Oh dear, Avira again... and Box has never seemed right to me.... Code:
2014-11-20 09:41:29,948 - detector - INFO - Starting with process ID 5628
2014-11-20 09:41:29,948 - detector - ERROR - The user is not an Administrator, aborting
2014-11-20 09:42:31,293 - detector - INFO - Starting with process ID 6148
2014-11-20 09:42:31,299 - detector - INFO - Selected Profile Name: Win7SP1x64
2014-11-20 09:42:31,299 - detector - INFO - Selected Driver: C:\Users\Admin\AppData\Local\Temp\_MEI65162\drivers\winpmem64.sys
2014-11-20 09:42:31,301 - detector.service - INFO - Launching service destroyer...
2014-11-20 09:42:31,345 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-20 09:42:31,345 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 09:42:31,345 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 09:42:31,346 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-20 09:42:31,364 - detector.service - INFO - Trying to start the winpmem service...
2014-11-20 09:42:31,380 - detector - INFO - Service started
2014-11-20 09:42:31,380 - detector - INFO - Selected Yara signature file at C:\Users\Admin\AppData\Local\Temp\_MEI65162\rules\signatures.yar
2014-11-20 09:42:31,381 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-20 09:42:33,740 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x086B3690>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x07A10C30>
2014-11-20 09:42:33,740 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x07A10DB0>, DTB: 0x187000
2014-11-20 09:42:33,743 - detector - INFO - Starting yara scanner...
2014-11-20 13:46:17,088 - detector - INFO - Scanning finished
2014-11-20 13:46:17,089 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-20 13:46:17,091 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-20 13:46:17,092 - detector - INFO - Service stopped
2014-11-20 13:46:17,092 - detector - INFO - Analysis finished
2015-01-12 17:12:01,976 - detector - INFO - Starting with process ID 5704
2015-01-12 17:12:02,023 - detector - ERROR - The user is not an Administrator, aborting
2015-01-12 19:17:19,019 - detector - INFO - Starting with process ID 4464
2015-01-12 19:17:19,019 - detector - INFO - Selected Profile Name: Win7SP1x64
2015-01-12 19:17:19,019 - detector - INFO - Selected Driver: C:\Users\Admin\AppData\Local\Temp\_MEI40162\drivers\winpmem64.sys
2015-01-12 19:17:19,019 - detector.service - INFO - Launching service destroyer...
2015-01-12 19:17:19,019 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2015-01-12 19:17:19,019 - detector.service - INFO - Trying to stop the winpmem service...
2015-01-12 19:17:19,019 - detector.service - INFO - Trying to delete the winpmem service...
2015-01-12 19:17:19,019 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2015-01-12 19:17:19,035 - detector.service - INFO - Trying to start the winpmem service...
2015-01-12 19:17:19,112 - detector - INFO - Service started
2015-01-12 19:17:19,112 - detector - INFO - Selected Yara signature file at C:\Users\Admin\AppData\Local\Temp\_MEI40162\rules\signatures.yar
2015-01-12 19:17:19,112 - detector - INFO - Obtaining address space and generating config for volatility
2015-01-12 19:17:20,877 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x089605F0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x07BEAA70>
2015-01-12 19:17:20,877 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x07BEACF0>, DTB: 0x187000
2015-01-12 19:17:20,877 - detector - INFO - Starting yara scanner...
2015-01-12 20:13:04,266 - detector - WARNING - Process avguard.exe (pid: 1976) matched: Xtreme at address: 0x46D4B86, Value:
2015-01-12 20:43:55,970 - detector - WARNING - Process Avira.OE.Servi (pid: 2892) matched: Xtreme at address: 0x6AE31FA4, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF61121A3, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FF2A3, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF61121A7, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF613832B, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF613833D, Value:
2015-01-12 22:23:11,983 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60F98C1, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FBEE9, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6111242, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF612EA28, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF61473E8, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF5EA3007, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60E3340, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60F4F93, Value:
2015-01-12 22:23:11,999 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FC538, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FFB8A, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FFD07, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF610C9BD, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6116AB1, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF612F093, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF613A3D4, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6143857, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6146472, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF61500BF, Value:
2015-01-12 22:23:12,013 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF610D9EC, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF611E130, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6141E0C, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF610E950, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60F06CF, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF60FD84F, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF61013D2, Value:
2015-01-12 22:23:12,029 - detector - WARNING - Process BoxSync.exe (pid: 4912) matched: Njrat at address: 0x7FEF6128776, Value:
2015-01-12 22:34:23,118 - detector - INFO - Scanning finished
2015-01-12 22:34:23,118 - detector.service - INFO - Trying to stop the winpmem service...
2015-01-12 22:34:23,118 - detector.service - INFO - Trying to delete the winpmem service...
2015-01-12 22:34:23,118 - detector - INFO - Service stopped
2015-01-12 22:34:23,118 - detector - INFO - Analysis finished
2015-01-14 17:22:21,693 - detector - INFO - Starting with process ID 696
2015-01-14 17:22:21,753 - detector - ERROR - The user is not an Administrator, aborting
2015-01-14 17:59:36,236 - detector - INFO - Starting with process ID 4080
2015-01-14 17:59:36,236 - detector - INFO - Selected Profile Name: Win7SP1x64
2015-01-14 17:59:36,236 - detector - INFO - Selected Driver: C:\Users\Admin\AppData\Local\Temp\_MEI79842\drivers\winpmem64.sys
2015-01-14 17:59:36,246 - detector.service - INFO - Launching service destroyer...
2015-01-14 17:59:36,246 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2015-01-14 17:59:36,246 - detector.service - INFO - Trying to stop the winpmem service...
2015-01-14 17:59:36,246 - detector.service - INFO - Trying to delete the winpmem service...
2015-01-14 17:59:36,246 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2015-01-14 17:59:36,446 - detector.service - INFO - Trying to start the winpmem service...
2015-01-14 17:59:36,635 - detector - INFO - Service started
2015-01-14 17:59:36,635 - detector - INFO - Selected Yara signature file at C:\Users\Admin\AppData\Local\Temp\_MEI79842\rules\signatures.yar
2015-01-14 17:59:36,635 - detector - INFO - Obtaining address space and generating config for volatility
2015-01-14 17:59:40,375 - detector - INFO - Address space: <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x08820710>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x07BCD050>
2015-01-14 17:59:40,375 - detector - INFO - Profile: <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at 0x07BCD030>, DTB: 0x187000
2015-01-14 17:59:40,378 - detector - INFO - Starting yara scanner...
2015-01-14 19:48:13,690 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6E62B6, Value:
2015-01-14 19:48:13,700 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA71063F, Value:
2015-01-14 19:48:13,700 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA733BC5, Value:
2015-01-14 19:48:13,700 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA74B7FF, Value:
2015-01-14 19:48:13,700 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6E62BA, Value:
2015-01-14 19:48:13,710 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6E62C9, Value:
2015-01-14 19:48:13,710 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6FB264, Value:
2015-01-14 19:48:13,710 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA710643, Value:
2015-01-14 19:48:13,710 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA710652, Value:
2015-01-14 19:48:13,710 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA733BC9, Value:
2015-01-14 19:48:13,720 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA733BD8, Value:
2015-01-14 19:48:13,720 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA74B803, Value:
2015-01-14 19:48:13,720 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7431DB, Value:
2015-01-14 19:48:13,720 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA743201, Value:
2015-01-14 19:48:13,720 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA749016, Value:
2015-01-14 19:48:13,730 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA749022, Value:
2015-01-14 19:48:13,730 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6DB752, Value:
2015-01-14 19:48:13,730 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7264F5, Value:
2015-01-14 19:48:13,730 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA727AFB, Value:
2015-01-14 19:48:13,730 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7446D4, Value:
2015-01-14 19:48:13,740 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6DAB51, Value:
2015-01-14 19:48:13,740 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6DEDDB, Value:
2015-01-14 19:48:13,740 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6E1D31, Value:
2015-01-14 19:48:13,740 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA72C32F, Value:
2015-01-14 19:48:13,740 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA72F4B0, Value:
2015-01-14 19:48:13,750 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7328E4, Value:
2015-01-14 19:48:13,750 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7434AF, Value:
2015-01-14 19:48:13,750 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA70EF3D, Value:
2015-01-14 19:48:13,750 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA6FA6A0, Value:
2015-01-14 19:48:13,750 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA743CA5, Value:
2015-01-14 19:48:13,760 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA7297D0, Value:
2015-01-14 19:48:13,760 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA72A573, Value:
2015-01-14 19:48:13,760 - detector - WARNING - Process avguard.exe (pid: 1728) matched: Njrat at address: 0xA743ED9, Value:
2015-01-14 22:52:09,046 - detector - INFO - Scanning finished
2015-01-14 22:52:09,046 - detector.service - INFO - Trying to stop the winpmem service...
2015-01-14 22:52:09,046 - detector.service - INFO - Trying to delete the winpmem service...
2015-01-14 22:52:09,046 - detector - INFO - Service stopped
2015-01-14 22:52:09,046 - detector - INFO - Analysis finished