Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   G Data meldet wiederholt Problem mit rpcnetp.exe (https://www.trojaner-board.de/166608-g-data-meldet-wiederholt-problem-rpcnetp-exe.html)

writeoff 02.05.2015 10:33
G Data meldet wiederholt Problem mit rpcnetp.exe
 
Hallo zusammen,

ich habe hier einen neuen Lenovo-PC stehen (E73, i5-4460s, 10DR001DGE, W7Prof. 64).
Als Schutzsoftware läuft G DATA Internet Security.

Die Verhaltensüberwachung von G DATA meldet wiederholt einen vermeintlichen Befall der Datei rpcnetp.exe. Hier das Log-File:

Code:
*** Prozess ***

Prozess: 2200
Dateiname: rpcnetp.exe
Pfad: c:\windows\system32\rpcnetp.exe

Herausgeber: Unbekannter Herausgeber
Erstelldatum: 04/22/15 17:40:06
Änderungsdatum: 05/01/15 18:06:34

Gestartet von: services.exe
Herausgeber: Microsoft Windows


*** Aktionen ***

Das Programm hat Aktionen im Namen eines anderen Programmes ausgeführt.
Das Programm stellt eine Verbindung über ein Netzwerk her.
Das Programm hat Dateien im Systemordner gespeichert.
Das Programm hat eine ausführbare Datei angelegt oder manipuliert.
Eine Netzwerkverbindung wurde im Kontext eines anderen Programmes geöffnet.
Das Programm hat eine Kopie von sich selbst angelegt.
Das Programm hat versucht die eigene Programmdatei zu löschen.
Das Programm hat sich selbst gelöscht indem es die Kontrolle über ein anderes Programm übernimmt.
Das Programm hat sich in den Windows Ordner kopiert.
Das Programm hat eine ausführbare Datei im Windows-Ordner angelegt oder manipuliert.


*** Quarantäne ***

Folgende Dateien wurden in Quarantäne verschoben:
C:\Windows\System32\rpcnetp.exe
c:\windows\system32\rpcnetp.exe
c:\windows\syswow64\config\systemprofile\appdata\local\intel\icls client\iclsclient.log
c:\windows\syswow64\ntagent.exe
c:\windows\syswow64\rpcnet.dll
c:\windows\syswow64\upgrd.bat
c:\windows\temp\instb64.sys

Folgende Registry Einträge wurden gelöscht:
\REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

\REGISTRY\USER\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-12-bf-d7-ef-e4 || WpadDetectedUrl

YGLR2rLPCSsn++1ygtkoJ8nGwHJyLSctJ2fQcnIpJy0nDC4nvycn1ysn3QynQicndHJiYnArJycnJyYGuHJycnJiYpArFq0tdw7pcpIrJiYnuaAmJyonKScHynKCYmJygqAtJyonKCcI7HJyJycsJwv8ctJyonKS0CgnKCYmJwidcpIqJycnmdAqJ63gLCcqJygnCI9ycmJicnLwLCcoJiYnCGcmJycmJicHZygnJyYmJwd3KScoJiYnCHcvJygnJycHhysnd3LCcrJw2HKCcnJycnD5cnItJy0nZ3CKcrJiYnKycLpy0VpjprJy0VpjpnJy0VpjpqJw2nKiYmJyonB7coJiYnKCcIty8nKycqJwm3KScnJygnCrcnIMxy8nuWJicpIL1yknKCcnJwfnKCeXcN5ygmJicoKAlnLCD2grJygnJycHeConCwA
Version der Regeln: 5.0.30
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 64bit OS
Version der dll: 51504

C:\Windows\System32\rpcnetp.exe
MD5: 9A66E27C59C804A376A72831B5B771C5
C:\Windows\system32\services.exe
MD5:
Ich habe die Verschiebung der Datei in Quarantäne gewählt, aber das Problem taucht immer wieder auf.
Die betroffene Datei rpcnetp.exe scheint sogar vom System immer wieder neu erzeugt zu werden, zumindest kann ich über die Systemwiederherstellung nachvollziehen, dass es von der Datei immer wieder neue Versionen zu geben scheint. Inzwischen sind mehrere Versionen der Datei in Quarantäne.

Eine der in Quarantäne verschobenen Dateien hat etwas mit dem icls Client zu tun. Dieser ist lt. Web Bestandteil der Intel Management Engine, die auf meinem System installiert ist. Möglicherweise handelt es sich um einen Fehlalarm, aber ich würde gerne auf Nummer sicher gehen, bevor ich Aktivitäten dauerhaft erlaube, die G Data beanstandet.

Natürlich habe ich zuerst den Kontakt zu G Data gesucht. Die haben mir gestern auch bestätigt, dass sie alle erforderlichen Informationen vor einer Woche erhalten haben. Allerdings gibt es bei den Kollegen so viel zu tun, dass man mir nicht sagen kann, bis wann man sich mit meinem Problem beschäftigen wird. Darum bitte ich Euch, mir Eure Unterstützung zu gewähren, damit ich in der Sache weiter komme und ein mögliches Risiko beseitigen kann.

Vielen Dank vorab für Eure Hilfe.
writeoff

schrauber 02.05.2015 22:49
hi,

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)
  • Starte jetzt FRST.
  • Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
  • Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
  • Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)


writeoff 03.05.2015 08:53
Hi schrauber,

danke, dass Du mir hilfst.

Der Download hat geklappt.

Beim Start von FRST meldete die GData VErhaltensüberwachung ein neues Problem

Code:
*** Prozess ***

Prozess: 4852
Dateiname: erunt.exe
Pfad: c:\windows\erunt.exe

Herausgeber: Unbekannter Herausgeber
Erstelldatum: 02/22/13 15:05:21
Änderungsdatum: 02/22/13 02:04:50

Gestartet von: cmd.exe
Herausgeber: Microsoft Windows


*** Aktionen ***

Ein Packer wurde auf die Programmdatei angewandt. Möglicherweise um schädliche Inhalte zu verbergen.
Das Programm hat in Dateien oder Ordnern geschrieben, die genutzt werden können, um das System zu gefährden.
Das Programm hat Werte in der System-Registrierung verändert die genutzt werden können um das System zu gefährden.

YGLRtuLAcnJycmJi0HJycnJiYuByciYnZ2JicCp0ckInJyYGt3JycnJiYnAsJycnJyYGaHJycnJiYoArJycnJyYGmXJykCsWbSsJyXJycKdycnB4cnJycmJicJlycnJyYmJwunKxXmO2cnKxXmO2cmJicI5ycgAA
Version der Regeln: 5.0.30
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 64bit OS
Version der dll: 51504

ERUNT.exe  C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
MD5: 2E0323A94915FAAB10A25F3BABF82584
C:\Windows\system32\cmd.exe /c ERUNT.exe C:\FRST\HIVES silent sysreg curuser /noconfirmdelete /noprogresswindow
MD5:
Ich habe den Programmzugriff dann einmalig erlaubt, damit wir weiterkommen.


Hier die Ergebnisse:

1. Addition.txt

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-05-2015
Ran by XXXXXX XXXXXX at 2015-05-03 09:43:02
Running from C:\Users\XXXXXX XXXXXX\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1668834982-245352921-3405046034-500 - Administrator - Disabled)
Backup (S-1-5-21-1668834982-245352921-3405046034-1004 - Limited - Enabled)
Gast (S-1-5-21-1668834982-245352921-3405046034-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1668834982-245352921-3405046034-1003 - Limited - Enabled)
XXXXXX XXXXXX (S-1-5-21-1668834982-245352921-3405046034-1001 - Administrator - Enabled) => C:\Users\XXXXXX XXXXXX

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: G DATA INTERNET SECURITY (Enabled - Up to date) {545C8713-0744-B079-87F8-349A6D5C8CF0}
AS: G DATA INTERNET SECURITY (Enabled - Up to date) {EF3D66F7-217E-BFF7-BD48-0FE816DBC64D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: G*DATA Personal Firewall (Enabled) {6C670636-4D2B-B121-ACA7-9DAF938FCB8B}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
AAVUpdateManager (HKLM-x32\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe Acrobat Reader DC - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 17.0.0.144 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)
Create Recovery Media (HKLM-x32\...\{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}) (Version: 1.20.0.00 - Lenovo Group Limited)
DisplayLink Core Software (HKLM\...\{58F4C39B-D946-4A45-A314-DEFC2AFDF397}) (Version: 7.5.54609.0 - DisplayLink Corp.)
Elevated Installer (x32 Version: 4.0.17.0 - Garmin Ltd or its subsidiaries) Hidden
Energie-Manager (HKLM-x32\...\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}_is1) (Version: 3.20.0008 - Lenovo Group Limited)
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
G DATA INTERNET SECURITY (HKLM-x32\...\{AC68D2FF-1674-4C16-A536-A69FC11BBD82}) (Version: 25.1.0.4 - G DATA Software AG)
Garmin Express (HKLM-x32\...\{9e8d8fbd-a697-491e-b887-99b98b6463e4}) (Version: 4.0.17.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 4.0.17.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 4.0.17.0 - Garmin Ltd or its subsidiaries) Hidden
GTR 2 (HKLM-x32\...\GTR 2_is1) (Version:  - SimBin)
HP Officejet Pro 8500 A910 - Grundlegende Software für das Gerät (HKLM\...\{0A8BEF69-0DD7-4A8F-9AED-0CB91BEBCB58}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Officejet Pro 8500 A910 Hilfe (HKLM-x32\...\{871B2A9D-0F12-44B3-88C1-E0CB10A232E4}) (Version: 140.0.2.2 - Hewlett Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.0.0.1323 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.0.0.1098 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
Intel® Chipsatz-Gerätesoftware (x32 Version: 10.0.13 - Intel(R) Corporation) Hidden
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
KeePass Password Safe 2.28 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version: 2.28 - Dominik Reichl)
Lenovo Patch Utility 64 bit (HKLM\...\{ABE4638D-D208-4061-9F26-E3E11E3A1E0C}) (Version: 1.3.1.1 - Lenovo Group Limited)
Lenovo Registration (HKLM-x32\...\{6707C034-ED6B-4B6A-B21F-969B3606FBDE}) (Version: 1.0.3 - Lenovo Inc.)
Lenovo SHAREit (HKLM-x32\...\Lenovo SHAREit_is1) (Version: 1.0.10.0 - Lenovo Group Limited)
Lenovo Solution Center (HKLM\...\{1CA74803-5CB2-4C03-BDBE-061EDC81CC7F}) (Version: 2.8.004.00 - Lenovo Group Limited)
Lenovo System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 5.06.0034 - Lenovo)
Lenovo USB Graphics (HKLM\...\{E6B1FE9A-CB1E-4096-A0AF-163419CB971C}) (Version: 7.5.54614.0 - Lenovo)
Lenovo USB3.0 to DVI VGA Monitor Adapter (HKLM-x32\...\{454D32AD-C149-49BE-9F2E-8C089C3D6620}) (Version: 1.07.17 - Lenovo)
Lenovo User Guide (HKLM-x32\...\{13F59938-C595-479C-B479-F171AB9AF64F}) (Version: 1.0.0008.00 - Ihr Firmenname)
Logitech Gaming Software 5.10 (HKLM\...\{1444D2EE-C7AD-44A8-844F-2634B49353D1}) (Version: 5.10.127 - Logitech)
Logitech Webcam-Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
Message Center Plus (HKLM\...\{3849486C-FF09-4F5D-B491-3E179D58EE15}) (Version: 3.1.0004.00 - Lenovo Group Limited)
Metric Collection SDK (x32 Version: 1.1.0005.00 - Lenovo Group Limited) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft-Maus- und Tastatur-Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Mindjet (HKLM-x32\...\{EAFBFF2D-5553-474A-85FA-863A82F00900}) (Version: 11.3.305 - Mindjet)
Mozilla Firefox 37.0.2 (x86 de) (HKLM-x32\...\Mozilla Firefox 37.0.2 (x86 de)) (Version: 37.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 37.0.1 - Mozilla)
Nitro Pro 9 (HKLM\...\{237990BC-415C-4CE8-B279-37892516D9F2}) (Version: 9.0.6.20 - Nitro)
NVIDIA Grafiktreiber 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.52 - NVIDIA Corporation)
NVIDIA HD-Audiotreiber 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
OBELISK top2 (HKLM-x32\...\OBELISK top2_is1) (Version:  - Theben AG)
PDF-XChange 2012 (HKLM\...\{504022CD-6A58-42D5-ACC9-966F695AAD93}_is1) (Version: 5.0.266.0 - Tracker Software Products Ltd)
Personal Backup 5.6 (HKLM\...\Personal Backup 5_is1) (Version: 5.6.8.2 - Dr. J. Rathlev)
PowerDVD Create (HKLM-x32\...\InstallShield_{DE485075-8CD3-4A1E-9ABC-6412EBA44872}) (Version: 10.0 - CyberLink Corp.)
PowerDVD Create 10 (x32 Version: 10.0.1.3710 - CyberLink Corp.) Hidden
Realtek Card Reader (HKLM-x32\...\{F0A8BF4A-972F-41E0-9800-1EFE3BF28266}) (Version: 6.2.9200.30158 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.67.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7116 - Realtek Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
Simple Sudoku 4.2 (HKLM-x32\...\Simple Sudoku_is1) (Version:  - )
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
SteuerSparErklärung 2015 (HKLM-x32\...\{312C0E08-8F94-4536-AAF6-3413F784AC5F}) (Version: 20.32.155 - Akademische Arbeitsgemeinschaft)
Synergy (64-bit) (HKLM\...\{FDD88467-9C61-4E2D-BA69-2A89735A21CC}) (Version: 1.5.0 - The Synergy Project)
Teachmaster 4.3 (nur Entfernen) (HKLM-x32\...\Teachmaster 4.3) (Version:  - )
ThinkVantage Communications Utility (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 3.0.42.0 - Lenovo)
USB Enhanced Performance Keyboard (HKLM\...\{989DC5D9-A776-430D-9E16-D36E5B81CD86}) (Version: 2.0.2.2 - Lenovo)
View Management Utility (HKLM\...\View Management Utility_is1) (Version: 3.0.1.20120921 - Lenovo Inc.)
WaveEditor (HKLM-x32\...\InstallShield_{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}) (Version: 1.0.1.4514 - CyberLink Corp.)
WaveEditor (x32 Version: 1.0.1.4514 - CyberLink Corp.) Hidden
Windows-Treiberpaket - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows-Treiberpaket - NVIDIA (nvlddmkm) Display  (01/10/2014 9.18.13.3238) (HKLM\...\E9A4B47F71DBAB00739515AD85C58A7593BACBEA) (Version: 01/10/2014 9.18.13.3238 - NVIDIA)
Windows-Treiberpaket - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

16-04-2015 09:11:49 20150417 vor lenovo updates
16-04-2015 10:56:47 20150417 nach lenovo, nvidia, firefox, g25  vor gtr2
16-04-2015 10:59:22 DirectX wurde installiert
16-04-2015 11:16:38 20150417 nach gtr2 vor syncmaster
16-04-2015 11:40:12 20150417 nach syncmaster
16-04-2015 11:42:44 Installed Microsoft Office Professional Plus 2010
16-04-2015 11:52:51 Removed Microsoft Office
16-04-2015 11:55:28 20150417 nach office vor project
16-04-2015 11:57:50 Installed Microsoft Project Professional 2010
16-04-2015 12:03:59 Installed Microsoft Visio Premium 2010
16-04-2015 12:07:49 20150417nach Project, VIsio vor Windows update
16-04-2015 12:37:09 Windows Update
16-04-2015 13:13:41 Windows Update
16-04-2015 13:24:16 20150417 office komplett
16-04-2015 13:34:02 Windows Update
16-04-2015 14:18:23 20150417nach skype, silverlight, mouse  vor mindmanager
16-04-2015 14:20:34 Installed Mindjet.
16-04-2015 14:51:23 20150417 nach MIndmanager
16-04-2015 18:26:39 20150417 nach MIndmanager vor Drucker
16-04-2015 18:57:13 SteuerSparErklärung 2015 wurde installiert.
16-04-2015 18:58:38 Installed AAVUpdateManager.
16-04-2015 19:06:59 20150417 nach drucker, keepass und steuer; vor adobe
16-04-2015 19:10:04 Removed Adobe Reader X (10.1.7) MUI.
16-04-2015 19:58:08 20150417 nach adobe vor kleinzeugs
16-04-2015 19:59:14 Installed Synergy (64-bit)
16-04-2015 20:00:42 Windows Modules Installer
16-04-2015 20:07:36 Installed 7-Zip 9.20 (x64 edition)
16-04-2015 20:24:09 20150417 nach kleinzeugs vor garmin
16-04-2015 20:57:55 20150417 Basisrechner ohne GArmin
16-04-2015 21:12:33 Windows-Sicherung
17-04-2015 15:04:28 20150418 nach Outlook und firefox vor garmin
17-04-2015 15:29:13 Sprachpaketdeinstallation
17-04-2015 16:08:04 Garmin Express
17-04-2015 21:07:58 20150417 Komplette Installation
17-04-2015 22:25:41 Windows Update
22-04-2015 19:08:10 20150421 vor virus quarantäne
02-05-2015 12:49:06 Geplanter Prüfpunkt

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {028D016B-AEB9-401C-AF9F-041A2C4D6DDF} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {0D4E6746-882E-42C0-B262-2B3BDC76C667} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {2F2FF5A7-4EB8-479D-B8B9-6A377DAE7DB8} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {397C821B-11B3-4230-AB0F-5E51B33EA316} - System32\Tasks\RtHDVBg_LENOVO_MICPKEY => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2013-11-13] (Realtek Semiconductor)
Task: {3C09831B-FAF8-4FF1-A0B1-81D5A3838EAA} - System32\Tasks\TVT\TVSUUpdateTask => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [2015-03-27] ()
Task: {3DD7CAC4-43A3-4E37-AFBA-19FCDAA6B7CA} - System32\Tasks\{5C755EAB-2069-42B3-82FA-14707930F6C8} => pcalua.exe -a "C:\Users\XXXXXX XXXXXX\Downloads\Games\lgs510.exe" -d "C:\Users\XXXXXX XXXXXX\Downloads\Games"
Task: {3ED8BCAD-0D52-4509-B2A1-0E9909C0D53A} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {4BEFA616-F68B-46C6-BA77-1E2D5BF8CCFF} - System32\Tasks\Lenovo\Message Center Plus Launcher => C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe [2012-05-15] (Lenovo)
Task: {4E391E70-CF01-4931-BF8B-70F07E113667} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {5DE76225-9DAB-4A21-849B-8503B39F3939} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2015-03-09] (Lenovo)
Task: {70E0B315-E816-4A44-90A1-2F11695D676D} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-25] (Microsoft Corporation)
Task: {7CEB4B03-13B6-4AF4-AD41-9FBD91A8FC00} - System32\Tasks\PMTask => C:\Program Files (x86)\Lenovo\PowerMgr\PwmIdTsv.exe [2014-03-05] (Lenovo Group Limited)
Task: {85C4DEBE-C483-40A8-8AAE-87DFBA4EA8FB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-16] (Adobe Systems Incorporated)
Task: {8D3BF5B1-7D64-49AA-B4ED-3454953828CE} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {9E064A0C-B6B6-446B-B5D3-466238EAD512} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-02-13] (Lenovo)
Task: {A04A2D3B-C1E8-4D38-9AC0-9FC61F1C34CB} - System32\Tasks\Lenovo\LSC\LSCTaskService => C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCTaskService.exe [2015-03-09] (Lenovo)
Task: {ABCF8661-794A-4238-86BD-A368B2EFC154} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {B7F3A3B4-8EAC-46A9-92A5-4446D0D61218} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {BC490265-B4E6-4636-AEB2-4980CDEF3F8E} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {BC78E8EB-863E-41DA-B5CC-658FB042B54F} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2013-12-17] (Realtek Semiconductor)
Task: {C199D663-3941-4551-9F4E-E8E127F9600A} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2015-03-09] (Lenovo)
Task: {CC6B33CF-9DAC-4FE1-BA71-88723C5766EC} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express Self Updater\ExpressSelfUpdater.exe [2015-04-12] ()
Task: {D0647402-7FCD-4A93-9F8A-15DC1C65754B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)
Task: {DD947DFE-4912-4E97-AE7D-91F8DF5CB124} - System32\Tasks\CLMLSvc => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [2013-03-06] (CyberLink)
Task: {DF20D329-10B6-40FA-9B46-C66BB493A2ED} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {F0DBCA59-82C7-4205-A499-3CFB5995872F} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-03-07] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) ==============

2014-08-14 17:51 - 2015-02-05 21:07 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2008-10-24 16:35 - 2008-10-24 16:35 - 00128296 _____ () C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
2014-05-23 17:02 - 2014-05-23 17:02 - 00298496 _____ () C:\Program Files\Synergy\synergyd.exe
2015-02-20 05:42 - 2015-02-20 05:42 - 00382072 ____N () C:\Program Files (x86)\Common Files\G Data\AVKProxy\PktIcpt2x64.dll
2014-05-23 17:02 - 2014-05-23 17:02 - 00011264 _____ () C:\Program Files\Synergy\synwinhk.DLL
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2014-05-23 17:02 - 2014-05-23 17:02 - 01050112 _____ () C:\Program Files\Synergy\synergys.exe
2013-03-06 21:49 - 2013-03-06 21:49 - 00626240 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
2013-03-06 21:52 - 2013-03-06 21:52 - 00015424 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: DisplayLinkService => 2
MSCONFIG\Services: Garmin Device Interaction Service => 3
MSCONFIG\Services: Lenovo EasyPlus Hotspot => 3
MSCONFIG\Services: LENOVO.CAMMUTE => 2
MSCONFIG\Services: LENOVO.TPKNRSVC => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: LSCWinService => 3
MSCONFIG\Services: nlsX86cc => 2
MSCONFIG\Services: Power Manager DBC Service => 3
MSCONFIG\Services: PwmEWSvc => 3
MSCONFIG\Services: rpcnet => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: SUService => 3
MSCONFIG\startupfolder: C:^Users^XXXXXX XXXXXX^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Produktregistrierung.lnk => C:\Windows\pss\Logitech . Produktregistrierung.lnk.Startup
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: Enhanced Performance Keyboard => C:\Program Files\Lenovo\USB Enhanced Performance Keyboard\SKDaemon.exe
MSCONFIG\startupreg: GarminExpressTrayApp => "C:\Program Files (x86)\Garmin\Express Tray\tray.exe"
MSCONFIG\startupreg: HP Officejet Pro 8500 A910 (NET) => "C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe" -deviceID "CN0BCAM1Q6:NW" -scfn "HP Officejet Pro 8500 A910 (NET)" -AutoStart 1
MSCONFIG\startupreg: KeePass 2 PreLoad => "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
MSCONFIG\startupreg: Lenovo Registration => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
MSCONFIG\startupreg: LENOVO.TPKNRRES => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
MSCONFIG\startupreg: LWS => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: MMReminderService => C:\Program Files (x86)\Mindjet\MindManager 11\MMReminderService.exe
MSCONFIG\startupreg: NvBackend => "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
MSCONFIG\startupreg: Power Manager Startup Utility => C:\Program Files (x86)\Lenovo\PowerMgr\DPMHost.exe
MSCONFIG\startupreg: Start WingMan Profiler => C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

FirewallRules: [{91E39B68-F022-4A9C-A064-B5BAB3BC84C0}] => (Allow) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E9DD5C50-86FE-4C73-AE97-CFCF0EAFAA09}] => (Allow) C:\Program Files (x86)\lenovo\SHAREit\SHAREit.exe
FirewallRules: [{94157D23-2C86-46BA-B0D9-DC484CAAB162}] => (Allow) C:\Program Files (x86)\lenovo\SHAREit\SHAREit.exe
FirewallRules: [{373615F2-BA43-4D57-AACE-4B0B494C99A9}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{B1FA88B5-2D43-411E-8BD8-F8ED6AF3E1DF}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{9BF9D313-D91F-4953-837E-511FFE5676E1}] => (Allow) C:\Users\XXXXXX XXXXXX\AppData\Local\Temp\7zS6EF7.tmp\SymNRT.exe
FirewallRules: [{F0CD1910-BEE8-48D6-A4B9-9A16D446EA2E}] => (Allow) C:\Users\XXXXXX XXXXXX\AppData\Local\Temp\7zS6EF7.tmp\SymNRT.exe
FirewallRules: [{6BA94245-AA81-48A4-81F1-81A9B6AE88E7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F7597BA0-363F-4B8B-A447-19C8626F7BAE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EF2F5E02-DE9A-42A0-8A80-0C7925B68A9B}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
FirewallRules: [{0CFB4973-F2BD-4AF6-A264-B3CE5DBA3913}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
FirewallRules: [{AF9AD2B1-51F4-4EA5-9A44-D9BAC22D269F}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
FirewallRules: [{DD2012EF-5FC9-4F7C-9DA5-619BDE2F7F4F}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
FirewallRules: [{BDC2BDD1-7CD2-4B5D-B1D6-19859297AA9E}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office14\outlook.exe
FirewallRules: [{750F24C1-681B-461B-AFC5-75466901F70E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{A42D7995-E6BA-4329-9B45-BFDEFE5BB783}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\FaxApplications.exe
FirewallRules: [{117646AB-E3F1-49DF-9DB1-EB3C52C8F312}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\DigitalWizards.exe
FirewallRules: [{264F3E4C-D8E6-4807-AEF0-BBDD110FD559}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\SendAFax.exe
FirewallRules: [{CB4B6D53-93C7-47CF-A060-F8E2A33E6AC2}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\DeviceSetup.exe
FirewallRules: [{DCE64E96-91BB-497B-8C85-070E65F6460D}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPNetworkCommunicator.exe
FirewallRules: [{82EE2663-F1E9-42AE-8520-CD8177EB0BFC}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{9BCFC4BC-EEA9-457F-927D-F491844477E7}] => (Allow) C:\Program Files\Synergy\synergys.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/03/2015 09:32:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 10:48:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 10:39:16 AM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (05/02/2015 10:32:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 09:57:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 09:46:32 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/01/2015 09:47:57 PM) (Source: Microsoft Office 14) (EventID: 2000) (User: )
Description: Microsoft Outlook: Accepted Safe Mode action : Schwerwiegender Fehler in Outlook beim g data outlook add-in-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?.
Accepted Safe Mode action : Microsoft Outlook.

Error: (05/01/2015 09:47:51 PM) (Source: Microsoft Office 14) (EventID: 2000) (User: )
Description: Microsoft Outlook: Accepted Safe Mode action : Schwerwiegender Fehler in Outlook beim g data outlook add-in-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?.
Accepted Safe Mode action : Microsoft Outlook.

Error: (05/01/2015 08:36:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/01/2015 08:09:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: GTR2.exe, Version: 1.1.0.0, Zeitstempel: 0x452c9f16
Name des fehlerhaften Moduls: GTR2.exe, Version: 1.1.0.0, Zeitstempel: 0x452c9f16
Ausnahmecode: 0xc0000005
Fehleroffset: 0x001fde06
ID des fehlerhaften Prozesses: 0x14a4
Startzeit der fehlerhaften Anwendung: 0xGTR2.exe0
Pfad der fehlerhaften Anwendung: GTR2.exe1
Pfad des fehlerhaften Moduls: GTR2.exe2
Berichtskennung: GTR2.exe3


System errors:
=============
Error: (05/02/2015 03:27:05 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053TrustedInstaller{752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (05/02/2015 03:27:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "Windows Modules Installer" wurde aufgrund folgenden Fehlers nicht gestartet:
%%1053

Error: (05/02/2015 03:27:04 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Windows Modules Installer erreicht.

Error: (05/02/2015 09:55:48 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Der Dienst "Funktionssuche-Ressourcenveröffentlichung" wurde mit folgendem Fehler beendet:
%%-2147014847

Error: (05/01/2015 08:35:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "rpcnetp" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error: (04/27/2015 07:16:48 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Der Dienst "Windows Update" wurde mit folgendem Fehler beendet:
%%-2147467243

Error: (04/27/2015 07:14:03 AM) (Source: Application Popup) (EventID: 877) (User: )
Description: Fehler [DATABASE OPEN FAILED] beim Verarbeiten der Treiberdatenbank.

Error: (04/26/2015 06:45:59 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht.

Error: (04/19/2015 00:53:16 PM) (Source: Microsoft-Windows-Time-Service) (EventID: 34) (User: NT-AUTORITÄT)
Description: Der Zeitdienst hat festgestellt, dass die Systemzeit um 86392 Sekunden geändert werden muss. Die Systemzeit kann durch den Zeitdienst um maximal 54000 Sekunden geändert werden. Stellen Sie sicher, dass die Uhrzeit und Zeitzone richtig sind und dass die Zeitquelle time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->23.99.222.162:123) ordnungsgemäß ausgeführt wird.

Error: (04/17/2015 08:23:06 PM) (Source: srv) (EventID: 2017) (User: )
Description: Der Server konnte keinen nicht-ausgelagerten Poolspeicher reservieren, da die konfigurierte Grenze für die Reservierung von nicht-ausgelagertem Poolspeicher erreicht wurde.


Microsoft Office Sessions:
=========================
Error: (05/03/2015 09:32:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 10:48:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 10:39:16 AM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (05/02/2015 10:32:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 09:57:29 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/02/2015 09:46:32 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/01/2015 09:47:57 PM) (Source: Microsoft Office 14) (EventID: 2000) (User: )
Description: Microsoft OutlookSchwerwiegender Fehler in Outlook beim g data outlook add-in-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?

Error: (05/01/2015 09:47:51 PM) (Source: Microsoft Office 14) (EventID: 2000) (User: )
Description: Microsoft OutlookSchwerwiegender Fehler in Outlook beim g data outlook add-in-Add-In. Falls diese Fehlermeldung mehrmals angezeigt wurde, sollten Sie dieses Add-In deaktivieren und überprüfen, ob ein Update verfügbar ist. Möchten Sie dieses Add-In deaktivieren?

Error: (05/01/2015 08:36:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/01/2015 08:09:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: GTR2.exe1.1.0.0452c9f16GTR2.exe1.1.0.0452c9f16c0000005001fde0614a401d0843947160262C:\SimBin\P&G 3.1\GTR2.exeC:\SimBin\P&G 3.1\GTR2.exe40446a0f-f02d-11e4-b7fa-448a5bc5dc44


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-4460S CPU @ 2.90GHz
Percentage of memory in use: 44%
Total physical RAM: 4043.07 MB
Available physical RAM: 2234.04 MB
Total Pagefile: 8084.34 MB
Available Pagefile: 5685.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:910.52 GB) (Free:543.96 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive q: (Lenovo_Recovery) (Fixed) (Total:19.53 GB) (Free:7.69 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 81F2BA25)
Partition 1: (Active) - (Size=1.5 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=910.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=19.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

FRST.txt kommt in weiterem Post.


Beste Grüße

writeoff

writeoff 03.05.2015 08:56
... und jetzt der erste Teil der FRST.txt:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-05-2015
Ran by XXXXXX XXXXXX (administrator) on E73 on 03-05-2015 09:42:11
Running from C:\Users\XXXXXX XXXXXX\Desktop
Loaded Profiles: XXXXXX XXXXXX (Available profiles: XXXXXX XXXXXX)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\GDScan\GDScan.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKProxy.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe
() C:\Program Files\Synergy\synergyd.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFwSvcx64.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKBap64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\GDKBFltExe32.exe
(G DATA Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFirewallTray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Program Files\Synergy\synergys.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [GDFirewallTray] => C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFirewallTray.exe [1855608 2015-02-20] (G DATA Software AG)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\...\Run: [Power2GoExpress] => NA
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\...\MountPoints2: {a438ebc5-e483-11e4-b50f-806e6f6e6963} - Q:\LenovoQDrive.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/welcome/thinkcentre
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1668834982-245352921-3405046034-1001 -> DefaultScope {7EF566CC-A607-4F01-A850-3B859A49212D} URL =
SearchScopes: HKU\S-1-5-21-1668834982-245352921-3405046034-1001 -> {7EF566CC-A607-4F01-A850-3B859A49212D} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-16] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-16] (Oracle Corporation)
BHO-x32: CmjBrowserHelperObject Object -> {6FE6A929-59D1-4763-91AD-29B61CFFB35B} -> C:\Program Files (x86)\Mindjet\MindManager 11\Mm8InternetExplorer.dll [2013-05-14] (Mindjet)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-16] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-16] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-16] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-03-12] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-03-12] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 9\npnitromozilla.dll [2014-02-14] (Nitro PDF)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Extension: Adblock Plus Pop-up Addon - C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\adblockpopups@jessehakanen.net.xpi [2015-04-16]
FF Extension: Ghostery - C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\firefox@ghostery.com.xpi [2015-04-16]
FF Extension: NoScript - C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-04-16]
FF Extension: Adblock Plus - C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-16]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe [128296 2008-10-24] ()
R2 AVKProxy; C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKProxy.exe [2528888 2015-04-16] (G Data Software AG)
R2 AVKService; C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKService.exe [965240 2015-02-20] (G Data Software AG)
R2 AVKWCtl; C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [3672560 2015-04-07] (G Data Software AG)
S4 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [9954096 2014-03-31] (DisplayLink Corp.)
S4 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [708104 2015-04-12] (Garmin Ltd. or its subsidiaries)
R3 GDFwSvc; C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFwSvcx64.exe [3193080 2015-02-20] (G Data Software AG)
R3 GDScan; C:\Program Files (x86)\Common Files\G Data\GDScan\GDScan.exe [789112 2015-03-04] (G Data Software AG)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-02-26] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
S4 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [532224 2014-04-22] (Lenovo)
S4 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272440 2015-03-09] (Lenovo)
R2 NitroDriverReadSpool9; C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe [230920 2014-02-14] (Nitro PDF Software)
S4 Power Manager DBC Service; C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.EXE [63848 2014-03-05] (Lenovo)
S4 PwmEWSvc; C:\Program Files (x86)\Lenovo\PowerMgr\PWMEWSVC.EXE [186728 2014-03-05] (Lenovo Group Limited)
S4 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [49136 2015-03-27] ()
R2 Synergy; C:\Program Files\Synergy\synergyd.exe [298496 2014-05-23] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 GDBehave; C:\Windows\System32\drivers\GDBehave.sys [150016 2015-04-16] (G Data Software AG)
R3 GDKBB; C:\Windows\system32\drivers\GDKBB64.sys [27648 2015-04-16] (G Data Software AG)
R3 GDKBFlt; C:\Windows\system32\drivers\GDKBFlt64.sys [20992 2015-04-16] (G Data Software AG)
R1 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [230400 2015-04-16] (G Data Software AG)
R3 GDPkIcpt; C:\Windows\system32\drivers\PktIcpt.sys [75776 2015-04-16] (G Data Software AG)
R1 gdwfpcd; C:\Windows\System32\drivers\gdwfpcd64.sys [64512 2015-04-22] (G Data Software AG)
R1 GRD; C:\Windows\system32\drivers\GRD.sys [106272 2015-05-02] (G Data Software)
R1 HookCentre; C:\Windows\system32\drivers\HookCentre.sys [124928 2015-04-16] (G Data Software AG)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2014-02-06] (Intel Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-03 09:42 - 2015-05-03 09:42 - 00013216 _____ () C:\Users\XXXXXX XXXXXX\Desktop\FRST.txt
2015-05-03 09:34 - 2015-05-03 09:42 - 00000000 ____D () C:\FRST
2015-05-03 09:32 - 2015-05-03 09:33 - 02101248 _____ (Farbar) C:\Users\XXXXXX XXXXXX\Desktop\FRST64.exe
2015-05-02 14:06 - 2015-05-02 14:06 - 00106272 _____ (G Data Software) C:\Windows\system32\Drivers\GRD.sys
2015-05-02 14:06 - 2015-05-02 14:06 - 00018160 _____ (G Data Software) C:\Windows\system32\Drivers\GdPhyMem.sys
2015-05-02 11:14 - 2015-05-02 11:14 - 00002322 _____ () C:\Users\XXXXXX XXXXXX\Documents\G*DATA Protokoll ID 110.txt
2015-04-23 10:57 - 2015-04-23 10:57 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\CyberLink
2015-04-23 10:55 - 2015-04-23 10:57 - 00000000 ____D () C:\Users\Public\CyberLink
2015-04-23 10:19 - 2015-04-23 10:19 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Intel Corporation
2015-04-23 09:23 - 2015-04-23 09:23 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2015-04-23 09:16 - 2015-04-23 09:21 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Microsoft Games
2015-04-22 19:48 - 2015-04-22 19:48 - 00623208 _____ () C:\Users\XXXXXX XXXXXX\Downloads\FP.exe
2015-04-22 19:48 - 2015-04-22 19:48 - 00002035 _____ () C:\Users\XXXXXX XXXXXX\Documents\G*DATA Protokoll ID 69.txt
2015-04-22 18:37 - 2015-04-22 18:37 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-04-22 18:34 - 2015-04-22 18:34 - 00003530 _____ () C:\Users\XXXXXX XXXXXX\Desktop\Stromverbrauchssteuerung - Verknüpfung.lnk
2015-04-22 18:31 - 2015-04-22 18:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G DATA INTERNET SECURITY
2015-04-19 17:47 - 2015-03-24 19:10 - 00027371 _____ () C:\Users\XXXXXX XXXXXX\Documents\config(1).bin
2015-04-19 17:47 - 2013-12-20 19:03 - 00008704 ___SH () C:\Users\XXXXXX XXXXXX\Documents\Thumbs.db
2015-04-19 15:59 - 2015-04-19 16:04 - 417659040 _____ () C:\Users\XXXXXX XXXXXX\Downloads\br2014Free101.exe
2015-04-19 12:53 - 2015-04-19 12:53 - 00000000 ____D () C:\Backups
2015-04-17 18:13 - 2015-04-17 18:13 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\Garmin
2015-04-17 16:09 - 2015-04-17 16:09 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Garmin
2015-04-17 16:09 - 2015-04-17 16:09 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Garmin_Ltd._or_its_subsid
2015-04-17 16:08 - 2015-04-22 20:05 - 00003558 _____ () C:\Windows\System32\Tasks\GarminUpdaterTask
2015-04-17 16:08 - 2015-04-17 16:09 - 00000000 ____D () C:\Program Files (x86)\Garmin
2015-04-17 16:08 - 2015-04-17 16:08 - 00001901 _____ () C:\Users\Public\Desktop\Garmin Express.lnk
2015-04-17 16:08 - 2015-04-17 16:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2015-04-17 16:08 - 2015-04-17 16:08 - 00000000 ____D () C:\ProgramData\Garmin
2015-04-17 16:07 - 2015-04-17 16:07 - 40383568 _____ (Garmin Ltd or its subsidiaries) C:\Users\XXXXXX XXXXXX\Downloads\GarminExpressInstaller.exe
2015-04-17 16:05 - 2015-04-17 16:05 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2015-04-17 14:13 - 2015-04-17 14:13 - 00153777 _____ () C:\Users\XXXXXX XXXXXX\Downloads\bookmarks-2015-04-18.json
2015-04-17 13:16 - 2015-05-03 09:35 - 00049536 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\agremove.exe
2015-04-17 13:14 - 2015-04-17 13:14 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\G DATA
2015-04-17 13:12 - 2015-04-17 13:12 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\G Data
2015-04-17 00:41 - 2015-04-17 00:42 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\Steuerfälle
2015-04-17 00:34 - 2015-04-20 18:24 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\PRIVAT
2015-04-17 00:05 - 2015-05-02 15:16 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\Outlook-Dateien
2015-04-17 00:05 - 2015-04-17 00:05 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\OneNote-Notizbücher
2015-04-17 00:05 - 2015-04-17 00:05 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\MoTeC Projects
2015-04-17 00:04 - 2015-04-17 00:05 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\LEGO Creations
2015-04-16 23:59 - 2015-04-16 23:59 - 00000000 ____D () C:\Windows\CSC
2015-04-16 23:36 - 2015-04-17 00:01 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\JOB
2015-04-16 23:36 - 2015-04-16 23:36 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\Englisch_Basis_v02
2015-04-16 23:32 - 2015-04-08 09:32 - 00020862 _____ () C:\Users\XXXXXX XXXXXX\Documents\NewDatabase.kdbx
2015-04-16 23:32 - 2015-01-23 15:30 - 00019502 _____ () C:\Users\XXXXXX XXXXXX\Documents\NewDatabase.old
2015-04-16 22:53 - 2015-04-17 22:52 - 00300488 _____ () C:\Users\XXXXXX XXXXXX\Downloads\outlook.reg
2015-04-16 20:39 - 2015-05-01 20:09 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\CrashDumps
2015-04-16 20:35 - 2015-04-16 20:37 - 00001900 _____ () C:\Users\XXXXXX XXXXXX\Desktop\P&G 3.1.lnk
2015-04-16 20:35 - 2015-04-16 20:35 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\GTR2
2015-04-16 20:26 - 2015-04-16 20:26 - 00000000 ____D () C:\Windows\pss
2015-04-16 20:14 - 2015-04-16 20:14 - 00933622 _____ () C:\Users\XXXXXX XXXXXX\Downloads\teachmaster_4-3_setup.exe
2015-04-16 20:14 - 2015-04-16 20:14 - 00001114 _____ () C:\Users\XXXXXX XXXXXX\Desktop\Teachmaster 4.3.lnk
2015-04-16 20:14 - 2015-04-16 20:14 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Teachmaster 4.3
2015-04-16 20:14 - 2015-04-16 20:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Teachmaster 4.3
2015-04-16 20:14 - 2015-04-16 20:14 - 00000000 ____D () C:\Program Files (x86)\Teachmaster 4.3
2015-04-16 20:11 - 2015-05-02 17:04 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\PersBackup
2015-04-16 20:11 - 2015-05-02 16:12 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\PersBackup5
2015-04-16 20:11 - 2015-04-16 20:11 - 00000896 _____ () C:\Users\Public\Desktop\Personal Backup 5.lnk
2015-04-16 20:11 - 2015-04-16 20:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Personal Backup
2015-04-16 20:11 - 2015-04-16 20:11 - 00000000 ____D () C:\Program Files\Personal Backup 5
2015-04-16 20:10 - 2015-04-16 20:10 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Downloads\pb5682
2015-04-16 20:09 - 2015-04-16 20:10 - 22355444 _____ () C:\Users\XXXXXX XXXXXX\Downloads\pb5682.zip
2015-04-16 20:08 - 2015-04-16 20:08 - 00001039 _____ () C:\Users\XXXXXX XXXXXX\Desktop\OBELISK top2.lnk
2015-04-16 20:08 - 2015-04-16 20:08 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Theben
2015-04-16 20:08 - 2015-04-16 20:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBELISK top2
2015-04-16 20:08 - 2015-04-16 20:08 - 00000000 ____D () C:\Program Files (x86)\OBELISK top2
2015-04-16 20:07 - 2015-04-16 20:07 - 01376768 _____ () C:\Users\XXXXXX XXXXXX\Downloads\7z920-x64.msi
2015-04-16 20:07 - 2015-04-16 20:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-04-16 20:07 - 2015-04-16 20:07 - 00000000 ____D () C:\Program Files\7-Zip
2015-04-16 20:06 - 2015-04-27 18:32 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Simple Sudoku
2015-04-16 20:06 - 2015-04-16 20:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Simple Sudoku
2015-04-16 20:06 - 2015-04-16 20:06 - 00000000 ____D () C:\Program Files (x86)\Simple Sudoku
2015-04-16 20:01 - 2015-04-16 20:01 - 00000000 ____D () C:\Program Files\Microsoft Games
2015-04-16 19:59 - 2015-04-17 19:10 - 00000000 ____D () C:\Program Files\Synergy
2015-04-16 19:59 - 2015-04-16 19:59 - 00002427 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Synergy.lnk
2015-04-16 19:22 - 2015-04-22 20:06 - 00002798 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-04-16 19:22 - 2015-04-16 19:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-04-16 19:22 - 2015-04-16 19:22 - 00000000 ____D () C:\Program Files\CCleaner
2015-04-16 19:21 - 2015-04-16 19:21 - 04218880 _____ (Piriform Ltd) C:\Users\XXXXXX XXXXXX\Downloads\ccsetup504_slim.exe
2015-04-16 19:20 - 2015-04-16 19:20 - 00000000 ____D () C:\ProgramData\Sun
2015-04-16 19:20 - 2015-04-16 19:19 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-04-16 19:19 - 2015-04-16 19:19 - 43159464 _____ (Oracle Corporation) C:\Users\XXXXXX XXXXXX\Downloads\jre-8u45-windows-x64.exe
2015-04-16 19:19 - 2015-04-16 19:19 - 00000000 ____D () C:\ProgramData\Oracle
2015-04-16 19:19 - 2015-04-16 19:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-04-16 19:19 - 2015-04-16 19:19 - 00000000 ____D () C:\Program Files\Java
2015-04-16 19:18 - 2015-04-16 19:18 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Macromedia
2015-04-16 19:17 - 2015-05-02 17:05 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-16 19:17 - 2015-04-16 19:18 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-16 19:17 - 2015-04-16 19:18 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-16 19:17 - 2015-04-16 19:18 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-16 19:17 - 2015-04-16 19:17 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2015-04-16 19:17 - 2015-04-16 19:17 - 00000000 ____D () C:\Windows\system32\Macromed
2015-04-16 19:15 - 2015-04-22 20:04 - 00003888 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-04-16 19:14 - 2015-04-16 19:14 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-04-16 18:58 - 2015-04-16 18:58 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\AAV
2015-04-16 18:58 - 2015-04-16 18:58 - 00000000 ____D () C:\Programme (x86)
2015-04-16 18:58 - 2015-04-16 18:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steuertipps
2015-04-16 18:50 - 2015-04-16 18:59 - 00000000 ____D () C:\ProgramData\AAV
2015-04-16 18:45 - 2015-04-16 18:45 - 00000968 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\I.R.I.S. OCR-Registrierung.lnk
2015-04-16 18:45 - 2015-04-16 18:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2015-04-16 18:45 - 2015-04-16 18:45 - 00000000 ____D () C:\ProgramData\HP
2015-04-16 18:45 - 2015-04-16 18:45 - 00000000 ____D () C:\Program Files\HP
2015-04-16 18:45 - 2015-04-16 18:45 - 00000000 ____D () C:\Program Files (x86)\HP
2015-04-16 18:45 - 2012-10-17 04:31 - 00741480 ____N (Hewlett-Packard Co.) C:\Windows\system32\HPDiscoPM5312.dll
2015-04-16 18:44 - 2015-04-16 18:45 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\HP
2015-04-16 18:44 - 2015-04-16 18:44 - 00000057 _____ () C:\ProgramData\Ament.ini
2015-04-16 18:42 - 2015-05-02 09:47 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\KeePass
2015-04-16 18:41 - 2015-04-16 18:41 - 00001128 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass 2.lnk
2015-04-16 18:41 - 2015-04-16 18:41 - 00000000 ____D () C:\Program Files (x86)\KeePass Password Safe 2
2015-04-16 18:21 - 2015-04-16 18:21 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Tracing
2015-04-16 14:58 - 2015-04-16 14:58 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Logitech® Webcam-Software
2015-04-16 14:56 - 2015-04-16 14:56 - 00000000 ____D () C:\ProgramData\LogiShrd
2015-04-16 14:54 - 2015-04-19 12:49 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
2015-04-16 14:54 - 2015-04-16 14:55 - 00017119 _____ () C:\Windows\system32\lvcoinst.log
2015-04-16 14:54 - 2015-04-16 14:55 - 00004758 _____ () C:\Windows\LDPINST.LOG
2015-04-16 14:54 - 2015-04-16 14:55 - 00000000 ____D () C:\Program Files\Common Files\logishrd
2015-04-16 14:54 - 2015-04-16 14:55 - 00000000 ____D () C:\Program Files (x86)\Logitech
2015-04-16 14:22 - 2015-04-16 14:22 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Mindjet
2015-04-16 14:21 - 2015-04-16 14:22 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Documents\Eigene Maps
2015-04-16 14:21 - 2015-04-16 14:21 - 00002898 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Mindjet.lnk
2015-04-16 14:21 - 2015-04-16 14:21 - 00000000 ____D () C:\ProgramData\Mindjet
2015-04-16 14:21 - 2015-04-16 14:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mindjet
2015-04-16 14:21 - 2015-04-16 14:21 - 00000000 ____D () C:\Program Files (x86)\Mindjet
2015-04-16 14:21 - 2012-11-12 22:00 - 00057472 _____ (Tracker Software Products (Canada) Ltd.) C:\Windows\system32\pxc50pm.dll
2015-04-16 14:20 - 2015-04-16 14:20 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\{943B7A3D-5366-460D-8966-748D70185DF7}
2015-04-16 13:38 - 2015-04-16 13:38 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Skype
2015-04-16 13:38 - 2015-04-16 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-04-16 13:38 - 2015-04-16 13:38 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-04-16 13:38 - 2015-04-16 13:38 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-04-16 13:37 - 2015-04-16 18:25 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Skype
2015-04-16 13:37 - 2015-04-16 18:21 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-04-16 13:37 - 2015-04-16 18:21 - 00000000 ____D () C:\ProgramData\Skype
2015-04-16 13:37 - 2015-04-16 13:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-04-16 13:36 - 2015-04-16 13:36 - 00003118 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2015-04-16 13:36 - 2015-04-16 13:36 - 00003092 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2015-04-16 13:36 - 2015-04-16 13:36 - 00003090 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2015-04-16 13:36 - 2015-04-16 13:36 - 00003062 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2015-04-16 13:36 - 2015-04-16 13:36 - 00003060 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2015-04-16 13:36 - 2015-04-16 13:36 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_point64_01011.Wdf
2015-04-16 13:36 - 2015-04-16 13:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft-Maus- und Tastatur-Center
2015-04-16 13:36 - 2015-04-16 13:36 - 00000000 ____D () C:\Program Files\Microsoft Mouse and Keyboard Center
2015-04-16 13:35 - 2015-04-16 13:35 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2015-04-16 13:34 - 2015-04-16 13:34 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_dc3d_01009.Wdf
2015-04-16 13:19 - 2015-04-16 13:19 - 02118222 _____ () C:\Users\XXXXXX XXXXXX\Downloads\AnyBurn_v2.7.zip
2015-04-16 13:18 - 2015-04-16 13:18 - 00303239 _____ () C:\Users\XXXXXX XXXXXX\Downloads\ZoomIt_4.5.zip
2015-04-16 12:41 - 2015-04-16 12:41 - 00000000 ____D () C:\Users\Default\AppData\Local\Microsoft Help
2015-04-16 12:41 - 2015-04-16 12:41 - 00000000 ____D () C:\Users\Default User\AppData\Local\Microsoft Help
2015-04-16 12:29 - 2014-11-30 19:28 - 23652676 _____ () C:\Users\XXXXXX XXXXXX\Downloads\Software_OBELISK_top2_V3.6.1_de.ZIP
2015-04-16 12:29 - 2013-07-11 10:09 - 129180128 _____ () C:\Users\XXXXXX XXXXXX\Downloads\Mindjet_11.3.305_DE.exe
2015-04-16 12:28 - 2013-12-20 23:33 - 122415248 _____ () C:\Users\XXXXXX XXXXXX\Downloads\OJ8500_A910_1315.exe
2015-04-16 12:22 - 2015-04-16 12:22 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\WindowsUpdate
2015-04-16 12:06 - 2015-04-17 00:31 - 00000000 ___SD () C:\Users\XXXXXX XXXXXX\Documents\Meine Shapes
2015-04-16 12:05 - 2015-04-16 13:17 - 00000039 _____ () C:\Windows\vbaddin.ini
2015-04-16 12:01 - 2015-04-16 12:01 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Downloads\Visio
2015-04-16 11:53 - 2015-04-16 11:53 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-04-16 11:46 - 2015-04-16 12:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-04-16 11:46 - 2015-04-16 11:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint
2015-04-16 11:46 - 2015-04-16 11:46 - 00000000 ____D () C:\Program Files (x86)\Microsoft Synchronization Services
2015-04-16 11:45 - 2015-04-16 11:45 - 00000000 ____D () C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2015-04-16 11:45 - 2015-04-16 11:45 - 00000000 ____D () C:\Windows\PCHEALTH
2015-04-16 11:45 - 2015-04-16 11:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft Sync Framework
2015-04-16 11:45 - 2015-04-16 11:45 - 00000000 ____D () C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2015-04-16 11:44 - 2015-04-16 11:44 - 00000000 ____D () C:\Program Files\Microsoft Office
2015-04-16 11:44 - 2015-04-16 11:44 - 00000000 ____D () C:\Program Files (x86)\Microsoft Visual Studio 8
2015-04-16 11:43 - 2015-04-16 13:21 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-04-16 11:43 - 2015-04-16 12:12 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Microsoft Help
2015-04-16 11:43 - 2015-04-16 11:43 - 00000000 ____D () C:\Program Files (x86)\Microsoft Analysis Services
2015-04-16 11:42 - 2015-04-16 11:42 - 00000000 __RHD () C:\MSOCache
2015-04-16 11:05 - 2015-04-17 21:21 - 00000764 _____ () C:\Users\XXXXXX XXXXXX\Desktop\GTR 2.lnk
2015-04-16 11:05 - 2015-04-16 11:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SimBin
2015-04-16 11:01 - 2015-04-16 11:01 - 00000000 ____D () C:\Program Files (x86)\SimBin
2015-04-16 11:01 - 2008-10-27 10:04 - 00518480 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_3.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00514384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_3.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00235856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_3.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00175440 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_3.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00074576 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_2.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00070992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_2.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00025936 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_5.dll
2015-04-16 11:01 - 2008-10-27 10:04 - 00023376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_5.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 05631312 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 04379984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 02605920 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 02036576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 00519000 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2015-04-16 11:01 - 2008-10-10 04:52 - 00452440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00513544 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_2.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00509448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_2.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_2.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_2.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00072200 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_1.dll
2015-04-16 11:01 - 2008-07-30 06:20 - 00068616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_1.dll
2015-04-16 11:01 - 2008-07-10 11:01 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_39.dll
2015-04-16 11:01 - 2008-07-10 11:00 - 04992520 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2015-04-16 11:01 - 2008-07-10 11:00 - 03851784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_39.dll
2015-04-16 11:01 - 2008-07-10 11:00 - 01942552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2015-04-16 11:01 - 2008-07-10 11:00 - 01493528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_39.dll
2015-04-16 11:01 - 2008-07-10 11:00 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2015-04-16 11:01 - 2008-05-30 14:19 - 00511496 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_1.dll
2015-04-16 11:01 - 2008-05-30 14:19 - 00507400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_1.dll
2015-04-16 11:01 - 2008-05-30 14:18 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_1.dll
2015-04-16 11:01 - 2008-05-30 14:18 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_1.dll
2015-04-16 11:01 - 2008-05-30 14:17 - 00068104 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_0.dll
2015-04-16 11:01 - 2008-05-30 14:17 - 00065032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_0.dll
2015-04-16 11:01 - 2008-05-30 14:17 - 00025608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_4.dll
2015-04-16 11:01 - 2008-05-30 14:16 - 00028168 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_4.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 04991496 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_38.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 03850760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_38.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 01941528 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_38.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 01491992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_38.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 00540688 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_38.dll
2015-04-16 11:01 - 2008-05-30 14:11 - 00467984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_38.dll
2015-04-16 11:01 - 2008-03-05 16:04 - 00489480 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_0.dll
2015-04-16 11:01 - 2008-03-05 16:03 - 00479752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_0.dll
2015-04-16 11:01 - 2008-03-05 16:03 - 00238088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_0.dll
2015-04-16 11:01 - 2008-03-05 16:03 - 00177672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_0.dll
2015-04-16 11:01 - 2008-03-05 16:00 - 00028168 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_3.dll
2015-04-16 11:01 - 2008-03-05 16:00 - 00025608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_3.dll
2015-04-16 11:01 - 2008-03-05 15:56 - 04910088 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_37.dll
2015-04-16 11:01 - 2008-03-05 15:56 - 03786760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_37.dll
2015-04-16 11:01 - 2008-03-05 15:56 - 01860120 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_37.dll
2015-04-16 11:01 - 2008-03-05 15:56 - 01420824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_37.dll
2015-04-16 11:01 - 2008-02-05 23:07 - 00529424 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_37.dll
2015-04-16 11:01 - 2008-02-05 23:07 - 00462864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_37.dll
2015-04-16 11:01 - 2007-10-22 03:40 - 00411656 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_10.dll
2015-04-16 11:01 - 2007-10-22 03:39 - 00267272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_10.dll
2015-04-16 11:01 - 2007-10-22 03:37 - 00021000 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_2.dll
2015-04-16 11:01 - 2007-10-22 03:37 - 00017928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_2.dll
2015-04-16 11:01 - 2007-10-12 15:14 - 05081608 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_36.dll
2015-04-16 11:01 - 2007-10-12 15:14 - 03734536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_36.dll
2015-04-16 11:01 - 2007-10-12 15:14 - 02006552 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_36.dll
2015-04-16 11:01 - 2007-10-12 15:14 - 01374232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_36.dll
2015-04-16 11:01 - 2007-10-02 09:56 - 00508264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_36.dll
2015-04-16 11:01 - 2007-10-02 09:56 - 00444776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_36.dll
2015-04-16 11:01 - 2007-07-20 00:57 - 00411496 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_9.dll
2015-04-16 11:01 - 2007-07-20 00:57 - 00267112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_9.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 05073256 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_35.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 03727720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_35.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 01985904 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_35.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 01358192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_35.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 00508264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_35.dll
2015-04-16 11:01 - 2007-07-19 18:14 - 00444776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_35.dll
2015-04-16 11:01 - 2007-06-20 20:49 - 00409960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_8.dll
2015-04-16 11:01 - 2007-06-20 20:46 - 00266088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_8.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 04496232 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_34.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 03497832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_34.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 01401200 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_34.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 01124720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_34.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 00506728 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_34.dll
2015-04-16 11:01 - 2007-05-16 16:45 - 00443752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_34.dll
2015-04-16 11:01 - 2007-04-04 18:55 - 00403304 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_7.dll
2015-04-16 11:01 - 2007-04-04 18:55 - 00261480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_7.dll
2015-04-16 11:01 - 2007-04-04 18:54 - 00107368 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2015-04-16 11:01 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_3.dll
2015-04-16 11:01 - 2007-03-15 16:57 - 00506728 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_33.dll
2015-04-16 11:01 - 2007-03-15 16:57 - 00443752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_33.dll
2015-04-16 11:01 - 2007-03-12 16:42 - 04494184 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_33.dll
2015-04-16 11:01 - 2007-03-12 16:42 - 03495784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_33.dll
2015-04-16 11:01 - 2007-03-12 16:42 - 01400176 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_33.dll
2015-04-16 11:01 - 2007-03-12 16:42 - 01123696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_33.dll
2015-04-16 11:01 - 2007-03-05 12:42 - 00017688 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_1.dll
2015-04-16 11:01 - 2007-03-05 12:42 - 00015128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_1.dll
2015-04-16 11:01 - 2007-01-24 15:27 - 00393576 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_6.dll
2015-04-16 11:01 - 2007-01-24 15:27 - 00255848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_6.dll
2015-04-16 11:01 - 2006-12-08 12:02 - 00251672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_5.dll
2015-04-16 11:01 - 2006-12-08 12:00 - 00390424 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_5.dll
2015-04-16 11:01 - 2006-11-29 13:06 - 04398360 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2015-04-16 11:01 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_32.dll
2015-04-16 11:01 - 2006-11-29 13:06 - 00469264 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10.dll
2015-04-16 11:01 - 2006-11-29 13:06 - 00440080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10.dll
2015-04-16 11:01 - 2006-09-28 16:05 - 03977496 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_31.dll
2015-04-16 11:01 - 2006-09-28 16:05 - 02414360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_31.dll
2015-04-16 11:01 - 2006-09-28 16:05 - 00237848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_4.dll
2015-04-16 11:01 - 2006-09-28 16:04 - 00364824 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_4.dll
2015-04-16 11:01 - 2006-07-28 09:31 - 00083736 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_2.dll
2015-04-16 11:01 - 2006-07-28 09:30 - 00363288 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_3.dll
2015-04-16 11:01 - 2006-07-28 09:30 - 00236824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_3.dll
2015-04-16 11:01 - 2006-07-28 09:30 - 00062744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_2.dll
2015-04-16 11:01 - 2006-05-31 07:24 - 00230168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_2.dll
2015-04-16 11:01 - 2006-05-31 07:22 - 00354072 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_2.dll
2015-04-16 11:01 - 2006-03-31 12:40 - 00352464 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2015-04-16 11:01 - 2006-03-31 12:39 - 00229584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_1.dll
2015-04-16 11:01 - 2006-03-31 12:39 - 00083664 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2015-04-16 11:01 - 2006-03-31 12:39 - 00062672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_1.dll
2015-04-16 11:00 - 2015-04-16 11:01 - 00010123 _____ () C:\Windows\DirectX.log
2015-04-16 11:00 - 2006-03-31 12:41 - 03927248 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2015-04-16 11:00 - 2006-03-31 12:40 - 02388176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_30.dll
2015-04-16 11:00 - 2006-02-03 08:43 - 03830992 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_29.dll
2015-04-16 11:00 - 2006-02-03 08:43 - 02332368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_29.dll
2015-04-16 11:00 - 2006-02-03 08:42 - 00355536 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_0.dll
2015-04-16 11:00 - 2006-02-03 08:42 - 00230096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_0.dll
2015-04-16 11:00 - 2006-02-03 08:41 - 00016592 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2015-04-16 11:00 - 2006-02-03 08:41 - 00014032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_0.dll
2015-04-16 11:00 - 2005-12-05 18:09 - 03815120 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_28.dll
2015-04-16 11:00 - 2005-12-05 18:09 - 02323664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_28.dll
2015-04-16 11:00 - 2005-07-22 19:59 - 03807440 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_27.dll
2015-04-16 11:00 - 2005-07-22 19:59 - 02319568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_27.dll
2015-04-16 11:00 - 2005-05-26 15:34 - 03767504 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_26.dll
2015-04-16 11:00 - 2005-05-26 15:34 - 02297552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_26.dll
2015-04-16 11:00 - 2005-03-18 17:19 - 03823312 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_25.dll
2015-04-16 11:00 - 2005-03-18 17:19 - 02337488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_25.dll
2015-04-16 11:00 - 2005-02-05 19:45 - 03544272 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_24.dll
2015-04-16 11:00 - 2005-02-05 19:45 - 02222800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_24.dll
2015-04-16 10:53 - 2015-04-16 10:53 - 00024250 _____ () C:\Users\XXXXXX XXXXXX\Downloads\Ghostery-Backup-4-17-2015.ghost
2015-04-16 10:52 - 2015-04-16 10:52 - 00028171 _____ () C:\Users\XXXXXX XXXXXX\Downloads\noscr.txt
2015-04-16 10:51 - 2015-04-16 10:51 - 00000058 _____ () C:\Users\XXXXXX XXXXXX\Downloads\adblpopu.txt
2015-04-16 10:49 - 2015-04-16 10:49 - 01913304 _____ () C:\Users\XXXXXX XXXXXX\Downloads\adbl.ini
2015-04-16 10:47 - 2015-04-22 19:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-04-16 10:47 - 2015-04-16 10:47 - 00001170 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-04-16 10:47 - 2015-04-16 10:47 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Mozilla
2015-04-16 10:47 - 2015-04-16 10:47 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Mozilla
2015-04-16 10:47 - 2015-04-16 10:47 - 00000000 ____D () C:\ProgramData\Mozilla
2015-04-16 10:46 - 2015-04-16 10:46 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Logitech
2015-04-16 10:41 - 2015-04-16 14:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2015-04-16 10:41 - 2015-04-16 10:41 - 00000000 ____D () C:\Program Files\Logitech
2015-04-16 10:41 - 2015-04-16 10:41 - 00000000 ____D () C:\Program Files\Common Files\Logitech
2015-04-16 10:40 - 2015-04-16 10:40 - 00003190 _____ () C:\Windows\System32\Tasks\{5C755EAB-2069-42B3-82FA-14707930F6C8}
2015-04-16 10:40 - 2010-11-14 11:58 - 17276616 _____ (Logitech ) C:\Users\XXXXXX XXXXXX\Downloads\lgs510_x64.exe
2015-04-16 10:39 - 2015-04-16 10:39 - 00000000 __SHD () C:\Users\XXXXXX XXXXXX\AppData\Local\EmieUserList
2015-04-16 10:39 - 2015-04-16 10:39 - 00000000 __SHD () C:\Users\XXXXXX XXXXXX\AppData\Local\EmieSiteList
2015-04-16 10:39 - 2015-04-16 10:39 - 00000000 __SHD () C:\Users\XXXXXX XXXXXX\AppData\Local\EmieBrowserModeList
2015-04-16 10:22 - 2015-04-16 11:10 - 00000000 ____D () C:\SimBin
2015-04-16 09:32 - 2015-04-16 09:32 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\NVIDIA
2015-04-16 09:32 - 2015-04-16 09:32 - 00000000 ____D () C:\Program Files (x86)\AGEIA Technologies
2015-04-16 09:30 - 2015-02-06 05:01 - 32106640 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglv64.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 25460880 _____ (NVIDIA Corporation) C:\Windows\system32\nvcompiler.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 24768144 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 20466496 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 17253848 _____ (NVIDIA Corporation) C:\Windows\system32\nvd3dumx.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 16017040 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 13294528 _____ (NVIDIA Corporation) C:\Windows\system32\nvopencl.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 13208200 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuda.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 10773704 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 10713256 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 10284872 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvlddmkm.sys
2015-04-16 09:30 - 2015-02-06 05:01 - 03610768 _____ (NVIDIA Corporation) C:\Windows\system32\nvcuvid.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 03299512 _____ (NVIDIA Corporation) C:\Windows\system32\nvapi64.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 03247248 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 02902784 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvapi.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 01895240 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispco6434752.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 01557648 _____ (NVIDIA Corporation) C:\Windows\system32\nvdispgenco6434752.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00995248 _____ (NVIDIA Corporation) C:\Windows\system32\nvumdshimx.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00969872 _____ (NVIDIA Corporation) C:\Windows\system32\NvIFR64.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00943760 _____ (NVIDIA Corporation) C:\Windows\system32\NvFBC64.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00929936 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00908104 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00877816 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00353224 _____ (NVIDIA Corporation) C:\Windows\system32\nvoglshim64.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00305136 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00177624 _____ (NVIDIA Corporation) C:\Windows\system32\nvinitx.dll
2015-04-16 09:30 - 2015-02-06 05:01 - 00164752 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2015-04-16 09:30 - 2014-10-10 01:02 - 00195728 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2015-04-16 09:30 - 2014-10-10 01:02 - 00030536 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2015-04-16 09:20 - 2015-04-16 09:20 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_ldiagio_uefi_01009.Wdf
2015-04-16 09:20 - 2015-04-16 09:20 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\LSC
2015-04-16 09:17 - 2015-04-16 09:17 - 00002002 _____ () C:\Users\Public\Desktop\Lenovo Solution Center.lnk
2015-04-16 09:15 - 2015-04-16 09:15 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Tvsukernel
2015-04-16 08:58 - 2015-01-09 05:14 - 00950272 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-04-16 08:58 - 2015-01-09 05:14 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-04-16 08:58 - 2015-01-09 05:14 - 00029696 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-04-16 08:58 - 2015-01-09 04:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdi.dll
2015-04-16 08:51 - 2015-04-16 08:51 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-04-16 08:51 - 2015-04-16 08:51 - 00000000 ____D () C:\Windows\system32\appraiser
2015-04-16 08:40 - 2015-03-25 05:24 - 03298816 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 02553856 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00191488 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-04-16 08:40 - 2015-03-25 05:24 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-04-16 08:40 - 2015-03-25 05:23 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-04-16 08:40 - 2015-03-25 05:23 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-04-16 08:40 - 2015-03-25 05:23 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-04-16 08:40 - 2015-03-25 05:00 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-04-16 08:40 - 2015-03-25 05:00 - 00173056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-04-16 08:40 - 2015-03-25 05:00 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-04-16 08:40 - 2015-03-25 05:00 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-04-16 08:40 - 2015-03-25 05:00 - 00029696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-04-16 08:40 - 2015-03-23 05:25 - 00769536 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-04-16 08:40 - 2015-03-23 05:25 - 00726528 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-04-16 08:40 - 2015-03-23 05:24 - 00957952 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-04-16 08:40 - 2015-03-23 05:24 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-04-16 08:40 - 2015-03-23 05:24 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-04-16 08:40 - 2015-03-23 05:24 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-04-16 08:40 - 2015-03-23 05:24 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-04-16 08:40 - 2015-03-23 05:17 - 01111552 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-04-16 08:40 - 2015-02-13 07:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-04-16 08:40 - 2015-02-13 07:22 - 14177280 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-04-16 08:40 - 2015-02-03 05:31 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll
2015-04-16 08:40 - 2015-02-03 05:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ubpm.dll
2015-04-16 08:40 - 2015-01-28 01:36 - 01239720 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-04-16 08:40 - 2014-12-19 03:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-04-16 08:40 - 2014-11-11 03:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2015-04-16 08:40 - 2014-08-01 13:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2015-04-16 08:40 - 2014-08-01 13:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2015-04-16 08:40 - 2014-07-09 04:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2015-04-16 08:40 - 2014-07-09 04:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2015-04-16 08:40 - 2014-07-09 04:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2015-04-16 08:40 - 2014-07-09 04:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2015-04-16 08:40 - 2014-07-09 04:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2015-04-16 08:40 - 2014-07-09 03:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDYAK.DLL
2015-04-16 08:40 - 2014-07-09 03:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDTAT.DLL
2015-04-16 08:40 - 2014-07-09 03:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU1.DLL
2015-04-16 08:40 - 2014-07-09 03:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU.DLL
2015-04-16 08:40 - 2014-07-09 03:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDBASH.DLL
2015-04-16 08:40 - 2014-06-24 05:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-04-16 08:40 - 2014-06-24 04:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2015-04-16 08:40 - 2014-05-30 08:45 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2015-04-16 08:40 - 2014-03-26 16:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-04-16 08:40 - 2014-03-26 16:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2015-04-16 08:40 - 2014-03-26 16:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2015-04-16 08:40 - 2014-03-26 16:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll
2015-04-16 08:39 - 2014-10-03 04:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2015-04-16 08:39 - 2014-10-03 04:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2015-04-16 08:39 - 2014-10-03 04:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2015-04-16 08:39 - 2014-10-03 04:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2015-04-16 08:39 - 2014-10-03 04:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2015-04-16 08:39 - 2014-10-03 03:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2015-04-16 08:39 - 2014-10-03 03:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2015-04-16 08:39 - 2014-10-03 03:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2015-04-16 08:39 - 2014-10-03 03:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2015-04-16 08:39 - 2014-10-03 03:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2015-04-16 08:38 - 2015-01-17 04:48 - 01067520 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-04-16 08:38 - 2015-01-17 04:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-04-16 08:38 - 2014-10-04 04:10 - 03722752 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-04-16 08:38 - 2014-10-04 03:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-04-16 08:38 - 2014-10-04 03:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-04-16 08:38 - 2014-08-12 04:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2015-04-16 08:38 - 2014-08-12 03:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2015-04-16 08:36 - 2015-02-03 05:31 - 01424896 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-04-16 08:36 - 2015-02-03 05:12 - 01230848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-04-16 08:36 - 2014-11-08 05:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-04-16 08:36 - 2014-11-08 04:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2015-04-16 08:36 - 2013-07-20 12:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-04-16 08:36 - 2013-07-20 12:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-04-16 08:24 - 2015-01-09 01:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-04-16 08:24 - 2015-01-09 01:43 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-04-16 08:07 - 2012-07-26 05:08 - 00744448 _____ (Microsoft Corporation) C:\Windows\system32\WUDFx.dll
2015-04-16 08:07 - 2012-07-26 05:08 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\WUDFHost.exe
2015-04-16 08:07 - 2012-07-26 05:08 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\WUDFPlatform.dll
2015-04-16 08:07 - 2012-07-26 05:08 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\WUDFSvc.dll
2015-04-16 08:07 - 2012-07-26 05:08 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\WUDFCoinstaller.dll
2015-04-16 08:07 - 2012-07-26 04:26 - 00198656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFRd.sys
2015-04-16 08:07 - 2012-07-26 04:26 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFPf.sys
2015-04-16 08:07 - 2012-06-02 16:57 - 00000003 _____ () C:\Windows\system32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2015-04-16 08:06 - 2015-04-17 22:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-04-16 08:06 - 2015-04-17 22:26 - 128913832 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-04-16 08:02 - 2015-04-16 08:02 - 40676944 _____ () C:\Users\XXXXXX XXXXXX\Downloads\Firefox_Setup_37.0.1.exe
2015-04-16 08:02 - 2014-10-14 04:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2015-04-16 08:01 - 2015-02-20 06:41 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-04-16 08:01 - 2015-02-20 06:40 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-04-16 08:01 - 2015-02-20 06:40 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-04-16 08:01 - 2015-02-20 06:40 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-04-16 08:01 - 2015-02-20 06:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2015-04-16 08:01 - 2015-02-20 06:13 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-04-16 08:01 - 2015-02-20 06:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2015-04-16 08:01 - 2015-02-20 06:12 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2015-04-16 08:01 - 2015-02-20 05:29 - 00372224 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-04-16 08:01 - 2015-02-20 05:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-04-16 08:01 - 2015-02-03 05:34 - 00693176 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-04-16 08:01 - 2015-02-03 05:34 - 00094656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-04-16 08:01 - 2015-02-03 05:33 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-04-16 08:01 - 2015-02-03 05:31 - 14632960 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 01574400 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00641024 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00432128 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-04-16 08:01 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-04-16 08:01 - 2015-02-03 05:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-04-16 08:01 - 2015-02-03 05:30 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 01202176 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00842240 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-04-16 08:01 - 2015-02-03 05:30 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe
2015-04-16 08:01 - 2015-02-03 05:30 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2015-04-16 08:01 - 2015-02-03 05:29 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll
2015-04-16 08:01 - 2015-02-03 05:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-04-16 08:01 - 2015-02-03 05:19 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2015-04-16 08:01 - 2015-02-03 05:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptui.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmv2clt.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\blackbox.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmdrmsdk.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscp.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmmgrtn.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msnetobj.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsp.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-04-16 08:01 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-04-16 08:01 - 2015-02-03 05:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-04-16 08:01 - 2015-02-03 05:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-04-16 08:01 - 2015-02-03 05:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2015-04-16 08:01 - 2015-02-03 05:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2015-04-16 08:01 - 2015-02-03 05:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2015-04-16 08:01 - 2015-02-03 04:32 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-04-16 08:01 - 2014-12-19 05:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-04-16 08:01 - 2014-12-11 19:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-04-16 08:01 - 2014-12-06 06:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-04-16 08:01 - 2014-12-06 05:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-04-16 08:01 - 2014-12-06 05:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-04-16 08:01 - 2014-11-01 00:24 - 00619056 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-04-16 08:01 - 2014-06-28 02:21 - 00532176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-04-16 08:01 - 2014-06-28 02:21 - 00457400 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2015-04-16 08:01 - 2014-06-19 00:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2015-04-16 08:01 - 2014-06-18 04:18 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2015-04-16 08:01 - 2014-06-18 03:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2015-04-16 08:01 - 2014-06-06 12:10 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2015-04-16 08:01 - 2014-06-06 11:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2015-04-16 08:01 - 2014-04-25 04:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2015-04-16 08:01 - 2014-04-25 04:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2015-04-16 08:01 - 2014-04-05 04:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2015-04-16 08:01 - 2014-04-05 04:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2015-04-16 08:01 - 2011-11-17 08:35 - 00395776 _____ (Microsoft Corporation) C:\Windows\system32\webio.dll
2015-04-16 08:01 - 2011-11-17 07:35 - 00314880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webio.dll
2015-04-16 08:01 - 2011-04-09 08:58 - 00142336 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2015-04-16 08:01 - 2011-04-09 07:56 - 00123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2015-04-16 08:00 - 2015-02-25 05:18 - 00754688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2015-04-16 08:00 - 2014-11-11 05:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2015-04-16 08:00 - 2014-11-11 04:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2015-04-16 08:00 - 2014-06-16 04:10 - 00985536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2015-04-16 07:53 - 2015-03-17 07:22 - 05557696 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-04-16 07:53 - 2015-03-17 07:22 - 00155576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-04-16 07:53 - 2015-03-17 07:22 - 00095672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-04-16 07:53 - 2015-03-17 07:19 - 01727904 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-04-16 07:53 - 2015-03-17 07:17 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-04-16 07:53 - 2015-03-17 07:17 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-04-16 07:53 - 2015-03-17 07:17 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-04-16 07:53 - 2015-03-17 07:16 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-04-16 07:53 - 2015-03-17 07:16 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-04-16 07:53 - 2015-03-17 07:16 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-04-16 07:53 - 2015-03-17 07:15 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-04-16 07:53 - 2015-03-17 07:15 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-04-16 07:53 - 2015-03-17 07:15 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-04-16 07:53 - 2015-03-17 07:13 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-04-16 07:53 - 2015-03-17 07:13 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 07:01 - 03976632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-04-16 07:53 - 2015-03-17 07:01 - 03920824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-04-16 07:53 - 2015-03-17 06:59 - 01309696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-04-16 07:53 - 2015-03-17 06:57 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-04-16 07:53 - 2015-03-17 06:56 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-04-16 07:53 - 2015-03-17 06:56 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-04-16 07:53 - 2015-03-17 06:56 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-04-16 07:53 - 2015-03-17 06:56 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-04-16 07:53 - 2015-03-17 06:56 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-04-16 07:53 - 2015-03-17 06:56 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-04-16 07:53 - 2015-03-17 06:56 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-04-16 07:53 - 2015-03-17 06:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-04-16 07:53 - 2015-03-17 06:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 06:50 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 05:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-04-16 07:53 - 2015-03-17 05:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-04-16 07:53 - 2015-03-17 05:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 05:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 05:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-04-16 07:53 - 2015-03-17 05:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-04-16 07:53 - 2015-01-31 01:56 - 00459336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-04-16 07:53 - 2014-03-04 11:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2015-04-16 07:53 - 2014-03-04 11:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2015-04-16 07:53 - 2014-03-04 11:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2015-04-16 07:53 - 2014-03-04 11:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2015-04-16 07:53 - 2014-03-04 11:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2015-04-16 07:53 - 2014-03-04 11:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2015-04-16 07:53 - 2014-03-04 11:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2015-04-16 07:53 - 2014-03-04 11:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2015-04-16 07:52 - 2014-07-17 04:07 - 01118720 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-04-16 07:52 - 2014-07-17 04:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-04-16 07:52 - 2014-07-17 04:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2015-04-16 07:52 - 2014-07-17 04:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2015-04-16 07:52 - 2014-07-17 03:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2015-04-16 07:52 - 2014-07-17 03:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2015-04-16 07:52 - 2014-07-17 03:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2015-04-16 07:52 - 2014-07-17 03:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2015-04-16 07:50 - 2014-11-26 05:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-04-16 07:50 - 2014-11-26 05:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2015-04-16 07:50 - 2014-09-04 07:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2015-04-16 07:50 - 2014-09-04 07:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2015-04-16 07:49 - 2015-02-26 05:25 - 03204096 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-04-16 07:49 - 2014-12-08 05:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-04-16 07:49 - 2014-12-08 04:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll
2015-04-16 07:49 - 2014-10-25 03:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2015-04-16 07:49 - 2014-10-25 03:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2015-04-16 07:47 - 2015-03-04 06:55 - 00367552 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2015-04-16 07:47 - 2015-03-04 06:41 - 00079360 _____ (Microsoft Corporation) C:\Windows\system32\clfsw32.dll
2015-04-16 07:47 - 2015-03-04 06:10 - 00058880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\clfsw32.dll
2015-04-16 07:47 - 2011-02-23 06:55 - 00090624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bowser.sys
2015-04-16 07:41 - 2015-04-16 07:46 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Downloads\Games
2015-04-16 07:40 - 2015-04-16 07:40 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\Downloads\ProLite B2776HDS
2015-04-16 07:40 - 2014-10-20 20:19 - 02536151 _____ (Dominik Reichl ) C:\Users\XXXXXX XXXXXX\Downloads\KeePass-2.28-Setup.exe
2015-04-16 07:40 - 2012-11-28 08:29 - 74637872 _____ (Logitech, Inc.) C:\Users\XXXXXX XXXXXX\Downloads\lws251.exe
2015-04-16 07:39 - 2015-04-04 20:59 - 15024516 _____ () C:\Users\XXXXXX XXXXXX\Downloads\synergy15.zip
2015-04-16 07:34 - 2015-04-22 18:31 - 00001989 _____ () C:\Users\Public\Desktop\G DATA INTERNET SECURITY.lnk
2015-04-16 07:34 - 2015-04-16 07:34 - 00075776 _____ (G Data Software AG) C:\Windows\system32\Drivers\PktIcpt.sys
2015-04-16 07:34 - 2015-04-16 07:34 - 00027648 _____ (G Data Software AG) C:\Windows\system32\Drivers\GDKBB64.sys
2015-04-16 07:34 - 2015-04-16 07:34 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_GDKBB64_01007.Wdf
2015-04-16 07:33 - 2015-04-22 18:31 - 00064512 _____ (G Data Software AG) C:\Windows\system32\Drivers\gdwfpcd64.sys
2015-04-16 07:33 - 2015-04-16 07:33 - 00230400 _____ (G Data Software AG) C:\Windows\system32\Drivers\MiniIcpt.sys
2015-04-16 07:33 - 2015-04-16 07:33 - 00150016 _____ (G Data Software AG) C:\Windows\system32\Drivers\GDBehave.sys
2015-04-16 07:33 - 2015-04-16 07:33 - 00124928 _____ (G Data Software AG) C:\Windows\system32\Drivers\HookCentre.sys
2015-04-16 07:33 - 2015-04-16 07:33 - 00020992 _____ (G Data Software AG) C:\Windows\system32\Drivers\GDKBFlt64.sys
2015-04-16 07:33 - 2015-04-16 07:33 - 00000779 _____ () C:\Users\XXXXXX XXXXXX\AppData\Roaming\gdscan.log
2015-04-16 07:33 - 2015-04-16 07:33 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_GDKBFlt64_01007.Wdf
2015-04-16 07:33 - 2015-04-16 07:33 - 00000000 ____D () C:\Program Files (x86)\G DATA
2015-04-16 07:33 - 2015-04-16 07:33 - 00000000 _____ () C:\Users\XXXXXX XXXXXX\AppData\Roaming\gdfw.log
2015-04-16 07:31 - 2015-04-16 08:26 - 00000000 ____D () C:\ProgramData\G Data
2015-04-16 07:27 - 2015-04-16 07:27 - 00896048 _____ () C:\Users\XXXXXX XXXXXX\Downloads\Norton_Removal_Tool.exe
2015-04-16 07:25 - 2015-04-04 15:40 - 475698480 _____ (G Data Software AG) C:\Users\XXXXXX XXXXXX\Downloads\INT_R_FUL_IS.exe
2015-04-16 07:21 - 2015-04-16 07:23 - 00000000 ___SD () C:\Windows\system32\GWX
2015-04-16 07:21 - 2015-04-16 07:21 - 00000000 ___SD () C:\Windows\SysWOW64\GWX
2015-04-16 07:18 - 2014-06-27 04:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2015-04-16 07:18 - 2014-06-27 03:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2015-04-16 07:12 - 2014-07-01 00:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2015-04-16 07:12 - 2014-07-01 00:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2015-04-16 07:12 - 2014-06-06 08:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2015-04-16 07:12 - 2014-06-06 08:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2015-04-16 07:12 - 2014-03-09 23:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2015-04-16 07:12 - 2014-03-09 23:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2015-04-16 07:12 - 2014-03-09 23:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2015-04-16 07:12 - 2014-03-09 23:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
2015-04-16 07:08 - 2015-02-04 05:16 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-04-16 07:08 - 2015-02-04 04:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2015-04-16 07:07 - 2014-07-14 04:02 - 01216000 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-04-16 07:07 - 2014-07-14 03:40 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-04-16 07:02 - 2015-03-05 07:12 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-04-16 07:02 - 2015-03-05 06:05 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-04-16 06:57 - 2015-04-02 02:17 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-04-16 06:57 - 2015-04-02 01:49 - 00342704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-04-16 06:57 - 2015-03-13 06:32 - 24980480 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-04-16 06:57 - 2015-03-13 06:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-04-16 06:57 - 2015-03-13 06:25 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-04-16 06:57 - 2015-03-13 06:09 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-04-16 06:57 - 2015-03-13 06:08 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-04-16 06:57 - 2015-03-13 06:08 - 00417280 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-04-16 06:57 - 2015-03-13 06:08 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-04-16 06:57 - 2015-03-13 06:07 - 02886144 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-04-16 06:57 - 2015-03-13 06:06 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-04-16 06:57 - 2015-03-13 06:00 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-04-16 06:57 - 2015-03-13 05:59 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-04-16 06:57 - 2015-03-13 05:55 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-04-16 06:57 - 2015-03-13 05:54 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-04-16 06:57 - 2015-03-13 05:54 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-04-16 06:57 - 2015-03-13 05:53 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-04-16 06:57 - 2015-03-13 05:50 - 06025216 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-04-16 06:57 - 2015-03-13 05:44 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-04-16 06:57 - 2015-03-13 05:42 - 19695616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-04-16 06:57 - 2015-03-13 05:42 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-04-16 06:57 - 2015-03-13 05:40 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-04-16 06:57 - 2015-03-13 05:32 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-04-16 06:57 - 2015-03-13 05:28 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-04-16 06:57 - 2015-03-13 05:28 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-04-16 06:57 - 2015-03-13 05:27 - 00340992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-04-16 06:57 - 2015-03-13 05:27 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-04-16 06:57 - 2015-03-13 05:27 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-04-16 06:57 - 2015-03-13 05:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-04-16 06:57 - 2015-03-13 05:26 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-04-16 06:57 - 2015-03-13 05:23 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-04-16 06:57 - 2015-03-13 05:22 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-04-16 06:57 - 2015-03-13 05:20 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-04-16 06:57 - 2015-03-13 05:20 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-04-16 06:57 - 2015-03-13 05:17 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-04-16 06:57 - 2015-03-13 05:16 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-04-16 06:57 - 2015-03-13 05:15 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-04-16 06:57 - 2015-03-13 05:08 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-04-16 06:57 - 2015-03-13 05:07 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-04-16 06:57 - 2015-03-13 05:06 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-04-16 06:57 - 2015-03-13 05:05 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-04-16 06:57 - 2015-03-13 05:05 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-04-16 06:57 - 2015-03-13 05:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-04-16 06:57 - 2015-03-13 05:00 - 14397440 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-04-16 06:57 - 2015-03-13 04:57 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-04-16 06:57 - 2015-03-13 04:56 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-04-16 06:57 - 2015-03-13 04:54 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-04-16 06:57 - 2015-03-13 04:49 - 04305408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-04-16 06:57 - 2015-03-13 04:45 - 02358784 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-04-16 06:57 - 2015-03-13 04:44 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-04-16 06:57 - 2015-03-13 04:43 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-04-16 06:57 - 2015-03-13 04:42 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-04-16 06:57 - 2015-03-13 04:34 - 12825600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-04-16 06:57 - 2015-03-13 04:33 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-04-16 06:57 - 2015-03-13 04:22 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-04-16 06:57 - 2015-03-13 04:20 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-04-16 06:57 - 2015-03-13 04:16 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-04-16 06:57 - 2015-03-13 04:14 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-04-16 06:57 - 2015-03-10 05:25 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-04-16 06:57 - 2015-03-10 05:21 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-04-16 06:57 - 2015-03-10 05:08 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-04-16 06:57 - 2015-03-10 05:05 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2015-04-16 06:57 - 2014-10-14 04:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-04-16 06:57 - 2014-10-14 03:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2015-04-16 06:57 - 2014-06-03 12:02 - 01941504 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-04-16 06:57 - 2014-06-03 12:02 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2015-04-16 06:57 - 2014-06-03 12:02 - 00112064 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-04-16 06:57 - 2014-06-03 11:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-04-16 06:57 - 2014-06-03 11:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2015-04-16 06:56 - 2014-10-30 04:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2015-04-16 06:56 - 2014-10-30 03:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2015-04-16 06:45 - 2015-04-16 06:59 - 00007605 _____ () C:\Users\XXXXXX XXXXXX\AppData\Local\Resmon.ResmonCfg
2015-04-16 00:11 - 2015-04-19 13:15 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Adobe
2015-04-16 00:10 - 2015-05-02 10:35 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Nitro PDF
2015-04-16 00:10 - 2015-04-16 00:10 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Lenovo
2015-04-16 00:08 - 2012-02-17 08:38 - 01031680 _____ (Microsoft Corporation) C:\Windows\system32\rdpcore.dll
2015-04-16 00:08 - 2012-02-17 07:34 - 00826880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2015-04-16 00:08 - 2012-02-17 06:57 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdtcp.sys
2015-04-16 00:03 - 2015-04-16 19:56 - 00115456 _____ () C:\Users\XXXXXX XXXXXX\AppData\Local\GDIPFONTCACHEV1.DAT
2015-04-16 00:03 - 2015-04-16 00:03 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Leadertech
2015-04-16 00:02 - 2015-04-19 13:15 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Adobe
2015-04-16 00:02 - 2015-04-16 20:15 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\VirtualStore
2015-04-16 00:02 - 2015-04-16 00:02 - 00001432 _____ () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-04-16 00:01 - 2015-04-16 00:01 - 00000010 _____ () C:\Windows\getvol.scp
2015-04-16 00:01 - 2015-04-16 00:01 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Local\Power2Go
2015-04-16 00:00 - 2015-05-03 09:34 - 01633980 _____ () C:\Windows\WindowsUpdate.log
2015-04-16 00:00 - 2015-04-16 18:21 - 00000000 ____D () C:\Users\XXXXXX XXXXXX
2015-04-16 00:00 - 2015-04-16 00:00 - 00000020 ___SH () C:\Users\XXXXXX XXXXXX\ntuser.ini
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Vorlagen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Startmenü
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Netzwerkumgebung
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Lokale Einstellungen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Eigene Dateien
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Druckumgebung
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Documents\Eigene Musik
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Documents\Eigene Bilder
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\AppData\Local\Verlauf
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\AppData\Local\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\XXXXXX XXXXXX\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Public\Documents\Eigene Musik
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Public\Documents\Eigene Bilder
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Vorlagen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Startmenü
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Netzwerkumgebung
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Lokale Einstellungen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Eigene Dateien
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Druckumgebung
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Documents\Eigene Musik
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Documents\Eigene Bilder
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\AppData\Local\Verlauf
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\AppData\Local\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default User\Documents\Eigene Musik
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default User\Documents\Eigene Bilder
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default User\AppData\Local\Verlauf
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Users\Default User\AppData\Local\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Programme
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Vorlagen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Startmenü
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Microsoft\Windows\Start Menu\Programme
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Favoriten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Dokumente
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\ProgramData\Anwendungsdaten
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Program Files\Gemeinsame Dateien
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _SHDL () C:\Dokumente und Einstellungen
2015-04-16 00:00 - 2015-04-16 00:00 - 00000000 _____ () C:\Windows\firstboot.dat
2015-04-16 00:00 - 2014-08-14 18:01 - 00000000 ____D () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Macromedia
2015-04-16 00:00 - 2009-07-14 06:54 - 00000000 ___RD () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-04-16 00:00 - 2009-07-14 06:49 - 00000000 ___RD () C:\Users\XXXXXX XXXXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
Beste Grüße
writeoff

writeoff 03.05.2015 12:09
...und der Rest der FRST.txt

Code:
==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-03 09:38 - 2009-07-14 06:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-03 09:38 - 2009-07-14 06:45 - 00031312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-03 09:31 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-03 09:31 - 2009-07-14 06:51 - 00051570 _____ () C:\Windows\setupact.log
2015-05-02 10:30 - 2010-11-21 05:47 - 00140778 _____ () C:\Windows\PFRO.log
2015-04-23 10:55 - 2014-08-14 18:04 - 00000000 ____D () C:\ProgramData\CyberLink
2015-04-22 18:31 - 2014-08-14 17:50 - 00011610 _____ () C:\Windows\DPINST.LOG
2015-04-19 12:52 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2015-04-17 23:13 - 2014-02-03 16:34 - 00000000 ____D () C:\Program Files\Windows Journal
2015-04-17 23:13 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\SysWOW64\winrm
2015-04-17 23:13 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\SysWOW64\sysprep
2015-04-17 23:13 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\SysWOW64\slmgr
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files\Windows Sidebar
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files\Windows Defender
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files\DVD Maker
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files (x86)\Windows Sidebar
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files (x86)\Windows Photo Viewer
2015-04-17 23:13 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-04-17 23:13 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Setup
2015-04-17 23:13 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\oobe
2015-04-17 23:13 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\migwiz
2015-04-17 23:13 - 2009-07-14 05:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\SysWOW64\WCN
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\SysWOW64\Printing_Admin_Scripts
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\system32\winrm
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\system32\WCN
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\system32\slmgr
2015-04-17 23:12 - 2010-11-21 09:06 - 00000000 ____D () C:\Windows\system32\Printing_Admin_Scripts
2015-04-17 23:12 - 2009-07-14 07:37 - 00000000 ____D () C:\Windows\DigitalLocker
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\MUI
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\SysWOW64\com
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\sysprep
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Setup
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\oobe
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\MUI
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\migwiz
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\Dism
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\system32\com
2015-04-17 23:12 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\IME
2015-04-17 16:09 - 2014-08-14 17:51 - 00000000 ____D () C:\Program Files\DIFX
2015-04-17 16:08 - 2014-08-14 17:55 - 00000000 ____D () C:\ProgramData\Package Cache
2015-04-17 15:25 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\AppCompat
2015-04-16 21:10 - 2014-08-15 03:29 - 00700130 _____ () C:\Windows\system32\perfh007.dat
2015-04-16 21:10 - 2014-08-15 03:29 - 00149768 _____ () C:\Windows\system32\perfc007.dat
2015-04-16 21:10 - 2009-07-14 07:13 - 01622706 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-16 20:29 - 2009-07-14 06:45 - 00413096 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-04-16 20:01 - 2009-07-14 07:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-04-16 19:14 - 2014-08-14 18:01 - 00000000 ____D () C:\ProgramData\Adobe
2015-04-16 19:14 - 2014-08-14 18:01 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-04-16 13:16 - 2009-07-14 04:34 - 00000478 _____ () C:\Windows\win.ini
2015-04-16 11:58 - 2014-02-03 16:34 - 00000000 ____D () C:\Windows\ShellNew
2015-04-16 11:53 - 2014-08-14 18:09 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-04-16 11:46 - 2009-07-14 07:32 - 00000000 ____D () C:\Program Files (x86)\MSBuild
2015-04-16 11:44 - 2009-07-14 05:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-04-16 09:32 - 2014-08-14 17:51 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2015-04-16 09:32 - 2014-08-14 17:51 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2015-04-16 09:31 - 2014-08-14 17:59 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-04-16 09:17 - 2014-08-14 18:01 - 00000000 ____D () C:\Windows\System32\Tasks\Lenovo
2015-04-16 09:17 - 2014-08-14 17:56 - 00000000 ____D () C:\Program Files\Lenovo
2015-04-16 09:16 - 2014-08-14 18:01 - 00000000 ____D () C:\Windows\Downloaded Installations
2015-04-16 09:04 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\tracing
2015-04-16 09:01 - 2014-01-30 23:46 - 01596050 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-04-16 08:27 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-04-16 07:29 - 2014-08-14 18:08 - 00000000 ____D () C:\ProgramData\Norton
2015-04-16 07:24 - 2014-08-14 18:08 - 00000000 ____D () C:\Windows\system32\Drivers\NISx64
2015-04-16 00:10 - 2014-08-15 03:04 - 00000000 ____D () C:\ProgramData\Lenovo
2015-04-16 00:08 - 2014-08-14 18:09 - 00000000 ____D () C:\Windows\System32\Tasks\TVT
2015-04-16 00:08 - 2014-08-14 18:01 - 00000000 ___HD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo ThinkVantage Tools
2015-04-16 00:08 - 2014-08-14 17:56 - 00000000 ____D () C:\Program Files (x86)\Lenovo
2015-04-16 00:01 - 2014-08-14 17:54 - 00000042 _____ () C:\Windows\SysWOW64\Drivers\17AA_Lenovo_ThinkCentre_E73_10DR001DGE.MRK
2015-04-16 00:01 - 2014-01-30 21:47 - 00000000 ____D () C:\Windows\Panther
2015-04-16 00:01 - 2014-01-30 21:47 - 00000000 ____D () C:\SWTOOLS
2015-04-16 00:00 - 2009-07-14 07:32 - 00000000 ____D () C:\Windows\system32\restore
2015-04-16 00:00 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Public\Libraries
2015-04-16 00:00 - 2009-07-14 05:20 - 00000000 __RHD () C:\Users\Default
2015-04-16 00:00 - 2009-07-14 05:20 - 00000000 ____D () C:\Program Files\Windows NT

==================== Files in the root of some directories =======

2015-04-16 07:33 - 2015-04-16 07:33 - 0000000 _____ () C:\Users\XXXXXX XXXXXX\AppData\Roaming\gdfw.log
2015-04-16 07:33 - 2015-04-16 07:33 - 0000779 _____ () C:\Users\XXXXXX XXXXXX\AppData\Roaming\gdscan.log
2015-04-16 06:45 - 2015-04-16 06:59 - 0007605 _____ () C:\Users\XXXXXX XXXXXX\AppData\Local\Resmon.ResmonCfg
2015-04-16 18:44 - 2015-04-16 18:44 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-08-14 17:58 - 2014-08-14 17:58 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-08-14 18:06 - 2014-08-14 18:06 - 0000107 _____ () C:\ProgramData\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}.log
2014-08-14 18:04 - 2014-08-14 18:05 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2014-08-14 18:05 - 2014-08-14 18:05 - 0000110 _____ () C:\ProgramData\{B7A0CE06-068E-11D6-97FD-0050BACBF861}.log
2014-08-14 18:05 - 2014-08-14 18:06 - 0000115 _____ () C:\ProgramData\{D6E853EC-8960-4D44-AF03-7361BB93227C}.log

Some content of TEMP:
====================
C:\Users\XXXXXX XXXXXX\AppData\Local\Temp\MouseKeyboardCenterx64_1031.exe
C:\Users\XXXXXX XXXXXX\AppData\Local\Temp\ose00000.exe


Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\dlumd10.dll
C:\Windows\SysWOW64\dlumd11.dll
C:\Windows\SysWOW64\dlumd9.dll
C:\Windows\System32\dlumd10.dll
C:\Windows\System32\dlumd11.dll
C:\Windows\System32\dlumd9.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-04-24 14:50

==================== End Of Log ============================

Beste Grüße
writeoff

Hi schrauber,

mir ist beim Lesen der Addition.txt etwas aufgefallen. Da ich mir nicht sicher bin, ob es für unser Thema relevant ist, teile ich es Dir lieber mit.

Aus dem log im ersten Post kann man sehen, dass G Data auch eine Datei des iclsclient in Quarantäne verschoben hat.
"c:\windows\syswow64\config\systemprofile\appdata\local\intel\icls client\iclsclient.log"
Der iclsclient gehört zur Intel Management Engine.

In der Addition.txt steht unter disabled services unter anderem
"MSCONFIG\Services: LMS => 2" .
Auch dieser Service hat mit der Intel Management Engine zu tun.

Ich hatte eine Reihe von Services und Autostarteinträgen deaktiviert, weil Lenovo den Rechner derart vollgeknallt hat mit allem möglichen unnützen Kram, dass der Rechner ewig lange zum Booten benötigt hat.

Ist es denkbar, dass ich mir dabei selber ins Knie geschossen hab? Das Booten geht jetzt zwar superschnell, aber möglicherweise fehlt einer der services und das führt zur besagten Meldung.

Dann müsste ich mich zwar ganz schön schämen, aber wenn wir dadurch den Fehler hätten und uns weitere Suchen ersparen könnten, dann wäre Schämen für mich ok.

Sofern das alles Quatsch ist --> nichts für Ungut, ich freue mich auf Deine nächsten Anweisungen.

Beste Grüße

writeoff

schrauber 03.05.2015 17:16
Öffne mal bitte FRST, in die Search Box folgendes kopieren:

rpcnetp.exe


und auf Search Files klicken.

writeoff 03.05.2015 17:22
das Ergebnis

search.txt

Code:
Farbar Recovery Scan Tool (x64) Version: 02-05-2015
Ran by XXXXXX XXXXXX at 2015-05-03 18:18:52
Running from C:\Users\XXXXXX XXXXXX\Desktop
Boot Mode: Normal

================== Search Files: "rpcnetp.exe" =============

C:\Windows\System32\rpcnetp.exe
[2015-05-03 13:31][2015-05-03 13:34] 0017408 ____A () 9A66E27C59C804A376A72831B5B771C5

====== End Of Search ======

schrauber 04.05.2015 11:42
Suche bitte wiederholen, diesmal damit:

rpcnetp.*

writeoff 04.05.2015 11:46
... das Ergebnis


Code:
Farbar Recovery Scan Tool (x64) Version: 02-05-2015
Ran by XXXXXX XXXXXX at 2015-05-04 12:43:13
Running from C:\Users\XXXXXX XXXXXX\Desktop
Boot Mode: Normal

================== Search Files: "rpcnetp.*" =============

C:\Windows\System32\rpcnetp.exe
[2015-05-03 13:31][2015-05-03 13:34] 0017408 ____A () 0C496AAF56C73DA7B93D1432FBEB5BCD

====== End Of Search ======

schrauber 05.05.2015 07:30
Tolle Wurst, kein Replacement da.


Bitte Windows Repair laufen lassen:
Windows reparieren - so geht's - Anleitungen

writeoff 05.05.2015 08:27
Hallo Schrauber,

danke, bin schon am downloaden von tweaking.com.

Gestern tauchte das Problem übrigens den ganzen Tag trotz mehrfachem Boot nicht auf. Heute wieder das gewohnte Bild: Rechner bootet ok, nach einigen Minuten schlägt die Verhaltensüberwachung dann wieder an und meldet rpcnetp.exe als verdächtig. Was auch immer da tätig wird, es findet nicht jeden Tag statt.

Noch eine Hinweis: das Problem ist zum ersten Mal aufgetaucht an Tag der Installation einer neuen Version (25.1.0.4) von G Data. Mit der 25.1.0.3 gab es keine Meldungen.

Beste Grüße
writeoff

schrauber 05.05.2015 10:43
Zur Not fragen wir mal beim GDATA Support an :)

writeoff 05.05.2015 11:33
Mein erster Anruf bei G Data war am 22.4.. An diesem Tag hatte ich um 18:32 G Data upgedatet auf die 25.1.0.4 und um 19:28 kam das Problem zum ersten Mal. Habe alle Infos an G Data hochgeladen, wie vom Support gefordert.

Am 1.5. (also nach 9 Tagen) habe ich nachgefragt, wie denn der Stand wäre. Meine Uploads lagen vor und waren beim 2nd Level zur Untersuchung.

Heute habe ich wieder angerufen, aber immer noch keine Antwort vom 2nd Level.

Habt Ihr da einen besseren Draht? Über meine Kanäle komme ich da nicht weiter.

Beste Grüße
writeoff

Noch ein paar Infos

1. Auch bevor das Problem am 22.4. das erste Mal gemeldet wurde, hat mein Rechner immer wieder die rpcnetp.exe modifiziert. Ich habe 7 Wiederherstellungspunkte, vor dem 22.4., bei denen immer eine Dateiversion mit anderem Änderungsdatum gespeichert ist. Vor dem 22.4. hat sich G Data daran aber nicht gestört.

2. Der zeitliche Verlauf der Meldungen ist merkwürdig:
vor 22.4.: Rechner läuft ohne Problem;
22.4.: Problem taucht auf;
23.-24.4.: Rechner läuft ohne Problem;
26.-27.4.: Rechner läuft ohne Problem;
30.4.: Rechner läuft ohne Problem;
1.5.: Problem taucht auf;
2.5.: Problem taucht auf;
3.5.: Problem taucht auf;
4.5.: Rechner läuft ohne Problem;
5.5.: Problem taucht auf;

Beste Grüße
writeoff

schrauber 05.05.2015 15:31
Nee, bei GDATA kenn ich leider keinen :)

writeoff 05.05.2015 17:31
Da wir anscheinend beide das G Data Update als Ursache in Erwägung ziehen und da G Data noch nicht geantwortet hat, könnte ich doch die Wartezeit auf die Antwort nutzen, um einfach mal via Systemwiederherstellung auf den Status vor dem Update zurückgehen.

Wenn der Fehler verschwunden sein sollte, hätten wir ja das Ziel erreicht. Wenn nicht, ist nichts versaut. Daten sind mehrfach gesichert, das Risiko ist also überschaubar.

Davon unabhängig wäre es natürlich schön zu wissen, welche Task/welcher Prozess immer wieder die rpcnetp.exe ändert und warum das nicht jeden Tag passiert, sondern dem oben beschriebenen merkwürdigen Muster folgt. Da das schon lange vor dem ersten Auftreten der Problemmeldung passierte, ist es möglicherweise völlig ok und harmlos. Die Verhaltensüberwachung hat ja auch FRST angemeckert, ohne dass FRST bösartig wäre (hoffe ich zumindest :D).

Sollen wir das so machen? Ich würde mich sofort wieder melden, wenn einer der folgenden Bedingungen erfüllt wäre:
1. Antwort von GData liegt vor
2. Fehler taucht wieder wieder auf (dann wäre die Idee mit der Wiederherstellung geplatzt)
3. Fehler taucht mindestens eine Woche nicht auf (das wäre ein deutlich längerer fehlerfreier Zeitraum und damit ein Hinweis, dass an der Idee etwas dran sein könnte.)

Beste Grüße
writeoff

schrauber 06.05.2015 08:00
Klingt gut :)

writeoff 06.05.2015 08:05
OK, dann lege ich los und melde mich unter den oben beschriebenen Bedingungen.

Beste Grüße
writeoff

schrauber 06.05.2015 12:45
ok :)

writeoff 17.05.2015 17:56
Hallo schrauber,

kurze Wasserstandsmeldung:

Rechner läuft seit Systemwiederherstellung ohne Probleme. Immer noch keine Antwort von G Data auf meine wiederholten Anfragen.

Die Hypothese des Zusammenhangs mit der neuen Version von G Data ist also zumindest nicht widerlegt.

Ich lasse den Test einfach noch etwas weiterlaufen, in der Hoffnung auf eine baldige Antwort von G Data. OK?

Beste Grüße
writeoff

schrauber 18.05.2015 10:52
jop :)

writeoff 01.06.2015 19:18
Hallo schrauber,

heute ist der Monatserste und das Problem ist wieder da.

Auch am ersten Mai ging das Problem nach einer längeren problemfreien Zeit los.

Was passiert da immer am Monatsersten und an den nachfolgenden Tagen? :confused:

Von G Data natürlich immer noch keine Antwort.

Beste Grüße
writeoff

schrauber 02.06.2015 17:07
Öhm, Patchday MS war schon.....Schau mal ins Update-Log von GDATA.

Der Support rührt sich immer noch nit???????

Wenn ich das bei Emsisoft so machen würde wäre ich schon lange ohne Job :)

writeoff 02.06.2015 21:09
Hallo schrauber,

habe gestern Abend wieder mal mit dem Support telefoniert. Mein Upload sei beschädigt gewesen; ich solle die Datei nochmal hochladen. :aufsmaul:
Habe ich dann auch gemacht und warte weiter ab.

In der Zwischenzeit habe ich mir einen Downloadlink der 25.1.0.3 bestellt. Während des Wartens auf die Antwort des 2nd Level werde ich die "Systemwiederherstellungsreparatur" komplett deinstallieren und dann die 25.1.0.3 sauber aufspielen. Kommt der Fehler erneut, dann ist die Versionshypothese final erledigt.

Spannend ist für mich immer noch die Frage, ob es ein Zufall ist, dass das Problem zum zweiten Mal nach länger Pause am Monatsersten aufgetreten ist. Immerhin war heute Ruhe, im Gegensatz zum 2.5.

Vielleicht läuft da einfach etwas im HIntergrund, was gar kein Problem ist und zu Unrecht von der Verhaltensüberwachuing angemeckert wird. Es wird ja auch ein Logfile des ICLS Client in die Quarantäne verschoben, und das ist laut Web ein Intel Produkt.

Blöde Sache, wenn man seinem Rechner nicht trauen kann. Na ja, das kann man heute aus anderen Gründen vermutlich sowieso nicht. :lach:

Sollen wir erstmal aud den 2nd Level warten und ich installiere inzwischen die 1.0.3?

Beste Grüße
writeoff

Zu früh frohlockt.

Nachdem der heute den ganzen Tag ohne Probleme lief, habe ich ihn eben runtergefahren. Musste dann nochmal ran und peng! da war der Alarm wieder.

Diesmal ist mehr als sonst in die Quarantäne gegangen.

Code:
*** Prozess ***

Prozess: 2724
Dateiname: rpcnetp.exe
Pfad: c:\windows\system32\rpcnetp.exe

Herausgeber: Unbekannter Herausgeber
Erstelldatum: 06/02/15 19:43:10
Änderungsdatum: 06/02/15 19:47:31

Gestartet von: services.exe
Herausgeber: Microsoft Windows


*** Aktionen ***

Das Programm hat Aktionen im Namen eines anderen Programmes ausgeführt.
Das Programm stellt eine Verbindung über ein Netzwerk her.
Das Programm hat Dateien im Systemordner gespeichert.
Das Programm hat eine ausführbare Datei angelegt oder manipuliert.
Eine Netzwerkverbindung wurde im Kontext eines anderen Programmes geöffnet.
Das Programm hat eine Kopie von sich selbst angelegt.
Das Programm hat versucht die eigene Programmdatei zu löschen.
Das Programm hat sich selbst gelöscht indem es die Kontrolle über ein anderes Programm übernimmt.
Das Programm hat sich in den Windows Ordner kopiert.
Das Programm hat eine ausführbare Datei im Windows-Ordner angelegt oder manipuliert.


*** Quarantäne ***

Folgende Dateien wurden in Quarantäne verschoben:
C:\Windows\System32\rpcnetp.exe
c:\windows\system32\gwx\telemetrystore.xml
c:\windows\system32\logfiles\scm\0d4e6746-882e-42c0-b262-2b3bdc76c667
c:\windows\system32\logfiles\scm\5f5a18eb-dc73-4e45-a11c-b59043598412
c:\windows\system32\logfiles\scm\7afcc0ca-7121-422a-ab45-b0e8d599ff08
c:\windows\system32\logfiles\scm\81cc0928-9fc0-4f0d-a5f3-932e47290d91
c:\windows\system32\logfiles\scm\8b1f1413-4a42-40b5-bfa4-94c968ea28d7
c:\windows\system32\logfiles\scm\9435f817-fed2-454e-88cd-7f78fda62c48
c:\windows\system32\logfiles\scm\abcf8661-794a-4238-86bd-a368b2efc154
c:\windows\system32\logfiles\scm\df20d329-10b6-40fa-9b46-c66bb493a2ed
c:\windows\system32\rpcnetp.exe
c:\windows\syswow64\config\systemprofile\appdata\local\intel\icls client\iclsclient.log
c:\windows\syswow64\upgrd.bat
c:\windows\syswow64\upgrd.exe
c:\windows\temp\instb64.sys

Folgende Registry Einträge wurden gelöscht:
\REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

\REGISTRY\USER\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-12-bf-d7-ef-e4 || WpadDetectedUrl

YGLR2vKNDysnzXlygp4sJ9q/wHLiKyf6cpIMLSfoctJyggcuJ2e8cnLdcuLucCp0ckInJyYGt3JycnJiYoArJycnJyYGuWLR2uKvkC4nlykmJieXCWpyonKScnKgLCf/YmJy8g/acrLfcnKOcqK3wC4nqHLCcnIO/HLScqJyktAoJykmJicJnXKSKycnJ6nQKifXDM5ysp5yco5yonbwKCcnJiYnB89ygmJicoJwZnJyYmJycnCGcnJiYnJycJdygmJicoJw93KCcnJycnC4coIqJywn53DYcoJycnJycPly8isn63KSDacoJysmJicLpysXrTVmKiwXrTVmKicXrTVmKgunLScsJiYnDLcnJykmJicJtygnLycrJwq3KScpJycnCLcqJ8dw7HJyYmJycnD8cvIvJiYn/3CdcoJycnJycI5ycgnnLScoJiYnCPcsJycnJyYG9y0nyYCWcnLsgLZygnJycnKAp3KyrgAA
Version der Regeln: 5.0.40
OS: Windows 6.1 Service Pack 1.0 Build: 7601 - Workstation 64bit OS
Version der dll: 51504

C:\Windows\System32\rpcnetp.exe
MD5: 9A66E27C59C804A376A72831B5B771C5
C:\Windows\system32\services.exe
MD5:
Beste Grüße
writeoff

schrauber 03.06.2015 19:33
Wenn Du die Muße hast, alles raus aus der Quarantäne und nochmal bei Virustotal scannen.

writeoff 07.06.2015 11:19
So,

ich hatte die Muße und habe alles bei virustotal gescannt.

Erkennungsrate immer 0.
Immerhin liefert virustotal bei der rpcnetp.exe folgende zusätzlichen Informationen, die sich ebenfalls auf Verhaltensanalysen beziehen.


Code:
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
C:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b86ba (successful)
C:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b8dll (successful)
\\.\pipe\net\NtControlPipe10 (failed)
Written files
C:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b8dll (successful)
Copied files
SRC: C:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b86ba
DST: C:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b8dll (successful)
Runtime DLLs
c:\7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b8dll (failed)

Code:
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-02-20 04:29:24
Entry Point 0x00002B15
Number of sections 4
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
.text 4096 13542 13824 6.25 61ceabe46a082eb24a8bc5d071da7a00
.data 20480 440 512 0.45 62ee1c1d9c5e5ae9ac9f6e96ba5f3b1d
.cdata 24576 572 1024 1.38 73cf8199cbfdf04d043540b8fb213953
.reloc 28672 824 1024 5.81 0784c2b1e1f9f540ef7808beba6681e4
PE imports
[+] ADVAPI32.dll
DuplicateTokenEx
RegQueryValueExA
RegCloseKey
StartServiceCtrlDispatcherA
OpenProcessToken
SetServiceStatus
CreateProcessAsUserA
RegOpenKeyA
RegDeleteValueA
RegEnumValueA
SetTokenInformation
RegisterServiceCtrlHandlerA
[+] KERNEL32.dll
GetStdHandle
EnterCriticalSection
WriteProcessMemory
VirtualAllocEx
TerminateThread
lstrlenA
lstrcmpiA
WaitForSingleObject
FreeLibrary
CopyFileA
ExitProcess
LoadLibraryA
RtlUnwind
ExitThread
CreateRemoteThread
DeleteCriticalSection
SetThreadPriority
LocalAlloc
OpenProcess
ReadProcessMemory
GetModuleFileNameA
GetProcAddress
SetStdHandle
SetFilePointer
RaiseException
CreateThread
GetModuleHandleA
GetExitCodeThread
lstrcatA
lstrcpyA
CloseHandle
ResetEvent
GetSystemDirectoryA
WaitForMultipleObjects
GetVersion
GetBinaryTypeA
SetEvent
LocalFree
TerminateProcess
ResumeThread
CreateProcessA
InitializeCriticalSection
WriteFile
CreateEventA
Sleep
VirtualFreeEx
CreateFileA
GetCurrentThreadId
GetCurrentProcessId
LeaveCriticalSection
[+] USER32.dll
GetMessageA
CreateWindowExA
PeekMessageA
wsprintfA
DispatchMessageA
PostQuitMessage
PostMessageA
KillTimer
SetTimer
TranslateMessage
DefWindowProcA
RegisterClassA
PostThreadMessageA
[+] USERENV.dll
CreateEnvironmentBlock
[+] WSOCK32.dll
inet_addr
ioctlsocket
PE exports
rpcnetp
ExifTool file metadata
FileAccessDate
2015:01:20 08:01:27+01:00

FileCreateDate
2015:01:20 08:01:27+01:00


Code:
File identification
MD5 9a66e27c59c804a376a72831b5b771c5
SHA1 c7f01630d7e276ef5bfc82e39cc6870556bdfe78
SHA256 7fac053236d3ec7df00d7592087197281b0291490f6ea85140e7dccb258b86ba
ssdeep
384:OW9KAUkANjOqYrxPheuHThCA2Ff2UKiQzCwEfB:O+KAU3kqYrxPhp9CA2cUKimCwEfB

authentihash f93ab0bb7a320992a41174e8ecea92259f2793fce966640c6ec5f8a18c3e0861
imphash ff5b6a43b1b731f25aeef3f8dca9cae0
File size 17.0 KB ( 17408 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID        Clipper DOS Executable (33.5%)
Generic Win/DOS Executable (33.2%)
DOS Executable Generic (33.2%)
Tags
peexe

VirusTotal metadata
First submission 2014-07-16 13:44:32 UTC ( vor 10 Monate, 3 Wochen )
Last submission 2015-06-07 10:02:29 UTC ( vor 7 Minuten )
Dateinamen        rpcnetp.dll
7FAC053236D3EC7DF00D7592087197281B0291490F6EA85140E7DCCB258B86BA.exe
file-7764171_exe
7FAC053236D3EC7DF00D7592087197281B0291490F6EA85140E7DCCB258B86BA.zip
rpcnetp.exe
bios_Lenovo_AMI_919_rpcnetp (2).exe
rpcnetp.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight

Beim Installieren der 25.1.0.3 würde die Quarantäne gelöscht. Das wird doch kein Problem sein, oder? Wenn der Fehler weg ist, benötigen wir die alten Quarantäne-Files nicht mehr. Wenn der Fehler wiederkommt, haben wir neue Files in der Quarantäne. Korrekt?

Beste Grüße
writeoff

schrauber 08.06.2015 06:08
korrekt :)

writeoff 12.06.2015 13:36
Hallo Schrauber,

der Rechner ist aktuell wieder friedlich, vermutlich bis zum 1.7..

Abwechslungsreich ist es an der G Data-Front.

Nachdem die ersten eingesendeten Quarantäne-Daten angeblich nicht lesbar waren, habe ich die Daten auf dem beschriebenen Weg mit dem speziell heruntergeladenen Tool ein weiteres Mal verschickt.

Hat dann wieder gedauert; danach die nächste Mail gleichen Inhalts: Daten unlesbar, bitte erneut einsenden. Habe dann die Hotline angerufen und gefragt, wie oft ich das denn noch machen solle. Der Agent schlug dann vor, alle Quarantäne-Files in ein Archiv zu packen und dieses per Mail zu versenden. Das haben wir dann live und gemeinsam erledigt, so dass am Ende des Telefonats die Daten per Mail versendet waren. Das war am Dienstag.

Heute kam eine Mail, dass ich die Daten des Quarantäne-Ordners erneut einsenden solle.

Jetzt habe ich alle Dateien der Quarantäne nochmal gezippt versendet, danach auch noch ungezippt versendet und zusätzlich dann noch alle Files des letzten Vorfalls unverschlüsselt abgeschickt. Mal sehen, mit welcher Ausrede die Kollegen diesmal ihren Job nicht erledigen.

Das ist doch echt nicht normal, oder?

Beste Grüße
writeoff

schrauber 13.06.2015 08:18
der Support ist ja mal nice :)

writeoff 16.06.2015 10:10
Und wieder hat sich der Support gemeldet. Ich hätte die rpcnetp.exe gar nicht geschickt. Wieder angerufen, auf meine Mails von letzter Woche hingewiesen, und, oh Wunder: natürlich lag die Datei vor. Höfliche Entschuldigung der Dame am Telefon, und sie werde die Datei gleich an den 2nd Level weiterleiten. :koch:

Ob die sich einen Spaß mit mir machen?????

Beste Grüße
writeoff

schrauber 17.06.2015 05:27
Nö, die verdienen aber so viel Kohle mit gewerblichen, dass Normalo-user egal sind. Meine persönliche Meinung :)

writeoff 23.06.2015 18:55
Hallo Schrauber,

kaum sind 2 Monate vorbei, schon gibt es eine Antwort von GData. "Die Prüfung der von Ihnen eingeschickten Datei durch unserer Virenlabor hat ergeben, dass die Software "LoJack" zu der die Datei gehört, ein Verhalten an den Tag legt, das echter Malware sehr ähnlich ist. Da zudem die Möglichkeit besteht, dass die Software durch Malware missbraucht werden kann, um Zugriff auf den jeweiligen PC zu erhalten, empfehlen wir Ihnen, diese Software nicht weiter zu verwenden."

Habe etwas recherchiert:LoJack kommt von einer Fa. namens Absolute Software. LoJack ist angeblich eine Sicherheitssoftware, die es erlaubt, gestolene Rechner wieder aufzufinden oder die FP per Fernbefehl zu schrotten. Hier der Link: hxxp://thinkwiki.de/Computrace

Bestimmt ok für ein Notebook, aber eher unnötig für einen Tower-PC. Anscheinend funkt das Teil regelmäßig nach Hause, um abzufragen, ob es die FP sprengen soll.

Immerhin ist es offensichtlich kein Virus, insofern aus dieser Sicht Entwarnung. Trotzdem ist es irgendwie schräg, eine Art Handgranate auf dem Rechner zu haben, bei der man keine Kontrolle darüber hat, ob diese ge- oder entsichert ist. Ich würde LoJack daher lieber loswerden.

Jetzt das Beste: ich finde nirgendwo in der Liste der installierten SW das Programm. Wie werde ich so etwas denn wieder los? Habe im Web einen Hinweis gefunden, dass die SW im BIOS verankert sei, aber auch im BIOS habe ich nichts gefunden, was ich disablen könnte. Bin gerade etwas ratlos und hoffe sehr, dass Du mir helfen kannst.

Beste Grüße
writeoff

schrauber 24.06.2015 09:03
Welche Datei genau hast du eingeschickt?

writeoff 24.06.2015 09:30
Hallo schrauber,

erst die Antwort auf Deine Frage: eingeschickt habe ich die rpcnetp.exe.


Jetzt die News mit Tendenz zu einer guten Nachricht:

Nach quälenden und letztlich völlig nutzlosen Telefinaten mit Lenovo, die schlicht abstreiten, dass sie diese SW installiert haben, habe ich gerade mit Absolute Software telefoniert und in London jemanden aufgetrieben, der sich scheinbar etwas auskannte.

In der Tat war deren SW auf meiner Maschine installiert und hat sich fröhlich jeden Tag auf deren Servern gemeldet und nachgefragt, ob der Rechner denn als gestolen gemeldet sei und ob er sich selber in die Luft sprengen solle. Der freundliche Mitarbeiter hat jetzt angeblich die SW deaktiviert, so dass mein Rechner bei der nächsten Routine-Meldung den Befehl bekommt, mit diesem Unsinn aufzuhören. Eine physische Löschung auf meinem Rechner sei nicht möglich; ich müsse mich mit der Deaktivierung zufriedengeben.

Damit haben wir meiner Meinung nach jetzt folgende Erkenntnisse:
1. GData hat die gemeldete/beanstandete Datei als Bestandteil von LoJack von Absolute Software identifiziert. Diese Aussage war aber noch nicht verifiziert.
2. Absolute Software hat bestätigt, dass die SW auf meinem REchner aktiv ist und dass mein Rechner sich täglich bei deren Servern meldet. Damit erscheint die Aussage von GData plausibel, dass es sich wirklich um LoJack handelt.
3. Die Software ist zwar kein Virus, verhält sich aber wie Schadsoftware und birgt Risiken für externe Manipulationen. Deshalb sollte sie nach Möglichkeit entfernt werden.
4. Der Support von Absolute hat die SW angeblich deaktiviert. Eine Löschung sei unmöglich, selbst durch ein neues Aufspielen des BS könne man das nicht schaffen.

Das ist aus meiner Sicht der aktuelle Kenntnisstand. Teilst Du meine Bewertung, oder liege ich daneben?
Falls Du meine Bewertung teilen solltest: wollen wir wieder auf den Abwartepfad gehen und sehen, ob noch etwas kommt, oder empfiehlst Du ein anderes Vorgehen wie z.B. den Versuch einer vollständigen Entfernung?

Übrigens ist es scheinbar völlig irrelevant, dass GData die rpcnetp.exe in Quarantäne geschickt hat. Die Software funkt trotzdem fröhlich meinen Standort und was auch immer in die Welt hinaus.

Beste Grüße
writeoff

schrauber 25.06.2015 08:12
Die Datei ist eine völlig legitime Windows Datei. Hast Du die mal bei Google eingegeben? :)
Von daher bringt entfernen da nix.
Ich würde mal abwarten ob GDATA weiter meckert.

writeoff 25.06.2015 09:08
Hallo schrauber,

ich habe mit diesem Thema so viele Stunden mit Google verbracht, dass ich bestimmt bald ne goldenen Ehrenmedaille von denen bekomme. :crazy:

Bei Thema "Entfernen" hatte ich nicht an die rpcnetp.exe gedacht, sondern daran, dass irgendwo auf dem Rechner ja die inzwischen hoffentlich deaktivierte Software herumliegen muss. Wenn die nur deaktiviert ist, kann sie auch durch was auch immer wieder aktiviert werden. Der Agent von gestern sagte, dass die SW sich irgendwo permanent auf dem Rechner einniste und auch ein neues Aufspielen der SW unbeschadet überstehe. Denen einfach zu glauben, dass der Sender jetzt abgeschaltet sei, fällt mir nicht ganz leicht. Daher meine Frage nach einer dauerhaften Entfernung.

Abwarten macht vermutlich am meisten Sinn, weil der nächste Monatserste ja bald kommt. Bleibt GData still, wäre das ein gutes Indiz dafür, dass die SW (fürs Erste) Ruhe gibt.

Beste Grüße
writeoff

schrauber 26.06.2015 05:43
Poste mal frische FRST Logs, wir gehen mal auf die Suche :)

writeoff 26.06.2015 08:06
FRST TEil 1

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by XXXXXX (administrator) on E73 on 26-06-2015 07:06:26
Running from C:\Users\XXXXXX\Desktop
Loaded Profiles: XXXXXX (Available Profiles: XXXXXX)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\GDScan\GDScan.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKProxy.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe
() C:\Program Files\Synergy\synergyd.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\GDKBFltExe32.exe
(G Data Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFwSvcx64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(G Data Software AG) C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKBap64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(G DATA Software AG) C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFirewallTray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [GDFirewallTray] => C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFirewallTray.exe [1855608 2015-02-20] (G DATA Software AG)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\...\MountPoints2: {a438ebc5-e483-11e4-b50f-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\SysWOW64\GdScrSv.scr [2229880 2015-02-20] (G Data Software AG)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1403224 2015-04-23] (Garmin Ltd. or its subsidiaries)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/welcome/thinkcentre
HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkcentre
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1668834982-245352921-3405046034-1001 -> DefaultScope {7EF566CC-A607-4F01-A850-3B859A49212D} URL =
SearchScopes: HKU\S-1-5-21-1668834982-245352921-3405046034-1001 -> {7EF566CC-A607-4F01-A850-3B859A49212D} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-16] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-16] (Oracle Corporation)
BHO-x32: CmjBrowserHelperObject Object -> {6FE6A929-59D1-4763-91AD-29B61CFFB35B} -> C:\Program Files (x86)\Mindjet\MindManager 11\Mm8InternetExplorer.dll [2013-05-14] (Mindjet)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF ProfilePath: C:\Users\XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_194.dll [2015-06-23] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-16] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll [2015-06-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-03-12] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-03-12] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 9\npnitromozilla.dll [2014-02-14] (Nitro PDF)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Extension: Adblock Plus Pop-up Addon - C:\Users\XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\adblockpopups@jessehakanen.net.xpi [2015-04-16]
FF Extension: Ghostery - C:\Users\XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\firefox@ghostery.com.xpi [2015-04-16]
FF Extension: NoScript - C:\Users\XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2015-04-16]
FF Extension: Adblock Plus - C:\Users\XXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\qa1my9yv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-16]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe [128296 2008-10-24] ()
R2 AVKProxy; C:\Program Files (x86)\Common Files\G Data\AVKProxy\AVKProxy.exe [2527864 2015-03-04] (G Data Software AG)
R2 AVKService; C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKService.exe [965240 2015-02-20] (G Data Software AG)
R2 AVKWCtl; C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [3672560 2015-04-07] (G Data Software AG)
S4 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [9954096 2014-03-31] (DisplayLink Corp.)
S3 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [713736 2015-04-23] (Garmin Ltd. or its subsidiaries)
R3 GDFwSvc; C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\GDFwSvcx64.exe [3193080 2015-02-20] (G Data Software AG)
R3 GDScan; C:\Program Files (x86)\Common Files\G Data\GDScan\GDScan.exe [789112 2015-03-04] (G Data Software AG)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-02-26] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-03-12] (Intel Corporation)
S4 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\lenovo\easyplussdk\bin\EPHotspot64.exe [532224 2014-04-22] (Lenovo)
S4 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272440 2015-03-09] (Lenovo)
R2 NitroDriverReadSpool9; C:\Program Files\Common Files\Nitro\Pro\9.0\NitroPDFDriverService9x64.exe [230920 2014-02-14] (Nitro PDF Software)
S4 Power Manager DBC Service; C:\Program Files (x86)\Lenovo\PowerMgr\PWMDBSVC.EXE [63848 2014-03-05] (Lenovo)
S4 PwmEWSvc; C:\Program Files (x86)\Lenovo\PowerMgr\PWMEWSVC.EXE [186728 2014-03-05] (Lenovo Group Limited)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [49136 2015-03-27] ()
R2 Synergy; C:\Program Files\Synergy\synergyd.exe [298496 2014-05-23] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 GDBehave; C:\Windows\System32\drivers\GDBehave.sys [150016 2015-04-16] (G Data Software AG)
R3 GDKBB; C:\Windows\system32\drivers\GDKBB64.sys [27648 2015-04-16] (G Data Software AG)
R3 GDKBFlt; C:\Windows\system32\drivers\GDKBFlt64.sys [20992 2015-04-16] (G Data Software AG)
R1 GDMnIcpt; C:\Windows\system32\drivers\MiniIcpt.sys [230400 2015-04-16] (G Data Software AG)
R3 GDPkIcpt; C:\Windows\system32\drivers\PktIcpt.sys [75776 2015-04-16] (G Data Software AG)
R1 gdwfpcd; C:\Windows\System32\drivers\gdwfpcd64.sys [64512 2015-04-16] (G Data Software AG)
R1 GRD; C:\Windows\system32\drivers\GRD.sys [106272 2015-06-09] (G Data Software)
R1 HookCentre; C:\Windows\system32\drivers\HookCentre.sys [124928 2015-04-16] (G Data Software AG)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2014-02-06] (Intel Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-26 07:01 - 2015-06-26 07:01 - 02112512 _____ (Farbar) C:\Users\XXXXXX\Desktop\FRST64.exe
2015-06-24 12:46 - 2015-06-24 12:46 - 00000000 ___HD C:\Users\XXXXXX\AppData\Roaming\.Lenovo
2015-06-24 10:58 - 2015-06-24 10:58 - 00000000 ____D C:\Users\XXXXXX\AppData\Roaming\Nitro
2015-06-21 12:37 - 2015-06-01 21:16 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-21 12:37 - 2015-06-01 20:07 - 00342736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-21 12:37 - 2015-05-27 16:08 - 19607040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-21 12:37 - 2015-05-23 05:15 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-21 12:37 - 2015-05-23 05:15 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-21 12:37 - 2015-05-23 05:15 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-06-21 12:37 - 2015-05-23 05:13 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-06-21 12:37 - 2015-05-23 05:10 - 02278912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-21 12:37 - 2015-05-23 05:09 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-21 12:37 - 2015-05-23 05:08 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-21 12:37 - 2015-05-23 05:06 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-06-21 12:37 - 2015-05-23 05:05 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-21 12:37 - 2015-05-23 05:05 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-06-21 12:37 - 2015-05-23 05:04 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-06-21 12:37 - 2015-05-23 04:57 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-21 12:37 - 2015-05-23 04:52 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-06-21 12:37 - 2015-05-23 04:48 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-21 12:37 - 2015-05-23 04:47 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-21 12:37 - 2015-05-23 04:38 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-21 12:37 - 2015-05-23 04:37 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-21 12:37 - 2015-05-23 04:28 - 12829696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-21 12:37 - 2015-05-23 04:16 - 01309696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-21 12:37 - 2015-05-23 04:14 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-06-21 12:37 - 2015-05-22 21:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-21 12:37 - 2015-05-22 21:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-06-21 12:37 - 2015-05-22 21:00 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-06-21 12:37 - 2015-05-22 20:52 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-21 12:37 - 2015-05-22 20:47 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-06-21 12:37 - 2015-05-22 20:40 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-06-21 12:37 - 2015-05-22 20:29 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-06-21 12:37 - 2015-05-22 20:21 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-21 12:37 - 2015-05-22 20:07 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-21 12:37 - 2015-05-22 20:06 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-21 12:37 - 2015-05-22 19:38 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-21 12:36 - 2015-05-27 16:35 - 24917504 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-21 12:36 - 2015-05-25 19:08 - 03206144 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-06-21 12:36 - 2015-05-23 05:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-21 12:36 - 2015-05-23 05:14 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-21 12:36 - 2015-05-23 04:49 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-21 12:36 - 2015-05-23 04:47 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-21 12:36 - 2015-05-23 04:37 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-06-21 12:36 - 2015-05-23 04:20 - 01950720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-21 12:36 - 2015-05-22 21:01 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-21 12:36 - 2015-05-22 21:00 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-21 12:36 - 2015-05-22 21:00 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-21 12:36 - 2015-05-22 21:00 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-21 12:36 - 2015-05-22 20:59 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-06-21 12:36 - 2015-05-22 20:53 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-21 12:36 - 2015-05-22 20:52 - 06026240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-21 12:36 - 2015-05-22 20:48 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-06-21 12:36 - 2015-05-22 20:47 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-21 12:36 - 2015-05-22 20:47 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-06-21 12:36 - 2015-05-22 20:47 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-06-21 12:36 - 2015-05-22 20:36 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-21 12:36 - 2015-05-22 20:25 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-21 12:36 - 2015-05-22 20:24 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-21 12:36 - 2015-05-22 20:05 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-21 12:36 - 2015-05-22 20:05 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-06-21 12:36 - 2015-05-22 19:57 - 14404096 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-21 12:36 - 2015-05-22 19:50 - 02426880 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-21 12:36 - 2015-05-22 19:26 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-06-21 12:36 - 2015-05-09 05:27 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-06-21 12:36 - 2015-05-09 05:27 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-06-21 12:36 - 2015-05-09 05:27 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-06-21 12:36 - 2015-05-09 05:27 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-06-21 12:36 - 2015-05-09 05:26 - 01162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-06-21 12:36 - 2015-05-09 05:26 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-21 12:36 - 2015-05-09 05:26 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-06-21 12:36 - 2015-05-09 05:25 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
FRST Teil 2

Code:
2015-06-21 12:36 - 2015-05-09 05:20 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:13 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-06-21 12:36 - 2015-05-09 05:13 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-06-21 12:36 - 2015-05-09 05:12 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-06-21 12:36 - 2015-05-09 05:12 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-21 12:36 - 2015-05-09 05:12 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 05:08 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 04:01 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-06-21 12:36 - 2015-05-09 04:01 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-06-21 12:36 - 2015-05-09 03:59 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 03:59 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 03:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-06-21 12:36 - 2015-05-09 03:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-06-21 12:36 - 2015-04-29 20:22 - 14635008 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-06-21 12:36 - 2015-04-29 20:21 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-06-21 12:36 - 2015-04-29 20:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-06-21 12:36 - 2015-04-29 20:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-06-21 12:36 - 2015-04-29 20:19 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-06-21 12:36 - 2015-04-29 20:07 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-06-21 12:36 - 2015-04-29 20:07 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-06-21 12:36 - 2015-04-29 20:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-06-21 12:36 - 2015-04-29 20:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-06-21 12:36 - 2015-04-29 20:05 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-06-21 12:36 - 2015-04-24 20:17 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-06-21 12:36 - 2015-04-24 19:56 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2015-06-21 12:35 - 2015-04-11 05:19 - 00069888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\stream.sys
2015-06-09 13:30 - 2015-06-09 13:30 - 00106272 _____ (G Data Software) C:\Windows\system32\Drivers\GRD.sys
2015-06-09 13:21 - 2015-06-09 13:21 - 00264973 _____ C:\Users\XXXXXX\Desktop\Quarantine.zip
2015-06-09 13:10 - 2015-06-26 07:01 - 00017408 _____ C:\Windows\system32\rpcnetp.exe
2015-06-07 11:50 - 2015-06-07 11:50 - 00000000 ____D C:\Users\XXXXXX\Desktop\Quarantäne
2015-06-07 11:48 - 2015-06-07 11:48 - 00148623 _____ C:\Users\XXXXXX\Downloads\Quarantine.zip
2015-06-02 22:05 - 2015-06-02 22:05 - 00623208 _____ C:\Users\XXXXXX\Desktop\FP(1).exe
2015-06-02 22:02 - 2015-06-02 22:02 - 00002945 _____ C:\Users\XXXXXX\Desktop\G*DATA Protokoll ID 242.txt
2015-06-02 21:33 - 2015-06-02 21:33 - 04798416 _____ (McAfee, Inc.) C:\Users\XXXXXX\Desktop\MCPR.exe
2015-06-02 21:31 - 2015-06-02 21:31 - 00411144 _____ C:\Users\XXXXXX\Desktop\AVCleaner.exe
2015-06-02 21:25 - 2015-06-02 21:27 - 226997104 _____ (G Data Software AG) C:\Users\XXXXXX\Desktop\INT_R_BASE_IS.exe
2015-06-01 20:56 - 2015-06-01 20:56 - 00623208 _____ C:\Users\XXXXXX\Downloads\FP.exe
2015-06-01 20:53 - 2015-06-01 20:53 - 00002247 _____ C:\Users\XXXXXX\Desktop\G*DATA Protokoll ID 224.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-26 07:06 - 2015-05-03 09:42 - 00013858 _____ C:\Users\XXXXXX\Desktop\FRST.txt
2015-06-26 07:06 - 2015-05-03 09:34 - 00000000 ____D C:\FRST
2015-06-26 07:06 - 2009-07-14 06:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-26 07:06 - 2009-07-14 06:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-26 07:05 - 2015-04-16 19:17 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-26 07:04 - 2015-04-17 13:16 - 00049536 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\agremove.exe
2015-06-26 07:02 - 2015-04-16 00:00 - 01433281 _____ C:\Windows\WindowsUpdate.log
2015-06-26 06:58 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-26 06:58 - 2009-07-14 06:51 - 00051570 _____ C:\Windows\setupact.log
2015-06-24 13:01 - 2015-04-16 19:15 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-06-24 12:16 - 2014-08-14 18:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2015-06-24 12:08 - 2015-04-16 00:10 - 00000000 ____D C:\Users\XXXXXX\AppData\Local\Lenovo
2015-06-24 11:26 - 2015-04-16 00:10 - 00000000 ____D C:\Users\XXXXXX\AppData\Roaming\Nitro PDF
2015-06-24 11:12 - 2014-01-30 21:47 - 00000000 ____D C:\SWTOOLS
2015-06-23 21:16 - 2015-04-17 00:05 - 00000000 ____D C:\Users\XXXXXX\Documents\Outlook-Dateien
2015-06-23 21:05 - 2015-04-16 19:17 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-06-23 21:05 - 2015-04-16 19:17 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-06-23 21:05 - 2015-04-16 19:17 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-21 18:20 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2015-06-21 14:09 - 2015-04-16 18:42 - 00000000 ____D C:\Users\XXXXXX\AppData\Roaming\KeePass
2015-06-21 13:43 - 2009-07-14 06:45 - 00413096 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-21 13:42 - 2010-11-21 05:47 - 00144942 _____ C:\Windows\PFRO.log
2015-06-21 13:42 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-06-21 13:03 - 2015-04-16 11:43 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-06-21 13:00 - 2015-04-16 08:06 - 00000000 ____D C:\Windows\system32\MRT
2015-06-21 12:55 - 2009-07-14 04:34 - 00000478 _____ C:\Windows\win.ini
2015-06-12 15:04 - 2015-04-16 00:11 - 00000000 ____D C:\Users\XXXXXX\AppData\Local\Adobe
2015-06-09 17:43 - 2015-04-16 20:06 - 00000000 ____D C:\Users\XXXXXX\AppData\Roaming\Simple Sudoku
2015-06-07 09:18 - 2015-04-16 07:21 - 00000000 ___SD C:\Windows\system32\GWX
2015-06-02 21:43 - 2015-04-16 10:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-02 21:01 - 2015-05-05 12:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-01 20:28 - 2015-04-17 16:08 - 00003556 _____ C:\Windows\System32\Tasks\GarminUpdaterTask
2015-05-27 00:04 - 2015-04-16 08:06 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-04-16 07:33 - 2015-04-16 07:33 - 0000000 _____ () C:\Users\XXXXXX\AppData\Roaming\gdfw.log
2015-04-16 07:33 - 2015-04-16 07:33 - 0000779 _____ () C:\Users\XXXXXX\AppData\Roaming\gdscan.log
2015-04-16 06:45 - 2015-04-16 06:59 - 0007605 _____ () C:\Users\XXXXXX\AppData\Local\Resmon.ResmonCfg
2015-04-16 18:44 - 2015-04-16 18:44 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-08-14 17:58 - 2014-08-14 17:58 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-08-14 18:06 - 2014-08-14 18:06 - 0000107 _____ () C:\ProgramData\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}.log
2014-08-14 18:04 - 2014-08-14 18:05 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2014-08-14 18:05 - 2014-08-14 18:05 - 0000110 _____ () C:\ProgramData\{B7A0CE06-068E-11D6-97FD-0050BACBF861}.log
2014-08-14 18:05 - 2014-08-14 18:06 - 0000115 _____ () C:\ProgramData\{D6E853EC-8960-4D44-AF03-7361BB93227C}.log

Some files in TEMP:
====================
C:\Users\XXXXXX\AppData\Local\Temp\MouseKeyboardCenterx64_1031.exe
C:\Users\XXXXXX\AppData\Local\Temp\ose00000.exe


Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\dlumd10.dll
C:\Windows\SysWOW64\dlumd11.dll
C:\Windows\SysWOW64\dlumd9.dll
C:\Windows\System32\dlumd10.dll
C:\Windows\System32\dlumd11.dll
C:\Windows\System32\dlumd9.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-24 13:43

==================== End of log ============================
Additi0on.txt

[CODE]Additional
FRST Logfile:
Code:
scan result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by XXXXXX at 2015-06-26 07:06:45
Running from C:\Users\XXXXXX\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1668834982-245352921-3405046034-500 - Administrator - Disabled)
Gast (S-1-5-21-1668834982-245352921-3405046034-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1668834982-245352921-3405046034-1003 - Limited - Enabled)
XXXXXX (S-1-5-21-1668834982-245352921-3405046034-1001 - Administrator - Enabled) => C:\Users\XXXXXX

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: G DATA INTERNET SECURITY (Enabled - Up to date) {545C8713-0744-B079-87F8-349A6D5C8CF0}
AS: G DATA INTERNET SECURITY (Enabled - Up to date) {EF3D66F7-217E-BFF7-BD48-0FE816DBC64D}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: G*DATA Personal Firewall (Enabled) {6C670636-4D2B-B121-ACA7-9DAF938FCB8B}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
AAVUpdateManager (HKLM-x32\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe Acrobat Reader DC - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 18.0.0.144 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.194 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.194 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)
Create Recovery Media (HKLM-x32\...\{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}) (Version: 1.20.0.00 - Lenovo Group Limited)
DisplayLink Core Software (HKLM\...\{58F4C39B-D946-4A45-A314-DEFC2AFDF397}) (Version: 7.5.54609.0 - DisplayLink Corp.)
Elevated Installer (x32 Version: 4.0.19.0 - Garmin Ltd or its subsidiaries) Hidden
Energie-Manager (HKLM-x32\...\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}_is1) (Version: 3.20.0008 - Lenovo Group Limited)
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
G DATA INTERNET SECURITY (HKLM-x32\...\{AC68D2FF-1674-4C16-A536-A69FC11BBD82}) (Version: 25.1.0.3 - G DATA Software AG)
Garmin Express (HKLM-x32\...\{3ee9d193-ab0b-47f1-a31c-cce4678679ce}) (Version: 4.0.19.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 4.0.19.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 4.0.19.0 - Garmin Ltd or its subsidiaries) Hidden
GTR 2 (HKLM-x32\...\GTR 2_is1) (Version:  - SimBin)
HP Officejet Pro 8500 A910 - Grundlegende Software für das Gerät (HKLM\...\{0A8BEF69-0DD7-4A8F-9AED-0CB91BEBCB58}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Officejet Pro 8500 A910 Hilfe (HKLM-x32\...\{871B2A9D-0F12-44B3-88C1-E0CB10A232E4}) (Version: 140.0.2.2 - Hewlett Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.0.0.1323 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.0.0.1098 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
Intel® Chipsatz-Gerätesoftware (x32 Version: 10.0.13 - Intel(R) Corporation) Hidden
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
KeePass Password Safe 2.28 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version: 2.28 - Dominik Reichl)
Lenovo Patch Utility 64 bit (HKLM\...\{ABE4638D-D208-4061-9F26-E3E11E3A1E0C}) (Version: 1.3.1.1 - Lenovo Group Limited)
Lenovo Registration (HKLM-x32\...\{6707C034-ED6B-4B6A-B21F-969B3606FBDE}) (Version: 1.0.3 - Lenovo Inc.)
Lenovo Solution Center (HKLM\...\{1CA74803-5CB2-4C03-BDBE-061EDC81CC7F}) (Version: 2.8.004.00 - Lenovo Group Limited)
Lenovo System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 5.06.0034 - Lenovo)
Lenovo USB Graphics (HKLM\...\{E6B1FE9A-CB1E-4096-A0AF-163419CB971C}) (Version: 7.5.54614.0 - Lenovo)
Lenovo USB3.0 to DVI VGA Monitor Adapter (HKLM-x32\...\{454D32AD-C149-49BE-9F2E-8C089C3D6620}) (Version: 1.07.17 - Lenovo)
Lenovo User Guide (HKLM-x32\...\{13F59938-C595-479C-B479-F171AB9AF64F}) (Version: 1.0.0008.00 - Ihr Firmenname)
Logitech Gaming Software 5.10 (HKLM\...\{1444D2EE-C7AD-44A8-844F-2634B49353D1}) (Version: 5.10.127 - Logitech)
Logitech Webcam-Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
Message Center Plus (HKLM\...\{3849486C-FF09-4F5D-B491-3E179D58EE15}) (Version: 3.1.0004.00 - Lenovo Group Limited)
Metric Collection SDK (x32 Version: 1.1.0005.00 - Lenovo Group Limited) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft-Maus- und Tastatur-Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Mindjet (HKLM-x32\...\{EAFBFF2D-5553-474A-85FA-863A82F00900}) (Version: 11.3.305 - Mindjet)
Mozilla Firefox 38.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 38.0.5 (x86 de)) (Version: 38.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 37.0.1 - Mozilla)
Nitro Pro 9 (HKLM\...\{237990BC-415C-4CE8-B279-37892516D9F2}) (Version: 9.0.6.20 - Nitro)
NVIDIA Grafiktreiber 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.52 - NVIDIA Corporation)
NVIDIA HD-Audiotreiber 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
OBELISK top2 (HKLM-x32\...\OBELISK top2_is1) (Version:  - Theben AG)
Personal Backup 5.6 (HKLM\...\Personal Backup 5_is1) (Version: 5.6.8.2 - Dr. J. Rathlev)
PowerDVD Create (HKLM-x32\...\InstallShield_{DE485075-8CD3-4A1E-9ABC-6412EBA44872}) (Version: 10.0 - CyberLink Corp.)
PowerDVD Create 10 (x32 Version: 10.0.1.3710 - CyberLink Corp.) Hidden
Realtek Card Reader (HKLM-x32\...\{F0A8BF4A-972F-41E0-9800-1EFE3BF28266}) (Version: 6.2.9200.30158 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.67.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7116 - Realtek Semiconductor Corp.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
Simple Sudoku 4.2 (HKLM-x32\...\Simple Sudoku_is1) (Version:  - )
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
SteuerSparErklärung 2015 (HKLM-x32\...\{312C0E08-8F94-4536-AAF6-3413F784AC5F}) (Version: 20.36.164 - Akademische Arbeitsgemeinschaft)
Synergy (64-bit) (HKLM\...\{FDD88467-9C61-4E2D-BA69-2A89735A21CC}) (Version: 1.5.0 - The Synergy Project)
Teachmaster 4.3 (nur Entfernen) (HKLM-x32\...\Teachmaster 4.3) (Version:  - )
ThinkVantage Communications Utility (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 3.0.42.0 - Lenovo)
USB Enhanced Performance Keyboard (HKLM\...\{989DC5D9-A776-430D-9E16-D36E5B81CD86}) (Version: 2.0.2.2 - Lenovo)
View Management Utility (HKLM\...\View Management Utility_is1) (Version: 3.0.1.20120921 - Lenovo Inc.)
WaveEditor (HKLM-x32\...\InstallShield_{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}) (Version: 1.0.1.4514 - CyberLink Corp.)
WaveEditor (x32 Version: 1.0.1.4514 - CyberLink Corp.) Hidden
Windows-Treiberpaket - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows-Treiberpaket - NVIDIA (nvlddmkm) Display  (01/10/2014 9.18.13.3238) (HKLM\...\E9A4B47F71DBAB00739515AD85C58A7593BACBEA) (Version: 01/10/2014 9.18.13.3238 - NVIDIA)
Windows-Treiberpaket - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

16-04-2015 09:11:49 20150417 vor lenovo updates
16-04-2015 10:56:47 20150417 nach lenovo, nvidia, firefox, g25  vor gtr2
16-04-2015 10:59:22 DirectX wurde installiert
16-04-2015 11:16:38 20150417 nach gtr2 vor syncmaster
16-04-2015 11:40:12 20150417 nach syncmaster
16-04-2015 11:42:44 Installed Microsoft Office Professional Plus 2010
16-04-2015 11:52:51 Removed Microsoft Office
16-04-2015 11:55:28 20150417 nach office vor project
16-04-2015 11:57:50 Installed Microsoft Project Professional 2010
16-04-2015 12:03:59 Installed Microsoft Visio Premium 2010
16-04-2015 12:07:49 20150417nach Project, VIsio vor Windows update
16-04-2015 12:37:09 Windows Update
16-04-2015 13:13:41 Windows Update
16-04-2015 13:24:16 20150417 office komplett
16-04-2015 13:34:02 Windows Update
16-04-2015 14:18:23 20150417nach skype, silverlight, mouse  vor mindmanager
16-04-2015 14:20:34 Installed Mindjet.
16-04-2015 14:51:23 20150417 nach MIndmanager
16-04-2015 18:26:39 20150417 nach MIndmanager vor Drucker
16-04-2015 18:57:13 SteuerSparErklärung 2015 wurde installiert.
16-04-2015 18:58:38 Installed AAVUpdateManager.
16-04-2015 19:06:59 20150417 nach drucker, keepass und steuer; vor adobe
16-04-2015 19:10:04 Removed Adobe Reader X (10.1.7) MUI.
16-04-2015 19:58:08 20150417 nach adobe vor kleinzeugs
16-04-2015 19:59:14 Installed Synergy (64-bit)
16-04-2015 20:00:42 Windows Modules Installer
16-04-2015 20:07:36 Installed 7-Zip 9.20 (x64 edition)
16-04-2015 20:24:09 20150417 nach kleinzeugs vor garmin
16-04-2015 20:57:55 20150417 Basisrechner ohne GArmin
16-04-2015 21:12:33 Windows-Sicherung
17-04-2015 15:04:28 20150418 nach Outlook und firefox vor garmin
17-04-2015 15:29:13 Sprachpaketdeinstallation
17-04-2015 16:08:04 Garmin Express
17-04-2015 21:07:58 20150417 Komplette Installation
17-04-2015 22:25:41 Windows Update
22-04-2015 19:08:10 20150421 vor virus quarantäne
02-05-2015 12:49:06 Geplanter Prüfpunkt
05-05-2015 08:46:47 20150505 vor sysrep
05-05-2015 08:55:02 Wiederherstellungsvorgang
05-05-2015 09:17:22 Garmin Express
05-05-2015 09:18:38 Garmin Express
17-05-2015 19:31:44 Windows Update
02-06-2015 10:56:36 Geplanter Prüfpunkt
09-06-2015 18:17:20 Geplanter Prüfpunkt
21-06-2015 12:54:34 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {028D016B-AEB9-401C-AF9F-041A2C4D6DDF} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {0D4E6746-882E-42C0-B262-2B3BDC76C667} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: {2CEC4E41-B10E-4621-8070-9EE811B7419B} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2015-04-23] ()
Task: {397C821B-11B3-4230-AB0F-5E51B33EA316} - System32\Tasks\RtHDVBg_LENOVO_MICPKEY => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2013-11-13] (Realtek Semiconductor)
Task: {3C09831B-FAF8-4FF1-A0B1-81D5A3838EAA} - System32\Tasks\TVT\TVSUUpdateTask => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [2015-03-27] ()
Task: {3DD7CAC4-43A3-4E37-AFBA-19FCDAA6B7CA} - System32\Tasks\{5C755EAB-2069-42B3-82FA-14707930F6C8} => pcalua.exe -a "C:\Users\XXXXXX\Downloads\Games\lgs510.exe" -d "C:\Users\XXXXXX\Downloads\Games"
Task: {3ED8BCAD-0D52-4509-B2A1-0E9909C0D53A} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {4BEFA616-F68B-46C6-BA77-1E2D5BF8CCFF} - System32\Tasks\Lenovo\Message Center Plus Launcher => C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe [2012-05-15] (Lenovo)
Task: {4E391E70-CF01-4931-BF8B-70F07E113667} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {5DE76225-9DAB-4A21-849B-8503B39F3939} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2015-03-09] (Lenovo)
Task: {7CEB4B03-13B6-4AF4-AD41-9FBD91A8FC00} - System32\Tasks\PMTask => C:\Program Files (x86)\Lenovo\PowerMgr\PwmIdTsv.exe [2014-03-05] (Lenovo Group Limited)
Task: {85C4DEBE-C483-40A8-8AAE-87DFBA4EA8FB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-23] (Adobe Systems Incorporated)
Task: {8D3BF5B1-7D64-49AA-B4ED-3454953828CE} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe
Task: {9E064A0C-B6B6-446B-B5D3-466238EAD512} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2014-02-13] (Lenovo)
Task: {A04A2D3B-C1E8-4D38-9AC0-9FC61F1C34CB} - System32\Tasks\Lenovo\LSC\LSCTaskService => C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCTaskService.exe [2015-03-09] (Lenovo)
Task: {B7F3A3B4-8EAC-46A9-92A5-4446D0D61218} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {BC490265-B4E6-4636-AEB2-4980CDEF3F8E} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {BC78E8EB-863E-41DA-B5CC-658FB042B54F} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2013-12-17] (Realtek Semiconductor)
Task: {C199D663-3941-4551-9F4E-E8E127F9600A} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2015-03-09] (Lenovo)
Task: {D0647402-7FCD-4A93-9F8A-15DC1C65754B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)
Task: {D3B7C638-9C0A-4379-8931-DD1F3414FF4C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)
Task: {DD947DFE-4912-4E97-AE7D-91F8DF5CB124} - System32\Tasks\CLMLSvc => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [2013-03-06] (CyberLink)
Task: {DF20D329-10B6-40FA-9B46-C66BB493A2ED} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-25] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (Whitelisted) ==============

2014-08-14 17:51 - 2015-02-05 21:07 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-05-23 17:02 - 2014-05-23 17:02 - 00011264 _____ () C:\Program Files\Synergy\synwinhk.DLL
2008-10-24 16:35 - 2008-10-24 16:35 - 00128296 _____ () C:\Programme (x86)\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2014-05-23 17:02 - 2014-05-23 17:02 - 00298496 _____ () C:\Program Files\Synergy\synergyd.exe
2015-02-20 05:42 - 2015-02-20 05:42 - 00382072 ____N () C:\Program Files (x86)\Common Files\G Data\AVKProxy\PktIcpt2x64.dll
2013-03-06 21:49 - 2013-03-06 21:49 - 00626240 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
2013-03-06 21:52 - 2013-03-06 21:52 - 00015424 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1668834982-245352921-3405046034-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\XXXXXX\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: DisplayLinkService => 2
MSCONFIG\Services: Lenovo EasyPlus Hotspot => 3
MSCONFIG\Services: LENOVO.CAMMUTE => 2
MSCONFIG\Services: LENOVO.TPKNRSVC => 2
MSCONFIG\Services: LSCWinService => 3
MSCONFIG\Services: nlsX86cc => 2
MSCONFIG\Services: Power Manager DBC Service => 3
MSCONFIG\Services: PwmEWSvc => 3
MSCONFIG\Services: rpcnet => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\startupfolder: C:^Users^XXXXXX^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Produktregistrierung.lnk => C:\Windows\pss\Logitech . Produktregistrierung.lnk.Startup
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: Enhanced Performance Keyboard => C:\Program Files\Lenovo\USB Enhanced Performance Keyboard\SKDaemon.exe
MSCONFIG\startupreg: GarminExpressTrayApp => "C:\Program Files (x86)\Garmin\Express Tray\tray.exe"
MSCONFIG\startupreg: HP Officejet Pro 8500 A910 (NET) => "C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\ScanToPCActivationApp.exe" -deviceID "CN0BCAM1Q6:NW" -scfn "HP Officejet Pro 8500 A910 (NET)" -AutoStart 1
MSCONFIG\startupreg: KeePass 2 PreLoad => "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
MSCONFIG\startupreg: Lenovo Registration => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
MSCONFIG\startupreg: LENOVO.TPKNRRES => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
MSCONFIG\startupreg: LWS => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: MMReminderService => C:\Program Files (x86)\Mindjet\MindManager 11\MMReminderService.exe
MSCONFIG\startupreg: NvBackend => "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
MSCONFIG\startupreg: Power Manager Startup Utility => C:\Program Files (x86)\Lenovo\PowerMgr\DPMHost.exe
MSCONFIG\startupreg: Start WingMan Profiler => C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{373615F2-BA43-4D57-AACE-4B0B494C99A9}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{B1FA88B5-2D43-411E-8BD8-F8ED6AF3E1DF}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{9BF9D313-D91F-4953-837E-511FFE5676E1}] => (Allow) C:\Users\XXXXXX\AppData\Local\Temp\7zS6EF7.tmp\SymNRT.exe
FirewallRules: [{F0CD1910-BEE8-48D6-A4B9-9A16D446EA2E}] => (Allow) C:\Users\XXXXXX\AppData\Local\Temp\7zS6EF7.tmp\SymNRT.exe
FirewallRules: [{6BA94245-AA81-48A4-81F1-81A9B6AE88E7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F7597BA0-363F-4B8B-A447-19C8626F7BAE}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{750F24C1-681B-461B-AFC5-75466901F70E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{A42D7995-E6BA-4329-9B45-BFDEFE5BB783}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\FaxApplications.exe
FirewallRules: [{117646AB-E3F1-49DF-9DB1-EB3C52C8F312}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\DigitalWizards.exe
FirewallRules: [{264F3E4C-D8E6-4807-AEF0-BBDD110FD559}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\bin\SendAFax.exe
FirewallRules: [{CB4B6D53-93C7-47CF-A060-F8E2A33E6AC2}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\DeviceSetup.exe
FirewallRules: [{DCE64E96-91BB-497B-8C85-070E65F6460D}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPNetworkCommunicator.exe
FirewallRules: [{82EE2663-F1E9-42AE-8520-CD8177EB0BFC}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{9BCFC4BC-EEA9-457F-927D-F491844477E7}] => (Allow) C:\Program Files\Synergy\synergys.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/26/2015 06:59:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2015 09:19:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/23/2015 07:34:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/23/2015 07:33:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Name der fehlerhaften Anwendung: spoolsv.exe, Version: 6.1.7601.17777, Zeitstempel: 0x4f35fc1d
Name des fehlerhaften Moduls: HPDiscoPM5312.dll, Version: 28.0.1315.0, Zeitstempel: 0x507e9729
Ausnahmecode: 0xc0000005
Fehleroffset: 0x000000000001ef74
ID des fehlerhaften Prozesses: 0x5b4
Startzeit der fehlerhaften Anwendung: 0xspoolsv.exe0
Pfad der fehlerhaften Anwendung: spoolsv.exe1
Pfad des fehlerhaften Moduls: spoolsv.exe2
Berichtskennung: spoolsv.exe3

Error: (06/23/2015 07:27:25 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (06/23/2015 07:27:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm LenovoUserGuide.exe, Version 1.0.6.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 11b0

Startzeit: 01d0add9930f5130

Endzeit: 0

Anwendungspfad: C:\ProgramData\Lenovo\userguides\viewer\LenovoUserGuide.exe

Berichts-ID: 19eb6613-19cd-11e5-9786-448a5bc5dc44

Error: (06/23/2015 07:24:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2015 05:21:00 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (06/21/2015 05:17:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2015 01:59:10 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:


System errors:
=============
Error: (06/24/2015 09:21:01 AM) (Source: BROWSER) (EventID: 8032) (User: )
Description: Das Einlesen der Sicherungsliste durch den Suchdienst schlug auf Transport "\Device\NetBT_Tcpip_{1E4C299D-DC11-498C-BA62-A512121AB20F}" zu oft fehl.
Der Sicherungssuchdienst wird beendet.

Error: (06/23/2015 07:33:29 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Druckwarteschlange" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 60000 Millisekunden durchgeführt: Neustart des Diensts.

Error: (06/21/2015 00:50:34 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: Das System wurde zuvor am ‎21.‎06.‎2015 um 12:49:06 unerwartet heruntergefahren.

Error: (06/21/2015 00:34:20 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst WSearch erreicht.

Error: (06/21/2015 00:33:47 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst WSearch erreicht.

Error: (06/21/2015 00:33:17 PM) (Source: Ntfs) (EventID: 137) (User: )
Description: Auf dem Volume "D:" konnte der Transaktionsressourcen-Manager aufgrund eines nicht wiederholbaren Fehlers nicht gestartet werden. Der Fehlercode ist in den Daten enthalten.

Error: (06/21/2015 00:33:17 PM) (Source: volsnap) (EventID: 16) (User: )
Description: Die Schattenkopien von Volume "D:" wurden verworfen, weil die Bereitsstellungaufhebung von Volume "D:", das einen Schattenkopiespeicher für diese Schattenkopie enthält, erzwungen wurde.

Error: (06/21/2015 00:33:17 PM) (Source: volsnap) (EventID: 29) (User: )
Description: Die Schattenkopien von Volume "D:" wurde während der Ermittlung abgebrochen.

Error: (06/21/2015 00:32:00 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst WSearch erreicht.

Error: (06/21/2015 00:31:26 PM) (Source: Ntfs) (EventID: 137) (User: )
Description: Auf dem Volume "D:" konnte der Transaktionsressourcen-Manager aufgrund eines nicht wiederholbaren Fehlers nicht gestartet werden. Der Fehlercode ist in den Daten enthalten.


Microsoft Office:
=========================
Error: (06/26/2015 06:59:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/24/2015 09:19:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/23/2015 07:34:34 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/23/2015 07:33:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: spoolsv.exe6.1.7601.177774f35fc1dHPDiscoPM5312.dll28.0.1315.0507e9729c0000005000000000001ef745b401d0addaa9751be8C:\Windows\System32\spoolsv.exeC:\Windows\System32\HPDiscoPM5312.dllef1c0374-19cd-11e5-a068-448a5bc5dc44

Error: (06/23/2015 07:27:25 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (06/23/2015 07:27:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: LenovoUserGuide.exe1.0.6.011b001d0add9930f51300C:\ProgramData\Lenovo\userguides\viewer\LenovoUserGuide.exe19eb6613-19cd-11e5-9786-448a5bc5dc44

Error: (06/23/2015 07:24:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2015 05:21:00 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:

Error: (06/21/2015 05:17:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/21/2015 01:59:10 PM) (Source: Adobe Reader) (EventID: 16) (User: )
Description:


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-4460S CPU @ 2.90GHz
Percentage of memory in use: 45%
Total physical RAM: 4043.07 MB
Available physical RAM: 2187.27 MB
Total Pagefile: 8084.36 MB
Available Pagefile: 5519.38 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:910.52 GB) (Free:508.04 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive q: (Lenovo_Recovery) (Fixed) (Total:19.53 GB) (Free:7.69 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 81F2BA25)
Partition 1: (Active) - (Size=1.5 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=910.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=19.5 GB) - (Type=07 NTFS)

==================== End of log ============================
--- --- ---


Beste Grüße
writeoff

Hallo schrauber,
mir ist da etwas aufgefallen::glaskugel:

In der Addition.txt gibt es den Abschnitt
"==================== MSCONFIG/TASK MANAGER disabled items =="


Wenn ich mir die da aufgelisteten Services ansehe, dann stimmen die von Inhalt und Reihenfolge exakt mit den Services, die in MSconfig kein Häkchen mehr haben. Klar, deshalb sind sie ja auch "disabled".

Es gibt aber eine Ausnahme in der Liste:
"MSCONFIG\Services: rpcnet => 2"

Dazu findet sich in MSconfig nichts.

RPCNET und RPCNETP sind die immer wieder im Zusammenhang mit LoJack genannten Exes. Auch der Agent von Absolute Software sprach vor allem von der rpcnet.exe.

Möglicherweise ist das nicht wichtig, aber schaden wird die Info bestimmt auch nicht ;)

Beste Grüße
writeoff

schrauber 26.06.2015 10:15
Lade SystemLook von jpshortstuff von einem der folgenden Spiegel herunter und speichere das Tool auf dem Desktop.
SystemLook (64 bit)
  • Doppelklicke auf die SystemLook_x64.exe, um das Tool zu starten.
  • Kopiere den Inhalt der folgenden Codebox in das Textfeld des Tools:
    Code:
    :regfind
    rpcnet
    :filefind
    *rpcnet*
  • Klicke nun auf den Button Look, um den Scan zu starten.
  • Der Suchlauf kann einige Zeit dauern.
  • Wenn der Suchlauf beendet ist, wird sich Dein Editor mit den Ergebnissen öffnen, poste diese in deinen Thread.
  • Die Ergebnisse werden auf dem Desktop als SystemLook.txt gespeichert.

writeoff 26.06.2015 11:47
Hallo schrauber,

das Ergebnis:

Code:
SystemLook 30.07.11 by jpshortstuff
Log created at 12:41 on 26/06/2015 by XXXXXX
Administrator - Elevation successful

========== regfind ==========

Searching for "rpcnet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\rpcnet]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\rpcnetp]

========== filefind ==========

Searching for "*rpcnet*"
C:\Users\XXXXXX\Desktop\Quarantäne\rpcnetp.exe        --a---- 17408 bytes        [19:43 02/06/2015]        [19:47 02/06/2015] 9A66E27C59C804A376A72831B5B771C5
C:\Windows\System32\rpcnetp.exe        --a---- 17408 bytes        [11:10 09/06/2015]        [05:01 26/06/2015] 9A66E27C59C804A376A72831B5B771C5

-= EOF =-


Der Treffer unter C:\Users\XXXXXX\Desktop\Quarantäne\ geht auf mich zurück; das sind die Files, die ich aus der Quarantäne extrahiert hatte, um sie an den Support von GData zu senden.

Beste Grüße
writeoff

schrauber 27.06.2015 08:18
Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:
CloseProcesses:
C:\Windows\System32\rpcnetp.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\rpcnet" /f
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\rpcnetp" /f
Emptytemp:

Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
  • Starte nun FRST erneut und klicke den Entfernen Button.
  • Das Tool erstellt eine Fixlog.txt.
  • Poste mir deren Inhalt.


writeoff 27.06.2015 13:49
Hallo schrauber,

das Ergebnis. Zusatzinfo: FRST lief um 14:44 und rebootete dann. Um 14:46, vermutlich während des Reboots, wurde die Datei C:\Windows\System32\rpcnetp.exe wieder neu angelegt. Das Ding hat offensichtlich Krallen.

Code:
Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by XXXXXX at 2015-06-27 14:44:56 Run:1
Running from C:\Users\XXXXXX\Desktop
Loaded Profiles: XXXXXX (Available Profiles: XXXXXX)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
C:\Windows\System32\rpcnetp.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\rpcnet" /f
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\rpcnetp" /f
Emptytemp:
*****************

Processes closed successfully.
C:\Windows\System32\rpcnetp.exe => moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\rpcnet" /f =========

Der Vorgang wurde erfolgreich beendet.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\rpcnetp" /f =========

FEHLER: Der angegebene Registrierungsschlssel bzw. Wert wurde nicht gefunden.


========= End of Reg: =========

EmptyTemp: => 1001 MB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 14:45:28 ====


Hier das Ergebnis von Systemlook:

Code:
SystemLook 30.07.11 by jpshortstuff
Log created at 14:58 on 27/06/2015 by XXXXXX
Administrator - Elevation successful

========== regfind ==========

Searching for "rpcnet"
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet]
"UseRWHlinkNavigation"="http://www.trojaner-board.de/166608-...new-post.html"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\rpcnetp]
[HKEY_USERS\S-1-5-21-1668834982-245352921-3405046034-1001\Software\Microsoft\Office\14.0\Common\Internet]
"UseRWHlinkNavigation"="http://www.trojaner-board.de/166608-...new-post.html"

========== filefind ==========

Searching for "*rpcnet*"
C:\FRST\Quarantine\C\Windows\System32\rpcnetp.exe.xBAD        --a---- 17408 bytes        [11:10 09/06/2015]        [05:01 26/06/2015] 0C496AAF56C73DA7B93D1432FBEB5BCD
C:\Users\XXXXXX\Desktop\Quarantäne\rpcnetp.exe        --a---- 17408 bytes        [19:43 02/06/2015]        [19:47 02/06/2015] 9A66E27C59C804A376A72831B5B771C5
C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf        --a---- 46230 bytes        [12:49 27/06/2015]        [12:50 27/06/2015] DDA120F56489D83716696F2658810786
C:\Windows\System32\rpcnetp.exe        --a---- 17408 bytes        [12:46 27/06/2015]        [12:49 27/06/2015] 9A66E27C59C804A376A72831B5B771C5

-= EOF =-



Beste Grüße
writeoff

schrauber 27.06.2015 18:19
Lade Dir bitte mal procmon, dann die Datei löschen und aufzeichnen, so kannste sehen wer die Datei wieder neu erstellt :)

writeoff 28.06.2015 11:32
Hallo schrauber,

procmon läuft. Habe quasi zum Üben zuerst mal auf den Bootvorgang verzichtet und nur das Löschen der rpcnetp.exe protokolliert. Die Datei wurde nicht automatisch neu angelegt; anscheinend passiert das nur beim Booten.
Der gesamte Vorgang hat keine Minute gedauert und ca. 500.000 Einträge erzeugt. Habe diese Einträge gefiltert mit "PATH enthält rpcnetp". Da sind dann noch 56 Einträge übrig geblieben.

Jetzt wollte ich die Einträge hier posten, aber finde keinen Weg, einen Text zu erzeugen. Habe fürs Erste mal den Umweg über CSV gewählt. Hilft Dir das, oder soll ich die Daten anders aufbereiten?

Wenn ich mit procmon richtig umgehen kann und das Reporting beherrsche, kann ich ja die rpcnetp.exe löschen und dann den Rechner neu booten. Dabei wird die Datei vermutlich neu angelegt, so dass wir sehen sollten, wer da tätig wird.
Wobei, der Agent von Absolute Software sagte etwas davon, dass die SW im MBR versteckt sei. Wird die dann nicht schon aktiv, bevor Procmon loslegt?

Hier der CSV-Mitschnitt der Einträge mit rpcnetp:

Code:
Time of Day,"Process Name","PID","Operation","Path","Result","Detail"
11:22:22,3415644,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
11:22:22,3416068,"Explorer.EXE","2888","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","BUFFER OVERFLOW","Information: Owner, Group, DACL"
11:22:22,3416266,"Explorer.EXE","2888","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:22,3416479,"Explorer.EXE","2888","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:22,3417084,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
11:22:22,3417424,"Explorer.EXE","2888","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL"
11:22:22,3417601,"Explorer.EXE","2888","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:22,3417778,"Explorer.EXE","2888","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:22,3991766,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,3992038,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,3992927,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,3993196,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4078291,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4078577,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4079246,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4079505,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4189837,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
11:22:22,4191766,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4192081,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4192800,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Classes\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4193175,"Explorer.EXE","2888","RegOpenKey","HKCR\Applications\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,4307676,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
11:22:22,4310030,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
11:22:22,4311488,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
11:22:22,4313321,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
11:22:22,5169761,"Explorer.EXE","2888","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:22,5170122,"Explorer.EXE","2888","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
11:22:23,7900706,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","ACCESS DENIED","Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:23,7957109,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","ACCESS DENIED","Desired Access: Read Attributes, Delete, Read Control, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:23,7964686,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","ACCESS DENIED","Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:23,7977035,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","ACCESS DENIED","Desired Access: Read Attributes, Delete, Read Control, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:23,7983830,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","ACCESS DENIED","Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:24,4483763,"DllHost.exe","1272","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Delete, Read Control, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
11:22:24,4486460,"DllHost.exe","1272","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
11:22:24,4486849,"DllHost.exe","1272","IRP_MJ_SET_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: SetDispositionInformationFile, Delete: True"
11:22:24,4487383,"DllHost.exe","1272","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,4487666,"DllHost.exe","1272","IRP_MJ_SET_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: SetDispositionInformationFile, Delete: False"
11:22:24,4487928,"DllHost.exe","1272","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,4489705,"DllHost.exe","1272","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,5026405,"DllHost.exe","1272","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
11:22:24,5026858,"DllHost.exe","1272","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","BUFFER OVERFLOW","Information: DACL"
11:22:24,5027031,"DllHost.exe","1272","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: DACL"
11:22:24,5027187,"DllHost.exe","1272","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,5027350,"DllHost.exe","1272","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,5028043,"DllHost.exe","1272","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Delete, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
11:22:24,5031211,"DllHost.exe","1272","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
11:22:24,5031558,"DllHost.exe","1272","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 27.06.2015 14:46:07, LastAccessTime: 27.06.2015 14:46:07, LastWriteTime: 28.06.2015 11:15:07, ChangeTime: 28.06.2015 11:15:07, FileAttributes: A"
11:22:24,5032793,"DllHost.exe","1272","IRP_MJ_SET_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: SetRenameInformationFile, ReplaceIfExists: False, FileName: C:\$Recycle.Bin\S-1-5-21-1668834982-245352921-3405046034-1001\$RWG4C6Y.exe"
11:22:24,5037857,"DllHost.exe","1272","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
11:22:24,5042019,"AVKBap64.exe","3968","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
11:22:24,5042972,"AVKBap64.exe","3968","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:24,6219548,"Explorer.EXE","2888","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","NO SUCH FILE","Type: QueryDirectory, Filter: rpcnetp.exe"
11:22:24,6228979,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a"
11:22:24,6320080,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a"
11:22:24,6321592,"Explorer.EXE","2888","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
11:22:24,6323117,"Explorer.EXE","2888","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
Beste Grüße
writeoff

schrauber 28.06.2015 17:51
Mach mal bei Reboot, dann die komplette CSV zippen und anhängen.

writeoff 28.06.2015 18:26
Hallo schrauber,

die Datei ist so groß, dass beim Export in CSV gut 400.000 Zeilen verloren gehen. Ich habe jetzt erst mal einen Filter auf Path enthält rpcnet gesetzt. Brauchst Du alle Zeilen, und wenn ja, wie bekommen wir die transportiert?

Hier der Auszug aller Zeilen mit RPCNET im Path:

Beste Grüße
writeoff

Code:
Time of Day,"Process Name","PID","Operation","Path","Result","Detail"
19:04:09,0097445,"autochk.exe","352","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Delete, Disposition: Supersede, Options: Write Through, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
19:04:09,0101762,"autochk.exe","352","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,0104201,"autochk.exe","352","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,0104647,"autochk.exe","352","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read/Write, Delete, Disposition: Supersede, Options: Write Through, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded"
19:04:09,0107156,"autochk.exe","352","IRP_MJ_WRITE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 0, Length: 17.408, I/O Flags: Write Through, Priority: Normal"
19:04:09,0108862,"autochk.exe","352","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,0108965,"autochk.exe","352","IRP_MJ_WRITE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 0, Length: 20.480, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
19:04:09,0110281,"autochk.exe","352","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,0111669,"autochk.exe","352","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,0113771,"autochk.exe","352","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Delete, Disposition: Supersede, Options: Write Through, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
19:04:09,0117469,"autochk.exe","352","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:09,0118719,"autochk.exe","352","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:09,0119172,"autochk.exe","352","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Desired Access: Generic Read/Write, Delete, Disposition: Supersede, Options: Write Through, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Superseded"
19:04:09,0121649,"autochk.exe","352","IRP_MJ_WRITE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Offset: 0, Length: 17.408, I/O Flags: Write Through, Priority: Normal"
19:04:09,0125931,"autochk.exe","352","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:09,0126027,"autochk.exe","352","IRP_MJ_WRITE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Offset: 0, Length: 20.480, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
19:04:09,0127315,"autochk.exe","352","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:09,0128660,"autochk.exe","352","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:09,0129913,"autochk.exe","352","RegCreateKey","HKLM\System\CurrentControlSet\Services\rpcnetp","REPARSE","Desired Access: All Access"
19:04:09,0130026,"autochk.exe","352","RegCreateKey","HKLM\System\CurrentControlSet\Services\rpcnetp","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
19:04:09,0130670,"autochk.exe","352","RegSetInfoKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","KeySetInformationClass: KeySetHandleTagsInformation, Length: 0"
19:04:09,0130791,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\ErrorControl","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
19:04:09,0131396,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
19:04:09,0132383,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\Type","SUCCESS","Type: REG_DWORD, Length: 4, Data: 16"
19:04:09,0133020,"autochk.exe","352","RegQueryKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Query: HandleTags, HandleTags: 0x400"
19:04:09,0133127,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\System32\rpcnetp.exe"
19:04:09,0134132,"autochk.exe","352","RegQueryKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Query: HandleTags, HandleTags: 0x400"
19:04:09,0134202,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\ObjectName","SUCCESS","Type: REG_SZ, Length: 24, Data: LocalSystem"
19:04:09,0134786,"autochk.exe","352","RegSetValue","HKLM\System\CurrentControlSet\services\rpcnetp\(Default)","SUCCESS","Type: REG_BINARY, Length: 128, Data: 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
19:04:09,0135990,"autochk.exe","352","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:09,4570518,"System","4","IRP_MJ_SET_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: SetEndOfFileInformationFile, EndOfFile: 17.408"
19:04:09,4570568,"System","4","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: SetEndOfFileInformationFile, EndOfFile: 17.408"
19:04:09,4570614,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:09,4570635,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:09,4570667,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:09,4570702,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:14,3098393,"autochk.exe","352","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:14,3098687,"autochk.exe","352","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:14,3099019,"autochk.exe","352","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:14,3099239,"autochk.exe","352","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:14,3099398,"autochk.exe","352","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:14,3099614,"autochk.exe","352","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:19,9110192,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:19,9110365,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\Type","SUCCESS","Type: REG_DWORD, Length: 4, Data: 16"
19:04:19,9110429,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\Start","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
19:04:19,9110478,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\ErrorControl","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
19:04:19,9110528,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\Tag","NAME NOT FOUND","Length: 16"
19:04:19,9110585,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\Group","NAME NOT FOUND","Length: 268"
19:04:19,9110638,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\DependOnService","NAME NOT FOUND","Length: 268"
19:04:19,9110691,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\DependOnGroup","NAME NOT FOUND","Length: 268"
19:04:19,9110762,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp\Security","NAME NOT FOUND","Desired Access: Read"
19:04:19,9110815,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\PreferredNode","NAME NOT FOUND","Length: 14"
19:04:19,9110871,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\DisplayName","NAME NOT FOUND","Length: 268"
19:04:19,9110921,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\DelayedAutostart","NAME NOT FOUND","Length: 16"
19:04:19,9110970,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\ServiceSidType","NAME NOT FOUND","Length: 16"
19:04:19,9111020,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\FailureActionsOnNonCrashFailures","NAME NOT FOUND","Length: 16"
19:04:19,9111190,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\DeleteFlag","NAME NOT FOUND","Length: 16"
19:04:19,9111246,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\RequiredPrivileges","NAME NOT FOUND","Length: 12"
19:04:19,9111307,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:20,3486639,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:20,3486717,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp\TriggerInfo","NAME NOT FOUND","Desired Access: Read"
19:04:20,3486784,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:20,7057318,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:20,7057389,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\ObjectName","SUCCESS","Type: REG_SZ, Length: 24, Data: LocalSystem"
19:04:20,7057456,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:29,4731458,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:29,4731610,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp\TriggerInfo","NAME NOT FOUND","Desired Access: Read"
19:04:29,4731748,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:29,4731975,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:29,4732106,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp\TriggerInfo","NAME NOT FOUND","Desired Access: Read"
19:04:29,4732226,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:31,9816028,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:31,9816198,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\System32\rpcnetp.exe"
19:04:31,9816308,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\WOW64","NAME NOT FOUND","Length: 16"
19:04:31,9816389,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:31,9816517,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:31,9816637,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\ObjectName","SUCCESS","Type: REG_SZ, Length: 24, Data: LocalSystem"
19:04:31,9816718,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:31,9836814,"services.exe","704","RegOpenKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Desired Access: Read"
19:04:31,9837061,"services.exe","704","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\Environment","NAME NOT FOUND","Length: 268"
19:04:31,9837175,"services.exe","704","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:31,9837929,"services.exe","704","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:31,9838491,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0438885,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0439006,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0439154,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0440393,"services.exe","704","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:32,0440952,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0441257,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0441373,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0441490,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0442308,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0444176,"AVKWCtlx64.exe","476","IRP_MJ_READ","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Priority: Normal"
19:04:32,0618413,"System","4","IRP_MJ_READ","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 4.096, Length: 13.312, I/O Flags: Non-cached, Paging I/O, Priority: Normal"
19:04:32,0619000,"services.exe","704","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:32,0635606,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,0635875,"services.exe","704","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0635981,"services.exe","704","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0636102,"services.exe","704","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0636208,"services.exe","704","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:32,0636282,"services.exe","704","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0636484,"services.exe","704","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rpcnetp.exe","NAME NOT FOUND","Desired Access: Query Value, Enumerate Sub Keys"
19:04:32,0637436,"services.exe","704","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:32,0638070,"services.exe","704","Process Create","C:\Windows\System32\rpcnetp.exe","SUCCESS","PID: 2592, Command line: C:\Windows\System32\rpcnetp.exe"
19:04:32,0639029,"services.exe","704","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0639170,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0659301,"services.exe","704","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:32,0660370,"services.exe","704","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:32,0660869,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0661198,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0661350,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0661630,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0664935,"services.exe","704","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:32,0667052,"services.exe","704","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Length: 1.024"
19:04:32,0667593,"services.exe","704","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
19:04:32,0695507,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0698363,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,0698752,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,0699014,"services.exe","704","IRP_MJ_READ","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 16.384, Length: 1.024, Priority: Normal"
19:04:32,0699562,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0699700,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0727309,"services.exe","704","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0727462,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0727621,"services.exe","704","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0727748,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0728484,"services.exe","704","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0729787,"csrss.exe","528","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0729957,"csrss.exe","528","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0734975,"csrss.exe","528","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT-AUTORITÄT\SYSTEM"
19:04:32,0737601,"csrss.exe","528","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe.Local","FAST IO DISALLOWED",""
19:04:32,0738199,"csrss.exe","528","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT-AUTORITÄT\SYSTEM"
19:04:32,0738883,"csrss.exe","528","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:32,0739106,"csrss.exe","528","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0741590,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0744623,"services.exe","704","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:32,0745073,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0745356,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0745462,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0745596,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0746209,"services.exe","704","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0748003,"services.exe","704","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:32,0748148,"services.exe","704","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0748247,"services.exe","704","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0748343,"services.exe","704","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0748431,"services.exe","704","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:32,0748502,"services.exe","704","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0748658,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0748785,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0749033,"services.exe","704","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,0749174,"services.exe","704","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0749288,"services.exe","704","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0750243,"System","4","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: None 0x0, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0750629,"System","4","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0750802,"System","4","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:32,0751036,"rpcnetp.exe","2592","Load Image","C:\Windows\System32\rpcnetp.exe","SUCCESS","Image Base: 0x400000, Image Size: 0x8000"
19:04:32,0842991,"rpcnetp.exe","2592","RegQueryValue","HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Compatibility32\rpcnetp","NAME NOT FOUND","Length: 172"
19:04:32,0865188,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0868727,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
19:04:32,0868894,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:32,0869018,"rpcnetp.exe","2592","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:32,0869729,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,0872082,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,0872192,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0872320,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryStreamInformationFile, 1: ::$DATA"
19:04:32,0872497,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:32,0872596,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryEaInformationFile, EaSize: 0"
19:04:32,0873261,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 17.408, OpenResult: Created"
19:04:32,2075624,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2076077,"rpcnetp.exe","2592","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2076771,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OpenIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 17.408, OpenResult: Opened"
19:04:32,2077100,"rpcnetp.exe","2592","IRP_MJ_QUERY_VOLUME_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00000, MaximumComponentNameLength: 255, FileSystemName: NTFS"
19:04:32,2077228,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:04:32,2077316,"rpcnetp.exe","2592","IRP_MJ_QUERY_VOLUME_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, Transactions, 0x3c00000, MaximumComponentNameLength: 255, FileSystemName: NTFS"
19:04:32,2077412,"rpcnetp.exe","2592","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: SetEndOfFileInformationFile, EndOfFile: 17.408"
19:04:32,2078774,"rpcnetp.exe","2592","IRP_MJ_READ","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Offset: 0, Length: 17.408, Priority: Normal"
19:04:32,2078997,"rpcnetp.exe","2592","IRP_MJ_READ","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Offset: 0, Length: 17.408, I/O Flags: Non-cached, Paging I/O, Priority: Normal"
19:04:32,2616454,"rpcnetp.exe","2592","IRP_MJ_WRITE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Offset: 0, Length: 17.408, Priority: Normal"
19:04:32,2617219,"rpcnetp.exe","2592","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: SetBasicInformationFile, CreationTime: 01.01.1601 02:00:00, LastAccessTime: 01.01.1601 02:00:00, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: n/a"
19:04:32,2617661,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:32,2617874,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2618974,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
19:04:32,2621760,"rpcnetp.exe","2592","IRP_MJ_WRITE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Offset: 94, Length: 2, Priority: Normal"
19:04:32,2622085,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2622337,"rpcnetp.exe","2592","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2623129,"rpcnetp.exe","2592","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\SysWOW64\rpcnetp.dll","FAST IO DISALLOWED",""
19:04:32,2623819,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,2624081,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:04:32,2624170,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2624272,"rpcnetp.exe","2592","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2624810,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,2627121,"rpcnetp.exe","2592","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:32,2630215,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:32,2630395,"rpcnetp.exe","2592","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2630523,"rpcnetp.exe","2592","IRP_MJ_WRITE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Offset: 0, Length: 20.480, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal"
19:04:32,2726529,"rpcnetp.exe","2592","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2726639,"rpcnetp.exe","2592","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2726717,"rpcnetp.exe","2592","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2726830,"rpcnetp.exe","2592","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2726915,"rpcnetp.exe","2592","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:04:32,2726975,"rpcnetp.exe","2592","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2728002,"System","4","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: None 0x0, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:32,2728310,"System","4","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2728405,"System","4","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2728922,"rpcnetp.exe","2592","Load Image","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Image Base: 0x360000, Image Size: 0x8000"
19:04:32,2729570,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:32,2730762,"rpcnetp.exe","2592","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\rpcnetp.dll","NAME NOT FOUND","Length: 1.024"
19:04:32,2745634,"rpcnetp.exe","2592","RegOpenKey","HKLM\System\CurrentControlSet\Services\rpcnetp","REPARSE","Desired Access: Maximum Allowed"
19:04:32,2745800,"rpcnetp.exe","2592","RegOpenKey","HKLM\System\CurrentControlSet\Services\rpcnetp","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access"
19:04:32,2746211,"rpcnetp.exe","2592","RegSetInfoKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","KeySetInformationClass: KeySetHandleTagsInformation, Length: 0"
19:04:32,2746296,"rpcnetp.exe","2592","RegQueryValue","HKLM\System\CurrentControlSet\services\rpcnetp\(Default)","SUCCESS","Type: REG_BINARY, Length: 128, Data: 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
19:04:32,2746448,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: ErrorControl, Type: REG_DWORD, Length: 4, Data: 1"
19:04:32,2747959,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\ErrorControl","SUCCESS",""
19:04:32,2748182,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: Start, Type: REG_DWORD, Length: 4, Data: 2"
19:04:32,2748299,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\Start","SUCCESS",""
19:04:32,2748440,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: Type, Type: REG_DWORD, Length: 4, Data: 16"
19:04:32,2748529,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\Type","SUCCESS",""
19:04:32,2748656,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: ImagePath, Type: REG_EXPAND_SZ, Length: 68, Data: %SystemRoot%\System32\rpcnetp.exe"
19:04:32,2748745,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\ImagePath","SUCCESS",""
19:04:32,2748869,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: ObjectName, Type: REG_SZ, Length: 24, Data: LocalSystem"
19:04:32,2749077,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\ObjectName","SUCCESS",""
19:04:32,2749244,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS","Index: 0, Name: , Type: REG_BINARY, Length: 128, Data: 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
19:04:32,2749332,"rpcnetp.exe","2592","RegDeleteValue","HKLM\System\CurrentControlSet\services\rpcnetp\(Default)","SUCCESS",""
19:04:32,2749488,"rpcnetp.exe","2592","RegEnumValue","HKLM\System\CurrentControlSet\services\rpcnetp","NO MORE ENTRIES","Index: 0, Length: 220"
19:04:32,2749591,"rpcnetp.exe","2592","RegCloseKey","HKLM\System\CurrentControlSet\services\rpcnetp","SUCCESS",""
19:04:33,5660272,"svchost.exe","1056","IRP_MJ_CREATE","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS","Desired Access: Read Attributes, Read Control, Write DAC, Write Owner, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:33,5993117,"svchost.exe","1056","IRP_MJ_QUERY_INFORMATION","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 27.06.2015 14:49:56, LastAccessTime: 27.06.2015 14:49:56, LastWriteTime: 28.06.2015 11:15:15, ChangeTime: 28.06.2015 11:15:15, FileAttributes: ANCI"
19:04:33,5993247,"svchost.exe","1056","IRP_MJ_QUERY_SECURITY","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","BUFFER OVERFLOW","Information: Owner, Group, DACL, DACL Protected"
19:04:33,5993382,"svchost.exe","1056","IRP_MJ_QUERY_SECURITY","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS","Information: Owner, Group, DACL, DACL Protected"
19:04:33,5993672,"svchost.exe","1056","IRP_MJ_SET_SECURITY","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS","Information: Owner, DACL, DACL Protected"
19:04:33,5995421,"svchost.exe","1056","IRP_MJ_CLEANUP","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS",""
19:04:33,5995746,"svchost.exe","1056","IRP_MJ_CLOSE","C:\Windows\Prefetch\RPCNET.EXE-A9AD5918.pf","SUCCESS",""
19:04:34,0112398,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:34,0112518,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:04:34,0112606,"System","4","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: SetEndOfFileInformationFile, EndOfFile: 17.408"
19:04:34,0112812,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:04:34,0112872,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:04:36,2070517,"GDFwSvcx64.exe","2788","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:36,2071476,"GDFwSvcx64.exe","2788","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:36,2071922,"GDFwSvcx64.exe","2788","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:36,2072135,"GDFwSvcx64.exe","2788","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:36,2072223,"GDFwSvcx64.exe","2788","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:36,2072322,"GDFwSvcx64.exe","2788","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0291224,"svchost.exe","1116","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:38,0291419,"svchost.exe","1116","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:38,0291794,"svchost.exe","1116","IRP_MN_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","INVALID PARAMETER","Type: QueryNormalizedNameInformationFile"
19:04:38,0292615,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0293206,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0293514,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0293613,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0293737,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0296632,"svchost.exe","1116","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:38,0297061,"svchost.exe","1116","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:38,0297160,"svchost.exe","1116","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:38,0297485,"svchost.exe","1116","IRP_MN_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","INVALID PARAMETER","Type: QueryNormalizedNameInformationFile"
19:04:38,0298115,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0298696,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0298968,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0299071,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0299184,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0302872,"svchost.exe","1116","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:38,0303934,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0304387,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0307236,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0307370,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0307515,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0308464,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0310442,"svchost.exe","1116","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:38,0310761,"svchost.exe","1116","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryFileInternalInformationFile, IndexNumber: 0x3b0000000000271"
19:04:38,0339216,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0339654,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0339920,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0340008,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0340114,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0341435,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:38,0341523,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:38,0341587,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:38,0341650,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0341714,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:38,0341771,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0342390,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0342479,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0356692,"svchost.exe","1116","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:38,0357577,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0357970,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0358196,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0358281,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0358380,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0360613,"svchost.exe","1116","IRP_MJ_DIRECTORY_CONTROL","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryDirectory, Filter: rpcnetp.exe, 2: rpcnetp.exe"
19:04:38,0361657,"svchost.exe","1116","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Windows\System32\rpcnetp.exe","NAME NOT FOUND","Length: 1.024"
19:04:38,0362043,"svchost.exe","1116","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read"
19:04:38,0383204,"svchost.exe","1116","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:38,0383625,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0383869,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0383961,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0384074,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0384651,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0386775,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:38,0386899,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0386998,"svchost.exe","1116","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0387072,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0387153,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:38,0387217,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0387380,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0387504,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0389599,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0391733,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:38,0391861,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:04:38,0391960,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0392045,"svchost.exe","1116","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0392115,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0392190,"svchost.exe","1116","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:38,0392253,"svchost.exe","1116","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0392890,"svchost.exe","1116","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
19:04:38,0395064,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:38,0395180,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:04:38,0395279,"svchost.exe","1116","IRP_MJ_READ","C:\Windows\System32\rpcnetp.exe","SUCCESS","Offset: 16.384, Length: 1.024, Priority: Normal"
19:04:38,0395460,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0395580,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0395764,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0395853,"svchost.exe","1116","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:38,0411945,"svchost.exe","1116","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:38,0412059,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0412600,"svchost.exe","1116","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:04:38,0412689,"svchost.exe","1116","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:04:38,0412827,"svchost.exe","1116","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:41,8256376,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:04:41,8256429,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:04:41,8867763,"lpksetup.exe","3112","IRP_MJ_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Windows\System32\rpcnetp.exe"
19:04:51,4185783,"GDFwSvcx64.exe","2788","FASTIO_NETWORK_QUERY_OPEN","C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:51,4186243,"GDFwSvcx64.exe","2788","IRP_MJ_CREATE","C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
19:04:54,4269445,"GDFwSvcx64.exe","2788","FASTIO_NETWORK_QUERY_OPEN","C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\rpcnetp.exe","FAST IO DISALLOWED",""
19:04:54,4269916,"GDFwSvcx64.exe","2788","IRP_MJ_CREATE","C:\Program Files (x86)\G DATA\InternetSecurity\Firewall\rpcnetp.exe","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
19:05:23,4074501,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4078051,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, Group, DACL, SACL, Label"
19:05:23,4078189,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4078606,"Explorer.EXE","2092","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\rpcnetp.exe","NAME NOT FOUND","Desired Access: Query Value"
19:05:23,4153736,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4157792,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:23,4157944,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4158170,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4158284,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4158400,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:23,4158489,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4161731,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a"
19:05:23,4162152,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4164229,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4169935,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4170603,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4170954,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4171092,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4171244,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4172646,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4176355,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:23,4176549,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4176691,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4176857,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:23,4177374,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4177512,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4177611,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4177724,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:23,4177816,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4178050,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4178800,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:05:23,4179005,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4179745,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4179929,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4180276,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4182053,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4183288,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4183691,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4183836,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4183921,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4184003,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4184293,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","BUFFER OVERFLOW","Information: Owner, DACL"
19:05:23,4184965,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, DACL"
19:05:23,4185086,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4185210,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4185379,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4187871,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4188182,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4189081,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4189361,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4189485,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4189616,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4189800,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4190026,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4190193,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4194907,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4195749,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4196765,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4197175,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4197331,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4197349,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4197487,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4197699,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4197813,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4197940,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4198938,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4202509,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:23,4202728,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4202874,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4203036,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:23,4203153,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4203256,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4203341,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4203443,"Explorer.EXE","2092","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:23,4203528,"Explorer.EXE","2092","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4203776,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4204218,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4204725,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","BUFFER OVERFLOW","Information: Owner, DACL"
19:05:23,4204887,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, DACL"
19:05:23,4205050,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4205277,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4510055,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4513025,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4513428,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4513555,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4513708,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4520843,"Explorer.EXE","2092","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\System32\rpcnetp.exe","FAST IO DISALLOWED",""
19:05:23,4521752,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4522272,"Explorer.EXE","2092","FASTIO_QUERY_INFORMATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:23,4522471,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4522587,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4529613,"Explorer.EXE","2092","IRP_MJ_CREATE","C:\Windows\System32\rpcnetp.exe","SUCCESS","Desired Access: Read Attributes, Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:23,4529945,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","BUFFER OVERFLOW","Information: Owner, DACL"
19:05:23,4530051,"Explorer.EXE","2092","IRP_MJ_QUERY_SECURITY","C:\Windows\System32\rpcnetp.exe","SUCCESS","Information: Owner, DACL"
19:05:23,4530147,"Explorer.EXE","2092","IRP_MJ_CLEANUP","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:23,4530257,"Explorer.EXE","2092","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:25,0099005,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS","SyncType: SyncTypeOther"
19:05:25,0099126,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:25,0099225,"System","4","IRP_MJ_CLOSE","C:\Windows\System32\rpcnetp.exe","SUCCESS",""
19:05:32,6377211,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:32,6379880,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
19:05:32,6380018,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:05:32,6380092,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:32,6380184,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryStreamInformationFile, 1: ::$DATA"
19:05:32,6380287,"rpcnetp.exe","2592","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:09, LastAccessTime: 28.06.2015 19:04:09, LastWriteTime: 28.06.2015 19:04:09, ChangeTime: 28.06.2015 19:04:09, FileAttributes: A"
19:05:32,6380365,"rpcnetp.exe","2592","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS","Type: QueryEaInformationFile, EaSize: 0"
19:05:32,6383755,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 17.408"
19:05:32,6384767,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 17.408"
19:05:32,6385645,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 17.408"
19:05:32,6386399,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 17.408"
19:05:32,6387202,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 17.408"
19:05:32,6388052,"rpcnetp.exe","2592","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SHARING VIOLATION","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 17.408"
19:05:32,6388505,"rpcnetp.exe","2592","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:05:32,6388622,"rpcnetp.exe","2592","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.exe","SUCCESS",""
19:05:32,7405193,"svchost.exe","5024","IRP_MJ_CREATE","C:\Windows\SysWOW64\RPCNET.DLL","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a"
19:05:32,7428562,"svchost.exe","5024","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:32,7428796,"svchost.exe","5024","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: SetBasicInformationFile, CreationTime: 01.01.1601 01:59:59, LastAccessTime: 01.01.1601 01:59:59, LastWriteTime: 01.01.1601 01:59:59, ChangeTime: 01.01.1601 01:59:59, FileAttributes: n/a"
19:05:32,7428884,"svchost.exe","5024","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
19:05:32,7429058,"svchost.exe","5024","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryFileInternalInformationFile, IndexNumber: 0x3a0000000009e7"
19:05:32,7429132,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:32,7429196,"svchost.exe","5024","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:05:32,7429263,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,7429326,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:32,7429383,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,7739566,"svchost.exe","5024","IRP_MJ_CREATE","C:\Windows\SysWOW64\RPCNET.DLL","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a"
19:05:32,7751040,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:32,7751521,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,7751691,"svchost.exe","5024","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,7751748,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,7751811,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:32,7751868,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8231138,"svchost.exe","5024","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8302912,"svchost.exe","5024","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\SysWOW64\rpcnetp.dll","FAST IO DISALLOWED",""
19:05:32,8303319,"svchost.exe","5024","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:32,8303546,"svchost.exe","5024","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:05:32,8303620,"svchost.exe","5024","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8303723,"svchost.exe","5024","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8304204,"svchost.exe","5024","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:32,8306703,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:32,8311293,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8311406,"svchost.exe","5024","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8311473,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8311544,"svchost.exe","5024","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:32,8311597,"svchost.exe","5024","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8312631,"System","4","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: None 0x0, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:32,8312886,"System","4","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8312963,"System","4","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8313462,"svchost.exe","5024","Load Image","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Image Base: 0x400000, Image Size: 0x8000"
19:05:32,8313756,"svchost.exe","5024","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:32,8314581,"svchost.exe","5024","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,0151343,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:33,0151470,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,0151544,"System","4","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,0582306,"iexplore.exe","5052","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:33,0582526,"iexplore.exe","5052","IRP_MJ_SET_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: SetBasicInformationFile, CreationTime: 01.01.1601 01:59:59, LastAccessTime: 01.01.1601 01:59:59, LastWriteTime: 01.01.1601 01:59:59, ChangeTime: 01.01.1601 01:59:59, FileAttributes: n/a"
19:05:33,0582614,"iexplore.exe","5052","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0"
19:05:33,0582685,"iexplore.exe","5052","IRP_MJ_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryFileInternalInformationFile, IndexNumber: 0x3a0000000009e7"
19:05:33,0582752,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:33,0582813,"iexplore.exe","5052","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 20.480, EndOfFile: 17.408, NumberOfLinks: 1, DeletePending: False, Directory: False"
19:05:33,0582876,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,0582936,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:33,0582990,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,5715834,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:33,5717982,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,5718060,"iexplore.exe","5052","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,5718124,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:33,5718194,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:33,5718255,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1424620,"iexplore.exe","5052","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1625269,"iexplore.exe","5052","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\SysWOW64\rpcnetp.dll","FAST IO DISALLOWED",""
19:05:34,1625719,"iexplore.exe","5052","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:34,1626257,"iexplore.exe","5052","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:05:34,1626349,"iexplore.exe","5052","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1626462,"iexplore.exe","5052","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1626993,"iexplore.exe","5052","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:34,1630773,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "
19:05:34,1637925,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1638039,"iexplore.exe","5052","FASTIO_RELEASE_FOR_CC_FLUSH","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1638117,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1638202,"iexplore.exe","5052","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:34,1638262,"iexplore.exe","5052","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1639405,"System","4","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: None 0x0, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:34,1639769,"System","4","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1639847,"System","4","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1640343,"iexplore.exe","5052","Load Image","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Image Base: 0xb0000, Image Size: 0x8000"
19:05:34,1640874,"iexplore.exe","5052","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1641688,"iexplore.exe","5052","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:34,1669672,"iexplore.exe","5052","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\rpcnetp.dll","NAME NOT FOUND","Length: 1.024"
19:05:35,0094316,"System","4","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","SyncType: SyncTypeOther"
19:05:35,0094397,"System","4","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:35,0094451,"System","4","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:39,7926989,"AVKWCtlx64.exe","476","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\SysWOW64\rpcnetp.dll","FAST IO DISALLOWED",""
19:05:39,7927375,"AVKWCtlx64.exe","476","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:39,7927549,"AVKWCtlx64.exe","476","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:05:39,7927630,"AVKWCtlx64.exe","476","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:39,7927729,"AVKWCtlx64.exe","476","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:39,7984271,"AVKWCtlx64.exe","476","FASTIO_NETWORK_QUERY_OPEN","C:\Windows\SysWOW64\rpcnetp.dll","FAST IO DISALLOWED",""
19:05:39,7984703,"AVKWCtlx64.exe","476","IRP_MJ_CREATE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
19:05:39,7984869,"AVKWCtlx64.exe","476","FASTIO_QUERY_INFORMATION","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS","Type: QueryBasicInformationFile, CreationTime: 28.06.2015 19:04:32, LastAccessTime: 28.06.2015 19:04:32, LastWriteTime: 28.06.2015 19:04:32, ChangeTime: 28.06.2015 19:04:32, FileAttributes: A"
19:05:39,7984947,"AVKWCtlx64.exe","476","IRP_MJ_CLEANUP","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""
19:05:39,7985053,"AVKWCtlx64.exe","476","IRP_MJ_CLOSE","C:\Windows\SysWOW64\rpcnetp.dll","SUCCESS",""

writeoff 28.06.2015 20:55
Hallo schrauber,

jetzt habe ich den Dreh mit procmon soweit rausbekommen, dass ich das Log in 5 vollständige Blöcke teilen konnte. 4 Dateien mit je 300.000 Einträgen, die letzte mit gut 278.000 Einträgen. Die Blöcke geben den zeitlichen Ablauf wieder, aber das siehst Du ja auch am Zeitstempel.
Hat leider ein wenig gedauert, aber für einen Filter auf die Spalte "Time of Day" muss man in der Filtersicht "Date & Time" eingeben. Da musste ich erstmal drauf kommen. :stirn:

Beste Grüße
writeoff

schrauber 29.06.2015 12:05
Ok, das muss ich mir zu Hause anschauen. Schick mir bitte heute Abend nochmal nen Reminder per PM.


Alle Zeitangaben in WEZ +1. Es ist jetzt 22:54 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19