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 bot8.#BOT#CloseS
 

2014-11-24 20:39:55,894 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D75, Value:
 

74 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 tmrSprid$tmr21.t

6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 mrTCP$tmr22.tmrU

44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 DP$tmr23.tmrWebH

69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 ideBlackShades.d

65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d etection.DarkCom

65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f et.RAT.$bot1.#BO

54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 T#OpenUrl$bot2.#

42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 BOT#Ping$bot3.#B

4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 OT#RunPrompt$bot

34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 4.#BOT#SvrUninst

61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 all$bot5.#BOT#UR

4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 LDownload$bot6.#

42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f BOT#URLUpdate$bo

74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c t7.#BOT#VisitUrl

24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 $bot8.#BOT#Close

53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f Server$ddos1.DDO
 

2014-11-24 20:39:55,900 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D84, Value:
 

74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 tmrTCP$tmr22.tmr

55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 UDP$tmr23.tmrWeb

48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 HideBlackShades.

64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f detection.DarkCo

6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 met.RAT.$bot1.#B

4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 OT#OpenUrl$bot2.

23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.#

42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo

74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins

74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U

52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.

23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b

6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr

6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos

65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD

4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos
 

2014-11-24 20:39:55,901 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D91, Value:
 

74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 tmrUDP$tmr23.tmr

57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 WebHideBlackShad

65 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 es.detection.Dar

6b 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 kComet.RAT.$bot1

00 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f .#BOT#OpenUrl$bo

74 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 t2.#BOT#Ping$bot

33 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 3.#BOT#RunPrompt

24 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e $bot4.#BOT#SvrUn

69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f install$bot5.#BO

54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f T#URLDownload$bo

74 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 t6.#BOT#URLUpdat

65 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 e$bot7.#BOT#Visi

74 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 tUrl$bot8.#BOT#C

6c 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 loseServer$ddos1

00 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 .DDOSHTTPFLOOD$d

64 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f dos2.DDOSSYNFLOO
 

2014-11-24 20:39:55,905 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: BlackShades at address: 0x7FEEAE01D9E, Value:
 

74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS

68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection.

44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b

6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl

24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$

62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro

6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv

72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5.

23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload

24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp

64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V

69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO

54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd

6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO

44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF

4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU
 

2014-11-24 20:39:55,907 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DD2, Value:
 

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot

32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3

00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$

62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni

6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT

23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot

36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate

24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit

55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c Url$bot8.#BOT#Cl

6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 oseServer$ddos1.

44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd

6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD

24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL

4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A

63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo

67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.
 

2014-11-24 20:39:55,910 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DE4, Value:
 

23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.#

42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo

74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins

74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U

52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.

23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b

6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr

6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos

65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD

4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos

32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d

64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO

44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act

69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg

65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl
 

2014-11-24 20:39:55,914 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01DF3, Value:
 

23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 #BOT#RunPrompt$b

6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e ot4.#BOT#SvrUnin

73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 stall$bot5.#BOT#

55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 URLDownload$bot6

00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 .#BOT#URLUpdate$

62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 bot7.#BOT#VisitU

72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f rl$bot8.#BOT#Clo

73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 seServer$ddos1.D

44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f DOSHTTPFLOOD$ddo

73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 s2.DDOSSYNFLOOD$

64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f ddos3.DDOSUDPFLO

4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 OD$keylogger1.Ac

74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog

67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 ger$keylogger2.U

6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 nActiveOnlineKey

6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger
 

2014-11-24 20:39:55,915 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E07, Value:
 

23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c #BOT#SvrUninstal

6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 l$bot5.#BOT#URLD

6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 4f ownload$bot6.#BO

54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 37 T#URLUpdate$bot7

00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 .#BOT#VisitUrl$b

6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 ot8.#BOT#CloseSe

72 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 rver$ddos1.DDOSH

54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 TTPFLOOD$ddos2.D

44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 DOSSYNFLOOD$ddos

33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 3.DDOSUDPFLOOD$k

65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 eylogger1.Active

4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 OnlineKeylogger$

6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 keylogger2.UnAct

69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg

65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 er$keylogger3.Ac

74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo
 

2014-11-24 20:39:55,917 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E1E, Value:
 

23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload

24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp

64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V

69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO

54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd

6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO

44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF

4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU

44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 DPFLOOD$keylogge

72 31 00 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b r1.ActiveOnlineK

65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg

65 72 32 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 er2.UnActiveOnli

6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl

6f 67 67 65 72 33 00 41 63 74 69 76 65 4f 66 66 ogger3.ActiveOff

6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke

79 6c 6f 67 67 65 72 34 00 55 6e 41 63 74 69 76 ylogger4.UnActiv
 

2014-11-24 20:39:55,918 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E34, Value:
 

23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b

6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr

6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos

65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD

4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos

32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d

64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO

44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act

69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg

65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl

6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3

00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe

79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge

72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli

6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel
 

2014-11-24 20:39:55,921 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E48, Value:
 

23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 6f #BOT#VisitUrl$bo

74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 t8.#BOT#CloseSer

76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 54 ver$ddos1.DDOSHT

54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 TPFLOOD$ddos2.DD

4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 OSSYNFLOOD$ddos3

00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 .DDOSUDPFLOOD$ke

79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f ylogger1.ActiveO

6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k

65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 eylogger2.UnActi

76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 veOnlineKeylogge

72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 r$keylogger3.Act

69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 iveOfflineKeylog

67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 ger$keylogger4.U

6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 nActiveOfflineKe

79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 ylogger$shell1.A

43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c CTIVEREMOTESHELL
 

2014-11-24 20:39:55,923 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E5B, Value:
 

23 42 4f 54 23 43 6c 6f 73 65 53 65 72 76 65 72 #BOT#CloseServer

24 64 64 6f 73 31 00 44 44 4f 53 48 54 54 50 46 $ddos1.DDOSHTTPF

4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 4f 53 53 LOOD$ddos2.DDOSS

59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 YNFLOOD$ddos3.DD

4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f OSUDPFLOOD$keylo

67 67 65 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 gger1.ActiveOnli

6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl

6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 65 4f ogger2.UnActiveO

6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k

65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 76 65 eylogger3.Active

4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 OfflineKeylogger

24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 $keylogger4.UnAc

74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo

67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 54 49 gger$shell1.ACTI

56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 VEREMOTESHELL$sh

65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 45 53 ell2.SUBMREMOTES
 

2014-11-24 20:39:55,924 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E72, Value:
 

44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd

6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD

24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL

4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A

63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo

67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.

55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe

79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge

72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline

4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog

67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff

6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh

65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT

45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU

42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh

65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES
 

2014-11-24 20:39:55,928 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E86, Value:
 

44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f DDOSSYNFLOOD$ddo

73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 s3.DDOSUDPFLOOD$

6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 keylogger1.Activ

65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger

24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 $keylogger2.UnAc

74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog

67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 ger$keylogger3.A

63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c ctiveOfflineKeyl

6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 ogger$keylogger4

00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 .UnActiveOffline

4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 Keylogger$shell1

00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 .ACTIVEREMOTESHE

4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 LL$shell2.SUBMRE

4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 MOTESHELL$shell3

00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c .KILLREMOTESHELL

44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 DarkComet.detect
 

2014-11-24 20:39:55,930 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01E99, Value:
 

44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 DDOSUDPFLOOD$key

6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e logger1.ActiveOn

6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke

79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 ylogger2.UnActiv

65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger

24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 $keylogger3.Acti

76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 veOfflineKeylogg

65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e er$keylogger4.Un

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey

6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC

54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$

73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT

45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI

4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar

6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection

00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str
 

2014-11-24 20:39:55,933 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01EB1, Value:
 

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl

6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 ogger$keylogger2

00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b .UnActiveOnlineK

65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg

65 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e er3.ActiveOfflin

65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f eKeylogger$keylo

67 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 gger4.UnActiveOf

66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 flineKeylogger$s

68 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f hell1.ACTIVEREMO

54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 TESHELL$shell2.S

55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 UBMREMOTESHELL$s

68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 hell3.KILLREMOTE

53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 SHELLDarkComet.d

65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 etection.Xtreme.

52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 RAT.$string1.Xtr

65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 emeKeylogger$str
 

2014-11-24 20:39:55,934 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01ED4, Value:
 

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl

6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3

00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe

79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge

72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli

6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel

6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 l1.ACTIVEREMOTES

48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d HELL$shell2.SUBM

52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c REMOTESHELL$shel

6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 l3.KILLREMOTESHE

4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 LLDarkComet.dete

63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 ction.Xtreme.RAT

00 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 .$string1.Xtreme

4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 Keylogger$string

32 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 2.XtremeRAT$stri

6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 ng3.XTREMEUPDATE
 

2014-11-24 20:39:55,940 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01ED2, Value:
 

55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe

79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge

72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline

4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog

67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff

6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh

65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT

45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU

42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh

65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES

48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 HELLDarkComet.de

74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 tection.Xtreme.R

41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 AT.$string1.Xtre

6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 meKeylogger$stri

6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 ng2.XtremeRAT$st

72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 ring3.XTREMEUPDA
 

2014-11-24 20:39:55,943 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01EF5, Value:
 

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey

6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger

34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 4.UnActiveOfflin

65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c eKeylogger$shell

31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 1.ACTIVEREMOTESH

45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 ELL$shell2.SUBMR

45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c EMOTESHELL$shell

33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 3.KILLREMOTESHEL

4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 LDarkComet.detec

74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 tion.Xtreme.RAT.

24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b $string1.XtremeK

65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 eylogger$string2

00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e .XtremeRAT$strin

67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 g3.XTREMEUPDATE$

73 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 string4.STUBXTRE

4d 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 MEINJECTED$unit1
 

2014-11-24 20:39:55,947 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F19, Value:
 

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey

6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC

54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$

73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT

45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI

4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar

6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection

00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str

69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 6c 6f ing1.XtremeKeylo

67 67 65 72 24 73 74 72 69 6e 67 32 00 58 74 72 gger$string2.Xtr

65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 00 58 emeRAT$string3.X

54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 69 TREMEUPDATE$stri

6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 4e ng4.STUBXTREMEIN

4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e 69 JECTED$unit1.Uni

74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 00 b1 tConfig.........

b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 8f .........]......
 

2014-11-24 20:39:55,948 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F17, Value:
 

55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b UnActiveOfflineK

65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 eylogger$shell1.

41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL

4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM

4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3.

4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD

61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti

6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s

74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey

6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X

74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3

00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st

72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME

49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U

6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig.......

00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........]....
 

2014-11-24 20:39:55,950 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F37, Value:
 

41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL

4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM

4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3.

4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD

61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti

6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s

74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey

6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X

74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3

00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st

72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME

49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U

6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig.......

00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........]....

00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 ................

00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 ...........v....
 

2014-11-24 20:39:55,953 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F50, Value:
 

53 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 SUBMREMOTESHELL$

73 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 shell3.KILLREMOT

45 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 ESHELLDarkComet.

64 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 detection.Xtreme

20 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 .RAT.$string1.Xt

72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 remeKeylogger$st

72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 ring2.XtremeRAT$

73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 string3.XTREMEUP

44 41 54 45 24 73 74 72 69 6e 67 34 00 53 54 55 DATE$string4.STU

42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 44 24 BXTREMEINJECTED$

75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 69 67 unit1.UnitConfig

00 00 00 00 00 00 80 00 b1 b4 88 07 00 00 00 00 ................

b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 00 01 06 ..].............

00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 00 ................

d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 be a1 ed ..v........N....

01 00 00 00 88 00 00 00 50 c5 21 07 00 00 00 00 ........P.!.....
 

2014-11-24 20:39:55,957 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: DarkComet at address: 0x7FEEAE01F67, Value:
 

4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD

61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti

6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s

74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey

6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X

74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3

00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st

72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME

49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U

6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 nitConfig.......

00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 ...........]....

00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 ................

00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 ...........v....

00 e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 00 ....N...........

00 50 c5 21 07 00 00 00 00 04 00 00 00 00 00 00 .P.!............

21 00 00 00 00 00 00 80 00 41 17 70 0b 00 00 00 !........A.p....
 

2014-11-24 20:39:55,963 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01F9E, Value:
 

58 74 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 XtremeKeylogger$

73 74 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 string2.XtremeRA

54 24 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 T$string3.XTREME

55 50 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 UPDATE$string4.S

54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 TUBXTREMEINJECTE

44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 D$unit1.UnitConf

69 67 00 00 00 00 00 00 80 00 b1 b4 88 07 00 00 ig..............

00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 00 ....]...........

01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 00 ................

00 00 d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 be ....v........N..

a1 ed 01 00 00 00 88 00 00 00 50 c5 21 07 00 00 ..........P.!...

00 00 04 00 00 00 00 00 00 21 00 00 00 00 00 00 .........!......

80 00 41 17 70 0b 00 00 00 00 b0 7f 5d 07 00 00 ..A.p.......]...

00 00 90 ed 8f ed 02 00 03 00 00 00 00 00 00 00 ................

00 00 00 01 00 00 00 00 00 00 c1 7f 5d 07 00 00 ............]...

00 00 83 d1 8e 4c 3a 27 f8 90 01 00 00 00 88 00 .....L:'........
 

2014-11-24 20:39:55,966 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FB6, Value:
 

58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 XtremeRAT$string

33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 3.XTREMEUPDATE$s

74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d tring4.STUBXTREM

45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 EINJECTED$unit1.

55 6e 69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 UnitConfig......

80 00 b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 ............]...

00 00 8f ed ee ec 05 00 01 06 00 00 00 00 00 00 ................

00 00 00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 ............v...

00 00 e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 .....N..........

00 00 50 c5 21 07 00 00 00 00 04 00 00 00 00 00 ..P.!...........

00 21 00 00 00 00 00 00 80 00 41 17 70 0b 00 00 .!........A.p...

00 00 b0 7f 5d 07 00 00 00 00 90 ed 8f ed 02 00 ....]...........

03 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 ................

00 00 c1 7f 5d 07 00 00 00 00 83 d1 8e 4c 3a 27 ....]........L:'

f8 90 01 00 00 00 88 00 00 00 d0 c3 21 07 00 00 ............!...

00 00 04 00 00 00 00 00 00 01 00 00 00 00 00 00 ................
 

2014-11-24 20:39:55,967 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FC8, Value:
 

58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 XTREMEUPDATE$str

69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 ing4.STUBXTREMEI

4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e NJECTED$unit1.Un

69 74 43 6f 6e 66 69 67 00 00 00 00 00 00 80 00 itConfig........

b1 b4 88 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 ..........].....

8f ed ee ec 05 00 01 06 00 00 00 00 00 00 00 00 ................

00 01 01 00 00 00 00 00 d8 1f 76 0a 00 00 00 00 ..........v.....

e7 91 1d 4e 83 be a1 ed 01 00 00 00 88 00 00 00 ...N............

50 c5 21 07 00 00 00 00 04 00 00 00 00 00 00 21 P.!............!

00 00 00 00 00 00 80 00 41 17 70 0b 00 00 00 00 ........A.p.....

b0 7f 5d 07 00 00 00 00 90 ed 8f ed 02 00 03 00 ..].............

00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 ................

c1 7f 5d 07 00 00 00 00 83 d1 8e 4c 3a 27 f8 90 ..]........L:'..

01 00 00 00 88 00 00 00 d0 c3 21 07 00 00 00 00 ..........!.....

04 00 00 00 00 00 00 01 00 00 00 00 00 00 80 00 ................

b1 c1 5d 07 00 00 00 00 b0 7f 5d 07 00 00 00 00 ..].......].....
 

2014-11-24 20:39:55,970 - detector - WARNING - Process wmpnetwk.exe (pid: 3628) matched: Xtreme at address: 0x7FEEAE01FDD, Value:
 

53 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 STUBXTREMEINJECT

45 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e ED$unit1.UnitCon

66 69 67 00 00 00 00 00 00 80 00 b1 b4 88 07 00 fig.............

00 00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 05 .....]..........

00 01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 ................

00 00 00 d8 1f 76 0a 00 00 00 00 e7 91 1d 4e 83 .....v........N.

be a1 ed 01 00 00 00 88 00 00 00 50 c5 21 07 00 ...........P.!..

00 00 00 04 00 00 00 00 00 00 21 00 00 00 00 00 ..........!.....

00 80 00 41 17 70 0b 00 00 00 00 b0 7f 5d 07 00 ...A.p.......]..

00 00 00 90 ed 8f ed 02 00 03 00 00 00 00 00 00 ................

00 00 00 00 01 00 00 00 00 00 00 c1 7f 5d 07 00 .............]..

00 00 00 83 d1 8e 4c 3a 27 f8 90 01 00 00 00 88 ......L:'.......

00 00 00 d0 c3 21 07 00 00 00 00 04 00 00 00 00 .....!..........

00 00 01 00 00 00 00 00 00 80 00 b1 c1 5d 07 00 .............]..

00 00 00 b0 7f 5d 07 00 00 00 00 8f ed ee ec 04 .....]..........

00 01 06 00 00 00 00 00 00 00 00 00 01 01 00 00 ................
 

2014-11-24 21:22:27,375 - detector - INFO - Scanning finished

2014-11-24 21:22:27,375 - detector.service - INFO - Trying to stop the winpmem service...

2014-11-24 21:22:27,387 - detector.service - INFO - Trying to delete the winpmem service...

2014-11-24 21:22:27,388 - detector - INFO - Service stopped

2014-11-24 21:22:27,388 - detector - INFO - Analysis finished

und wie schlimm ist das? Hmm...

Habe selbst logfile durchschauen. Was fällt mir auf, ist nur zwei Prozesse Boxsync.exe und wmpnetwk.exe. Hat man (BKA oder was??) Trojaner in beiden Prozesse injiziert, oder!??

Guten Tag, Schrauber!

hier zwei Anhänge:

FRST Logfile:

FRST Logfile:

FRST Logfile:

Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01

Ran by superior (administrator) on HOME-PC on 26-11-2014 10:16:54

Running from T:\FRST64

Loaded Profile: superior (Available profiles: superior & muad'dib)

Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)

Internet Explorer Version 11

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 

==================== Processes (Whitelisted) =================
 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(The Within Network, LLC) C:\Windows\UnsignedThemesSvc.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe

(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(CyberLink) C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe

(CyberLink) C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe

(O&O Software GmbH) C:\Software\O&O Defrag Professional\oodag.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccsvchst.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe

(TuneUp Software) C:\Software\TuneUp Utilities\TuneUpUtilitiesService64.exe

(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe

(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe

(TuneUp Software) C:\Software\TuneUp Utilities\TuneUpUtilitiesApp64.exe

() C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe

(VMware, Inc.) C:\Software\VMware Workstation\vmware-authd.exe

(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe

(O&O Software GmbH) C:\Software\O&O Defrag Professional\oodtray.exe

(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe

(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe

(XemiComputers ltd.) C:\Software\Active Desktop Calendar\ADC.exe

(Stardock Corporation) C:\Software\CursorFX\Stardock\CursorFX\CursorFX.exe

(Microsoft Corporation) C:\Users\superior\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe

(Dropbox, Inc.) C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe

() C:\Windows\Samsung\PanelMgr\SSMMgr.exe

(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe

(Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe

(Babylon Ltd.) C:\Software\Babylon Pro\Babylon.exe

() C:\Windows\Samsung\PanelMgr\caller64.exe

(Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\Dock64.exe

(Stardock) C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDockTray.exe

(EXLADE, Inc.) C:\Software\Cryptic Disk Pro\Exlade Cryptic Disk 3\CrypticDisk3Console.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe

(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe

(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe

(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe

(SWE Sven Ritter) C:\Software\SpeedCommander\SpeedCommander.exe
 
 

==================== Registry (Whitelisted) ==================
 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 

HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [1609296 2010-06-26] (Logitech, Inc.)

HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)

HKLM\...\Run: [Fences] => C:\Software\Stardock\Fences\Fences.exe [3993744 2014-05-22] (Stardock Corporation)

HKLM\...\Run: [OODefragTray] => C:\Software\O&O Defrag Professional\oodtray.exe [4465448 2014-05-12] (O&O Software GmbH)

HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [519408 2013-07-18] (Acronis)

HKLM\...\Run: [BoxSync] => C:\Program Files\Box\Box Sync\BoxSync.exe [5609176 2014-11-13] (Box, Inc.)

HKLM-x32\...\Run: [Samsung PanelMgr] => C:\Windows\Samsung\PanelMgr\SSMMgr.exe [614400 2009-08-15] ()

HKLM-x32\...\Run: [Babylon Client] => C:\Software\Babylon Pro\Babylon.exe [3551456 2010-10-17] (Babylon Ltd.)

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)

HKLM-x32\...\Run: [ExladeCrypticDisk3] => C:\Software\Cryptic Disk Pro\Exlade Cryptic Disk 3\CrypticDisk3Console.exe [9779280 2010-10-01] (EXLADE, Inc.)

HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7843744 2014-02-04] (Acronis)

HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1104616 2013-10-10] (Acronis International GmbH)

HKLM-x32\...\Run: [UXTheme Launcher] => C:\Program Files (x86)\UXTheme Multi-Patcher\themeengine.exe [239887 2014-07-29] (Windows X)

HKLM\...\Winlogon: [Shell] C:\Windows\system32\explorer.exe [89088 2010-11-23] ()

Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 1

HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [Active Desktop Calendar] => C:\Software\Active Desktop Calendar\ADC.exe [9143296 2011-11-23] (XemiComputers ltd.)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [CursorFX] => C:\Software\CursorFX\Stardock\CursorFX\CursorFX.exe [416768 2008-07-07] (Stardock Corporation)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [SkyDrive] => C:\Users\superior\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [277672 2014-10-09] (Microsoft Corporation)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [PeerBlock] => C:\Software\PeerBlock\peerblock.exe [2513992 2014-01-14] (PeerBlock, LLC)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566984 2014-04-25] (Safer-Networking Ltd.)

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6003.0710\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6006.0718\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6006.0718\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512_1\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512_1\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\RunOnce: [Uninstall C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64"

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\MountPoints2: F - F:\setup.exe

HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\MountPoints2: {b420fb11-de78-11df-9cc9-005056c00008} - D:\LaunchU3.exe -a

AppInit_DLLs: acaptuser64.dll => C:\windows\system32\acaptuser64.dll [119160 2008-06-11] (Adobe Systems, Inc.)

IFEO\Acrobat.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\acrodist.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\chrome.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\excel.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\formdesigner.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\hd-apkhandler.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\hd-runapp.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\hd-startlauncher.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\infopath.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\misc.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\msaccess.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\msoxmled.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\mspub.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\mstore.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\ois.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\onenote.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\onenotem.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\powerpnt.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\snagit32.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\snagiteditor.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\Winword.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

IFEO\wmdc.exe: [Debugger] "C:\Software\TuneUp Utilities\TUAutoReactivator64.exe"

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\O&O Defrag Tray.lnk

ShortcutTarget: O&O Defrag Tray.lnk -> C:\Windows\Installer\{A5168EBB-F8E1-4B62-8805-C25684DB9E86}\app_icon.ico ()

Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> C:\Users\superior\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk

ShortcutTarget: OneNote 2010 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\muad'dib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk

ShortcutTarget: Stardock ObjectDock.lnk -> C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe (Stardock)

Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()

Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk

ShortcutTarget: Dropbox.lnk -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fences.lnk

ShortcutTarget: Fences.lnk -> C:\Software\Stardock\Fences\Fences.exe (Stardock Corporation)

Startup: C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk

ShortcutTarget: Stardock ObjectDock.lnk -> C:\Software\Stardock\ObjectDock Plus\ObjectDockPlus2\ObjectDock.exe (Stardock)

SSODL-x32: EldosMountNotificator - {C28617FD-4FE7-4043-AD51-C8132CE90106} -  No File

ShellIconOverlayIdentifiers: [    BoxSyncFileLocked] -> {9a216f5d-3530-3b1a-8006-9a1233402fba} => C:\windows\system32\mscoree.dll (Microsoft Corporation)

ShellIconOverlayIdentifiers: [    BoxSyncNotSynced] -> {4c3d7a5e-7476-3c21-9717-0614ce209c44} => C:\windows\system32\mscoree.dll (Microsoft Corporation)

ShellIconOverlayIdentifiers: [    BoxSyncProblem] -> {aa0bacc8-a5df-34b0-acd8-e6739d92010e} => C:\windows\system32\mscoree.dll (Microsoft Corporation)

ShellIconOverlayIdentifiers: [    BoxSyncSynced] -> {0f20db5b-365d-3cc6-82eb-41207f77bb71} => C:\windows\system32\mscoree.dll (Microsoft Corporation)

ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()

ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()

ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()

ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {69925D1B-6A0F-4413-861A-81AB98039DB9} =>  No File

BootExecute: autocheck autochk * sdnclean64.exe
 

==================== Internet (Whitelisted) ====================
 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.de/

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://de.msn.com/?ocid=iehp

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x34640E279963CB01

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de

HKU\S-1-5-21-306363081-4155975274-668329838-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)

BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\IPSBHO.DLL (Symantec Corporation)

BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)

BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\coIEPlg.dll (Symantec Corporation)

Toolbar: HKU\S-1-5-21-306363081-4155975274-668329838-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
 

FireFox:

========

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll ()

FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll ()

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)

FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Software\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)

FF Plugin HKU\S-1-5-21-306363081-4155975274-668329838-1001: @acestream.net/acestreamplugin,version=2.2.0-next -> C:\Users\superior\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)

FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6

FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn_2010_9_0_6 [2014-11-26]
 

Chrome: 

=======

CHR Plugin: (Widevine Content Decryption Module) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll No File

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\pdf.dll ()

CHR Plugin: (Mixesoft Click&Clean Plug-In) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\8.3_0\plugin/npccch32.dll (Vlad & Serge Strukoff © 2013)

CHR Plugin: (Bitdefender QuickScan) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\8.3_0\plugin/npqscan.dll (Bitdefender LLC)

CHR Plugin: (DjVu Plugin Viewer) - C:\Software\Firefox\plugins\npdjvu.dll No File

CHR Plugin: (Adobe Acrobat) - C:\Software\Firefox\plugins\nppdf32.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin2.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin3.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin4.dll No File

CHR Plugin: (QuickTime Plug-in 7.7.5) - C:\Software\Firefox\plugins\npqtplugin5.dll No File

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll No File

CHR Plugin: (Java Deployment Toolkit 7.0.550.14) - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

CHR Plugin: (Java(TM) Platform SE 7 U55) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll No File

CHR Plugin: (iTunes Application Detector) - C:\Software\iTunes\Mozilla Plugins\npitunes.dll ()

CHR Plugin: (Ace Stream P2P Multimedia Plug-in) - C:\Users\superior\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies)

CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)

CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll No File

CHR Profile: C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google*Übersetzer) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2014-05-26]

CHR Extension: (ChromeAccess) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeoigbhkilbllfomkmmilbfochhlgdmh [2014-05-25]

CHR Extension: (TV) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh [2014-05-24]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-20]

CHR Extension: (Tampermonkey) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2014-05-23]

CHR Extension: (Black Menu for Google™) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\eignhdfgaldabilaaegmdfbajngjmoke [2014-05-23]

CHR Extension: (Video Downloader professional) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2014-05-24]

CHR Extension: (ZenMate) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2014-05-26]

CHR Extension: (Deaktivierungs-Add-on von Google Analytics) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fllaojicojecljbmefodhfapmkghcbnh [2014-05-24]

CHR Extension: (AdBlock Premium) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\fndlhnanhedoklpdaacidomdnplcjcpj [2014-05-23]

CHR Extension: (Click&Clean) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod [2014-05-24]

CHR Extension: (Vanilla Cookie Manager) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\gieohaicffldbmiilohhggbidhephnjj [2014-05-25]

CHR Extension: (avast! Online Security) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-05-23]

CHR Extension: (Nimbus Notes) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\haafigbapbpbpnmgcknnmilaaaimggpk [2014-05-23]

CHR Extension: (SearchPreview) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcjdanpjacpeeppdjkppebobilhaglfo [2014-05-23]

CHR Extension: (EverSync - Sync bookmarks, backup favorites) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\iohcojnlgnfbmjfjfkbhahhmppcggdog [2014-05-25]

CHR Extension: (GData Centers 1 Council Bluffs, Iowa) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeonacmfdmkgfmmdejlinolgjomhcbmh [2014-05-23]

CHR Extension: (IP Whois & Flags Chrome & Websites Rating) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmdfbacgombndnllogoijhnggalgmkon [2014-05-23]

CHR Extension: (Magic Player) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpckgflgdapkpabemgkielbefdildaio [2014-03-05]

CHR Extension: (Währung Konverter) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbhghjdcfghfhlogkgdklfgmpodeglno [2014-05-24]

CHR Extension: (IP Address and Domain Information) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhgkegeccnckoiliokondpaaalbhafoa [2014-05-24]

CHR Extension: (Speed Dial [FVD] - New Tab Page, 3D, Sync...) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\llaficoajjainaijghjlofdfmbjpebpa [2014-05-23]

CHR Extension: (AS Magic Player) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfhnkgpdlogbknkhlgdjlejeljbhflim [2014-09-30]

CHR Extension: (Ghostery) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2014-05-23]

CHR Extension: (Google Wallet) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]

CHR Extension: (YouTube Unblocker) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\npnkeeiehehhefofiekoflfedgehcdhl [2014-05-25]

CHR Extension: (New Tab Bookmark Speed Dial | Papaly) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdcohkhhjbifkmpakaiopnllnddofbbn [2014-05-23]

CHR Extension: (Context Menus) - C:\Users\superior\AppData\Local\Google\Chrome\User Data\Default\Extensions\phlfmkfpmphogkomddckmggcfpmfchpn [2014-05-23]
 

==================== Services (Whitelisted) =================
 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 

S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [28696 2014-09-24] (Box, Inc.)

S4 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [402192 2014-05-21] (BlueStack Systems, Inc.)

S4 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [385808 2014-05-21] (BlueStack Systems, Inc.)

S4 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [774928 2014-05-21] (BlueStack Systems, Inc.)

R2 CyberLink PowerDVD 13 Media Server Monitor Service; C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSMonitorServicePDVD13.exe [77576 2013-07-05] (CyberLink)

R2 CyberLink PowerDVD 13 Media Server Service; C:\Software\PowerDVD Ultra\PowerDVD13\Kernel\DMS\CLMSServerPDVD13.exe [327432 2013-07-05] (CyberLink)

R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\ccSvcHst.exe [126400 2011-08-04] (Symantec Corporation)

R2 OODefragAgent; C:\Software\O&O Defrag Professional\oodag.exe [1657640 2014-05-12] (O&O Software GmbH)

R2 OS Selector; C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe [2155848 2011-11-15] ()

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

S4 SkypeUpdate; C:\Software\Skype\Updater\Updater.exe [172192 2013-10-23] (Skype Technologies)

R2 TuneUp.UtilitiesSvc; C:\Software\TuneUp Utilities\TuneUpUtilitiesService64.exe [2140984 2014-04-15] (TuneUp Software)

R2 UnsignedThemes; C:\Windows\UnsignedThemesSvc.exe [24168 2009-07-13] (The Within Network, LLC)

R2 VMAuthdService; C:\Software\VMware Workstation\vmware-authd.exe [86744 2014-04-14] (VMware, Inc.)

S2 VMwareHostd; C:\Software\VMware Workstation\vmware-hostd.exe [14407384 2014-04-14] ()

S3 vncserver; C:\Program Files\RealVNC\VNC Server\vncservice.exe [638272 2014-08-18] (RealVNC Ltd)
 

==================== Drivers (Whitelisted) ====================
 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 

R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20141118.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)

R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [123152 2014-05-21] (BlueStack Systems)

R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [352448 2013-02-11] (EldoS Corporation)

R1 ccHP; C:\Windows\system32\drivers\NISx64\1109000.00C\ccHPx64.sys [593544 2011-08-04] (Symantec Corporation)

R2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [53816 2009-06-09] (Samsung Electronics Co., Ltd.)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)

R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)

R1 ExCrDisk3Drv; C:\Windows\SysWOW64\drivers\CrDisk3.sys [182352 2010-09-23] (EXLADE, Inc.)

R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20141121.001\IDSvia64.sys [637656 2014-11-14] (Symantec Corporation)

S3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()

S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()

R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20141123.021\ENG64.SYS [129752 2014-11-03] (Symantec Corporation)

R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20141123.021\EX64.SYS [2137304 2014-11-03] (Symantec Corporation)

S3 OXSDIDRV_x64; C:\Windows\System32\DRIVERS\OXSDIDRV_x64.sys [51760 2009-09-28] ()

S3 phaudlwr; C:\Windows\System32\DRIVERS\phaudlwr.sys [114608 2009-10-20] (Philips Applied Technologies)

S3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [27136 2014-04-24] (The OpenVPN Project)

S3 SPC1300; C:\Windows\System32\DRIVERS\spc1300.sys [3251968 2010-01-26] ()

R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-10-06] () [File not signed]

R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1109000.00C\SRTSP64.SYS [505392 2010-04-22] (Symantec Corporation)

R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1109000.00C\SRTSPX64.SYS [32304 2010-04-22] (Symantec Corporation)

R0 SymDS; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMDS64.SYS [433200 2009-08-30] (Symantec Corporation)

R0 SymEFA; C:\Windows\System32\drivers\NISx64\1109000.00C\SYMEFA64.SYS [221304 2011-08-22] (Symantec Corporation)

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173104 2010-10-03] (Symantec Corporation)

R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [53808 2010-05-06] (Symantec Corporation)

R1 SymIRON; C:\Windows\system32\drivers\NISx64\1109000.00C\Ironx64.SYS [150064 2010-04-29] (Symantec Corporation)

R1 SYMTDIv; C:\Windows\System32\Drivers\NISx64\1109000.00C\SYMTDIV.SYS [451704 2011-08-22] (Symantec Corporation)

R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2014-05-23] (Acronis International GmbH)

R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [198432 2014-05-23] (Acronis International GmbH)

R3 TuneUpUtilitiesDrv; C:\Software\TuneUp Utilities\TuneUpUtilitiesDriver64.sys [14112 2013-08-21] (TuneUp Software)

R2 uxpatch; C:\Windows\system32\drivers\uxpatch.sys [30568 2009-07-13] ()

R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2014-05-23] (Acronis International GmbH)

R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [32472 2014-04-14] (VMware, Inc.)

R0 vsock; C:\Windows\System32\drivers\vsock.sys [73296 2013-10-08] (VMware, Inc.)

R2 vstor2-mntapi20-shared; C:\Windows\SysWow64\drivers\vstor2-mntapi20-shared.sys [33872 2013-02-22] (VMware, Inc.)

R2 {09F57980-3432-4AFC-957D-27AC45FAE1F5}; C:\Software\PowerDVD Ultra\PowerDVD13\Common\NavFilter\000.fcl [130320 2013-07-05] (CyberLink Corp.)

U3 arcec16i; C:\Windows\System32\Drivers\arcec16i.sys [0 ] (Microsoft Corporation)

U4 Messenger; No ImagePath
 

==================== NetSvcs (Whitelisted) ===================
 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 

==================== One Month Created Files and Folders ========
 

(If an entry is included in the fixlist, the file\folder will be moved.)
 

2014-11-26 10:16 - 2014-11-26 10:16 - 00000000 ____D () C:\FRST

2014-11-26 10:03 - 2014-11-26 10:03 - 00000416 _____ () C:\Windows\PFRO.log

2014-11-26 10:03 - 2014-11-26 10:03 - 00000056 _____ () C:\Windows\setupact.log

2014-11-26 10:03 - 2014-11-26 10:03 - 00000000 _____ () C:\Windows\setuperr.log

2014-11-20 09:10 - 2014-11-11 04:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2014-11-20 09:10 - 2014-11-11 04:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll

2014-11-20 09:10 - 2014-11-11 03:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll

2014-11-20 09:10 - 2014-11-11 03:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll

2014-11-12 10:20 - 2014-11-07 20:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2014-11-12 10:20 - 2014-11-06 05:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-11-12 10:20 - 2014-11-06 04:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2014-11-12 10:20 - 2014-11-06 04:35 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2014-11-12 10:20 - 2014-11-06 04:30 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2014-11-12 10:20 - 2014-11-06 04:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2014-11-12 10:20 - 2014-11-06 04:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2014-11-12 10:20 - 2014-11-06 04:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll

2014-11-12 10:20 - 2014-11-06 04:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2014-11-12 10:20 - 2014-11-06 04:07 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2014-11-12 10:20 - 2014-11-06 04:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2014-11-12 10:20 - 2014-11-06 03:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll

2014-11-12 10:20 - 2014-11-06 03:41 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2014-11-12 10:20 - 2014-11-06 03:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2014-11-12 10:20 - 2014-11-06 03:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2014-11-12 10:20 - 2014-11-06 03:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2014-11-12 10:20 - 2014-11-06 02:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2014-11-12 10:20 - 2014-11-05 18:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll

2014-11-12 10:20 - 2014-11-05 18:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2014-11-12 10:20 - 2014-11-05 18:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2014-11-12 10:20 - 2014-10-14 03:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2014-11-12 10:20 - 2014-10-14 03:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll

2014-11-12 10:20 - 2014-10-14 03:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2014-11-12 10:20 - 2014-10-14 03:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll

2014-11-12 10:20 - 2014-10-14 03:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll

2014-11-12 10:20 - 2014-10-14 02:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll

2014-11-12 10:20 - 2014-10-14 02:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

2014-11-12 10:20 - 2014-10-14 02:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll

2014-11-12 10:20 - 2014-10-14 02:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll

2014-11-12 10:19 - 2014-11-07 20:49 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2014-11-12 10:19 - 2014-11-06 05:03 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-11-12 10:19 - 2014-11-06 05:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2014-11-12 10:19 - 2014-11-06 04:47 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2014-11-12 10:19 - 2014-11-06 04:46 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-11-12 10:19 - 2014-11-06 04:44 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2014-11-12 10:19 - 2014-11-06 04:43 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-11-12 10:19 - 2014-11-06 04:36 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-11-12 10:19 - 2014-11-06 04:31 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-11-12 10:19 - 2014-11-06 04:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-11-12 10:19 - 2014-11-06 04:29 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2014-11-12 10:19 - 2014-11-06 04:23 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-11-12 10:19 - 2014-11-06 04:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2014-11-12 10:19 - 2014-11-06 04:16 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-11-12 10:19 - 2014-11-06 04:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2014-11-12 10:19 - 2014-11-06 04:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll

2014-11-12 10:19 - 2014-11-06 04:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2014-11-12 10:19 - 2014-11-06 04:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2014-11-12 10:19 - 2014-11-06 04:02 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2014-11-12 10:19 - 2014-11-06 04:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2014-11-12 10:19 - 2014-11-06 04:00 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-11-12 10:19 - 2014-11-06 03:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2014-11-12 10:19 - 2014-11-06 03:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll

2014-11-12 10:19 - 2014-11-06 03:57 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-11-12 10:19 - 2014-11-06 03:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll

2014-11-12 10:19 - 2014-11-06 03:41 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-11-12 10:19 - 2014-11-06 03:39 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2014-11-12 10:19 - 2014-11-06 03:38 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-11-12 10:19 - 2014-11-06 03:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll

2014-11-12 10:19 - 2014-11-06 03:30 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-11-12 10:19 - 2014-11-06 03:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2014-11-12 10:19 - 2014-11-06 03:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2014-11-12 10:19 - 2014-11-06 03:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll

2014-11-12 10:19 - 2014-11-06 03:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-11-12 10:19 - 2014-11-06 03:04 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-11-12 10:19 - 2014-11-06 03:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2014-11-12 10:19 - 2014-11-06 02:53 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2014-11-12 10:19 - 2014-11-06 02:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2014-11-12 10:19 - 2014-11-06 02:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2014-11-12 10:18 - 2014-10-25 02:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll

2014-11-12 10:18 - 2014-10-25 02:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll

2014-11-12 10:18 - 2014-10-14 03:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll

2014-11-12 10:18 - 2014-10-14 02:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll

2014-11-12 10:18 - 2014-10-10 01:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2014-11-12 10:18 - 2014-10-03 03:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll

2014-11-12 10:18 - 2014-10-03 03:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll

2014-11-12 10:18 - 2014-10-03 03:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll

2014-11-12 10:18 - 2014-10-03 03:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll

2014-11-12 10:18 - 2014-10-03 03:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll

2014-11-12 10:18 - 2014-10-03 02:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll

2014-11-12 10:18 - 2014-10-03 02:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll

2014-11-12 10:18 - 2014-10-03 02:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll

2014-11-12 10:18 - 2014-09-19 10:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll

2014-11-12 10:18 - 2014-09-19 10:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll

2014-11-12 10:18 - 2014-08-21 07:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2014-11-12 10:18 - 2014-08-21 07:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll

2014-11-12 10:18 - 2014-08-21 07:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2014-11-12 10:18 - 2014-08-21 07:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll

2014-11-12 10:18 - 2014-08-12 03:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL

2014-11-12 10:18 - 2014-08-12 02:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL

2014-11-12 10:17 - 2014-10-18 03:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll

2014-11-12 10:17 - 2014-10-18 02:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll

2014-11-08 21:28 - 2014-11-08 21:28 - 06057862 _____ (Tim Kosse) C:\Users\superior\Downloads\FileZilla_3.9.0.5_win32-setup.exe

2014-11-08 21:28 - 2014-11-08 21:28 - 06004615 _____ (Tim Kosse) C:\Users\superior\Downloads\FileZilla_3.9.0.2_win32-setup.exe

2014-11-07 08:53 - 2014-11-18 03:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync

2014-11-03 15:02 - 2014-11-03 15:02 - 00000000 ____D () C:\Users\superior\AppData\Local\VS Revo Group

2014-11-03 15:02 - 2014-11-03 15:02 - 00000000 ____D () C:\ProgramData\VS Revo Group

2014-11-03 15:02 - 2009-12-30 11:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys

2014-11-03 14:45 - 2014-11-03 14:45 - 00000000 ____D () C:\Users\superior\AppData\Roaming\ProductData

2014-11-03 14:44 - 2014-11-03 14:45 - 00000000 ____D () C:\ProgramData\ProductData

2014-11-03 14:44 - 2014-11-03 14:45 - 00000000 ____D () C:\ProgramData\IObit

2014-11-03 14:44 - 2014-11-03 14:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\IObit

2014-10-30 12:00 - 2014-10-30 12:00 - 00000000 ____D () C:\Users\superior\AppData\Local\Aegisub

2014-10-30 10:50 - 2014-11-16 11:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Subtitle Edit

2014-10-30 09:53 - 2014-10-30 09:53 - 00000590 _____ () C:\Users\superior\Documents\SnagItDebug.log

2014-10-30 09:53 - 2014-10-30 09:53 - 00000000 ____D () C:\Users\superior\AppData\Roaming\TechSmith
 

==================== One Month Modified Files and Folders =======
 

(If an entry is included in the fixlist, the file\folder will be moved.)
 

2014-11-26 10:13 - 2009-07-14 05:45 - 00025232 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-11-26 10:13 - 2009-07-14 05:45 - 00025232 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-11-26 10:10 - 2012-03-01 16:21 - 01765026 _____ () C:\Windows\WindowsUpdate.log

2014-11-26 10:08 - 2010-12-13 13:45 - 00000000 ____D () C:\ProgramData\Babylon

2014-11-26 10:03 - 2010-11-07 20:54 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs

2014-11-26 10:03 - 2010-10-05 09:50 - 00000000 ____D () C:\ProgramData\VMware

2014-11-26 10:03 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-11-25 20:28 - 2012-04-12 15:36 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-11-25 18:21 - 2009-07-14 18:58 - 00702154 _____ () C:\Windows\system32\perfh007.dat

2014-11-25 18:21 - 2009-07-14 18:58 - 00150820 _____ () C:\Windows\system32\perfc007.dat

2014-11-25 18:21 - 2009-07-14 06:13 - 01628962 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-11-25 12:51 - 2010-10-05 08:34 - 00000000 ____D () C:\ProgramData\TuneUp Software

2014-11-24 16:23 - 2010-10-04 16:46 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Canon

2014-11-24 12:03 - 2014-07-27 13:47 - 00000000 ____D () C:\Users\superior\AppData\Local\Box Sync

2014-11-24 12:02 - 2010-11-16 13:04 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Dropbox

2014-11-23 10:48 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache

2014-11-21 09:48 - 2011-05-25 10:04 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-11-21 09:48 - 2011-05-25 10:04 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-11-20 20:21 - 2011-05-25 10:04 - 00004118 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2014-11-20 20:21 - 2011-05-25 10:04 - 00003866 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2014-11-20 20:15 - 2012-08-01 15:37 - 00000000 ____D () C:\Users\superior\AppData\Roaming\iFunbox_UserCache

2014-11-20 14:03 - 2013-09-02 08:17 - 00000000 ____D () C:\Users\superior\AppData\Roaming\uTorrent

2014-11-19 14:09 - 2010-10-06 18:44 - 00000000 ____D () C:\Users\superior\AppData\Roaming\DAEMON Tools Lite

2014-11-19 14:08 - 2010-10-05 18:23 - 00000000 ____D () C:\Users\superior\AppData\Local\CrashDumps

2014-11-18 14:05 - 2010-10-29 20:38 - 00003794 _____ () C:\Windows\System32\Tasks\Adobe-Online-Aktualisierungsprogramm

2014-11-18 11:51 - 2014-06-05 17:38 - 00003828 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1379079645

2014-11-14 14:46 - 2010-10-06 18:26 - 00000000 ____D () C:\Users\superior\AppData\Roaming\FileZilla

2014-11-14 09:37 - 2010-11-22 12:37 - 00001373 _____ () C:\Users\superior\Desktop\Dropbox.lnk

2014-11-13 11:54 - 2013-09-11 15:15 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2

2014-11-12 19:20 - 2009-07-14 05:45 - 00403992 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-11-12 19:16 - 2014-05-13 12:33 - 00000000 ___SD () C:\Windows\system32\CompatTel

2014-11-12 17:19 - 2010-10-03 16:55 - 00108936 _____ () C:\Users\superior\AppData\Local\GDIPFONTCACHEV1.DAT

2014-11-12 16:24 - 2010-10-05 17:39 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-11-12 16:08 - 2013-07-23 08:13 - 00000000 ____D () C:\Windows\system32\MRT

2014-11-12 15:53 - 2010-10-04 09:51 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-11-12 14:52 - 2012-07-02 13:56 - 00000000 ____D () C:\Users\superior\AppData\Roaming\vlc

2014-11-12 14:28 - 2012-04-12 15:36 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2014-11-12 14:28 - 2012-04-12 15:36 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater

2014-11-12 14:28 - 2011-05-16 08:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2014-11-10 10:35 - 2013-09-13 16:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cloud Computing

2014-11-06 11:16 - 2010-10-26 13:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools

2014-11-04 08:15 - 2011-05-10 12:01 - 00003704 _____ () C:\Windows\System32\Tasks\Java Update Scheduler

2014-11-03 15:00 - 2010-10-03 16:07 - 00000000 ____D () C:\Software

2014-10-30 13:47 - 2012-11-05 18:16 - 00000000 ____D () C:\Users\superior\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Media Player

2014-10-30 13:47 - 2010-10-26 13:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Player

2014-10-30 13:38 - 2014-07-25 13:56 - 00003810 _____ () C:\Windows\System32\Tasks\TechSmith Updater

2014-10-29 14:54 - 2011-08-11 13:25 - 00000000 ____D () C:\Users\superior\AppData\Roaming\XBMC

2014-10-28 15:05 - 2014-06-19 16:42 - 00000000 ____D () C:\Users\superior\AppData\Local\Adobe
 

Some content of TEMP:

====================

C:\Users\superior\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpx2_j3u.dll

C:\Users\superior\AppData\Local\Temp\proxy_vole3541240850102408752.dll
 
 

==================== Bamital & volsnap Check =================
 

(There is no automatic fix for files that do not pass verification.)
 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 

LastRegBack: 2014-11-25 14:50
 

==================== End Of Log ============================

--- --- ---

--- --- ---

--- --- ---

Hier Addition.txt

Code:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-11-2014 01

Ran by superior at 2014-11-26 10:18:52

Running from T:\FRST64

Boot Mode: Normal

==========================================================
 
 

==================== Security Center ========================
 

(If an entry is included in the fixlist, it will be removed.)
 

AV: Norton Internet Security (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

AS: Norton Internet Security (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security (Enabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
 

==================== Installed Programs ======================
 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 

µTorrent (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\uTorrent) (Version: 3.4.2.32239 - BitTorrent Inc.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)

ACDSee Pro 7 (64-bit) (HKLM\...\{D2A6EC54-CB46-49E4-A6FC-A9179F9D9D12}) (Version: 7.1.164 - ACD Systems International Inc.)

Ace Stream Media 2.2.0-next (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\AceStream) (Version: 2.2.0-next - Ace Stream Media)

Acronis True Image 2014 (HKLM-x32\...\{3ECDD663-5AF8-489B-9E3C-561F33A271BD}Visible) (Version: 17.0.6673 - Acronis)

Acronis True Image 2014 (x32 Version: 17.0.6673 - Acronis) Hidden

Acronis True Image 2014 Media Add-on (HKLM-x32\...\{F38F5AD2-39A7-414A-A4D4-5EC7E42D266F}) (Version: 17.0.6673 - Acronis)

Active Desktop Calendar 7.96 (HKLM\...\Active Desktop Calendar_is1) (Version:  - XemiComputers)

Adobe Acrobat 9 Pro Extended 64-bit Add-On (HKLM\...\{AC76BA86-1033-0000-0064-0003D0000004}) (Version: 9.0.0 - Adobe Systems Incorporated)

Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.0.0 - Adobe Systems)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated)

Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)

Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)

Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)

AIDA64 Extreme v4.50 (HKLM-x32\...\AIDA64 Extreme_is1) (Version: 4.50 - FinalWire Ltd.)

Anti-reCAPTCHA v4.01 JD (HKLM-x32\...\{74252365-7BB1-437A-8D61-5B0BD1D9AFAA}) (Version: 4.01 - SONY-TEAM)

Apple Application Support (HKLM-x32\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)

Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)

Babylon (HKLM-x32\...\Babylon) (Version:  - )

BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.8.10.3096 - BlueStack Systems, Inc.)

BlueStacks Notification Center (HKLM-x32\...\{0BED0B96-70B8-4893-884B-DC485DC8C1B7}) (Version: 0.8.10.3096 - BlueStack Systems, Inc.)

Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)

Box Sync (HKLM\...\{09C53B19-C578-4803-95EF-DDEDF89D080C}) (Version: 4.0.5693.0 - Box, Inc.)

Box Sync (x32 Version: 4.0.5116.0 - Box Inc.) Hidden

BS.Player FREE (HKLM-x32\...\BSPlayerf) (Version: 2.67.1076 - AB Team, d.o.o.)

BS.Player PRO (HKLM-x32\...\BSPlayerp) (Version: 2.67.1076 - AB Team, d.o.o.)

CameraHelperMsi (x32 Version: 13.25.1010.0 - Logitech) Hidden

Canon MP Navigator 2.2 (HKLM-x32\...\MP Navigator 2.2) (Version:  - )

Canon MP530 (HKLM\...\{3215EBED-1D06-42fb-A05C-A752A46FB24C}) (Version:  - )

CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)

CloneDVD2 (HKLM-x32\...\CloneDVD2) (Version: 2.9.3.0 - Elaborate Bytes)

Cryptic Disk Professional 3.0.29.569 (HKLM-x32\...\Exlade.CrypticDisk.3_is1) (Version: 3.0.29.569 - Exlade)

CursorFX (x32 Version: 2.00 - Stardock Corporation) Hidden

CyberLink PowerDVD 13 (HKLM-x32\...\InstallShield_{3CFDF154-7E60-4E98-A8DF-C693A4F8E6B6}) (Version: 13.0.3105.58 - CyberLink Corp.)

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

Document Express DjVu Plug-in (HKLM-x32\...\{EF4A5105-384A-4EEA-AD4A-857054586FFA}) (Version: 6.1.26155 - Caminova, Inc.)

DomDomSoft Manga Downloader (remove only) (HKLM-x32\...\DomDomSoft Manga Downloader) (Version:  - )

Dropbox (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Dropbox) (Version: 2.10.52 - Dropbox, Inc.)

erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden

Fences 2 (HKLM-x32\...\Fences 22.01) (Version: 2.01 - Stardock Corporation)

FireArc Arcade (HKLM-x32\...\{00BF5357-F404-4FE9-981D-119E4F5CF9FC}) (Version: 0.6.1 - FireArc.com)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)

Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)

Google Translator (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Google Translator) (Version:  - Dimox)

Google Update Helper (x32 Version: 1.3.25.5 - Google Inc.) Hidden

iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)

iExplorer 3.2.5.6 (HKLM-x32\...\{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1) (Version:  - Macroplant LLC)

iFunbox (v1.99.958.697), iFunbox DevTeam (HKLM-x32\...\iFunbox_is1) (Version: v1.99.958.697 - )

infonoteSMSManager (HKLM-x32\...\{3E904B8A-71C2-4777-ADED-8FC07E5AAEF0}) (Version: 2.0.1 - infonote)

iPhone-Konfigurationsprogramm (HKLM-x32\...\{B90FCEB7-2B0C-4D27-95B5-54238DF059ED}) (Version: 3.6.2.300 - Apple Inc.)

iTunes (HKLM\...\{1CF5754A-545B-4360-BFDE-2847BC728DFC}) (Version: 11.2.0.115 - Apple Inc.)

iTwin 3.5 Final (HKLM-x32\...\iTwin_is1) (Version: 3.5 Final - Stefan Moka)

Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)

Java(TM) 6 Update 21 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416021FF}) (Version: 6.0.210 - Oracle)

JDownloader 2.0 (HKLM-x32\...\jdownloader2) (Version: 2.0 - AppWork GmbH)

jv16 PowerTools 2014 (HKLM-x32\...\jv16 PowerTools 2014) (Version:  - Macecraft Software)

K-Lite Codec Pack 10.0.0 Standard (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.0.0 - )

Logitech SetPoint 6.15 (HKLM\...\SP6) (Version: 6.15.25 - Logitech)

Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.)

LWS VideoEffects (Version: 13.25.1005.0 - Logitech) Hidden

Microsoft .NET Compact Framework 3.5 (HKLM-x32\...\{72CCBEA1-8D57-4981-A337-81019F28C5BA}) (Version: 3.5.7283 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)

Microsoft OneDrive (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation)

Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM\...\{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Mozilla Thunderbird (3.1.20) (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\Mozilla Thunderbird (3.1.20)) (Version: 3.1.20 (de) - Mozilla)

MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)

MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)

multiWeather (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\multiWeather) (Version:  - Isidoro Russo)

Norton Internet Security (HKLM-x32\...\NIS) (Version: 17.9.0.12 - Symantec Corporation)

Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.4.5 - Notepad++ Team)

NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control Panel) (Version: 6.14.12.5896 - NVIDIA Corporation)

NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)

O&O Defrag Professional (HKLM\...\{A5168EBB-F8E1-4B62-8805-C25684DB9E86}) (Version: 17.5.559 - O&O Software GmbH)

O&O DiskRecovery (HKLM\...\{34FE244C-868A-49C3-B378-05FA23244076}) (Version: 9.0.248 - O&O Software GmbH)

ooVoo (HKLM-x32\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 3.6.5001 - ooVoo LLC.)

Opera 12.17 (HKLM-x32\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)

Opera Stable 25.0.1614.71 (HKLM-x32\...\Opera 25.0.1614.71) (Version: 25.0.1614.71 - Opera Software ASA)

Origin (HKLM-x32\...\Origin) (Version: 9.4.22.2815 - Electronic Arts, Inc.)

PDF Password Remover v3.1 (HKLM-x32\...\PDF Password Remover v3.1_is1) (Version:  - VeryPDF.com Inc)

PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)

PhoneClean 3.3.2 (HKLM-x32\...\{2FAFFE02-4D6B-4C0A-906B-1B33DAF0DD14}}_is1) (Version: 3.3.2 - iMobie Inc.)

Photo Transfer App (HKLM-x32\...\com.erclab.air.phototransferapp) (Version: 2.1.0 - UNKNOWN)

Photo Transfer App (x32 Version: 2.1.0 - UNKNOWN) Hidden

PhotoSync (HKLM\...\{3F96040E-35BB-4EE2-89F6-8948F3B4514A}) (Version: 2.2.1 - touchbyte GmbH)

PocketSMS (HKLM-x32\...\{FAF45451-474A-4DC6-A6BB-7866BCBE0C55}) (Version: 1.1.2 - thbi)

QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)

RemoteComms driver (HKLM-x32\...\{43BEEE26-01A8-4EEE-8632-2353261E3B55}) (Version: 1.25.0000 - Oxford Semiconductor)

Revo Uninstaller Pro 3.1.1 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.1 - VS Revo Group, Ltd.)

Samsung ML-1640 Series (HKLM-x32\...\Samsung ML-1640 Series) (Version:  - Samsung Electronics CO.,LTD)

Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)

Skype™ 6.18 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.105 - Skype Technologies S.A.)

Snagit 11 (HKLM-x32\...\{A7E2223E-4AE4-45C8-9B6C-1C893EDF11BD}) (Version: 11.4.0 - TechSmith Corporation)

Snagit 11 (HKLM-x32\...\{D0CC22F6-A67A-4083-A043-E0640CB7A4DF}) (Version: 11.2.1 - TechSmith Corporation)

SopCast 3.8.3 (HKLM-x32\...\SopCast) (Version: 3.8.3 - www.sopcast.com)

SpeedCommander 15 (x64) (HKLM\...\SpeedCommander 15 (x64)) (Version: 15.30.7600 - SWE Sven Ritter)

Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.)

Stardock Fences 2 (HKLM-x32\...\Stardock Fences 2) (Version: 2.13 - Stardock Software, Inc.)

Stardock ObjectDock (HKLM-x32\...\Stardock ObjectDock) (Version: 2.10 - Stardock Software, Inc.)

Stardock Software (x32 Version: 1.00 - Stardock Corporation) Hidden

Subtitle Edit 3.4.3 (HKLM-x32\...\SubtitleEdit_is1) (Version: 3.4.3.0 - Nikse)

Subtitle Workshop 2.51 (HKLM-x32\...\SubtitleWorkshop) (Version:  - )

swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden

System.Data.SQLite v1.0.81.0 (HKLM-x32\...\{02E43EC2-6B1C-45B5-9E48-941C3E1B204A}_is1) (Version: 1.0.81.0 - System.Data.SQLite Team)

Trillian (HKLM-x32\...\Trillian) (Version:  - Cerulean Studios, LLC)

TuneUp Utilities 2014 (de-DE) (x32 Version: 14.0.1000.296 - TuneUp Software) Hidden

TuneUp Utilities 2014 (HKLM-x32\...\TuneUp Utilities) (Version: 14.0.1000.296 - TuneUp Software)

TuneUp Utilities 2014 (x32 Version: 14.0.1000.296 - TuneUp Software) Hidden

TuneUp Utilities Language Pack (de-DE) (x32 Version: 10.0.4410.1 - TuneUp Software) Hidden

TuneUp Utilities Language Pack (de-DE) (x32 Version: 9.0.2000.15 - TuneUp Software) Hidden

TweakMe! (HKLM-x32\...\{709D0207-B1F8-4ADC-BB2F-CDBE2367A475}_is1) (Version: 1.3.0.0 - pXc-coding.com)

Tweaks for Skype (HKLM-x32\...\{2FB1052B-2F3D-48CE-A65D-006240516ECE}_is1) (Version: 1.0.0.2 - pXc-coding.com)

TWIN PS TO PC CONVERTER (HKLM-x32\...\TWIN PS TO PC CONVERTER) (Version:  - )

UxStyle Core Beta (HKLM\...\{8E363055-15E5-4D8A-9C69-A0A9DE9A3337}) (Version: 0.2.1.1 - The Within Network, LLC)

VMware Workstation (HKLM-x32\...\VMware_Workstation) (Version: 10.0.2 - VMware, Inc)

VMware Workstation (Version: 10.0.2 - VMware, Inc.) Hidden

VNC Server 5.2.1 (HKLM\...\{D6443B72-BA51-4465-86DB-4AD2392CBC8E}) (Version: 5.2.1 - RealVNC Ltd)

VNC Viewer 5.2.1 (HKLM\...\{9AF9B020-3266-42E1-9CE9-89C8CD98FB9C}) (Version: 5.2.1 - RealVNC Ltd)

Windows Mobile-Gerätecenter (HKLM\...\{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}) (Version: 6.1.6965.0 - Microsoft Corporation)

Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{92DBCA36-9B41-4DD1-941A-AED149DD37F0}) (Version: 6.1.6965.0 - Microsoft Corporation)

WinMend Folder Hidden 1.5.0 (HKLM-x32\...\WinMend Folder Hidden_is1) (Version:  - WinMend.com)

WinRAR 5.00 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)

Wondershare Dr.Fone für iOS(Build 4.5.1.6) (HKLM-x32\...\{A26F8BBD-EC10-4bdc-8AD8-F146825A8A63}_is1) (Version: 4.5.1.6 - Wondershare Software Co.,Ltd.)

XBMC (HKU\S-1-5-21-306363081-4155975274-668329838-1001\...\XBMC) (Version:  - Team XBMC)

Zona (HKLM-x32\...\Zona) (Version:  - Zona Team)
 

==================== Custom CLSID (selected items): ==========================
 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{4ED64402-CABA-4CD3-943E-B43E0F006016}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreMeter 1.5.0.gadget\cm64.dll (-)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{6538FE62-139F-4136-AEA4-621D4883EB02}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CoreMeter 1.5.0.gadget\CM64.dll (-)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\SkyDriveShell64.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\FileSyncApi64.dll (Microsoft Corporation)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

CustomCLSID: HKU\S-1-5-21-306363081-4155975274-668329838-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
 

==================== Restore Points  =========================
 
 

==================== Hosts content: ==========================
 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 

2014-11-20 10:16 - 2014-10-22 12:05 - 00455068 ___RA C:\Windows\system32\Drivers\etc\hosts

127.0.0.1        activation.acronis.com

127.0.0.1        ds.serving-sys.com

127.0.0.1        googlesyndication.com

127.0.0.1        img-cdn.mediaplex.com

127.0.0.1        live.rads.msn.com

127.0.0.1        ads1.msn.com

127.0.0.1        static.2mdn.net

127.0.0.1        g.msn.com

127.0.0.1        a.ads2.msads.net

127.0.0.1        b.ads2.msads.net

127.0.0.1        ad.doubleclick.net

127.0.0.1        ac3.msn.com

127.0.0.1        rad.msn.com

127.0.0.1        msntest.serving-sys.com

127.0.0.1        bs.serving-sys.com

127.0.0.1        flex.msn.com

127.0.0.1        ec.atdmt.com

127.0.0.1        cdn.atdmt.com

127.0.0.1        db3aqu.atdmt.com

127.0.0.1        cds26.ams9.msecn.net

127.0.0.1        sO.2mdn.net

127.0.0.1        aka-cdn-ns.adtech.de

127.0.0.1        secure.flashtalking.com

127.0.0.1        adnexus.net

127.0.0.1        adnxs.com

127.0.0.1        *.rad.msn.com

127.0.0.1        *.msads.net

127.0.0.1        *.msecn.net

127.0.0.1        secure.tune-up.com
 

There are 1000 more lines.
 
 

==================== Scheduled Tasks (whitelisted) =============
 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 

Task: {05523ABB-7B2B-4575-940B-1F456EC3C844} - System32\Tasks\TechSmith Updater => C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04] (TechSmith Corporation)

Task: {0C0C61F3-0B83-4E2C-BF7B-34B3C62AEA2C} - System32\Tasks\{8EC7710C-AA27-481F-AA29-958F3DAFAA91} => c:\software\opera\opera.exe [2014-04-24] (Opera Software)

Task: {1AA5C656-54EE-4A64-93DF-480DBA5CBD38} - System32\Tasks\Divx-Online-Aktualisierungsprogramm => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe

Task: {1FE4DCF9-529D-4850-947C-81EA35AFE33E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-08] (Google Inc.)

Task: {27137393-D7F0-4A38-8F3E-E65D86A2D4FA} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Software\TuneUp Utilities\OneClick.exe [2014-04-15] (TuneUp Software)

Task: {37C24CA7-5132-4FE6-8227-CA560B7FBED0} - System32\Tasks\CCleanerSkipUAC => C:\Software\CCleaner\CCleaner.exe [2014-07-23] (Piriform Ltd)

Task: {4934B5DA-7CCF-487A-A432-C250B85F7BD0} - System32\Tasks\{5654C332-57E8-47A3-B5AD-49DF4DE31DE1} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe

Task: {4BA86D6E-2A20-4AF1-905C-CC163746F163} - System32\Tasks\Java Update Scheduler => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2014-09-26] (Oracle Corporation)

Task: {4D0ACD21-3228-434D-81A6-81DDC93FEAC6} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

Task: {4D96E9E0-8649-4ABD-A962-F0D06C99E33E} - System32\Tasks\Norton Internet Security - superior - Work C => C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\navw32.exe [2011-09-19] (Symantec Corporation)

Task: {5034040A-EBB5-4671-9E4B-65137B192949} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-12] (Adobe Systems Incorporated)

Task: {6DA2E70F-2E36-46CC-B71E-77470476A3C7} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)

Task: {8A136EC4-A6DC-4140-8312-241B5E263BB9} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search &amp; Destroy 2\SDUpdate.exe

Task: {8AC19292-820C-4BA9-9B40-CC57C05BF44B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search &amp; Destroy 2\SDImmunize.exe

Task: {90F67DD7-2401-4ABB-8327-8136AFBE7E4A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-08] (Google Inc.)

Task: {9B0EF232-94AE-4C13-BFC6-6037F5849BD2} - System32\Tasks\Opera scheduled Autoupdate 1379079645 => C:\Software\Opera\launcher.exe [2014-11-14] (Opera Software)

Task: {AE938D1E-7FD5-4905-B4F4-76C3CBC496A8} - System32\Tasks\{842F8698-D47D-461B-9C45-9D52B1233EAF} => c:\software\opera\opera.exe [2014-04-24] (Opera Software)

Task: {AFB01180-B87A-441A-8A49-F9347D2CD802} - System32\Tasks\Adobe-Online-Aktualisierungsprogramm => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-10-25] (Adobe Systems Incorporated)

Task: {B7A79FA1-F812-4F30-9681-8A22133D1DC1} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search &amp; Destroy 2\SDScan.exe

Task: {D6BF3786-A84F-4952-B263-21EE5555B292} - System32\Tasks\{C00879C7-9663-43C3-97C6-1660731F899F} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe

Task: {D8A31332-4D33-4010-B5EE-3D33AAFBFAAA} - System32\Tasks\{D5A604F5-3011-45C4-86AC-76DED61DF203} => C:\Software\Skype\Phone\Skype.exe [2014-07-02] (Skype Technologies S.A.)

Task: {EEE0B1A6-5DD1-44D6-994B-C7DA64385E10} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2011 => C:\Software\TuneUp Utilities\OneClick.exe [2014-04-15] (TuneUp Software)

Task: {FB203881-70B9-4601-B79B-F469C1DEF1A0} - System32\Tasks\{EF228AEF-23C0-4A72-BC2E-022725514757} => C:\Program Files (x86)\thbi\PocketSMS\PocketSMS.exe

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\Norton Internet Security - superior - Work C.job => C:\Program Files (x86)\Norton Internet Security\Engine\17.9.0.12\navw32.exe
 

==================== Loaded Modules (whitelisted) =============
 

2010-10-04 16:26 - 2008-01-11 05:19 - 00022016 _____ () C:\Windows\System32\ssp2ml6.dll

2010-10-05 16:23 - 2010-06-14 13:34 - 00043008 _____ () C:\Software\Active Desktop Calendar\MouseHook.dll

2013-10-01 09:32 - 2013-10-01 09:32 - 02818216 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll

2014-04-15 14:59 - 2014-04-15 14:59 - 00675640 _____ () C:\Software\TuneUp Utilities\avgrepliba.dll

2011-11-15 17:44 - 2011-11-15 17:44 - 02155848 _____ () C:\Program Files (x86)\Acronis\DiskDirector\OSS\reinstall_svc.exe

2010-10-04 16:26 - 2009-08-15 05:38 - 00614400 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe

2010-10-04 16:26 - 2008-01-11 06:39 - 00327168 _____ () C:\Windows\Samsung\PanelMgr\caller64.exe

2012-06-18 16:24 - 2012-06-18 16:24 - 00222720 _____ () C:\Software\Notepad++\NppShell_05.dll

2014-02-12 19:58 - 2014-02-12 19:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

2014-02-12 19:58 - 2014-02-12 19:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

2014-05-21 07:00 - 2014-04-25 13:11 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl

2014-05-21 07:00 - 2014-04-25 13:11 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl

2014-05-21 07:00 - 2014-04-25 13:11 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl

2014-05-21 07:00 - 2012-08-23 09:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll

2014-05-21 07:00 - 2012-04-03 16:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll

2014-04-14 15:41 - 2014-04-14 15:41 - 01261272 _____ () C:\Software\VMware Workstation\libxml2.dll

2008-03-12 21:00 - 2008-03-12 21:00 - 00059904 _____ () C:\Software\CursorFX\Stardock\CursorFX\zlib1.dll

2014-10-09 09:08 - 2014-10-09 09:08 - 00081056 _____ () C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.dll

2014-11-26 10:05 - 2014-11-26 10:05 - 00043008 _____ () c:\users\superior\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpx2_j3u.dll

2013-08-23 20:01 - 2013-08-23 20:01 - 25100288 _____ () C:\Users\muad'dib\AppData\Roaming\Dropbox\bin\libcef.dll

2014-10-09 09:08 - 2014-10-09 09:08 - 00081056 _____ () C:\Users\superior\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.DLL

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

2014-02-04 17:25 - 2014-02-04 17:25 - 00036672 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\qt_icontray_ex.dll

2014-02-04 17:25 - 2014-02-04 17:25 - 00028992 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\thread_pool.dll

2013-10-10 11:02 - 2013-10-10 11:02 - 00013120 _____ () C:\Program Files (x86)\Common Files\Acronis\TibMounter\icudt38.dll

2014-02-04 17:28 - 2014-02-04 17:28 - 00420160 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll
 

==================== Alternate Data Streams (whitelisted) =========
 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 

AlternateDataStreams: C:\ProgramData\CLDShowX.ini:Update.CL
 

==================== Safe Mode (whitelisted) ===================
 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnsignedThemes => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UnsignedThemes => ""="Service"
 

==================== EXE Association (whitelisted) =============
 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 

==================== MSCONFIG/TASK MANAGER disabled items =========
 

(Currently there is no automatic fix for this section.)
 
 

========================= Accounts: ==========================
 

Administrator (S-1-5-21-306363081-4155975274-668329838-500 - Administrator - Disabled)

Gast (S-1-5-21-306363081-4155975274-668329838-501 - Limited - Disabled)

HomeGroupUser$ (S-1-5-21-306363081-4155975274-668329838-1002 - Limited - Enabled)

muad'dib (S-1-5-21-306363081-4155975274-668329838-1003 - Limited - Enabled) => C:\Users\muad'dib

superior (S-1-5-21-306363081-4155975274-668329838-1001 - Administrator - Enabled) => C:\Users\superior
 

==================== Faulty Device Manager Devices =============
 

Name: NVIDIA nForce-Netzwerkcontroller

Description: NVIDIA nForce-Netzwerkcontroller

Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}

Manufacturer: NVIDIA

Service: NVENETFD

Problem: : This device is disabled. (Code 22)

Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 

Name: StorLib bus (virtual storages support)

Description: StorLib bus (virtual storages support)

Class Guid: {1378e71b-ab4d-4348-af26-cba56b12969e}

Manufacturer: SugarSync

Service: SSCBFS3

Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

Resolution: A registry problem was detected.

 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:

On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
 

==================== Event log errors: =========================
 

Application errors:

==================

Error: (11/25/2014 02:57:56 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Beschreibung = Geplanter Prüfpunkt; Fehler = 0x80070422).
 

Error: (11/24/2014 04:25:48 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".

Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.

Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".
 

Error: (11/24/2014 04:24:40 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".

Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.

Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".
 

Error: (11/24/2014 04:23:45 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".

Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.

Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".
 

Error: (11/23/2014 10:47:15 AM) (Source: System Restore) (EventID: 8193) (User: )

Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Beschreibung = Geplanter Prüfpunkt; Fehler = 0x80070422).
 

Error: (11/20/2014 02:07:07 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\servicing\TrustedInstaller.exe; Beschreibung = Windows Modules Installer; Fehler = 0x80070422).
 

Error: (11/20/2014 02:07:05 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\system32\svchost.exe -k netsvcs; Beschreibung = Windows Update; Fehler = 0x80070422).
 

Error: (11/17/2014 05:12:28 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Name der fehlerhaften Anwendung: bsplayer.exe, Version: 2.6.7.1076, Zeitstempel: 0x2a425e19

Name des fehlerhaften Moduls: bsrendv2.dll, Version: 2.0.0.0, Zeitstempel: 0x52132b86

Ausnahmecode: 0xc0000005

Fehleroffset: 0x000956cc

ID des fehlerhaften Prozesses: 0x66c

Startzeit der fehlerhaften Anwendung: 0xbsplayer.exe0

Pfad der fehlerhaften Anwendung: bsplayer.exe1

Pfad des fehlerhaften Moduls: bsplayer.exe2

Berichtskennung: bsplayer.exe3
 

Error: (11/16/2014 00:34:55 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Name der fehlerhaften Anwendung: bsplayer.exe, Version: 2.6.7.1076, Zeitstempel: 0x2a425e19

Name des fehlerhaften Moduls: bsrendv2.dll, Version: 2.0.0.0, Zeitstempel: 0x52132b86

Ausnahmecode: 0xc0000005

Fehleroffset: 0x00096266

ID des fehlerhaften Prozesses: 0x1640

Startzeit der fehlerhaften Anwendung: 0xbsplayer.exe0

Pfad der fehlerhaften Anwendung: bsplayer.exe1

Pfad des fehlerhaften Moduls: bsplayer.exe2

Berichtskennung: bsplayer.exe3
 

Error: (11/12/2014 03:37:24 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: Fehler beim Erstellen des Wiederherstellungspunkts (Prozess = C:\Windows\servicing\TrustedInstaller.exe; Beschreibung = Windows Modules Installer; Fehler = 0x80070422).
 
 

System errors:

=============

Error: (11/26/2014 10:15:15 AM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT-AUTORITÄT)

Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden.
 

Error: (11/26/2014 10:15:14 AM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR3 gefunden.
 

Error: (11/26/2014 10:05:48 AM) (Source: Service Control Manager) (EventID: 7024) (User: )

Description: Der Dienst "VMware Workstation Server" wurde mit folgendem dienstspezifischem Fehler beendet: %%-1.
 

Error: (11/25/2014 07:01:52 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 

Error: (11/25/2014 07:01:52 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 

Error: (11/25/2014 07:01:51 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 

Error: (11/25/2014 07:01:51 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 

Error: (11/25/2014 07:01:50 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 

Error: (11/25/2014 07:01:47 PM) (Source: Microsoft-Windows-BitLocker-Driver) (EventID: 24620) (User: NT-AUTORITÄT)

Description: Überprüfung des verschlüsselten Volumes: Die Volumeinformationen auf "" können nicht gelesen werden.
 

Error: (11/25/2014 07:01:47 PM) (Source: Disk) (EventID: 11) (User: )

Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk3\DR8 gefunden.
 
 

Microsoft Office Sessions:

=========================

Error: (11/25/2014 02:57:56 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationGeplanter Prüfpunkt0x80070422
 

Error: (11/24/2014 04:25:48 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI62962\detekt.exe.manifest
 

Error: (11/24/2014 04:24:40 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI38962\detekt.exe.manifest
 

Error: (11/24/2014 04:23:45 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Users\superior\AppData\Local\Temp\_MEI58202\detekt.exe.manifest
 

Error: (11/23/2014 10:47:15 AM) (Source: System Restore) (EventID: 8193) (User: )

Description: C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreationGeplanter Prüfpunkt0x80070422
 

Error: (11/20/2014 02:07:07 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x80070422
 

Error: (11/20/2014 02:07:05 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x80070422
 

Error: (11/17/2014 05:12:28 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: bsplayer.exe2.6.7.10762a425e19bsrendv2.dll2.0.0.052132b86c0000005000956cc66c01d002813d38ec93C:\Software\BSPlayer Pro\BSplayerPro\bsplayer.exeC:\Software\BSPlayer Pro\BSplayerPro\bsrendv2.dll865ae9ba-6e74-11e4-99ee-005056c00008
 

Error: (11/16/2014 00:34:55 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: bsplayer.exe2.6.7.10762a425e19bsrendv2.dll2.0.0.052132b86c000000500096266164001d001913a427ea6C:\Software\BSPlayer Pro\BSplayerPro\bsplayer.exeC:\Software\BSPlayer Pro\BSplayerPro\bsrendv2.dll959433d1-6d84-11e4-82e1-005056c00008
 

Error: (11/12/2014 03:37:24 PM) (Source: System Restore) (EventID: 8193) (User: )

Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x80070422
 
 

CodeIntegrity Errors:

===================================

  Date: 2013-01-12 14:14:22.908

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:14:22.640

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:14:16.486

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:14:16.199

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:13:52.003

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:13:51.697

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:13:28.455

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:13:28.132

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:12:09.055

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 

  Date: 2013-01-12 14:12:08.784

  Description: Windows konnte die Abbildintegrität der Datei "\Device\HarddiskVolume2\Users\superior\AppData\Local\Temp\ListOpenedFileDrv_64.sys" nicht überprüfen, weil der Dateihash nicht im System gefunden wurde. Möglicherweise wurde durch eine kürzlich durchgeführte Hardware- oder Softwareänderung eine falsch signierte oder beschädigte Datei oder eine Datei, bei der es sich um schädliche Software aus einer unbekannten Quelle handelt, installiert.
 
 

==================== Memory info =========================== 
 

Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+

Percentage of memory in use: 43%

Total physical RAM: 4095.55 MB

Available physical RAM: 2312.93 MB

Total Pagefile: 8189.29 MB

Available Pagefile: 6286.14 MB

Total Virtual: 8192 MB

Available Virtual: 8191.82 MB
 

==================== Drives ================================
 

Drive c: (Host) (Fixed) (Total:150 GB) (Free:78.06 GB) NTFS

Drive d: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

Drive e: (CRUZER) (Removable) (Total:7.48 GB) (Free:7.41 GB) NTFS

Drive t: (Daten) (Fixed) (Total:71.41 GB) (Free:33.17 GB) NTFS

Drive y: (Backup) (Fixed) (Total:360 GB) (Free:232.58 GB) NTFS
 

==================== MBR & Partition Table ==================
 

========================================================

Disk: 0 (Size: 372.6 GB) (Disk ID: 93937C56)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=150 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=70 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=152.5 GB) - (Type=05)
 

========================================================

Disk: 1 (Size: 931.5 GB) (Disk ID: ADE50C3E)

Partition 1: (Active) - (Size=500.1 GB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=71.4 GB) - (Type=OF Extended)

Partition 3: (Not Active) - (Size=360 GB) - (Type=07 NTFS)
 

========================================================

Disk: 2 (Size: 931.5 GB) (Disk ID: 0AA42E08)

Partition 2: (Active) - (Size=931.5 GB) - (Type=05)
 

========================================================

Disk: 3 (Size: 7.5 GB) (Disk ID: CA75C652)

Partition 1: (Not Active) - (Size=7.5 GB) - (Type=07 NTFS)
 

==================== End Of Log ============================