
Log analysis and evaluation: Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

26.12.2014, 13:48   #1
jamerson
 
Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

Hello and merry Christmas!

Unfortunately it seems I have caught one or more Trojans, which I can no longer get rid of myself.
Notes:
- I keep seeing processes in Task Manager that are apparently Trojans (e.g. pibaad.exe, or repeatedly exe files whose names start with tmp...). These files are located in the directory C:\ProgramData\Microsoft\Secure\Icons\temp - currently for example the file tmpFF90.exe - deleting them does nothing, somehow these files keep reappearing there
- In the directory C:\Users\Admin\AppData\Local there are folders with files that cannot be deleted; I think these are related as well - currently for example the folder "IDSoft"
- I first noticed the problem in Task Manager, where various Internet Explorer instances (iexplore.exe) kept being open even though I don't use Internet Explorer. They seem to have opened themselves, and the number of processes kept growing. This behaviour is not occurring at the moment, though.

Please help. Many thanks in advance!

Logfiles attached, they were unfortunately too large.
Attached image (thumbnail): Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local-2014-12-26-13_46_42-c__programdata_microsoft_secure_icons_temp.jpg
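A triage check of the kind the helpers apply to an FRST.txt, added here as an example; it is not code from the thread, from FRST or from Trojaner-Board. It parses the Run lines of the registry section and reports entries whose target sits in a user-writable directory and for which FRST recorded no publisher, which is exactly how the pibaad.exe, Idsoft\tmpFF90.exe and regsvr32-loaded DLL entries in the FRST log posted further down stand out. The sample lines are constructed after those entries; the path markers and the host-binary list are my own assumptions.

```python
r"""Triage of the autorun ("Run") entries in an FRST.txt log.

FRST prints each autorun entry as
    <hive>\...\Run: [<name>] => <command> [<size> <date>] (<publisher>)
and leaves out the bracketed size/date and the publisher when it has no file
information or no signer for the target. Signed software does run from AppData
(Dropbox, Spotify), so a user-writable location alone proves nothing; the
combination "user-writable location AND no publisher" is what is reported.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
TAIL_RE = re.compile(
    r"^(?P<cmd>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?(?: \((?P<pub>[^()]*)\))?$"
)
# Quoted path, or an unquoted drive path up to the first executable-like extension.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js|ps1))', re.I)

# Assumed markers for locations an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Signed Windows binaries that merely load whatever file is passed on the command line.
HOST_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample, modelled on the Run entries in the FRST.txt posted in this thread.
SAMPLE_FRST = r"""
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot)
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmpFF90.exe
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll
"""


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    size: Optional[int]
    publisher: Optional[str]


@dataclass
class Finding:
    name: str
    target: str
    reasons: list


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Return the parsed entry, or None for any line that is not a Run entry."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    t = TAIL_RE.match(m.group("rest"))  # always matches: every tail part is optional
    size = int(t.group("size")) if t.group("size") else None
    publisher = t.group("pub") or None  # FRST prints "()" when it found no signer
    return RunEntry(m.group("hive"), m.group("name"), t.group("cmd").strip(), size, publisher)


def extract_paths(command: str) -> list:
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage_entry(entry: RunEntry) -> Optional[Finding]:
    paths = extract_paths(entry.command)
    if not paths:
        return None
    target, reasons = paths[0], []
    host = ntpath.basename(target).lower()
    if host in HOST_BINARIES and len(paths) > 1:
        # regsvr32/rundll32 themselves are signed and in System32; judge the file they load.
        target = paths[1]
        reasons.append(f"payload loaded through {host}")
    if not (in_user_writable(target) and entry.publisher is None):
        return None
    reasons += ["target lives in a user-writable directory",
                "no publisher/signature recorded by FRST"]
    return Finding(entry.name, target, reasons)


def triage(frst_text: str) -> list:
    """Run every Run line of an FRST log through triage_entry and collect the findings."""
    findings = []
    for line in frst_text.splitlines():
        entry = parse_run_line(line)
        if entry is not None:
            finding = triage_entry(entry)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.name}] {f.target}")
        for reason in f.reasons:
            print(f"    - {reason}")
```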

26.12.2014, 14:38   #2
schrauber
/// the machine
/// TB-Ausbilder
 

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

Hi,

Please always post logs in the thread. If necessary, split them and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:
  • Select the entire logfile (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the #-symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it right. If everything is fine ... click Reply.

26.12.2014, 15:14   #3
jamerson
 
Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

Ah, okay, happy to do that:

defogger_disable.log:
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 11:59 on 26/12/2014 (Admin)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

FRST.txt

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-12-2014
Ran by Admin (administrator) on ADMIN-PC on 26-12-2014 12:00:28
Running from C:\Users\Admin\Desktop
Loaded Profile: Admin (Available profiles: Admin)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Azureus Software, Inc) C:\Program Files\Vuze\Azureus.exe
(Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
(Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.)
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot)
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmpFF90.exe
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll
AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk
ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk
ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software  Robert Beer)
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.)
R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG)
R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software  Robert Beer)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH)
R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG)
R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.)
S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed]
S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH)
S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH)
R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH)
R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH)
S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed]
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-26 12:00 - 2014-12-26 12:00 - 00016986 _____ () C:\Users\Admin\Desktop\FRST.txt
2014-12-26 11:59 - 2014-12-26 11:59 - 00000472 _____ () C:\Users\Admin\Desktop\defogger_disable.log
2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable
2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe
2014-12-26 11:50 - 2014-12-26 11:50 - 00000004 ____H () C:\ProgramData\cm-lock
2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log
2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe
2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe
2014-12-26 00:36 - 2014-12-26 12:00 - 00000000 ____D () C:\FRST
2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt
2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt
2014-12-26 00:34 - 2014-12-26 00:34 - 00000621 _____ () C:\Users\Admin\Desktop\JRT.txt
2014-12-26 00:20 - 2014-12-26 00:20 - 02122240 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe
2014-12-26 00:07 - 2014-12-26 00:07 - 00023592 _____ () C:\ComboFix.txt
2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe
2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe
2014-12-25 23:26 - 2014-12-26 00:07 - 00000000 ____D () C:\Qoobox
2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt
2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe
2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2014-12-25 17:04 - 2014-12-26 11:51 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe
2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader
2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro
2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe
2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat
2014-12-25 11:44 - 2014-12-26 11:41 - 00002764 _____ () C:\Users\Admin\Desktop\Rkill.txt
2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe
2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk
2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe
2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT
2014-12-24 16:04 - 2014-12-26 11:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk
2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe
2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe
2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe
2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe
2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk
2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk
2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout
2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk
2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6
2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter
2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss
2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems
2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe
2014-12-16 18:28 - 2014-12-26 00:10 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp
2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate
2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜
2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle
2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE
2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope
2014-12-08 19:12 - 2014-12-26 11:52 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft
2014-12-08 19:12 - 2014-12-26 10:53 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion
2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe
2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid
2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid
2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4
2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825
2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook
2014-11-28 20:44 - 2014-11-28 12:13 - 00000000 ____D () C:\Users\Admin\Desktop\Haftbefehl-Russisch_Roulette-2CD-Deluxe_Edition-DE-2014-NOiR
2014-11-28 15:09 - 2014-11-28 16:09 - 184667365 _____ () C:\Users\Admin\Downloads\Haf-RuRo2CDeEdDE20NO.zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-26 12:00 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-26 12:00 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-26 11:59 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus
2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin
2014-12-26 11:57 - 2013-03-31 00:28 - 01683050 _____ () C:\Windows\WindowsUpdate.log
2014-12-26 11:55 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2014-12-26 11:55 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2014-12-26 11:55 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-26 11:51 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox
2014-12-26 11:51 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox
2014-12-26 11:50 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro
2014-12-26 11:49 - 2013-05-01 22:29 - 00268308 _____ () C:\Windows\setupact.log
2014-12-26 11:49 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-26 11:48 - 2013-05-01 22:28 - 00230156 _____ () C:\Windows\PFRO.log
2014-12-26 02:00 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe
2014-12-26 01:22 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc
2014-12-26 00:26 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner
2014-12-26 00:06 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default
2014-12-25 23:16 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7}
2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot
2014-12-25 13:47 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0
2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk
2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze
2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help
2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache
2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3
2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java
2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe
2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix
2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors
2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas
2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther
2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas
2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify
2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify
2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero
2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp
2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8
2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software
2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software
2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead
2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin
2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express
2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe
2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android
2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope
2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\avgnt.exe
C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll
C:\Users\Admin\AppData\Local\Temp\Quarantine.exe
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-25 07:54

==================== End Of Log ============================
         
--- --- ---

--- --- ---


Addition.txt
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-12-2014
Ran by Admin at 2014-12-26 12:00:54
Running from C:\Users\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe CSI CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Drive CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Flash CS4 Professional (HKLM-x32\...\Adobe_a68eec966ce913ddaa63251dc82ed31) (Version: 10.0 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Flash Professional CS6 (HKLM-x32\...\{BD5669B5-49FF-4490-B956-E9D7CB9B0ADC}) (Version: 12.0 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Antares Auto-Tune v4.39 (HKLM-x32\...\Antares Auto-Tune v4.39) (Version:  - )
Arturia Arp2600 V v1.0 (HKLM-x32\...\Arturia Arp2600 V v1.0) (Version:  - )
Arturia CS-80V v1.5 (HKLM-x32\...\Arturia CS-80V v1.5) (Version:  - )
Arturia Moog Modular V2 v1.0 (HKLM-x32\...\Arturia Moog Modular V2 v1.0) (Version:  - )
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.11 Beta1 - Michael Tippach)
Audio Bro LA Scoring Strings (HKLM-x32\...\Audio Bro LA Scoring Strings) (Version:  - Audio Bro)
Audio Bro LA Scoring Strings (Version: 1.0.0.001 - Audio Bro) Hidden
Authorizer 2.7.0 (HKLM\...\{F6762963-9AE5-4bc6-A70F-2D749F6AC02F}_is1) (Version: 2.7.0 - Propellerhead Software AB)
Authorizer Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden
Avira (HKLM-x32\...\{e7c7c227-b742-4878-9425-f09bbf9951db}) (Version: 1.1.27.25527 - Avira Operations & Co. KG)
Avira (x32 Version: 1.1.27.25527 - Avira Operations & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.468 - Avira)
Bass Station 1.6 (HKLM-x32\...\{ABAF1232-6213-4062-9D52-04E04A730CEA}_is1) (Version: 1.6 - Novation Digital Music Systems Ltd.)
CCleaner (HKLM\...\CCleaner) (Version: 4.01 - Piriform)
Celemony Melodyne Plugin VST RTAS v1.0 (HKLM-x32\...\Celemony Melodyne Plugin_is1) (Version:  - )
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.4.0.25 - Citrix Systems, Inc.)
Connect (x32 Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
discoDSP Phantom VSTi v1.2 (HKLM-x32\...\discoDSP Phantom_is1) (Version:  - )
Dropbox (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Edirol HQ Orchestral v1.01 (HKLM-x32\...\Edirol HQ Orchestral v1.01) (Version:  - )
Edirol Hyper Canvas VSTi DXi 1.6.0 (HKLM-x32\...\Edirol Hyper Canvas VSTi DXi_is1) (Version:  - )
Edirol Super Quartet v1.52 TALiO (HKLM-x32\...\Edirol Super Quartet v1.52 TALiO) (Version:  - )
EF Duplicate Files Manager (HKLM-x32\...\EF Duplicate Files Manager) (Version:  - EFSoftware)
eLicenser Control (HKLM-x32\...\eLicenser Control) (Version:  - Steinberg Media Technologies GmbH)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd)
Engineering Client Viewer 7.0 (HKLM-x32\...\SAP_Engineering Client Viewer 7.0) (Version:  - SAP AG)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
etope 8 (HKLM-x32\...\etope_is1) (Version:  - Freshworx GmbH & Co. KG)
EZdrummer (HKLM-x32\...\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}) (Version: 1.0 - Toontrack)
EZXClaustrophobic (HKLM-x32\...\{8094F7AE-CA21-4AF2-A256-BC918CE0E796}) (Version: 1.0 - Toontrack)
EZXCocktail (HKLM-x32\...\{147567F0-8575-4BE0-B5B3-62706C67FA5A}) (Version: 1.0 - Toontrack)
EZXDfh (HKLM-x32\...\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}) (Version: 1.0 - Toontrack)
EZXNashville (HKLM-x32\...\{82DF9225-13EC-41BD-BE31-AAB121B38166}) (Version: 1.0 - Toontrack)
EZXPercussion (HKLM-x32\...\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}) (Version: 1.0 - Toontrack)
EZXTwisted (HKLM-x32\...\{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}) (Version: 1.0 - Toontrack)
FabFilter Pro-Q VST RTAS v1.00 (HKLM-x32\...\FabFilter Pro-Q VST RTAS_is1) (Version:  - TEAM AiR)
FabFilter Timeless VST RTAS v1.01 (HKLM-x32\...\FabFilter Timeless_is1) (Version:  - )
FileZilla Client 3.9.0.3 (HKLM-x32\...\FileZilla Client) (Version: 3.9.0.3 - Tim Kosse)
Free MP4 Video Converter version 5.0.48.923 (HKLM-x32\...\Free MP4 Video Converter_is1) (Version: 5.0.48.923 - DVDVideoSoft Ltd.)
Free YouTube to MP3 Converter version 3.12.44.908 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.44.908 - DVDVideoSoft Ltd.)
Futureaudioworkshop Circle VSTi RTAS v1.03 (HKLM-x32\...\Futureaudioworkshop Circle VSTi RTAS_is1) (Version:  - )
Greenshot 1.1.9.13 (HKLM\...\Greenshot_is1) (Version: 1.1.9.13 - Greenshot)
High-Definition Video Playback 10 (x32 Version: 7.0.11400.29.0 - Nero AG) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
Image Line ToxicIII v1.41 VSTi (HKLM-x32\...\Image Line ToxicIII v1.41 VSTi) (Version:  - )
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation)
JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH)
KORG M1 Le (HKLM-x32\...\{9624502C-3D39-41A0-8917-858EC16769CE}) (Version: 1.0.4 - KORG Inc.)
kuler (x32 Version: 2.0 - Adobe Systems Incorporated) Hidden
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
ManyGuitar 1.0 (HKLM-x32\...\ManyGuitar_is1) (Version:  - ManyTone)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Project Professional 2013 (HKLM-x32\...\Office15.PRJPROR) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MixMeister BPM Analyzer 1.0 (HKLM-x32\...\MixMeister BPM Analyzer_is1) (Version:  - MixMeister Technology LLC)
MKVToolNix 6.4.1 (HKLM-x32\...\MKVToolNix) (Version: 6.4.1 - Moritz Bunkus)
MOBackup - Datensicherung für Outlook (Vollversion) (HKLM-x32\...\MOBackup-DatensicherungfürOutlook) (Version: 7.0 - Heiko Schröder)
Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Native Instruments Absynth 5 (HKLM-x32\...\Native Instruments Absynth 5) (Version:  - Native Instruments)
Native Instruments Battery 3 (HKLM-x32\...\Native Instruments Battery 3) (Version:  - )
Native Instruments Controller Editor (HKLM-x32\...\Native Instruments Controller Editor) (Version: 1.6.2.1863 - Native Instruments)
Native Instruments FM8 (HKLM-x32\...\Native Instruments FM8) (Version:  - )
Native Instruments George Duke Soul Treasures (HKLM-x32\...\Native Instruments George Duke Soul Treasures) (Version:  - Native Instruments)
Native Instruments Hardware Controller Support (HKLM-x32\...\Native Instruments Hardware Controller Support) (Version:  - Native Instruments)
Native Instruments Komplete 6 (HKLM-x32\...\Native Instruments Komplete 6) (Version:  - Native Instruments)
Native Instruments Komplete Audio 6 Driver (HKLM-x32\...\Native Instruments Komplete Audio 6 Driver) (Version:  - Native Instruments)
Native Instruments Kontakt 4 (HKLM-x32\...\Native Instruments Kontakt 4) (Version:  - Native Instruments)
Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version:  - Native Instruments)
Native Instruments Maschine (HKLM-x32\...\Native Instruments Maschine) (Version:  - Native Instruments)
Native Instruments Maschine Driver (HKLM-x32\...\Native Instruments Maschine Driver) (Version:  - Native Instruments)
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS (HKLM-x32\...\Native Instruments Massive v1.0.1.008 VSTi DXi RTAS) (Version:  - )
Native Instruments New York Concert Grand (HKLM-x32\...\Native Instruments New York Concert Grand) (Version:  - Native Instruments)
Native Instruments Pro-53 (HKLM-x32\...\Native Instruments Pro-53) (Version:  - )
Native Instruments Retro Machines Mk2 (HKLM-x32\...\Native Instruments Retro Machines Mk2) (Version:  - Native Instruments)
Native Instruments Service Center (HKLM-x32\...\Native Instruments Service Center) (Version: 2.5.2.1549 - Native Instruments)
Native Instruments Traktor 2 (HKLM-x32\...\Native Instruments Traktor 2) (Version: 2.6.8.382 - Native Instruments)
Native Instruments Upright Piano (HKLM-x32\...\Native Instruments Upright Piano) (Version:  - Native Instruments)
Native Instruments Vienna Concert Grand (HKLM-x32\...\Native Instruments Vienna Concert Grand) (Version:  - Native Instruments)
Nepheton 1.5.1 (32bit) (HKLM-x32\...\{B2F62BBB-C527-4CE7-90D1-5717110677B6}) (Version: 1.5.1.0 - D16 Group Audio Software)
Nepheton 1.5.1 (64bit) (HKLM\...\{02483A2B-9FDD-47BF-81AA-F47D6379EFA5}) (Version: 1.5.1.0 - D16 Group Audio Software)
Nero 7 Premium (HKLM-x32\...\{70AB1576-7883-2313-C650-7A71270B1031}) (Version: 7.01.0735 - Nero AG)
Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.4.11600.19.100 - Nero AG)
Nero Burning ROM 10 (HKLM-x32\...\{7A5D731D-B4B3-490E-B339-75685712BAAB}) (Version: 10.0.11100.10.100 - Nero AG)
Nero BurnRights 10 (HKLM-x32\...\{943CFD7D-5336-47AF-9418-E02473A5A517}) (Version: 4.0.11000.12.100 - Nero AG)
Nero CoverDesigner 10 (HKLM-x32\...\{FCF00A6E-FB58-477A-ABE9-232907105521}) (Version: 5.0.10900.11.100 - Nero AG)
Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.0.10800.7.100 - Nero AG)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.0.11000.10.100 - Nero AG)
Nero InfoTool 10 (HKLM-x32\...\{F412B4AF-388C-4FF5-9B2F-33DB1C536953}) (Version: 7.0.10800.8.100 - Nero AG)
Nero MediaHub 10 (HKLM-x32\...\{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}) (Version: 1.0.13400.11.100 - Nero AG)
Nero Multimedia Suite 10 (HKLM-x32\...\{277C1559-4CF7-44FF-8D07-98AA9C13AABD}) (Version: 10.0.13100 - Nero AG)
Nero Recode 10 (HKLM-x32\...\{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}) (Version: 4.6.10900.4.100 - Nero AG)
Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.0.10900.9.100 - Nero AG)
Nero SoundTrax 10 (HKLM-x32\...\{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}) (Version: 4.6.10600.2.100 - Nero AG)
Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.0.11200.12.100 - Nero AG)
Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.0017 - Nero AG)
Nero Vision 10 (HKLM-x32\...\{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}) (Version: 7.0.11100.8.100 - Nero AG)
Nero WaveEditor 10 (HKLM-x32\...\{EDCDFAD5-DF80-4600-A493-E9DAD6810230}) (Version: 5.6.10600.2.100 - Nero AG)
Ohmforce Hematohm PRO VST v1.22 (HKLM-x32\...\Ohmforce Hematohm PRO VST v1.22) (Version:  - )
Ohmforce Mobilohm PRO VST v1.12 (HKLM-x32\...\Ohmforce Mobilohm PRO VST v1.12) (Version:  - )
Ohmforce Ohmboyz PRO VST v1.42 (HKLM-x32\...\Ohmforce Ohmboyz PRO VST v1.42) (Version:  - )
Ohmforce Predatohm PRO VST v1.32 (HKLM-x32\...\Ohmforce Predatohm PRO VST v1.32) (Version:  - )
Ohmforce Quad Frohmage Pro VST v1.10 (HKLM-x32\...\Ohmforce Quad Frohmage Pro VST v1.10) (Version:  - )
Online Plug-in (x32 Version: 13.4.0.25 - Citrix Systems, Inc.) Hidden
Outils de vérification linguistique 2013 de Microsoft Office*- Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PDF Settings CS4 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw (x32 Version: 5.0 - Adobe Systems Incorporated) Hidden
Pixel Bender Toolkit (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
Platform (x32 Version: 1.38 - VIA Technologies, Inc.) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.5 - Power Software Ltd)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek)
Reason 3.0 (HKLM-x32\...\Reason_is1) (Version: 3.0 - Propellerhead Software AB)
Reason Essentials 8.0.0 (HKLM\...\ReasonEssentials8.0_64_is1) (Version: 8.0.0 - Propellerhead Software AB)
Reason Essentials Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden
reFX Nexus VSTi RTAS v2.2.0 (HKLM-x32\...\reFX Nexus_is1) (Version:  - )
reFX Vanguard VSTi v1.6.3 (HKLM-x32\...\reFX Vanguard VSTi_is1) (Version:  - )
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rob Papen Blue VSTi v1.01  (HKLM-x32\...\Rob Papen Blue VSTi v1.01 ) (Version:  - )
Rob Papen Predator V1.5.8 32 Bits Single Core (HKLM-x32\...\Predator_is1) (Version:  - RPCX)
SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.30 - SAP AG)
SAP GUI for Windows 7.30 (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 1 - SAP)
SAP JNet (HKLM-x32\...\SAP_JNet) (Version:  - SAP AG)
SAPSetup Automatic Workstation Update Service (HKLM-x32\...\SAP_WUS) (Version:  - SAP AG)
SchnapperPro 2.0.94 (HKLM-x32\...\SchnapperPro) (Version: 2.0.94 - Schnapper-Software Robert Beer)
Secure Download Manager (HKLM-x32\...\{AA57D6F1-6360-4397-B2D9-B21C69863D97}) (Version: 3.1.0 - Kivuto Solutions Inc.)
Self-Service Plug-in (x32 Version: 3.4.0.33684 - Citrix Systems, Inc.) Hidden
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{91150000-003B-0000-0000-0000000FF1CE}_Office15.PRJPROR_{115B7592-B71D-4C27-AB34-34268FB199CA}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
SideKick4.3.2 (HKLM-x32\...\SideKick432 ID_mp1) (Version:  - Twisted Lemon)
Spotify (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Steinberg Cubase 5 (HKLM-x32\...\{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}) (Version: 5.1.0 - Steinberg Media Technologies GmbH)
Steinberg Drum Loop Expansion 01 (HKLM-x32\...\{490BF87E-1F75-4453-BF55-9F540543A3CA}) (Version: 1.0.0.1 - Steinberg Media Technologies GmbH)
Steinberg Groove Agent ONE Content (HKLM-x32\...\{BD86F1AC-B594-46E4-85DC-1258AC9E2232}) (Version: 1.0.0.003 - Steinberg Media Technologies GmbH)
Steinberg HALionOne (HKLM-x32\...\{E70E7159-93B1-470D-9FBD-D8E9EF34B538}) (Version: 1.1.0.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Additional Content Set 01 (HKLM-x32\...\{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}) (Version: 1.0.0.001 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Expression Set (HKLM-x32\...\{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}) (Version: 1.0.1.0 - Steinberg Media Technologies GmbH)
Steinberg HALionOne GM Drum Set (HKLM-x32\...\{AC997F93-0757-4ED4-A701-F40C2D654D09}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne GM Set (HKLM-x32\...\{F057965A-D974-4C64-ADB1-4381CD4B8956}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Pro Set (HKLM-x32\...\{D82CDA0D-C182-42C8-8FF2-5649C98D6003}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Studio Drum Set (HKLM-x32\...\{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Studio Set (HKLM-x32\...\{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg LoopMash Content (HKLM-x32\...\{4D454CF8-12FD-464D-B57B-B46FE27B78BB}) (Version: 1.0.0.005 - Steinberg Media Technologies GmbH)
Steinberg REVerence Content 01 (HKLM-x32\...\{532B917B-8235-4FA5-BE36-643A8BB053A5}) (Version: 1.0.0.006 - Steinberg Media Technologies GmbH)
Steinberg The Grand VSTi DXi v2.1.0 (HKLM-x32\...\Steinberg The Grand VSTi DXi_is1) (Version:  - )
Suite Shared Configuration CS4 (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
Turbo Lister 2 (HKLM-x32\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version:  - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version:  - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version:  - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version:  - Microsoft)
Vegas Pro 12.0 (64-bit) (HKLM\...\{7A0D09B0-6575-11E2-89D5-F04DA23A5C58}) (Version: 12.0.486 - Sony)
VIA Plattform-Geräte-Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.38 - VIA Technologies, Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.5.0.0 - Azureus Software, Inc.)
Waves Complete V9r10 (HKLM-x32\...\{91000001-C561-4E32-99EB-3C5AD3683A70}) (Version: 9.1.10 - Waves)
Waves Diamond Bundle v5.2 (HKLM-x32\...\Waves Diamond Bundle v5.2) (Version:  - )
Waves GTR Guitar Tool Rack v1.0 (HKLM-x32\...\Waves GTR Guitar Tool Rack v1.0) (Version:  - )
Waves IRx v5.2 (HKLM-x32\...\Waves IRx v5.2) (Version:  - )
Waves L3 v5.2 (HKLM-x32\...\Waves L3 v5.2) (Version:  - )
Waves Musicians Bundle v5.0 (HKLM-x32\...\Waves Musicians Bundle v5.0) (Version:  - )
WinRAR 4.20 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

24-12-2014 13:55:31 Removed Adobe Reader XI (11.0.10) - Deutsch.
24-12-2014 14:12:45 Revo Uninstaller's restore point - GoToMeeting 7.0.5.2130
24-12-2014 14:15:02 Revo Uninstaller's restore point - Line 6 Uninstaller
24-12-2014 14:17:44 Revo Uninstaller's restore point - Adobe Reader XI (11.0.10) - Deutsch
24-12-2014 14:19:52 Revo Uninstaller's restore point - Java 7 Update 71
24-12-2014 14:20:00 Removed Java 7 Update 71
24-12-2014 14:22:03 Revo Uninstaller's restore point - iZotope Ozone 6 Advanced
24-12-2014 14:23:26 Revo Uninstaller's restore point - PACE License Support Win64
24-12-2014 14:23:56 Removed PACE License Support Win64
24-12-2014 14:25:15 Revo Uninstaller's restore point - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
24-12-2014 14:25:37 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
24-12-2014 14:26:56 Revo Uninstaller's restore point - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
24-12-2014 14:27:11 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
25-12-2014 12:20:16 Windows Update
25-12-2014 13:47:19 HitmanPro checkpoint
25-12-2014 13:48:17 HitmanPro checkpoint
25-12-2014 16:57:19 HitmanPro checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-05-11 10:54 - 00000894 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {088AEE40-F12C-46E4-8B37-48501D277C2C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-04-23] (Piriform Ltd)
Task: {091A6FF8-99A4-49AB-B0C1-63C5A0FB6B49} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe
Task: {1891C158-600A-465F-806F-20EC07AEEA3D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {301FC003-77CD-43DB-9226-3BE3A2952428} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24] (Adobe Systems Incorporated)
Task: {77D876AF-4E96-4FD1-959A-F377674994E1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {8F751E68-DB27-40CD-A6A5-3D26B5307D53} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe
Task: {95B909CC-8EBA-4FBF-B56B-2FB75D7FFD4E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {D3D0748D-ADF6-4A4C-AE63-44F56829CBED} - System32\Tasks\AdobeAAMUpdater-1.0-Admin-PC-Admin => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-12-08 18:53 - 2014-12-08 18:53 - 02736640 _____ () C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll
2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-12-08 18:53 - 2014-12-08 18:53 - 02246144 _____ () C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
2013-03-31 16:13 - 2014-04-15 09:26 - 00097592 _____ () C:\Program Files\Vuze\aereg64.dll
2014-08-30 10:31 - 2014-06-24 14:12 - 00217600 _____ () C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\jacob-1.17-M2-x64.dll
2014-08-30 10:31 - 2014-06-24 14:12 - 00015840 _____ () C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\libProcessAccess64.dll
2014-12-26 10:53 - 2014-12-26 10:53 - 01301504 _____ () C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2014-12-26 11:50 - 2014-12-26 11:50 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2014-12-09 09:14 - 2014-12-09 09:14 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-10-15 02:39 - 2014-10-15 02:39 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\1eeea3ab8d69ec722bdcb28b8eb8dd75\IsdiInterop.ni.dll
2013-03-30 20:31 - 2012-02-01 16:25 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^JDownloader.lnk => C:\Windows\pss\JDownloader.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
MSCONFIG\startupreg: GoToMeeting => "C:\Users\Admin\AppData\Local\Citrix\GoToMeeting\1468\g2mstart.exe" "/Trigger RunAtLogon"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: NBAgent => "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files (x86)\Common Files\Ahead\Lib\NeroCheck.exe
MSCONFIG\startupreg: PWRISOVM.EXE => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Spotify => "C:\Users\Admin\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: WSHelperSetup.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

========================= Accounts: ==========================

Admin (S-1-5-21-3347311179-4269016646-269938500-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3347311179-4269016646-269938500-500 - Administrator - Disabled)
Gast (S-1-5-21-3347311179-4269016646-269938500-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3347311179-4269016646-269938500-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: AMD High Definition Audio Device
Description: AMD High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Advanced Micro Devices
Service: AtiHDAudioService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio-Gerät
Description: High Definition Audio-Gerät
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/26/2014 10:53:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 34.0.5.5443, time stamp: 0x5475dd5d
Faulting module name: mozalloc.dll, version: 34.0.5.5443, time stamp: 0x5475d664
Exception code: 0x80000003
Fault offset: 0x00001425
Faulting process ID: 0xc24
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report ID: plugin-container.exe3

Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
The component identity found in the manifest does not match the identity of the component requested.
Reference: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition: WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Use the "sxstrace.exe" tool for a detailed diagnosis.

Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
The component identity found in the manifest does not match the identity of the component requested.
Reference: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Use the "sxstrace.exe" tool for a detailed diagnosis.

Error: (12/26/2014 08:05:20 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
The component identity found in the manifest does not match the identity of the component requested.
Reference: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Use the "sxstrace.exe" tool for a detailed diagnosis.

Error: (12/26/2014 08:05:19 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
The component identity found in the manifest does not match the identity of the component requested.
Reference: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition: WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Use the "sxstrace.exe" tool for a detailed diagnosis.

Error: (12/26/2014 00:38:54 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Error in
manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with
another component version that is already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.


System errors:
=============
Error: (12/26/2014 11:51:00 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom


Microsoft Office Sessions:
=========================
Error: (01/01/2014 10:08:39 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 423328 seconds with 3360 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-12-25 23:38:11.689
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-25 23:38:11.656
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Percentage of memory in use: 26%
Total physical RAM: 16317.59 MB
Available physical RAM: 11962.38 MB
Total Pagefile: 32633.35 MB
Available Pagefile: 28053.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive a: (Primäre Festplatte) (Fixed) (Total:1004.98 GB) (Free:300.73 GB) NTFS
Drive b: (Sekundäre Festplatte) (Fixed) (Total:232.88 GB) (Free:13.73 GB) NTFS
Drive c: (Windows) (Fixed) (Total:1042.92 GB) (Free:393.27 GB) NTFS
Drive p: (Producing) (Fixed) (Total:931.51 GB) (Free:259.22 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 1D631D62)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: B819B29C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1042.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1005 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 9B322B2C)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 46830F60)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (Size: 931.5 GB) (Disk ID: E8900690)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================
         
__________________
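The Loaded Modules section of the FRST log above is where this post gives the clearest signal: DLLs with no vendor in their version info, loaded from ProgramData and AppData, one of them created on the day of the scan. The script below is an added example for triaging that section; it is not part of the original post and not FRST's own code. It parses FRST's module lines, scores each with a few heuristics whose weights are assumptions chosen here, and prints a ranked review list. The sample lines are quoted from the log above; the scan date is taken from the GMER header in the following post (2014-12-26).

```python
"""Triage of FRST "Loaded Modules" lines (added example, not FRST's own code).

Each line in that section has the layout
    <created> - <modified> - <size> <attrs> (<vendor>) <path>
where <vendor> is the company name from the file's version info and is empty
for files that carry none.  The scorer applies a few heuristics, each one an
assumption labelled below, and returns a ranked review list, not a verdict.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - "
    r"(?P<modified>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<vendor>[^)]*)\) (?P<path>.+?)\s*$"
)

# Assumed heuristic inputs: directories a standard user can write to, temp
# directories, and the shape of a randomly generated file stem.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RANDOM_STEM = re.compile(r"^[a-z0-9]{6,12}$")

# Sample input quoted from the Loaded Modules section of the log above.
SAMPLE_LINES = [
    r"2014-12-08 18:53 - 2014-12-08 18:53 - 02736640 _____ () C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll",
    r"2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll",
    r"2014-12-08 18:53 - 2014-12-08 18:53 - 02246144 _____ () C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll",
    r"2014-08-30 10:31 - 2014-06-24 14:12 - 00217600 _____ () C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\jacob-1.17-M2-x64.dll",
    r"2014-12-26 10:53 - 2014-12-26 10:53 - 01301504 _____ () C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll",
    r"2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll",
    r"2014-12-26 11:50 - 2014-12-26 11:50 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll",
    r"2014-12-09 09:14 - 2014-12-09 09:14 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll",
]
# Assumption: the scan day is taken from the GMER header in the next post.
SCAN_DAY = date(2014, 12, 26)


@dataclass
class Finding:
    path: str
    vendor: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, weight: int, why: str) -> None:
        self.score += weight
        self.reasons.append(why)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one FRST module line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_module(entry: Dict[str, str], scan_day: date) -> Finding:
    """Apply the heuristics to one parsed line and return the scored finding."""
    f = Finding(entry["path"], entry["vendor"].strip())
    low = f.path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not f.vendor:
        f.add(1, "no vendor in version info")
    if any(d in low for d in USER_WRITABLE):
        f.add(1, "loaded from a user-writable directory")
        # A Microsoft-named folder under ProgramData/AppData holding a DLL
        # whose version info does not name Microsoft is a common impersonation.
        if "\\microsoft\\" in low and "microsoft" not in f.vendor.lower():
            f.add(2, "Microsoft-named directory, non-Microsoft vendor")
    if any(d in low for d in TEMP_DIRS):
        f.add(1, "loaded from a temp directory")
    # Short lowercase alphanumeric stem with a digit followed by a letter
    # (e.g. ep0lvra9); version-style suffixes such as aereg64 do not match.
    if RANDOM_STEM.match(stem) and re.search(r"\d[a-z]", stem):
        f.add(2, "random-looking file name")
    if date.fromisoformat(entry["created"]) == scan_day:
        f.add(1, "created on the day of the scan")
    return f


def triage(lines: List[str], scan_day: date) -> List[Finding]:
    """Parse, score and rank all module lines; unparsable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            findings.append(score_module(entry, scan_day))
    return sorted((f for f in findings if f.score > 0),
                  key=lambda f: (-f.score, f.path.lower()))


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, SCAN_DAY):
        print(f"{f.score:2d}  {f.path}\n      {'; '.join(f.reasons)}")
```

The heuristics are deliberately noisy: vendor-less modules under a user profile that belong to known applications (the Dropbox Qt libraries, the Vuze plug-in DLLs) also surface, so the output is a list to check against the installed-programs section, not a verdict. On the lines quoted here the two highest-scoring locations are the same ones the poster already noticed: C:\Users\Admin\AppData\Local\Idsoft and C:\ProgramData\Microsoft\Secure\Icons.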

Alt 26.12.2014, 15:17   #4
jamerson

Windows 7: Trojaner z.B. in C:\Users\Admin\AppData\Local

Gmer part 1:

Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-12-26 13:21:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 ST3000DM rev.CC24 2794,52GB
Running: Gmer-19357.exe; Driver: C:\Users\Admin\AppData\Local\Temp\awlorpod.sys


---- User code sections - GMER 2.1 ----

.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                                                                             00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                                                                                                                                                                      00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                                                                                00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                                                                              00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                                                                                                             00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                                                                                                                                          00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                                                                        00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                                                                 0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]}
.text    C:\Windows\system32\Dwm.exe[1656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                                                                                 000007fefd189055 3 bytes CALL 9000027
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                                                                                 00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                                                                                                                                                                          00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                                                                                    00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                                                                                  00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                                                                                                                 00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                                                                                                                                              00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                                                                            00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                                                                     0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                                                                                     000007fefd189055 3 bytes [B5, 6F, 06]
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiSetInternalUI                                                                                                                                                                                000007fef8ac5c70 6 bytes {JMP QWORD [RIP+0x5ba3c0]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductA                                                                                                                                                                              000007fef8b42ad4 2 bytes [FF, 25]
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductA + 3                                                                                                                                                                          000007fef8b42ad7 3 bytes [D5, 4F, 00]
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\msi.dll!MsiInstallProductW                                                                                                                                                                              000007fef8b5167c 6 bytes {JMP QWORD [RIP+0x50e9b4]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW                                                                                                                                                                       0000000002b03030 6 bytes {JMP QWORD [RIP+0x47d000]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!connect + 1                                                                                                                                                                                  0000000002b045c1 5 bytes {JMP QWORD [RIP+0x6ba70]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!listen                                                                                                                                                                                       0000000002b08290 6 bytes JMP fe084fc0
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WS2_32.dll!WSAConnect                                                                                                                                                                                   0000000002b2e0f0 6 bytes JMP 0
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA                                                                                                                                                                          000007fef3757b34 6 bytes {JMP QWORD [RIP+0xc84fc]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW                                                                                                                                                                          000007fef37603c0 6 bytes {JMP QWORD [RIP+0x7fc70]}
.text    C:\Windows\Explorer.EXE[1668] C:\Windows\system32\RASAPI32.dll!RasDialW + 1                                                                                                                                                                               000007feef4296f5 5 bytes {JMP QWORD [RIP+0x8693c]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                                                                        00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                                                                                                                                                                 00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                                                                           00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                                                                         00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                                                                                                        00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                                                                                                                                     00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                                                                   00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                                                            0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]}
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                                                                            000007fefd189055 3 bytes [B5, 6F, 06]
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                                                                                    000007fefd3555c8 6 bytes JMP 7be1
.text    C:\Windows\system32\taskhost.exe[1132] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                                                                                                                    000007fefd36b85c 6 bytes {JMP QWORD [RIP+0xe47d4]}
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                                                             000000007727fc20 3 bytes JMP 7184000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                                                         000000007727fc24 2 bytes JMP 7184000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                                                      000000007727fc38 3 bytes JMP 717b000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                                                  000000007727fc3c 2 bytes JMP 717b000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                                                000000007727fd64 3 bytes JMP 717e000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                                                            000000007727fd68 2 bytes JMP 717e000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                                              00000000772800b4 3 bytes JMP 7181000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                                                          00000000772800b8 2 bytes JMP 7181000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                                                             00000000772801c4 3 bytes JMP 718a000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                                                         00000000772801c8 2 bytes JMP 718a000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                                                          0000000077280a44 3 bytes JMP 7187000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                                                      0000000077280a48 2 bytes JMP 7187000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                                                        0000000077281920 3 bytes JMP 7178000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                                                    0000000077281924 2 bytes JMP 7178000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                                                                 0000000076153bbb 3 bytes JMP 7175000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                                                             0000000076153bbf 2 bytes JMP 7175000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                                                                 00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                                                         0000000075d870c4 6 bytes JMP 718d000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                                                         0000000075da3264 6 bytes JMP 7190000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                                                             0000000076b99679 6 bytes JMP 7199000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                                                             0000000076ba12a5 6 bytes JMP 7193000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                                                             0000000076ba3baa 6 bytes JMP 7196000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                                                             0000000076ba612e 6 bytes JMP 719c000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                                                                0000000076bbff4a 3 bytes JMP 719f000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                                                            0000000076bbff4e 2 bytes JMP 719f000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                                                              0000000076bf027b 6 bytes JMP 71a5000a
.text    C:\VIA_XHCI\usb3Monitor.exe[1624] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                                                              0000000076bf02bf 6 bytes JMP 71a2000a
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                                                                00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                                                                                                                                                         00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                                                                   00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                                                                 00000000770d1800 6 bytes {JMP QWORD [RIP+0x908e830]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                                                                                                00000000770d18b0 6 bytes {JMP QWORD [RIP+0x902e780]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                                                                                                                             00000000770d1e40 6 bytes {JMP QWORD [RIP+0x904e1f0]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                                                           00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\KERNEL32.dll!CreateProcessInternalW                                                                                                                                                    0000000076f7db80 6 bytes {JMP QWORD [RIP+0x92624b0]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                                                                    000007fefd189055 3 bytes CALL 9000027
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                                                                                            000007fefd3555c8 6 bytes {JMP QWORD [RIP+0x11aa68]}
.text    C:\Program Files\Greenshot\Greenshot.exe[1932] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                                                                                                            000007fefd36b85c 6 bytes {JMP QWORD [RIP+0xe47d4]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                                                                                                       00000000770d1510 6 bytes {JMP QWORD [RIP+0x906eb20]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile                                                                                                                                                                00000000770d1520 6 bytes {JMP QWORD [RIP+0x90ceb10]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                                                                                          00000000770d15e0 6 bytes {JMP QWORD [RIP+0x90aea50]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                                                                                                        00000000770d1800 6 bytes JMP 8a73c50
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                                                                                                       00000000770d18b0 6 bytes JMP 504
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteValueKey                                                                                                                                                                    00000000770d1e40 6 bytes JMP 0
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                                                                                                  00000000770d27e0 6 bytes {JMP QWORD [RIP+0x90ed850]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                                                                                                           0000000076f7db80 6 bytes JMP 3924
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357                                                                                                                                                           000007fefd189055 3 bytes [B5, 6F, 06]
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!WSALookupServiceBeginW                                                                                                                                                             0000000006113030 6 bytes {JMP QWORD [RIP+0x1a9d000]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!connect + 1                                                                                                                                                                        00000000061145c1 5 bytes {JMP QWORD [RIP+0x6ba70]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!listen                                                                                                                                                                             0000000006118290 6 bytes {JMP QWORD [RIP+0x1a67da0]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WS2_32.dll!WSAConnect                                                                                                                                                                         000000000613e0f0 6 bytes {JMP QWORD [RIP+0x1a21f40]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorA                                                                                                                                                                000007fef3757b34 6 bytes {JMP QWORD [RIP+0x884fc]}
.text    C:\Program Files\Vuze\Azureus.exe[1872] C:\Windows\system32\WINSPOOL.DRV!AddPrintProvidorW                                                                                                                                                                000007fef37603c0 6 bytes {JMP QWORD [RIP+0x9fc70]}
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                        000000007727fc20 3 bytes JMP 717e000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                    000000007727fc24 2 bytes JMP 717e000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                 000000007727fc38 3 bytes JMP 7175000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                             000000007727fc3c 2 bytes JMP 7175000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                           000000007727fd64 3 bytes JMP 7178000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                       000000007727fd68 2 bytes JMP 7178000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                         00000000772800b4 3 bytes JMP 717b000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                     00000000772800b8 2 bytes JMP 717b000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                        00000000772801c4 3 bytes JMP 7184000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                    00000000772801c8 2 bytes JMP 7184000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                     0000000077280a44 3 bytes JMP 7181000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                 0000000077280a48 2 bytes JMP 7181000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                   0000000077281920 3 bytes JMP 7172000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                               0000000077281924 2 bytes JMP 7172000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                            0000000076153bbb 3 bytes JMP 716f000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                        0000000076153bbf 2 bytes JMP 716f000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                            00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                        0000000076b99679 6 bytes JMP 7193000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                        0000000076ba12a5 6 bytes JMP 718d000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                        0000000076ba3baa 6 bytes JMP 7190000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                        0000000076ba612e 6 bytes JMP 7196000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                           0000000076bbff4a 3 bytes JMP 7199000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                       0000000076bbff4e 2 bytes JMP 7199000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                         0000000076bf027b 6 bytes JMP 719f000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                         0000000076bf02bf 6 bytes JMP 719c000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                    0000000075d870c4 6 bytes JMP 7187000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                    0000000075da3264 6 bytes JMP 718a000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                                                                                                                              0000000074d4575a 6 bytes JMP 71a2000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                                                             0000000074d46bdd 6 bytes JMP 71ab000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!listen                                                                                                                                              0000000074d4b001 6 bytes JMP 71a5000a
.text    C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe[2052] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                                                          0000000074d4cc3f 6 bytes JMP 71a8000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint                                                                                                                                                                        000000007727000c 1 byte [C3]
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                                                        000000007727fc20 3 bytes JMP 718a000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                                                    000000007727fc24 2 bytes JMP 718a000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                                                 000000007727fc38 3 bytes JMP 7181000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                                             000000007727fc3c 2 bytes JMP 7181000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                                           000000007727fd64 3 bytes JMP 7184000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                                                       000000007727fd68 2 bytes JMP 7184000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                                         00000000772800b4 3 bytes JMP 7187000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                                                     00000000772800b8 2 bytes JMP 7187000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                                                        00000000772801c4 3 bytes JMP 7190000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                                                    00000000772801c8 2 bytes JMP 7190000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                                                     0000000077280a44 3 bytes JMP 718d000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                                                 0000000077280a48 2 bytes JMP 718d000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                                                   0000000077281920 3 bytes JMP 717e000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                                               0000000077281924 2 bytes JMP 717e000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin                                                                                                                                                                   00000000772ff8ea 5 bytes JMP 00000001772ad5c1
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                                                            0000000076153bbb 3 bytes JMP 717b000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                                                        0000000076153bbf 2 bytes JMP 717b000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                                                            00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                                                    0000000075d870c4 6 bytes JMP 7193000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                                                    0000000075da3264 6 bytes JMP 7196000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                                                        0000000076b99679 6 bytes JMP 719f000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                                                        0000000076ba12a5 6 bytes JMP 7199000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                                                        0000000076ba3baa 6 bytes JMP 719c000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                                                        0000000076ba612e 6 bytes JMP 71a2000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                                                           0000000076bbff4a 3 bytes JMP 71a5000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                                                       0000000076bbff4e 2 bytes JMP 71a5000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                                                         0000000076bf027b 6 bytes JMP 71ab000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                                                         0000000076bf02bf 6 bytes JMP 71a8000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                                                            0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                                                              0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                                                            0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                                                            0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                                                                                       * 9
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                                                               0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                                                                        0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                                                               0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                                                                        0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                                                                              0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                                                                   0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                                                                            0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                                                                              0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                                                                 0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                                                                              0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                                                                            0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                                                                        0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                                                                        0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                                                                                                                                                              0000000074d4575a 6 bytes JMP 716f000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                                                                                             0000000074d46bdd 6 bytes JMP 7178000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!listen                                                                                                                                                                              0000000074d4b001 6 bytes JMP 7172000a
.text    C:\Windows\SysWOW64\regsvr32.exe[2196] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                                                                                          0000000074d4cc3f 6 bytes JMP 7175000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                            000000007727fc20 3 bytes JMP 717e000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                        000000007727fc24 2 bytes JMP 717e000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                     000000007727fc38 3 bytes JMP 7175000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                 000000007727fc3c 2 bytes JMP 7175000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                               000000007727fd64 3 bytes JMP 7178000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                           000000007727fd68 2 bytes JMP 7178000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                             00000000772800b4 3 bytes JMP 717b000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                         00000000772800b8 2 bytes JMP 717b000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                            00000000772801c4 3 bytes JMP 7184000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                        00000000772801c8 2 bytes JMP 7184000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                         0000000077280a44 3 bytes JMP 7181000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                     0000000077280a48 2 bytes JMP 7181000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                       0000000077281920 3 bytes JMP 7172000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                   0000000077281924 2 bytes JMP 7172000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                                0000000076153bbb 3 bytes JMP 716f000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                            0000000076153bbf 2 bytes JMP 716f000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                                00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                            0000000076b99679 6 bytes JMP 7193000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                            0000000076ba12a5 6 bytes JMP 718d000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                            0000000076ba3baa 6 bytes JMP 7190000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                            0000000076ba612e 6 bytes JMP 7196000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                               0000000076bbff4a 3 bytes JMP 7199000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                           0000000076bbff4e 2 bytes JMP 7199000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                             0000000076bf027b 6 bytes JMP 719f000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                             0000000076bf02bf 6 bytes JMP 719c000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                        0000000075d870c4 6 bytes JMP 7187000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                        0000000075da3264 6 bytes JMP 718a000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                                                                                                                                  0000000074d4575a 6 bytes JMP 71a2000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                                                                 0000000074d46bdd 6 bytes JMP 71ab000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!listen                                                                                                                                                  0000000074d4b001 6 bytes JMP 71a5000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                                                              0000000074d4cc3f 6 bytes JMP 71a8000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17                                                                                                                                0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17                                                                                                                                  0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17                                                                                                                                0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42                                                                                                                                0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                                                                                       * 9
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17                                                                                                                                   0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17                                                                                                                            0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17                                                                                                                                   0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17                                                                                                                            0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17                                                                                                                                  0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17                                                                                                                                       0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17                                                                                                                                0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17                                                                                                                                  0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17                                                                                                                                     0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17                                                                                                                                  0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17                                                                                                                                0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20                                                                                                                            0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe[2384] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31                                                                                                                            0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                000000007727fc20 3 bytes JMP 718a000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                            000000007727fc24 2 bytes JMP 718a000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                         000000007727fc38 3 bytes JMP 7181000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                     000000007727fc3c 2 bytes JMP 7181000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                   000000007727fd64 3 bytes JMP 7184000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                               000000007727fd68 2 bytes JMP 7184000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                 00000000772800b4 3 bytes JMP 7187000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                             00000000772800b8 2 bytes JMP 7187000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                00000000772801c4 3 bytes JMP 7190000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                            00000000772801c8 2 bytes JMP 7190000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                             0000000077280a44 3 bytes JMP 718d000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                         0000000077280a48 2 bytes JMP 718d000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                           0000000077281920 3 bytes JMP 717e000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                       0000000077281924 2 bytes JMP 717e000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                    0000000076153bbb 3 bytes JMP 717b000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                0000000076153bbf 2 bytes JMP 717b000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                    00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                0000000076b99679 6 bytes JMP 719f000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                0000000076ba12a5 6 bytes JMP 7199000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                0000000076ba3baa 6 bytes JMP 719c000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                0000000076ba612e 6 bytes JMP 71a2000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                   0000000076bbff4a 3 bytes JMP 71a5000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                               0000000076bbff4e 2 bytes JMP 71a5000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                 0000000076bf027b 6 bytes JMP 71ab000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                 0000000076bf02bf 6 bytes JMP 71a8000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                            0000000075d870c4 6 bytes JMP 7193000a
.text    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2408] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                            0000000075da3264 6 bytes JMP 7196000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                                  000000007727fc20 3 bytes JMP 713c000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                              000000007727fc24 2 bytes JMP 713c000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                           000000007727fc38 3 bytes JMP 7133000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                       000000007727fc3c 2 bytes JMP 7133000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                     000000007727fd64 3 bytes JMP 7136000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                                 000000007727fd68 2 bytes JMP 7136000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                   00000000772800b4 3 bytes JMP 7139000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                               00000000772800b8 2 bytes JMP 7139000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                                  00000000772801c4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                              00000000772801c8 2 bytes [41, 71]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                               0000000077280a44 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                           0000000077280a48 2 bytes [3E, 71]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                             0000000077281920 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                         0000000077281924 2 bytes [2F, 71]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                                      0000000076153bbb 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                                  0000000076153bbf 2 bytes [2C, 71]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                              0000000075d870c4 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                              0000000075da3264 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                                  0000000076b99679 6 bytes JMP 7151000a
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                                  0000000076ba12a5 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                                  0000000076ba3baa 6 bytes {JMP QWORD [RIP+0x714d001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                                  0000000076ba612e 6 bytes {JMP QWORD [RIP+0x7153001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                                     0000000076bbff4a 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                                 0000000076bbff4e 2 bytes [56, 71]
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                                   0000000076bf027b 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe[2484] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                                   0000000076bf02bf 6 bytes {JMP QWORD [RIP+0x7159001e]}
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                              000000007727fc20 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                          000000007727fc24 2 bytes [89, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                       000000007727fc38 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                   000000007727fc3c 2 bytes [80, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                                 000000007727fd64 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                             000000007727fd68 2 bytes [83, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                               00000000772800b4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                           00000000772800b8 2 bytes [86, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                              00000000772801c4 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                          00000000772801c8 2 bytes [8F, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                           0000000077280a44 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                       0000000077280a48 2 bytes [8C, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                         0000000077281920 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                     0000000077281924 2 bytes [7D, 71]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW                                                                                                                                  0000000076153bbb 3 bytes [FF, 25, 1E]
.text    C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe[2656] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4                                                                                                                              0000000076153bbf 2 bytes [7A, 71]
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                           000000007727fc20 3 bytes JMP 7188000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                       000000007727fc24 2 bytes JMP 7188000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                    000000007727fc38 3 bytes JMP 717f000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                                000000007727fc3c 2 bytes JMP 717f000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                                              000000007727fd64 3 bytes JMP 7182000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                                          000000007727fd68 2 bytes JMP 7182000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                            00000000772800b4 3 bytes JMP 7185000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                        00000000772800b8 2 bytes JMP 7185000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                           00000000772801c4 3 bytes JMP 718e000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                       00000000772801c8 2 bytes JMP 718e000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                        0000000077280a44 3 bytes JMP 718b000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                    0000000077280a48 2 bytes JMP 718b000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                      0000000077281920 3 bytes JMP 717c000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                  0000000077281924 2 bytes JMP 717c000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                               0000000076153bbb 3 bytes JMP 7179000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                           0000000076153bbf 2 bytes JMP 7179000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                               00000000769e2c9e 4 bytes CALL 71ad0000
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                           0000000076b99679 6 bytes JMP 719d000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                           0000000076ba12a5 6 bytes JMP 7197000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                           0000000076ba3baa 6 bytes JMP 719a000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                           0000000076ba612e 6 bytes JMP 71a0000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                              0000000076bbff4a 3 bytes JMP 71a3000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                          0000000076bbff4e 2 bytes JMP 71a3000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                            0000000076bf027b 6 bytes JMP 71a9000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                            0000000076bf02bf 6 bytes JMP 71a6000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                       0000000075d870c4 6 bytes JMP 7191000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                       0000000075da3264 6 bytes JMP 7194000a
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                               0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                                 0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                               0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                               0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text    ...
         

Alt 26.12.2014, 15:17   #5
jamerson
 

Windows 7: Trojan, e.g. in C:\Users\Admin\AppData\Local

Gmer part 2:

Code:
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                                  0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                                           0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                                  0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                                                      00000000772800b4 3 bytes JMP 7172000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                                                  00000000772800b8 2 bytes JMP 7172000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                                                     00000000772801c4 3 bytes JMP 717b000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                                                 00000000772801c8 2 bytes JMP 717b000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                                                  0000000077280a44 3 bytes JMP 7178000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                                              0000000077280a48 2 bytes JMP 7178000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                                                0000000077281920 3 bytes JMP 7169000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                                            0000000077281924 2 bytes JMP 7169000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                                                                                         0000000076153bbb 3 bytes JMP 7166000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW + 4                                                                                                                                     0000000076153bbf 2 bytes JMP 7166000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                                                         00000000769e2c9e 4 bytes CALL 71ac0000
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                                                 0000000075d870c4 6 bytes JMP 717e000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                                                 0000000075da3264 6 bytes JMP 7181000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                                         0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                                           0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                                         0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                                         0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                                                                                       * 9
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                                            0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                                                     0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                                            0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                                                     0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                                                           0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                                                0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                                                         0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                                                           0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                                              0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                                                           0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                                                         0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                                                     0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                                                     0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                                                     0000000076b99679 6 bytes JMP 718a000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                                                     0000000076ba12a5 6 bytes JMP 7184000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                                                     0000000076ba3baa 6 bytes JMP 7187000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                                                     0000000076ba612e 6 bytes JMP 718d000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                                                        0000000076bbff4a 3 bytes JMP 7190000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                                                    0000000076bbff4e 2 bytes JMP 7190000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                                                      0000000076bf027b 6 bytes JMP 7196000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                                                      0000000076bf02bf 6 bytes JMP 7193000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!WSALookupServiceBeginW                                                                                                                                           0000000074d4575a 6 bytes JMP 7199000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!connect                                                                                                                                                          0000000074d46bdd 6 bytes JMP 71a2000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!listen                                                                                                                                                           0000000074d4b001 6 bytes JMP 719c000a
.text    C:\Program Files (x86)\Citrix\Receiver\Receiver.exe[1532] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                                                                                                                       0000000074d4cc3f 6 bytes JMP 719f000a
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17                                                                                                                                  0000000074c61401 2 bytes JMP 7616b21b C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17                                                                                                                                    0000000074c61419 2 bytes JMP 7616b346 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17                                                                                                                                  0000000074c61431 2 bytes JMP 761e8ea9 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42                                                                                                                                  0000000074c6144a 2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text    ...                                                                                                                                                                                                                                                       * 9
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17                                                                                                                                     0000000074c614dd 2 bytes JMP 761e87a2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17                                                                                                                              0000000074c614f5 2 bytes JMP 761e8978 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17                                                                                                                                     0000000074c6150d 2 bytes JMP 761e8698 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17                                                                                                                              0000000074c61525 2 bytes JMP 761e8a62 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17                                                                                                                                    0000000074c6153d 2 bytes JMP 7615fca8 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17                                                                                                                                         0000000074c61555 2 bytes JMP 761668ef C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17                                                                                                                                  0000000074c6156d 2 bytes JMP 761e8f61 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17                                                                                                                                    0000000074c61585 2 bytes JMP 761e8ac2 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17                                                                                                                                       0000000074c6159d 2 bytes JMP 761e865c C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17                                                                                                                                    0000000074c615b5 2 bytes JMP 7615fd41 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17                                                                                                                                  0000000074c615cd 2 bytes JMP 7616b2dc C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20                                                                                                                              0000000074c616b2 2 bytes JMP 761e8e24 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe[1216] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31                                                                                                                              0000000074c616bd 2 bytes JMP 761e85f1 C:\Windows\syswow64\kernel32.dll
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                           000000007727fc20 3 bytes JMP 7184000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                       000000007727fc24 2 bytes JMP 7184000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                    000000007727fc38 3 bytes JMP 717b000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 4                                                                                                                000000007727fc3c 2 bytes JMP 717b000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile                                                                                                                              000000007727fd64 3 bytes JMP 717e000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4                                                                                                                          000000007727fd68 2 bytes JMP 717e000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                                                            00000000772800b4 3 bytes JMP 7181000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4                                                                                                                        00000000772800b8 2 bytes JMP 7181000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                                                           00000000772801c4 3 bytes JMP 718a000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey + 4                                                                                                                       00000000772801c8 2 bytes JMP 718a000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey                                                                                                                        0000000077280a44 3 bytes JMP 7187000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey + 4                                                                                                                    0000000077280a48 2 bytes JMP 7187000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                                                      0000000077281920 3 bytes JMP 7178000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 4                                                                                                                  0000000077281924 2 bytes JMP 7178000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW                                                                                                               0000000076153bbb 3 bytes JMP 7175000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNEL32.dll!CreateProcessInternalW + 4                                                                                                           0000000076153bbf 2 bytes JMP 7175000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493                                                                                                               00000000769e2c9e 4 bytes CALL 71af0000
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageW                                                                                                                           0000000076b99679 6 bytes JMP 7199000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageW                                                                                                                           0000000076ba12a5 6 bytes JMP 7193000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!PostMessageA                                                                                                                           0000000076ba3baa 6 bytes JMP 7196000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendMessageA                                                                                                                           0000000076ba612e 6 bytes JMP 719c000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput                                                                                                                              0000000076bbff4a 3 bytes JMP 719f000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!SendInput + 4                                                                                                                          0000000076bbff4e 2 bytes JMP 719f000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!mouse_event                                                                                                                            0000000076bf027b 6 bytes JMP 71a5000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\USER32.dll!keybd_event                                                                                                                            0000000076bf02bf 6 bytes JMP 71a2000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                                                       0000000075d870c4 6 bytes JMP 718d000a
.text    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3096] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                                                       0000000075da3264 6 bytes JMP 7190000a
.text    C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                                                                                   000000007727fc20 3 bytes JMP 7175000a
.text    C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 4                                                                                                                                               000000007727fc24 2 bytes JMP 7175000a
.text    C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe[5392] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile                                                                                                                                            000000007727fc38 3 bytes JMP 716c000a

---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\regsvr32.exe [2196:2648]                                                                                                                                                                                                              00000000701f9ee9
Thread   C:\Windows\System32\svchost.exe [2916:5444]                                                                                                                                                                                                               000007fee7e79688
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [4488:4816]                                                                                                                                                                                            000007fefb232bf8
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [4488:6016]                                                                                                                                                                                            000007fef3725124
---- Processes - GMER 2.1 ----

Library  C:\Users\Admin\AppData\Roaming\Azureus\plugins\azitunes\jacob-1.17-M2-x64.dll (*** suspicious ***) @ C:\Program Files\Vuze\Azureus.exe [1872](2014-08-30 09:31:46)                                                                                        0000000180000000
Library  C:\Users\Admin\AppData\Local\Idsoft\ep0lvra9.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [2196](2014-12-26 09:53:55)                                                                                                                      0000000010000000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Widgets.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46)        000000006a210000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Gui.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)            0000000068610000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:50)                                                                                        0000000068440000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Core.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)           0000000067980000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\icuin52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU I18N DLL/The ICU Project)(2014-10-22 00:22:50)                                                           000000004a900000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\icuuc52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU Common DLL/The ICU Project)(2014-10-22 00:22:50)                                                         0000000004710000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\icudt52.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (ICU Data DLL/The ICU Project)(2014-10-22 00:22:50)                                                           000000004ad00000
Library  c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpkhktyu.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-12-26 10:50:22)                                       0000000004a30000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Network.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)        0000000066130000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5WebKit.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)         0000000065060000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Quick.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)          0000000064e40000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Qml.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)            0000000064be0000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5Sql.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:40)            0000000067ee0000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:50)                                                                                           0000000067ed0000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5WebKitWidgets.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:46)  0000000062910000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5OpenGL.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)         00000000628d0000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\Qt5PrintSupport.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792] (C++ application development framework./Digia Plc and/or its subsidiary(-ies))(2014-10-22 00:22:38)   0000000062880000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:48)                                                                       00000000621f0000
Library  C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll (*** suspicious ***) @ C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2792](2014-10-22 00:22:46)                                                                       000000005fe90000

---- EOF - GMER 2.1 ----
         


Alt 27.12.2014, 06:47   #6
schrauber
/// the machine
/// TB-Ausbilder
 




hi,

Scan with Combofix
WARNING to anyone reading along:
Combofix should only be run when a team member has instructed you to do so!

Please download Combofix from the following download mirror: Link
  • IMPORTANT: Save Combofix to your desktop.
  • Please disable all of your antivirus software as well as any malware/spyware scanners. They can interfere with Combofix while it works. Combofix sometimes complains anyway; you can ignore that, but please let me know.
  • Start Combofix.exe and follow the instructions on the screen.
  • While Combofix is running, do not work on the computer, move the mouse or click into the Combofix window!
  • When Combofix is finished, it will create a log file.
  • Please post C:\Combofix.txt in your next reply (in CODE tags if possible).
Note: If you get the following error message after the restart
Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.
simply restart the computer. That should fix the problem.


Alt 28.12.2014, 12:21   #7
jamerson
 



hi!

Combofix says the following:

Code:
ComboFix 14-12-25.01 - Admin 28.12.2014  11:20:59.4.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.49.1031.18.16318.13491 [GMT 1:00]
ausgeführt von:: c:\users\Admin\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Disabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Admin\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
---- Vorheriger Suchlauf -------
.
c:\users\Admin\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
.
.
(((((((((((((((((((((((   Dateien erstellt von 2014-11-28 bis 2014-12-28  ))))))))))))))))))))))))))))))
.
.
2014-12-28 10:43 . 2014-12-28 10:43	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-12-26 12:43 . 2014-12-26 12:43	--------	d-----w-	c:\program files (x86)\7-Zip
2014-12-25 23:39 . 2014-12-25 23:39	--------	d-----w-	c:\program files (x86)\ESET
2014-12-25 23:36 . 2014-12-26 11:01	--------	d-----w-	C:\FRST
2014-12-25 22:21 . 2014-12-25 22:21	54525952	----a-w-	c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\00b739032b3cf0d50401ed1f8df76f9e\ABCpdf.exe
2014-12-25 16:04 . 2014-12-28 10:46	--------	d-----w-	c:\program files (x86)\Emsisoft Anti-Malware
2014-12-25 15:57 . 2014-12-25 15:57	12872	----a-w-	c:\windows\system32\bootdelete.exe
2014-12-25 12:38 . 2014-12-25 12:38	--------	d-----w-	c:\program files\HitmanPro
2014-12-25 12:38 . 2014-12-25 12:49	--------	d-----w-	c:\programdata\HitmanPro
2014-12-24 15:34 . 2014-12-24 15:34	--------	d-----w-	c:\windows\ERUNT
2014-12-24 15:04 . 2014-12-24 15:04	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-24 15:04 . 2014-12-24 15:04	701616	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-12-24 13:11 . 2014-12-24 13:11	--------	d-----w-	c:\program files (x86)\VS Revo Group
2014-12-18 07:52 . 2014-12-13 05:09	144384	----a-w-	c:\windows\system32\ieUnatt.exe
2014-12-18 07:52 . 2014-12-13 03:33	115712	----a-w-	c:\windows\SysWow64\ieUnatt.exe
2014-12-17 21:14 . 2014-12-17 21:16	--------	d-----w-	c:\program files (x86)\Common Files\Nero
2014-12-16 21:06 . 2014-12-24 13:17	--------	d-----w-	c:\users\Admin\AppData\Roaming\Line 6
2014-12-16 21:05 . 2014-12-16 21:06	--------	d-----w-	c:\program files (x86)\CodeMeter
2014-12-16 21:05 . 2014-12-16 21:05	--------	d-----w-	c:\programdata\CodeMeter
2014-12-16 21:05 . 2014-12-16 21:05	--------	d-----w-	c:\program files\CodeMeter
2014-12-16 21:05 . 2014-12-16 21:05	--------	d-----w-	c:\program files\Propellerhead
2014-12-16 18:13 . 2014-12-16 18:13	--------	d-----w-	c:\programdata\Adobe Systems
2014-12-16 17:28 . 2014-12-25 23:10	129752	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-16 17:28 . 2014-12-16 17:28	--------	d-----w-	c:\program files (x86)\ Malwarebytes Anti-Malware 
2014-12-16 17:28 . 2014-12-16 17:28	--------	d-----w-	c:\programdata\Malwarebytes
2014-12-16 17:28 . 2014-11-21 05:14	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2014-12-16 17:28 . 2014-11-21 05:14	93400	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2014-12-16 17:28 . 2014-11-21 05:14	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2014-12-11 02:24 . 2014-12-11 02:24	--------	d-----w-	c:\windows\system32\appraiser
2014-12-11 02:02 . 2014-10-18 02:05	4121600	----a-w-	c:\windows\system32\mf.dll
2014-12-11 02:02 . 2014-10-18 01:33	3209728	----a-w-	c:\windows\SysWow64\mf.dll
2014-12-10 18:36 . 2014-12-16 19:30	--------	d-----w-	c:\users\Admin\AppData\Roaming\FrameworkUpdate
2014-12-10 07:43 . 2014-12-01 23:28	1232040	----a-w-	c:\windows\system32\aitstatic.exe
2014-12-10 07:43 . 2014-12-04 02:50	413184	----a-w-	c:\windows\system32\generaltel.dll
2014-12-10 07:43 . 2014-12-04 02:50	741376	----a-w-	c:\windows\system32\invagent.dll
2014-12-10 07:43 . 2014-12-04 02:50	396800	----a-w-	c:\windows\system32\devinv.dll
2014-12-10 07:43 . 2014-12-04 02:50	192000	----a-w-	c:\windows\system32\aepic.dll
2014-12-10 07:43 . 2014-12-04 02:44	1083392	----a-w-	c:\windows\system32\aeinv.dll
2014-12-10 07:43 . 2014-12-04 02:50	227328	----a-w-	c:\windows\system32\aepdu.dll
2014-12-10 07:41 . 2014-11-08 03:16	2048	----a-w-	c:\windows\system32\tzres.dll
2014-12-10 07:41 . 2014-11-08 02:45	2048	----a-w-	c:\windows\SysWow64\tzres.dll
2014-12-09 20:04 . 2014-12-09 20:04	--------	d-----w-	c:\users\Admin\AppData\Roaming\Oracle
2014-12-08 18:34 . 2014-12-08 18:34	--------	d-----w-	c:\programdata\PACE
2014-12-08 18:12 . 2014-12-26 09:53	--------	d-----w-	c:\users\Admin\AppData\Local\Ejmtion
2014-12-08 18:12 . 2014-12-26 13:49	--------	d-----w-	c:\users\Admin\AppData\Local\Idsoft
2014-12-08 17:53 . 2014-12-08 17:53	2246144	----a-w-	c:\programdata\Microsoft\Secure\Icons\IconsCacheHelper.dll
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-25 22:21 . 2014-12-25 22:21	54525952	----a-w-	c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\18474902db40b9986a3eb37c55dd8702\Recover My Files.exe
2014-12-25 22:21 . 2014-12-25 22:21	12582912	----a-w-	c:\programdata\Microsoft\Secure\Icons\CachedIcons\data\0dc1d55309138da7b2207859c327f623\Visual Paradigm for UML Standard Edition.exe
2014-12-11 02:04 . 2013-03-30 19:21	112710672	----a-w-	c:\windows\system32\MRT.exe
2014-11-24 13:04 . 2013-03-30 17:16	275080	------w-	c:\windows\system32\MpSigStub.exe
2014-11-18 19:47 . 2014-11-18 19:47	1247904	----a-w-	c:\windows\SysWow64\FM20.DLL
2014-11-11 03:08 . 2014-11-18 19:45	241152	----a-w-	c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-18 19:45	728064	----a-w-	c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-11-18 19:45	186880	----a-w-	c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-18 19:45	550912	----a-w-	c:\windows\SysWow64\kerberos.dll
2014-10-25 01:57 . 2014-11-12 06:06	77824	----a-w-	c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-12 06:06	67584	----a-w-	c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-12 06:06	861696	----a-w-	c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-12 06:06	571904	----a-w-	c:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16 . 2014-11-12 06:08	155064	----a-w-	c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-12 06:08	683520	----a-w-	c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-12 06:06	3241984	----a-w-	c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-12 06:08	1460736	----a-w-	c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-12 06:08	146432	----a-w-	c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-12 06:08	681984	----a-w-	c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-12 06:08	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-12 06:06	2363904	----a-w-	c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-12 06:08	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-12 06:08	146432	----a-w-	c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-12 06:08	681984	----a-w-	c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-12 06:06	3198976	----a-w-	c:\windows\system32\win32k.sys
2014-10-03 02:12 . 2014-11-12 06:07	500224	----a-w-	c:\windows\system32\AUDIOKSE.dll
2014-10-03 02:11 . 2014-11-12 06:07	284672	----a-w-	c:\windows\system32\EncDump.dll
2014-10-03 02:11 . 2014-11-12 06:07	680960	----a-w-	c:\windows\system32\audiosrv.dll
2014-10-03 02:11 . 2014-11-12 06:07	440832	----a-w-	c:\windows\system32\AudioEng.dll
2014-10-03 02:11 . 2014-11-12 06:07	296448	----a-w-	c:\windows\system32\AudioSes.dll
2014-10-03 01:44 . 2014-11-12 06:07	442880	----a-w-	c:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44 . 2014-11-12 06:07	374784	----a-w-	c:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44 . 2014-11-12 06:07	195584	----a-w-	c:\windows\SysWow64\AudioSes.dll
2014-10-01 11:43 . 2013-05-07 13:12	43064	----a-w-	c:\windows\system32\drivers\avnetflt.sys
2014-10-01 11:43 . 2013-03-31 12:43	131608	----a-w-	c:\windows\system32\drivers\avipbb.sys
2014-10-01 11:43 . 2013-03-31 12:43	119272	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2013-03-18 15:00 . 2013-03-18 15:00	1971200	----a-w-	c:\program files\WaveShell-VST 9.2_x64.dll
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	131480	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	131480	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	131480	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Azureus"="c:\program files\Vuze\Azureus.exe" [2014-08-12 346424]
"Spotify Web Helper"="c:\users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-10-24 1514040]
"UVMmedia"="c:\users\Admin\AppData\Local\Idsoft\ep0lvra9.dll" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-21 291648]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-12-09 702768]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-11-20 126200]
"NBAgent"="c:\program files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-03-26 1234216]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2012-12-14 383544]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-12-9 39207112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodeMeter Control Center.lnk - c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe [2014-7-23 10361720]
SchnapperPro.lnk - c:\program files (x86)\SchnapperPro\SchnapperPro.exe [2014-12-20 962824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
R3 gbxavs;Maschine Midi;c:\windows\system32\Drivers\gbxavs.sys;c:\windows\SYSNATIVE\Drivers\gbxavs.sys [x]
R3 gbxavs_x64;gbxavs_x64;c:\windows\system32\Drivers\gbxavs_x64.sys;c:\windows\SYSNATIVE\Drivers\gbxavs_x64.sys [x]
R3 gbxusb_x64;gbxusb_x64;c:\windows\system32\Drivers\gbxusb_x64.sys;c:\windows\SYSNATIVE\Drivers\gbxusb_x64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rspLLL;rspLLL;c:\windows\system32\DRIVERS\rspLLL64.sys;c:\windows\SYSNATIVE\DRIVERS\rspLLL64.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows-Aktivierungstechnologieservice;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel(R) USB 3.0 Hostcontroller-Switchtreiber;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [x]
S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2dix64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [x]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2util64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2util64.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S2 a2AntiMalware;Emsisoft Protection Service;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Planer;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x]
S2 ei2c;ei2c;c:\windows\system32\drivers\ei2c.sys;c:\windows\SYSNATIVE\drivers\ei2c.sys [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x]
S2 NWSAPAutoWorkstationUpdateSvc;SAPSetup Automatic Workstation Update Service;c:\program files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe;c:\program files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [x]
S2 SchnapperPro-TimeSync;SchnapperPro-TimeSync;c:\program files (x86)\SchnapperPro\TimeSync.exe;c:\program files (x86)\SchnapperPro\TimeSync.exe [x]
S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
S3 cleanhlp;cleanhlp;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [x]
S3 iusb3hub;Intel(R) USB 3.0-Hubtreiber;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible-Hostcontrollertreiber;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 ka6avs;Komplete Audio 6 WDM Audio;c:\windows\system32\Drivers\ka6avs.sys;c:\windows\SYSNATIVE\Drivers\ka6avs.sys [x]
S3 ka6usb_svc;Komplete Audio 6;c:\windows\system32\Drivers\ka6usb.sys;c:\windows\SYSNATIVE\Drivers\ka6usb.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\DRIVERS\ViaHub3.sys;c:\windows\SYSNATIVE\DRIVERS\ViaHub3.sys [x]
S3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\DRIVERS\xhcdrv.sys;c:\windows\SYSNATIVE\DRIVERS\xhcdrv.sys [x]
.
.
Inhalt des "geplante Tasks" Ordners
.
2014-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24 15:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-11-12 16:19	2334928	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-11-12 16:19	2334928	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-11-12 16:19	2334928	----a-w-	c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1SecureIconsProvider]
@="{FC9D8189-520A-4417-AED7-9EAC810C6FBA}"
[HKEY_CLASSES_ROOT\CLSID\{FC9D8189-520A-4417-AED7-9EAC810C6FBA}]
2014-12-08 17:53	2736640	----a-w-	c:\programdata\Microsoft\Secure\Icons\SecureIconsProvider.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	164760	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	164760	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	164760	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04	164760	----a-w-	c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIAxHCUtl"="c:\via_xhci\usb3Monitor.exe" [2012-03-26 331776]
"Greenshot"="c:\program files\Greenshot\Greenshot.exe" [2014-05-12 495616]
"Icakupsie"="c:\users\Admin\AppData\Roaming\Urudne\pibaad.exe" [BU]
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
uSearchAssistant = www.google.com
IE: An SchnapperPro senden - https://ssl.schnapper.de/SchnapperPro/IE-MenuExt.php
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: fabasoft.com\folio
Trusted Zone: uibk.ac.at
Trusted Zone: uibk.ac.at\semiramisas99
TCP: DhcpNameServer = 10.0.0.138
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-Idsoft - c:\users\Admin\AppData\Local\Idsoft\tmpFF90.exe
Wow6432Node-HKCU-Run-taskkill - c:\users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\taskkill.exe
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskkill.lnk - c:\users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\taskkill.exe
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
AddRemove-Antares Auto-Tune v4.39 - c:\progra~2\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\UNWISE.EXE
AddRemove-FabFilter Pro-Q VST RTAS_is1 - c:\program files (x86)\FabFilter\Pro-Q\Uninstall\unins000.exe
AddRemove-FabFilter Timeless_is1 - c:\program files (x86)\FabFilter\Timeless\Uninstall\unins000.exe
AddRemove-Image Line ToxicIII v1.41 VSTi - c:\progra~1\STEINB~1\VSTPLU~1\ToxicIII\UNWISE.EXE
AddRemove-Native Instruments Hardware Controller Support - c:\programdata\{09B301EE-C58B-408E-8D5D-E17495536D3E}\Hardware Controller Support Setup.exe
AddRemove-Ohmforce Hematohm PRO VST v1.22 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\HEMATO~1\UNINST~1\UNWISE.EXE
AddRemove-Ohmforce Mobilohm PRO VST v1.12 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\MOBILO~1\UNINST~1\UNWISE.EXE
AddRemove-Ohmforce Ohmboyz PRO VST v1.42 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\OHMBOY~1\UNINST~1\UNWISE.EXE
AddRemove-Ohmforce Predatohm PRO VST v1.32 - c:\progra~2\STEINB~1\VSTPLU~1\OHMFOR~1\PREDAT~1\UNINST~1\UNWISE.EXE
AddRemove-reFX Vanguard VSTi_is1 - c:\program files (x86)\Steinberg\VstPlugins\VstPlugins\Vanguard\Uninstall\unins000.exe
AddRemove-Steinberg The Grand VSTi DXi_is1 - c:\program files (x86)\Steinberg\The Grand 2\Uninstall\unins000.exe
AddRemove-{491DF203-7B61-4F0E-BDCB-A1218C4DAFE9} - c:\programdata\{261FD3E7-AC6C-4785-8405-DCF2100A3A46}\Massive Setup PC.exe
AddRemove-{B2552FA6-86E3-410D-84AD-265C2242D410} - c:\programdata\{3EE98DDF-8EFF-4760-88EB-D666A839217F}\FM8 Setup PC.exe
AddRemove-{C7FAFC98-5ECC-40FC-B440-A5D5FE3A6A6E} - c:\programdata\{D69A48BF-7653-4AA8-94BC-5847522A4573}\Guitar Rig 4 Setup PC.exe
AddRemove-{E9EA5F38-6299-45A1-9D23-F21729A19357} - c:\programdata\{A6CBE6A2-B738-440D-B19A-60D7C36810C7}\Reaktor 5 Setup PC.exe
.
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2014-12-28  12:14:26 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2014-12-28 11:14
ComboFix2.txt  2014-12-25 23:07
ComboFix3.txt  2014-12-25 22:49
.
Vor Suchlauf: 17 Verzeichnis(se), 435.444.973.568 Bytes frei
Nach Suchlauf: 19 Verzeichnis(se), 434.928.824.320 Bytes frei
.
- - End Of File - - E162806CC1406B28E27A0CC075AB1650
         

Alt 28.12.2014, 19:30   #8
schrauber
/// the machine
/// TB-Ausbilder
 

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local


Please download Malwarebytes Anti-Malware
  • Install the program to the default path. (Illustrated guide to MBAM)
  • Start Malwarebytes' Anti-Malware (MBAM).
  • Then click Scan, select Threat Scan and click Start Scan.
  • At the end of the scan, have all detections (if any) moved to quarantine. To do so, click Remove Selected.
  • Let your computer restart if necessary to complete the cleanup.
  • Start MBAM, click History and then Application Logs.
  • Select the most recent scan log and click Export. Choose Text file (.txt) and save the file as mbam.txt on the desktop. You can find the MBAM logfile here.
  • Include the contents of mbam.txt with your next reply.


Please download AdwCleaner to your desktop.
  • Close all open programs and browsers. Illustrated guide to AdwCleaner.
  • Start AdwCleaner.exe with a double-click.
  • Accept the terms of use.
  • Click Options and make sure the following items are selected:
    • Delete "Tracing" keys
    • Reset Winsock settings
    • Reset proxy settings
    • Reset Internet Explorer policies
    • Reset Chrome policies
    • Make sure all 5 options are selected as shown here
  • Click Scan and wait until it has finished.
  • Now click Clean and confirm any prompts with OK.
  • Your computer will restart automatically. After the restart a text file will open. Post its contents with your next reply.
  • You can also find the log file under C:\AdwCleaner\AdwCleaner[Cx].txt (x = sequential number).

Please close your security software to avoid possible conflicts.
Please download Junkware Removal Tool to your desktop

  • Start the tool with a double-click. On Windows Vista (or higher), please start it with a right-click, "Run as administrator".
  • Press any key to start the tool.
  • Depending on the system, the scan can take a while.
  • When the tool is finished, the log file (JRT.txt) is saved on the desktop and opened automatically.
  • Please post the contents of JRT.txt in your next reply.


and a fresh FRST log please.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!

Alt 29.12.2014, 06:50   #9
jamerson
 
Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local


Hi schrauber. Here are the logs. It's odd, though, that MBAM apparently doesn't note any detections in the log, even though the scan found 3 objects and moved them to quarantine.

Thanks a lot!

mbam:
Code:
 Malwarebytes Anti-Malware 
www.malwarebytes.org

Suchlauf Datum: 29.12.2014
Suchlauf-Zeit: 06:05:27
Logdatei: mbam.txt
Administrator: Ja

Version: 2.00.4.1028
Malware Datenbank: v2014.12.29.01
Rootkit Datenbank: v2014.12.23.02
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Admin

Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 428888
Verstrichene Zeit: 16 Min, 42 Sek

Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(Keine schädliche Elemente erkannt)

Module: 0
(Keine schädliche Elemente erkannt)

Registrierungsschlüssel: 0
(Keine schädliche Elemente erkannt)

Registrierungswerte: 0
(Keine schädliche Elemente erkannt)

Registrierungsdaten: 0
(Keine schädliche Elemente erkannt)

Ordner: 0
(Keine schädliche Elemente erkannt)

Dateien: 0
(Keine schädliche Elemente erkannt)

Physische Sektoren: 0
(Keine schädliche Elemente erkannt)


(end)
         
adw:
Code:
# AdwCleaner v4.106 - Bericht erstellt am 29/12/2014 um 04:49:30
# Aktualisiert 21/12/2014 von Xplode
# Database : 2014-12-28.1 [Live]
# Betriebssystem : Windows 7 Ultimate Service Pack 1 (64 bits)
# Benutzername : Admin - ADMIN-PC
# Gestartet von : C:\Users\Admin\Desktop\AdwCleaner_4.106.exe
# Option : Löschen

***** [ Dienste ] *****


***** [ Dateien / Ordner ] *****


***** [ Tasks ] *****


***** [ Verknüpfungen ] *****


***** [ Registrierungsdatenbank ] *****


***** [ Browser ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v34.0.5 (x86 de)


*************************

AdwCleaner[R0].txt - [36954 octets] - [30/08/2014 17:51:04]
AdwCleaner[R1].txt - [1848 octets] - [24/12/2014 15:01:39]
AdwCleaner[R2].txt - [1019 octets] - [25/12/2014 12:01:36]
AdwCleaner[R3].txt - [1080 octets] - [25/12/2014 12:05:48]
AdwCleaner[R4].txt - [1140 octets] - [25/12/2014 12:45:14]
AdwCleaner[R5].txt - [1198 octets] - [26/12/2014 00:24:46]
AdwCleaner[R6].txt - [1318 octets] - [28/12/2014 22:30:02]
AdwCleaner[S0].txt - [36219 octets] - [30/08/2014 18:46:29]
AdwCleaner[S1].txt - [1762 octets] - [24/12/2014 16:27:16]
AdwCleaner[S2].txt - [1260 octets] - [26/12/2014 00:26:36]
AdwCleaner[S3].txt - [1240 octets] - [29/12/2014 04:49:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1300 octets] ##########
         
JRT:
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Ultimate x64
Ran by Admin on 29.12.2014 at  6:41:40,42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Admin\AppData\Roaming\mozilla\firefox\profiles\k61t38wy.default-1409423412364\minidumps [3 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 29.12.2014 at  6:45:58,34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
FRST:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014
Ran by Admin (administrator) on ADMIN-PC on 29-12-2014 06:46:32
Running from C:\Users\Admin\Desktop
Loaded Profile: Admin (Available profiles: Admin)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Azureus Software, Inc) C:\Program Files\Vuze\Azureus.exe
(Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
() C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
(Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.)
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot)
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\ATSCore.dll
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] ()
AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk
ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk
ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk
ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software  Robert Beer)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.)
R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG)
R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software  Robert Beer)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH)
R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG)
R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.)
S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed]
S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH)
S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH)
R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH)
R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH)
S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed]
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-29 06:46 - 2014-12-29 06:46 - 00000000 ____D () C:\Users\Admin\Desktop\FRST-OlderVersion
2014-12-29 06:45 - 2014-12-29 06:45 - 00000766 _____ () C:\Users\Admin\Desktop\JRT.txt
2014-12-29 06:41 - 2014-12-28 09:01 - 01707939 _____ (Thisisu) C:\Users\Admin\Desktop\JRT_NEW.exe
2014-12-29 06:39 - 2014-12-29 06:39 - 00001500 _____ () C:\Users\Admin\Desktop\AdwCleaner[S4].txt
2014-12-29 06:35 - 2014-12-29 06:35 - 00000004 ____H () C:\ProgramData\cm-lock
2014-12-29 06:04 - 2014-12-29 06:04 - 00001380 _____ () C:\Users\Admin\Desktop\AdwCleaner[S3].txt
2014-12-28 22:28 - 2014-12-28 22:29 - 00000000 ____D () C:\Users\Admin\Desktop\mal
2014-12-28 22:26 - 2014-12-28 22:26 - 00000270 _____ () C:\Users\Admin\Desktop\text.txt
2014-12-28 12:17 - 2014-12-28 12:17 - 00025716 _____ () C:\Users\Admin\Desktop\combofix.txt
2014-12-28 12:14 - 2014-12-28 12:14 - 00025716 _____ () C:\ComboFix.txt
2014-12-26 14:47 - 2014-12-26 14:47 - 00715952 _____ () C:\Windows\Minidump\122614-37533-01.dmp
2014-12-26 13:44 - 2014-12-26 13:44 - 00027910 _____ () C:\Users\Admin\Desktop\LogFiles.rar
2014-12-26 13:43 - 2014-12-26 13:43 - 01180834 _____ () C:\Users\Admin\Downloads\7z935.exe
2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2014-12-26 13:21 - 2014-12-26 13:21 - 00208082 _____ () C:\Users\Admin\Desktop\Gmer.txt
2014-12-26 12:04 - 2014-12-26 12:04 - 00380416 _____ () C:\Users\Admin\Downloads\Gmer-19357.exe
2014-12-26 12:00 - 2014-12-29 06:46 - 00017241 _____ () C:\Users\Admin\Desktop\FRST.txt
2014-12-26 12:00 - 2014-12-26 13:25 - 00043445 _____ () C:\Users\Admin\Desktop\Addition.txt
2014-12-26 11:59 - 2014-12-26 11:59 - 00000472 _____ () C:\Users\Admin\Desktop\defogger_disable.log
2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable
2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe
2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log
2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe
2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe
2014-12-26 00:36 - 2014-12-29 06:46 - 00000000 ____D () C:\FRST
2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt
2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt
2014-12-26 00:20 - 2014-12-29 06:46 - 02123264 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe
2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe
2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe
2014-12-25 23:26 - 2014-12-28 12:15 - 00000000 ____D () C:\Qoobox
2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt
2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe
2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2014-12-25 17:04 - 2014-12-29 06:42 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe
2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader
2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro
2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe
2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat
2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe
2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk
2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe
2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT
2014-12-24 16:04 - 2014-12-29 05:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk
2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe
2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe
2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe
2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe
2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk
2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk
2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout
2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk
2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6
2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter
2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss
2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems
2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe
2014-12-16 18:28 - 2014-12-29 06:31 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp
2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate
2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜
2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle
2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE
2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope
2014-12-08 19:12 - 2014-12-29 06:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft
2014-12-08 19:12 - 2014-12-28 22:03 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion
2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe
2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid
2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid
2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4
2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825
2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-29 06:46 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus
2014-12-29 06:43 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-29 06:43 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-29 06:40 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2014-12-29 06:40 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2014-12-29 06:40 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-29 06:37 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox
2014-12-29 06:37 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox
2014-12-29 06:36 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro
2014-12-29 06:34 - 2013-05-01 22:29 - 00268812 _____ () C:\Windows\setupact.log
2014-12-29 06:34 - 2013-05-01 22:28 - 00232144 _____ () C:\Windows\PFRO.log
2014-12-29 06:34 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-29 06:33 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner
2014-12-29 06:33 - 2013-03-31 00:28 - 01849776 _____ () C:\Windows\WindowsUpdate.log
2014-12-29 02:04 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7}
2014-12-29 02:00 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe
2014-12-28 22:15 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc
2014-12-28 11:47 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-27 11:36 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0
2014-12-26 14:47 - 2013-10-18 05:16 - 1811278370 _____ () C:\Windows\MEMORY.DMP
2014-12-26 14:47 - 2013-04-05 16:37 - 00000000 ____D () C:\Windows\Minidump
2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin
2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default
2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot
2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk
2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze
2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help
2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache
2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3
2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java
2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe
2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix
2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors
2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas
2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther
2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas
2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify
2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify
2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero
2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp
2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8
2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software
2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software
2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead
2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin
2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express
2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe
2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android
2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope
2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\avgnt.exe
C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpsjyxol.dll
C:\Users\Admin\AppData\Local\Temp\Quarantine.exe
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-25 07:54

==================== End Of Log ============================

29.12.2014, 20:04   #10
schrauber
/// the machine
/// TB-Ausbilder
 

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local




ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick "Yes, I agree to the terms of use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • When the scan has finished, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Please download SecurityCheck and:

  • Save it to the desktop.
  • Start SecurityCheck.exe and follow the instructions in the DOS box.
  • When the scan has finished, a text document (checkup.txt) should open.
Please post its contents here.

And a fresh FRST log please. Any problems left?
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

No help via PM!
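As an added example (not from the forum post and not ESET's tooling): a small Python parser for the ESET Online Scanner log.txt that the steps above ask for, separating findings that only sit in a cleaner's quarantine or backup folder from live ones and checking the record count against the log's own `# found=` header. The record layout (sh=, ft=, fh=, vn=, ac=, fn=) follows the ESET log posted in this thread; the sample lines, hashes and paths below are constructed.

```python
"""Triage helper for ESET Online Scanner log.txt files (added example)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One detection record, as in the log posted in this thread:
#   sh=<SHA-1> ft=<n> fh=<16 hex> vn="<threat name>" ac=<letter> fn="<path>"
RECORD_RE = re.compile(
    r'^sh=(?P<sh>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]{16}) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\w) fn="(?P<fn>[^"]*)"$'
)
HEADER_RE = re.compile(r'^# (?P<key>\w+)=(?P<value>.*)$')
# The signature token inside the threat name, e.g. "Win32/Toolbar.Babylon.F"
SIGNATURE_RE = re.compile(r'\b([A-Za-z0-9]+/[\w.\-]+)')

# A hit inside these folders is a copy already taken out of circulation by
# AdwCleaner or ComboFix, not evidence of an active infection.
QUARANTINE_MARKERS = (
    "\\adwcleaner\\quarantine\\",
    "\\adwcleaner\\backup\\",
    "\\qoobox\\quarantine\\",
)


class Detection(NamedTuple):
    sha1: str
    signature: str   # e.g. "MSIL/TrojanDropper.Agent.DT"
    kind: str        # "PUA" or "malware"
    path: str
    quarantined: bool


def classify(threat_name: str) -> str:
    """PUA if ESET's wording marks a potentially unwanted application."""
    lowered = threat_name.lower()
    # German log (as posted here) says "evtl. unerwünschte Anwendung";
    # English builds say "potentially unwanted application".
    if "unerwünschte anwendung" in lowered or "potentially unwanted" in lowered:
        return "PUA"
    return "malware"


def parse_headers(text: str) -> Dict[str, str]:
    """Collect the '# key=value' header lines (last value wins on repeats)."""
    headers = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            headers[m.group("key")] = m.group("value")
    return headers


def parse_detections(text: str) -> List[Detection]:
    detections = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # header lines and free text ("all ok") are skipped
        vn, fn = m.group("vn"), m.group("fn")
        sig = SIGNATURE_RE.search(vn)
        lowered = fn.lower()
        # AdwCleaner renames quarantined files to *.vir as well
        quarantined = lowered.endswith(".vir") or any(
            marker in lowered for marker in QUARANTINE_MARKERS)
        detections.append(Detection(
            sha1=m.group("sh").upper(),
            signature=sig.group(1) if sig else vn,
            kind=classify(vn),
            path=fn,
            quarantined=quarantined,
        ))
    return detections


def summarise(text: str) -> Dict[str, object]:
    """Split findings into live vs quarantined and cross-check '# found='."""
    headers = parse_headers(text)
    dets = parse_detections(text)
    live = [d for d in dets if not d.quarantined]
    reported = int(headers.get("found", "0"))
    return {
        "reported_found": reported,
        "parsed": len(dets),
        "complete": reported == len(dets),  # a mismatch means a truncated paste
        "live": live,
        "quarantined": [d for d in dets if d.quarantined],
        "live_malware": [d for d in live if d.kind == "malware"],
        "by_signature": Counter(d.signature for d in dets),
    }


# Constructed sample in the layout of the log posted in this thread; the
# hashes and paths are made up and do not come from the real scan.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# scanned=1000
# found=3
# cleaned=0
sh=DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF ft=1 fh=0123456789ABCDEF vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="C:\\AdwCleaner\\Quarantine\\C\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe.vir"
sh=CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE ft=1 fh=0123456789ABCDEF vn="Variante von MSIL/TrojanDropper.Agent.DT Trojaner" ac=I fn="C:\\Users\\Admin\\Downloads\\example-installer.exe"
sh=0BADF00D0BADF00D0BADF00D0BADF00D0BADF00D ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\\Downloads\\Alte Firefox-Daten\\profile\\prefs.js"
"""

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print("complete:", result["complete"], "live:", len(result["live"]),
          "quarantined:", len(result["quarantined"]))
    for d in result["live_malware"]:
        print("LIVE MALWARE", d.signature, d.path)
```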

30.12.2014, 18:47   #11
jamerson
 
Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local



Unfortunately not fixed yet; Avira and HitmanPro still report findings, see screenshot.

Here are the logs:

ESET:
Code:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=a83ff6f5fe8cb3478e5633b4712a912b
# engine=21707
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-12-26 06:41:45
# local_time=2014-12-26 07:41:45 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Avira Desktop'
# compatibility_mode=1810 16777213 100 100 47108 54842535 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 28077 171205955 0 0
# scanned=1652005
# found=58
# cleaned=0
# scan_time=25206
sh=A2C0484EF77721E03B445B032132E12F37FCBB14 ft=1 fh=c71c00119898bc5a vn="Variante von MSIL/TrojanDropper.Agent.DT Trojaner" ac=I fn="A:\software\LinPlug VSTi (MorphoX, Organ, RMV Drum Addiction)\RMV Drum Addiction VSTi v5.0.5 UPDATE\RMV Instrument Installer 505.exe"
sh=FD4DD9605A03F619D09B650452E8C81618578B3A ft=1 fh=4c256b24a244bc05 vn="Win32/Toolbar.AskSBar evtl. unerwünschte Anwendung" ac=I fn="A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll"
sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll"
sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe"
sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe"
sh=42C00555296E943150E177B3961FF2ED8196C506 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js"
sh=71C5BE3D9817B46CC684650AB201210449A75895 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js"
sh=5F87146C0AA00792B01FA4ABBB5BE7CDD69352E3 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Backup\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\prefs_30_08_2014_19_46_33.js"
sh=78291A99C56B070EA0908A09C9ED4823F72C6A31 ft=1 fh=303c525d22b897e4 vn="Variante von Win32/DownloadSponsor.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\ocs_v7a.exe.vir"
sh=EAB3A867FD239AD7D1D5416E8139D3D71F4140FA ft=1 fh=38338eb635a00b8a vn="Variante von Win32/Toolbar.Babylon.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\Downloads\d340164aef134ca45f5d3a3a8b8d1b79\831fc6f9901af1fd98115b5a10864eef\DeltaTB.exe.vir"
sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\user.js.vir"
sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\user.js.vir"
sh=843DF0FD9F9C356D5336452FCC2B3374A2BD06DC ft=1 fh=137ef7008edb618f vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\OpenCandy\2FB876A736304B218EE063D76C34F633\SSStub_SearchProtect_p1v0.exe.vir"
sh=2AE12E87FC63FD6A16DF5C7EFE08ED882578B34C ft=1 fh=2407a90c81eb5dd5 vn="Variante von Win32/TrojanDropper.MsiDrop.A Trojaner" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\RHEng\6B9C2555E04B47079517D7F99B9288CD\Installer.exe.vir"
sh=827CDB291F6D8EEBF770451054D910D07B07D1E3 ft=1 fh=42bdf1b6ac1a732c vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe"
sh=DD890976442C9515101EDDFCF8B7E10F6774ECF8 ft=1 fh=e3c7b31c0d928ab2 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll"
sh=5A3DB504BB73DC8E79BF78530EDB17D8F1C94DF9 ft=1 fh=fa56f3a4ea361a51 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe"
sh=11F69B3BA4100A4C45B366C1F79BB52AC45476E8 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G"
sh=080F6B138931704FEC71EACD956E080229FCF952 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]"
sh=F1715CFD27DC6BFDE10442102D08554C1C893A67 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]"
sh=78BF31062051EB4CD0DDD6B8E372B19C267C9B98 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]"
sh=45BA456433D613144A368AC17FB827216A4F28AB ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z"
sh=098C820D0A30963C886D605C187E6E0DEB9075D3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2"
sh=A9A657C153EFF53D9D37F6A26E54608988FE8C46 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F"
sh=1E281AEB127FBCC9605EC5E34AF2E9B1194D5035 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00"
sh=BB492BAAFB8FB8BAD644F9DA0D0C7065F461A368 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]"
sh=F465BDC7CDB6D902274B1B2DE4D03F466D7FBFD3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]"
sh=3233C8892659072CADA04EC6ABFE1615CE66FDF1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]"
sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php"
sh=4E8BC33C6DFBDD9727988EB0AA95AF115C08FA8F ft=1 fh=efa4d311e75fd867 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll"
sh=096B736DCB93B86E094839B73D724E8B4172BB16 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX"
sh=96ECE4FD50478122EAA7B4C411CE4B1AA7103583 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH"
sh=76A0F71110E63B70CE321128A325BEF5728FFB30 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]"
sh=9A43AEA05056A4631B5E852EAB52E9F89B9B4EE4 ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html"
sh=AC85DB00B2E2594170D9B607E34919C45CF8BE72 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G"
sh=6CA38C287E7E3638A1AC5F5FF3BDF74822D5D344 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]"
sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll"
sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll"
sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe"
sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe"
sh=153D61D882922BA440ED0EDB0BE44F58CB47DC5B ft=0 fh=0000000000000000 vn="Variante von Win32/PriceGong.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi"
sh=19344467CB8A39A10E57BDAAA450DDD1F47BE033 ft=0 fh=0000000000000000 vn="JS/Kryptik.AP Trojaner" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm"
sh=6EF4B349F23F2B83D07BAAFF09F65ED63482818C ft=1 fh=c71c001182c4fa88 vn="Variante von Win32/Toolbar.SearchSuite.Z evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll"
sh=475FDFC60EA7EDAC01D81109C5432D56BE204EE0 ft=1 fh=e3d778651a32038a vn="Variante von Win32/KeyLogger.Refog.D Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe"
sh=14B1915594E3111C8B5BEEC0915CE0D5620191C3 ft=1 fh=8b9abe168a66d4b2 vn="Variante von Win32/Toolbar.Visicom.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe"
sh=4C5834A9F0D646B35A7719A4E352093C0240BA5F ft=1 fh=f68058267a38e609 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll"
sh=027DF2D2944EA506A71D61928674C2CC42A8FE69 ft=1 fh=4c97c45eed1dce37 vn="Win32/Toolbar.Babylon evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe"
sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll"
sh=74F9F4BF038FEA2E33D37906C375A454A9456B35 ft=1 fh=b9ea14dac9f8ad1c vn="Variante von Win32/Complitly.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe"
sh=457335C7D7CF3B76BDA5156BDFC9D2E55F5EB26E ft=1 fh=733834ea60493ef0 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe"
sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll"
sh=3BAD2CF7AE22FE1CD6D934E09C2DDEB78FB8DC45 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar"
sh=B8D140F32E455F0B90C04CD93EA852E8D22AECEF ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar"
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=a83ff6f5fe8cb3478e5633b4712a912b
# engine=21746
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-12-30 04:53:52
# local_time=2014-12-30 05:53:52 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Avira Desktop'
# compatibility_mode=1810 16777213 100 100 130643 55181662 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 30900 171545082 0 0
# compatibility_mode_1='Emsisoft Anti-Malware'
# compatibility_mode=16642 16777213 100 100 30591 221157520 0 0
# scanned=1657218
# found=67
# cleaned=0
# scan_time=26819
sh=A2C0484EF77721E03B445B032132E12F37FCBB14 ft=1 fh=c71c00119898bc5a vn="Variante von MSIL/TrojanDropper.Agent.DT Trojaner" ac=I fn="A:\software\LinPlug VSTi (MorphoX, Organ, RMV Drum Addiction)\RMV Drum Addiction VSTi v5.0.5 UPDATE\RMV Instrument Installer 505.exe"
sh=FD4DD9605A03F619D09B650452E8C81618578B3A ft=1 fh=4c256b24a244bc05 vn="Win32/Toolbar.AskSBar evtl. unerwünschte Anwendung" ac=I fn="A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll"
sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll"
sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe"
sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe"
sh=42C00555296E943150E177B3961FF2ED8196C506 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js"
sh=71C5BE3D9817B46CC684650AB201210449A75895 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js"
sh=5F87146C0AA00792B01FA4ABBB5BE7CDD69352E3 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Backup\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\prefs_30_08_2014_19_46_33.js"
sh=78291A99C56B070EA0908A09C9ED4823F72C6A31 ft=1 fh=303c525d22b897e4 vn="Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\ocs_v7a.exe.vir"
sh=EAB3A867FD239AD7D1D5416E8139D3D71F4140FA ft=1 fh=38338eb635a00b8a vn="Variante von Win32/Toolbar.Babylon.A evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Local\Temp\OCS\Downloads\d340164aef134ca45f5d3a3a8b8d1b79\831fc6f9901af1fd98115b5a10864eef\DeltaTB.exe.vir"
sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\user.js.vir"
sh=C5DB8386C3A901DD6D4FB8B66685B889FA1099F9 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.pco\user.js.vir"
sh=843DF0FD9F9C356D5336452FCC2B3374A2BD06DC ft=1 fh=137ef7008edb618f vn="Win32/Toolbar.Conduit.R evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\OpenCandy\2FB876A736304B218EE063D76C34F633\SSStub_SearchProtect_p1v0.exe.vir"
sh=2AE12E87FC63FD6A16DF5C7EFE08ED882578B34C ft=1 fh=2407a90c81eb5dd5 vn="Variante von Win32/TrojanDropper.MsiDrop.A Trojaner" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Admin\AppData\Roaming\RHEng\6B9C2555E04B47079517D7F99B9288CD\Installer.exe.vir"
sh=827CDB291F6D8EEBF770451054D910D07B07D1E3 ft=1 fh=42bdf1b6ac1a732c vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe"
sh=DD890976442C9515101EDDFCF8B7E10F6774ECF8 ft=1 fh=e3c7b31c0d928ab2 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll"
sh=5A3DB504BB73DC8E79BF78530EDB17D8F1C94DF9 ft=1 fh=fa56f3a4ea361a51 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe"
sh=11F69B3BA4100A4C45B366C1F79BB52AC45476E8 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G"
sh=080F6B138931704FEC71EACD956E080229FCF952 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]"
sh=F1715CFD27DC6BFDE10442102D08554C1C893A67 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]"
sh=78BF31062051EB4CD0DDD6B8E372B19C267C9B98 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]"
sh=45BA456433D613144A368AC17FB827216A4F28AB ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z"
sh=098C820D0A30963C886D605C187E6E0DEB9075D3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2"
sh=A9A657C153EFF53D9D37F6A26E54608988FE8C46 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F"
sh=1E281AEB127FBCC9605EC5E34AF2E9B1194D5035 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00"
sh=BB492BAAFB8FB8BAD644F9DA0D0C7065F461A368 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]"
sh=F465BDC7CDB6D902274B1B2DE4D03F466D7FBFD3 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]"
sh=3233C8892659072CADA04EC6ABFE1615CE66FDF1 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]"
sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php"
sh=4E8BC33C6DFBDD9727988EB0AA95AF115C08FA8F ft=1 fh=efa4d311e75fd867 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll"
sh=096B736DCB93B86E094839B73D724E8B4172BB16 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX"
sh=96ECE4FD50478122EAA7B4C411CE4B1AA7103583 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH"
sh=76A0F71110E63B70CE321128A325BEF5728FFB30 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]"
sh=9A43AEA05056A4631B5E852EAB52E9F89B9B4EE4 ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html"
sh=AC85DB00B2E2594170D9B607E34919C45CF8BE72 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G"
sh=6CA38C287E7E3638A1AC5F5FF3BDF74822D5D344 ft=0 fh=0000000000000000 vn="HTML/Iframe.B.Gen Virus" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]"
sh=9BAF8A864BF199640F2D27D62CA0FC214C5A138C ft=0 fh=0000000000000000 vn="HTML/Refresh.BC Trojaner" ac=I fn="C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="Variante von Win32/Toolbar.Babylon.F evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll"
sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll"
sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="Variante von Win32/Toolbar.Babylon.E evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe"
sh=BC025EB0A48183E45F54EACE19D7CCC9A30B5F37 ft=1 fh=c5ca840e53d8f07f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe"
sh=153D61D882922BA440ED0EDB0BE44F58CB47DC5B ft=0 fh=0000000000000000 vn="Variante von Win32/PriceGong.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi"
sh=19344467CB8A39A10E57BDAAA450DDD1F47BE033 ft=0 fh=0000000000000000 vn="JS/Kryptik.AP Trojaner" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm"
sh=6EF4B349F23F2B83D07BAAFF09F65ED63482818C ft=1 fh=c71c001182c4fa88 vn="Variante von Win32/Toolbar.SearchSuite.Z evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll"
sh=475FDFC60EA7EDAC01D81109C5432D56BE204EE0 ft=1 fh=e3d778651a32038a vn="Variante von Win32/KeyLogger.Refog.D Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe"
sh=14B1915594E3111C8B5BEEC0915CE0D5620191C3 ft=1 fh=8b9abe168a66d4b2 vn="Variante von Win32/Toolbar.Visicom.A evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe"
sh=4C5834A9F0D646B35A7719A4E352093C0240BA5F ft=1 fh=f68058267a38e609 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll"
sh=57CD8DEAF43DF3A2F4703E5219A69935B119D0DB ft=1 fh=311781f1ea21501f vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll"
sh=027DF2D2944EA506A71D61928674C2CC42A8FE69 ft=1 fh=4c97c45eed1dce37 vn="Win32/Toolbar.Babylon evtl. unerwünschte Anwendung" ac=I fn="C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe"
sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll"
sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe"
sh=F73A84AC385A3B05D0EA425BCE157381C6B4ACBC ft=1 fh=008645d93ec93ad6 vn="Win32/Boaxxe.BR Trojaner" ac=I fn="C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe"
sh=91CF851FC60AB6D4FFF4DBE4A98C37ECD6A841A8 ft=1 fh=06bd9319462efad2 vn="Variante von Win32/Packed.Themida evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL"
sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe"
sh=7FAEDDFE7AA391AFCEC7BC4E36E95348F8F270DA ft=0 fh=0000000000000000 vn="Win32/Boaxxe.BU Trojaner" ac=I fn="C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js"
sh=7FAEDDFE7AA391AFCEC7BC4E36E95348F8F270DA ft=0 fh=0000000000000000 vn="Win32/Boaxxe.BU Trojaner" ac=I fn="C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js"
sh=74F9F4BF038FEA2E33D37906C375A454A9456B35 ft=1 fh=b9ea14dac9f8ad1c vn="Variante von Win32/Complitly.A evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe"
sh=457335C7D7CF3B76BDA5156BDFC9D2E55F5EB26E ft=1 fh=733834ea60493ef0 vn="Variante von Win32/Toolbar.Conduit.B evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe"
sh=FFB48EDC93E610BE77A3F69422014FF29BE027CA ft=1 fh=c71c00114e3734c7 vn="Variante von Win64/Sathurbot.A Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll"
sh=3C8E0EF3D8366D7C6881DE8D5B55CD4615650BEC ft=1 fh=d733a75a8cafce2d vn="Variante von Generik.LBXSLDK Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe"
sh=F73A84AC385A3B05D0EA425BCE157381C6B4ACBC ft=1 fh=008645d93ec93ad6 vn="Win32/Boaxxe.BR Trojaner" ac=I fn="C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe"
sh=3BAD2CF7AE22FE1CD6D934E09C2DDEB78FB8DC45 ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar"
sh=B8D140F32E455F0B90C04CD93EA852E8D22AECEF ft=0 fh=0000000000000000 vn="Win32/Toolbar.Conduit.A evtl. unerwünschte Anwendung" ac=I fn="Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="Mehrere Bedrohungen" ac=I fn="${Memory}"
         
SecurityCheck:
Code:
 Results of screen317's Security Check version 0.99.93  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
Avira Desktop   
 Antivirus up to date!  (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 16.0.0.235  
 Mozilla Firefox (34.0.5) 
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe 
 Avira Antivir avguard.exe 
 EMSISOFT Anti-Malware a2service.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
         
FRST:

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014
Ran by Admin (administrator) on ADMIN-PC on 30-12-2014 06:50:43
Running from C:\Users\Admin\Desktop
Loaded Profile: Admin (Available profiles: Admin)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Spotify Ltd) C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Native Instruments GmbH) C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\TimeSync.exe
() C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Schnapper-Software  Robert Beer) C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Dropbox, Inc.) C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Nero AG) C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(SAP AG) C:\Program Files (x86)\SAP\SapSetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2012-03-26] (VIA Technologies, Inc.)
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [495616 2014-05-12] (Greenshot)
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-09] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [NBAgent] => C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1234216 2010-03-26] (Nero AG)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383544 2012-12-14] (Citrix Systems, Inc.)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Azureus] => C:\Program Files\Vuze\Azureus.exe [346424 2014-08-12] (Azureus Software, Inc)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Spotify Web Helper] => C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-24] (Spotify Ltd)
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [UVMmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] ()
AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256568 2012-12-14] (Citrix Systems, Inc.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk
ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodeMeter Control Center.lnk
ShortcutTarget: CodeMeter Control Center.lnk -> C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe (WIBU-SYSTEMS AG)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SchnapperPro.lnk
ShortcutTarget: SchnapperPro.lnk -> C:\Program Files (x86)\SchnapperPro\SchnapperPro.exe (Schnapper-Software  Robert Beer)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-3347311179-4269016646-269938500-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Admin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]
FF Extension: WMDM CE Device Service Provider - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\Extensions\{066BF1A1-62A1-474B-4D00-591822FEB978} [2014-12-26]

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-09] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-25] (SurfRight B.V.)
R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [165568 2012-06-19] (SAP AG)
R2 SchnapperPro-TimeSync; C:\Program Files (x86)\SchnapperPro\TimeSync.exe [45664 2007-08-30] (Schnapper-Software  Robert Beer)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
R1 a2injectiondriver; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH)
R1 a2util; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-01] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-24] (Avira Operations GmbH & Co. KG)
R3 cleanhlp; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
R2 ei2c; C:\Windows\system32\drivers\ei2c.sys [20784 2014-08-30] (Nicomsoft Ltd.)
S3 gbxavs; C:\Windows\System32\Drivers\gbxavs.sys [357968 2011-07-07] () [File not signed]
S3 gbxavs_x64; C:\Windows\System32\Drivers\gbxavs_x64.sys [46096 2008-11-20] (Native Instruments GmbH)
S3 gbxusb_x64; C:\Windows\System32\Drivers\gbxusb_x64.sys [250896 2008-11-20] (Native Instruments GmbH)
R3 ka6avs; C:\Windows\System32\Drivers\ka6avs.sys [359784 2012-12-18] (Native Instruments GmbH)
R3 ka6usb_svc; C:\Windows\System32\Drivers\ka6usb.sys [85864 2012-12-18] (Native Instruments GmbH)
S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [23968 2013-02-07] (Resplendence Software Projects Sp.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [53760 2012-09-28] (Apple, Inc.) [File not signed]
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [204800 2012-03-26] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [256000 2012-03-26] (VIA Technologies, Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-30 06:50 - 2014-12-30 06:50 - 00017338 _____ () C:\Users\Admin\Desktop\FRST.txt
2014-12-30 06:50 - 2014-12-30 06:50 - 00000760 _____ () C:\Users\Admin\Desktop\securitycheck.txt
2014-12-30 06:23 - 2014-12-30 06:23 - 00852505 _____ () C:\Users\Admin\Desktop\SecurityCheck(1).exe
2014-12-29 22:25 - 2014-12-29 22:25 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu(1).exe
2014-12-29 22:21 - 2014-12-29 22:22 - 00000004 ____H () C:\ProgramData\cm-lock
2014-12-29 06:46 - 2014-12-29 06:46 - 00000000 ____D () C:\Users\Admin\Desktop\FRST-OlderVersion
2014-12-29 06:41 - 2014-12-28 09:01 - 01707939 _____ (Thisisu) C:\Users\Admin\Desktop\JRT_NEW.exe
2014-12-29 06:39 - 2014-12-29 06:39 - 00001500 _____ () C:\Users\Admin\Desktop\AdwCleaner[S4].txt
2014-12-28 22:28 - 2014-12-28 22:29 - 00000000 ____D () C:\Users\Admin\Desktop\mal
2014-12-28 22:26 - 2014-12-28 22:26 - 00000270 _____ () C:\Users\Admin\Desktop\text.txt
2014-12-28 12:14 - 2014-12-28 12:14 - 00025716 _____ () C:\ComboFix.txt
2014-12-26 14:47 - 2014-12-26 14:47 - 00715952 _____ () C:\Windows\Minidump\122614-37533-01.dmp
2014-12-26 13:43 - 2014-12-26 13:43 - 01180834 _____ () C:\Users\Admin\Downloads\7z935.exe
2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-12-26 13:43 - 2014-12-26 13:43 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2014-12-26 12:04 - 2014-12-26 12:04 - 00380416 _____ () C:\Users\Admin\Downloads\Gmer-19357.exe
2014-12-26 11:59 - 2014-12-26 11:59 - 00000000 _____ () C:\Users\Admin\defogger_reenable
2014-12-26 11:58 - 2014-12-26 11:59 - 00050477 _____ () C:\Users\Admin\Desktop\Defogger.exe
2014-12-26 11:48 - 2014-12-26 11:48 - 00003874 _____ () C:\EamClean.log
2014-12-26 00:41 - 2014-12-26 00:41 - 00852505 _____ () C:\Users\Admin\Downloads\SecurityCheck.exe
2014-12-26 00:39 - 2014-12-26 00:39 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-12-26 00:38 - 2014-12-26 00:38 - 02347384 _____ (ESET) C:\Users\Admin\Downloads\esetsmartinstaller_deu.exe
2014-12-26 00:36 - 2014-12-30 06:50 - 00000000 ____D () C:\FRST
2014-12-26 00:36 - 2014-12-26 11:41 - 00044595 _____ () C:\Users\Admin\Downloads\FRST.txt
2014-12-26 00:36 - 2014-12-26 00:37 - 00037320 _____ () C:\Users\Admin\Downloads\Addition.txt
2014-12-26 00:20 - 2014-12-29 06:46 - 02123264 _____ (Farbar) C:\Users\Admin\Desktop\FRST64.exe
2014-12-25 23:53 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Desktop\ComboFix.exe
2014-12-25 23:51 - 2014-12-25 23:51 - 00709564 _____ () C:\Users\Admin\Downloads\delfix_10.8.exe
2014-12-25 23:26 - 2014-12-28 12:15 - 00000000 ____D () C:\Qoobox
2014-12-25 23:26 - 2014-12-25 23:47 - 00000000 ____D () C:\Windows\erdnt
2014-12-25 23:26 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-25 23:26 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-25 23:26 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-25 23:26 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-25 23:24 - 2014-12-25 23:24 - 05603624 ____R (Swearware) C:\Users\Admin\Downloads\ComboFix.exe
2014-12-25 17:05 - 2014-12-25 17:05 - 00001098 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-12-25 17:05 - 2014-12-25 17:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2014-12-25 17:04 - 2014-12-30 00:31 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-25 16:57 - 2014-12-25 16:57 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-12-25 16:51 - 2014-12-25 16:54 - 170741736 _____ (Emsisoft Ltd ) C:\Users\Admin\Downloads\EmsisoftAntiMalwareSetup.exe
2014-12-25 13:48 - 2014-12-25 13:48 - 00007506 _____ () C:\Windows\system32\.crusader
2014-12-25 13:38 - 2014-12-25 13:49 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00001912 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-12-25 13:38 - 2014-12-25 13:38 - 00000000 ____D () C:\Program Files\HitmanPro
2014-12-25 13:04 - 2014-12-25 13:05 - 11222744 _____ (SurfRight B.V.) C:\Users\Admin\Downloads\HitmanPro_x64.exe
2014-12-25 12:18 - 2014-12-25 12:18 - 00000194 _____ () C:\Users\Admin\Downloads\hosts-perm.bat
2014-12-25 11:11 - 2014-12-25 11:11 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\blabka4.exe
2014-12-24 17:17 - 2014-12-24 17:17 - 00001801 _____ () C:\Users\Public\Desktop\Vuze.lnk
2014-12-24 16:43 - 2014-12-24 16:43 - 02953520 _____ (AVAST Software) C:\Users\Admin\Downloads\avast-browser-cleanup.exe
2014-12-24 16:34 - 2014-12-24 16:34 - 00000000 ____D () C:\Windows\ERUNT
2014-12-24 16:04 - 2014-12-30 06:47 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-24 16:04 - 2014-12-24 16:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-24 16:04 - 2014-12-24 16:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-24 16:04 - 2014-12-24 16:04 - 00003822 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-24 14:11 - 2014-12-24 14:11 - 00001271 _____ () C:\Users\Admin\Desktop\Revo Uninstaller.lnk
2014-12-24 14:11 - 2014-12-24 14:11 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-12-24 14:10 - 2014-12-24 14:10 - 01707646 _____ (Thisisu) C:\Users\Admin\Desktop\JRT.exe
2014-12-24 14:09 - 2014-12-24 14:09 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Admin\Downloads\revosetup.exe
2014-12-24 14:08 - 2014-12-24 14:08 - 01940728 _____ (Bleeping Computer, LLC) C:\Users\Admin\Downloads\rkill.exe
2014-12-24 13:50 - 2014-12-24 13:50 - 02173952 _____ () C:\Users\Admin\Desktop\AdwCleaner_4.106.exe
2014-12-19 13:46 - 2014-12-19 13:46 - 00001723 _____ () C:\Users\Admin\Desktop\Computer.lnk
2014-12-18 08:52 - 2014-12-13 06:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-18 08:52 - 2014-12-13 04:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-17 22:17 - 2014-12-17 22:17 - 00003133 _____ () C:\Users\Public\Desktop\Nero BackItUp 10.lnk
2014-12-17 22:16 - 2014-12-17 22:16 - 00002937 _____ () C:\Users\Public\Desktop\Nero Burning ROM 10.lnk
2014-12-17 22:14 - 2014-12-17 22:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero
2014-12-17 20:59 - 2014-12-17 21:06 - 00000000 ____D () C:\Users\Admin\Desktop\volvo verkauf autoscout
2014-12-17 19:39 - 2014-12-17 19:39 - 00001156 _____ () C:\Users\Public\Desktop\etope 8 starten.lnk
2014-12-16 22:06 - 2014-12-24 14:17 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Line 6
2014-12-16 22:05 - 2014-12-17 18:49 - 00001137 _____ () C:\Users\Public\Desktop\Reason Essentials.lnk
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:06 - 00000000 ____D () C:\Program Files (x86)\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\ProgramData\CodeMeter
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\Propellerhead
2014-12-16 22:05 - 2014-12-16 22:05 - 00000000 ____D () C:\Program Files\CodeMeter
2014-12-16 19:49 - 2014-12-16 19:49 - 00000000 ____D () C:\Windows\pss
2014-12-16 19:13 - 2014-12-16 19:13 - 00000000 ____D () C:\ProgramData\Adobe Systems
2014-12-16 18:29 - 2014-12-16 18:29 - 02166272 _____ () C:\Users\Admin\Downloads\adwcleaner_4.105.exe
2014-12-16 18:28 - 2014-12-29 06:31 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-16 18:28 - 2014-12-16 18:28 - 00001109 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-16 18:28 - 2014-12-16 18:28 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware 
2014-12-16 18:28 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-16 18:28 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-16 18:27 - 2014-12-16 18:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Admin\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-11 03:24 - 2014-12-11 03:24 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-11 03:02 - 2014-10-18 03:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-11 03:02 - 2014-10-18 02:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-10 19:37 - 2014-12-16 20:05 - 00000000 _____ () C:\ProgramData\@system.temp
2014-12-10 19:36 - 2014-12-16 20:30 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\FrameworkUpdate
2014-12-10 19:36 - 2014-12-10 19:36 - 00000480 ____H () C:\Users\Admin\AppData\Roaming\麽鎒駓覜
2014-12-10 08:43 - 2014-12-04 03:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-10 08:43 - 2014-12-04 03:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-10 08:43 - 2014-12-04 03:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-10 08:43 - 2014-12-02 00:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-10 08:42 - 2014-11-27 02:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-10 08:42 - 2014-11-27 02:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-10 08:42 - 2014-11-22 04:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 08:42 - 2014-11-22 04:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 04:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 08:42 - 2014-11-22 03:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 03:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-10 08:42 - 2014-11-22 03:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-10 08:42 - 2014-11-22 03:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-10 08:42 - 2014-11-22 03:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 08:42 - 2014-11-22 03:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 03:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-10 08:42 - 2014-11-22 03:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 08:42 - 2014-11-22 03:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 03:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 08:42 - 2014-11-22 03:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 03:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-10 08:42 - 2014-11-22 03:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-10 08:42 - 2014-11-22 03:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-10 08:42 - 2014-11-22 03:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 03:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-10 08:42 - 2014-11-22 03:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 08:42 - 2014-11-22 02:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 08:42 - 2014-11-22 02:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-10 08:42 - 2014-11-22 02:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-10 08:42 - 2014-11-22 02:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-10 08:42 - 2014-11-22 02:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 08:42 - 2014-11-22 02:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-10 08:42 - 2014-11-22 02:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-10 08:42 - 2014-11-22 02:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 08:42 - 2014-11-22 02:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 08:42 - 2014-11-22 02:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 08:42 - 2014-11-22 02:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 08:42 - 2014-11-22 02:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 08:42 - 2014-11-22 02:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 08:42 - 2014-11-22 02:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-10 08:42 - 2014-11-22 02:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 08:42 - 2014-11-22 02:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 08:42 - 2014-11-22 02:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-10 08:42 - 2014-11-22 02:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 08:42 - 2014-11-22 01:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 08:42 - 2014-11-22 01:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-10 08:42 - 2014-11-11 04:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 03:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 08:42 - 2014-11-11 02:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-10 08:42 - 2014-10-30 03:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-10 08:42 - 2014-10-30 02:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-10 08:42 - 2014-10-03 03:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 03:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 03:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-10 08:42 - 2014-10-03 02:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-10 08:42 - 2014-10-03 02:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-10 08:42 - 2014-10-03 02:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-10 08:41 - 2014-11-08 04:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-10 08:41 - 2014-11-08 03:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-09 21:04 - 2014-12-09 21:04 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Oracle
2014-12-09 09:14 - 2014-12-09 09:14 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-08 19:34 - 2014-12-08 19:34 - 00000000 ____D () C:\ProgramData\PACE
2014-12-08 19:19 - 2014-12-24 14:22 - 00000000 ____D () C:\Users\Admin\Documents\iZotope
2014-12-08 19:12 - 2014-12-29 22:23 - 00000000 ____D () C:\Users\Admin\AppData\Local\Idsoft
2014-12-08 19:12 - 2014-12-28 22:03 - 00000000 ____D () C:\Users\Admin\AppData\Local\Ejmtion
2014-12-07 00:22 - 2014-12-07 00:22 - 01389910 _____ () C:\Users\Admin\Downloads\mp3bee3.exe
2014-12-06 20:08 - 2014-12-06 20:08 - 00025478 _____ () C:\Users\Admin\Desktop\1131_I-Wont-be-Home-for-Christmas.mid
2014-12-06 20:04 - 2014-12-06 20:04 - 00028918 _____ () C:\Users\Admin\Desktop\Blink_182_-_I_Won't_Be_Home_for_Christmas.mid
2014-12-02 22:14 - 2014-12-02 22:14 - 04990667 _____ () C:\Users\Admin\Desktop\10433298_10204168401239201_2025431251_n.mp4
2014-11-30 16:23 - 2014-12-08 12:29 - 00000000 ____D () C:\Users\Admin\Desktop\5825
2014-11-30 12:59 - 2014-12-18 14:55 - 00000000 ____D () C:\Users\Admin\Desktop\facebook

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-30 06:11 - 2013-03-31 00:28 - 01897689 _____ () C:\Windows\WindowsUpdate.log
2014-12-30 04:04 - 2013-03-30 18:07 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D7B81C1-8B06-4916-B13D-931EF0D2FBD7}
2014-12-30 02:02 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe
2014-12-30 00:02 - 2013-03-31 14:01 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\vlc
2014-12-29 22:33 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-29 22:33 - 2009-07-14 05:45 - 00020880 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-29 22:27 - 2009-07-14 18:58 - 00702980 _____ () C:\Windows\system32\perfh007.dat
2014-12-29 22:27 - 2009-07-14 18:58 - 00150620 _____ () C:\Windows\system32\perfc007.dat
2014-12-29 22:27 - 2009-07-14 06:13 - 01629444 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-29 22:24 - 2013-03-31 16:13 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Azureus
2014-12-29 22:22 - 2013-04-04 20:00 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SchnapperPro
2014-12-29 22:22 - 2013-04-03 21:41 - 00000000 ___RD () C:\Users\Admin\Dropbox
2014-12-29 22:22 - 2013-04-03 21:39 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Dropbox
2014-12-29 22:21 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-29 22:20 - 2013-05-01 22:29 - 00268924 _____ () C:\Windows\setupact.log
2014-12-29 16:31 - 2013-05-01 22:28 - 00232502 _____ () C:\Windows\PFRO.log
2014-12-29 06:33 - 2014-08-30 17:51 - 00000000 ____D () C:\AdwCleaner
2014-12-28 11:47 - 2009-07-14 03:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-27 11:36 - 2014-11-16 23:37 - 00000000 ____D () C:\Users\Admin\AppData\Local\JDownloader 2.0
2014-12-26 14:47 - 2013-10-18 05:16 - 1811278370 _____ () C:\Windows\MEMORY.DMP
2014-12-26 14:47 - 2013-04-05 16:37 - 00000000 ____D () C:\Windows\Minidump
2014-12-26 11:59 - 2013-03-30 17:29 - 00000000 ____D () C:\Users\Admin
2014-12-25 23:49 - 2009-07-14 04:20 - 00000000 __RHD () C:\Users\Default
2014-12-25 13:50 - 2013-06-21 18:50 - 00000000 ____D () C:\Users\Admin\AppData\Local\Greenshot
2014-12-25 12:47 - 2014-02-26 03:02 - 01648918 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-12-25 11:39 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\tracing
2014-12-24 17:17 - 2013-03-31 16:13 - 00001801 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vuze.lnk
2014-12-24 17:17 - 2013-03-31 16:13 - 00000000 ____D () C:\Program Files\Vuze
2014-12-24 14:50 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Help
2014-12-24 14:27 - 2014-08-05 17:48 - 00000000 ____D () C:\ProgramData\Package Cache
2014-12-24 14:24 - 2013-03-30 17:59 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-24 14:22 - 2013-04-05 18:08 - 00000000 ____D () C:\Program Files\Common Files\VST3
2014-12-24 14:21 - 2013-04-07 10:11 - 00000000 ____D () C:\Program Files (x86)\Java
2014-12-24 14:18 - 2013-03-31 16:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-12-24 14:18 - 2013-03-31 03:19 - 00000000 ____D () C:\ProgramData\Adobe
2014-12-24 14:14 - 2013-04-01 08:35 - 00000000 ____D () C:\Users\Admin\AppData\Local\Citrix
2014-12-24 14:00 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\Cursors
2014-12-20 21:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\L2Schemas
2014-12-19 14:11 - 2013-03-31 00:23 - 00000000 ____D () C:\Windows\Panther
2014-12-19 14:11 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\schemas
2014-12-18 20:14 - 2013-05-18 11:32 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Spotify
2014-12-18 15:55 - 2013-05-18 11:33 - 00000000 ____D () C:\Users\Admin\AppData\Local\Spotify
2014-12-17 22:21 - 2013-04-01 18:04 - 00000000 ____D () C:\Program Files (x86)\Nero
2014-12-17 21:55 - 2014-08-30 12:41 - 00000000 ____D () C:\Temp
2014-12-17 19:39 - 2014-04-27 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\etope 8
2014-12-16 22:14 - 2009-07-14 05:45 - 11266360 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 22:13 - 2013-05-01 10:12 - 00000000 ____D () C:\ProgramData\Propellerhead Software
2014-12-16 22:08 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-12-16 22:06 - 2013-05-01 10:12 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Propellerhead Software
2014-12-16 22:05 - 2013-05-01 10:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Propellerhead
2014-12-16 19:53 - 2014-09-13 16:03 - 00000000 ____D () C:\Program Files (x86)\AntiTwin
2014-12-16 19:47 - 2013-06-19 18:24 - 00000000 ____D () C:\Program Files\ARIS Express
2014-12-16 19:40 - 2013-03-30 17:44 - 00440744 _____ () C:\Users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-16 19:15 - 2013-03-30 18:29 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Adobe
2014-12-16 19:12 - 2013-03-31 16:04 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2014-12-16 19:11 - 2013-09-01 20:02 - 00000000 ____D () C:\Users\Admin\.android
2014-12-14 03:00 - 2013-03-30 17:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-13 03:22 - 2013-08-30 17:11 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-11 03:55 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2014-12-11 03:26 - 2014-08-30 15:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-11 03:24 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-11 03:24 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-11 03:07 - 2013-07-23 02:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-09 21:04 - 2013-11-24 11:03 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-09 20:08 - 2014-11-03 17:17 - 00001144 _____ () C:\Users\Public\Desktop\Avira.lnk
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-12-09 20:08 - 2013-03-31 13:43 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-12-09 20:02 - 2009-07-14 06:08 - 00032640 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-08 19:44 - 2013-04-01 15:27 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\iZotope
2014-12-07 12:06 - 2014-05-01 10:37 - 00022016 ___SH () C:\Users\Admin\Thumbs.db

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\avgnt.exe
C:\Users\Admin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6ihpta.dll
C:\Users\Admin\AppData\Local\Temp\i4jdel0.exe
C:\Users\Admin\AppData\Local\Temp\Quarantine.exe
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-25 07:54

==================== End Of Log ============================
         
[Attached screenshot: 2014-12-30-18_44_25-hitmanpro-3.7.9-build-232-64-bit-.jpg]
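The FRST sections above (One Month Modified, Some content of TEMP, Loaded Modules) are what a helper reads to decide which entries go into a fixlist. The script below is an added example of that triage step, written for this page; it is not part of jamerson's post and not code from Farbar's tool. It assumes the entry layout visible in the log lines (two timestamps, size, five attribute flags, the company name FRST reads from the file's version resource in parentheses, then the path); the list of user-writable directories, the weights and the threshold are the example's own choices, and the sample lines are taken from the log above (the final header line is included to show the parser ignores non-entry text).

```python
import re
from dataclasses import dataclass

# One FRST file entry: "<timestamp> - <timestamp> - <size> <attrs> (<company>) <path>".
# Which timestamp is creation and which is modification depends on the FRST
# section (the sort key is printed first), so they are kept as ts1/ts2 here.
FRST_ENTRY = re.compile(
    r"^(?P<ts1>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<ts2>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>\S.*)$"
)

# Locations a non-elevated user can write to; malware running as the user
# drops its payload here rather than in System32. Heuristic list, not exhaustive.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "\\temp\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif")
# "tmp" + four hex digits, e.g. tmp86EA.exe in the Loaded Modules section:
# the shape of a name handed out by GetTempFileName.
TEMP_NAME = re.compile(r"^tmp[0-9a-f]{4}\.(exe|dll)$", re.IGNORECASE)

# Sample input copied from the FRST output above; the last line is a section
# header and must be skipped by the parser.
SAMPLE_LINES = [
    r"2014-12-28 22:01 - 2014-12-28 22:01 - 00155676 _____ () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe",
    r"2014-12-11 03:04 - 2013-03-30 20:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe",
    r"2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll",
    r"2014-12-30 02:02 - 2013-04-01 11:56 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe",
    r"2014-12-29 22:22 - 2014-12-29 22:22 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6ihpta.dll",
    "Some content of TEMP:",
]


@dataclass
class Finding:
    path: str
    score: int
    reasons: list


def parse_entry(line):
    """Return the fields of one FRST entry, or None for headers and other text."""
    m = FRST_ENTRY.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Score one parsed entry; None means nothing worth a second look."""
    if "D" in entry["attrs"]:  # directories carry no code of their own
        return None
    path = entry["path"]
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if not name.endswith(EXEC_EXT):
        return None
    score, reasons = 0, []
    if any(d in low for d in USER_WRITABLE):
        score += 2
        reasons.append("executable in user-writable directory")
    if TEMP_NAME.match(name):
        score += 3
        reasons.append("temp-style file name")
    if not entry["company"].strip():
        score += 1
        reasons.append("no company name in version info")
    if entry["ts1"] == entry["ts2"]:
        score += 1
        reasons.append("identical timestamps (written once, never touched)")
    return Finding(path, score, reasons) if score >= 3 else None


def triage(lines):
    """Parse FRST lines and return findings, highest score first."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding is not None:
            findings.append(finding)
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.score}] {f.path}\n      " + "; ".join(f.reasons))
```

The score ranks entries for a human, it is not a verdict: Dropbox's own DLLs also come out at 4, because shipping company-less DLLs under AppData\Roaming is simply what that product does, which is why the missing company name carries the lowest weight. The temp-style name is the strongest single signal and is what puts tmp86EA.exe at the top. A hit that loads from AppData and carries no vendor name deserves a hash lookup before it goes into a fixlist, the same way the Bamital & volsnap check above only trusts the core system binaries once their signatures verify.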

30.12.2014, 18:48   #12
jamerson

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

Addition:
Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
Ran by Admin at 2014-12-30 06:51:04
Running from C:\Users\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.35 beta (HKLM-x32\...\7-Zip) (Version:  - )
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe CSI CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Drive CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Flash CS4 Professional (HKLM-x32\...\Adobe_a68eec966ce913ddaa63251dc82ed31) (Version: 10.0 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Flash Professional CS6 (HKLM-x32\...\{BD5669B5-49FF-4490-B956-E9D7CB9B0ADC}) (Version: 12.0 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Antares Auto-Tune v4.39 (HKLM-x32\...\Antares Auto-Tune v4.39) (Version:  - )
Arturia Arp2600 V v1.0 (HKLM-x32\...\Arturia Arp2600 V v1.0) (Version:  - )
Arturia CS-80V v1.5 (HKLM-x32\...\Arturia CS-80V v1.5) (Version:  - )
Arturia Moog Modular V2 v1.0 (HKLM-x32\...\Arturia Moog Modular V2 v1.0) (Version:  - )
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.11 Beta1 - Michael Tippach)
Audio Bro LA Scoring Strings (HKLM-x32\...\Audio Bro LA Scoring Strings) (Version:  - Audio Bro)
Audio Bro LA Scoring Strings (Version: 1.0.0.001 - Audio Bro) Hidden
Authorizer 2.7.0 (HKLM\...\{F6762963-9AE5-4bc6-A70F-2D749F6AC02F}_is1) (Version: 2.7.0 - Propellerhead Software AB)
Authorizer Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden
Avira (HKLM-x32\...\{e7c7c227-b742-4878-9425-f09bbf9951db}) (Version: 1.1.27.25527 - Avira Operations & Co. KG)
Avira (x32 Version: 1.1.27.25527 - Avira Operations & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.468 - Avira)
Bass Station 1.6 (HKLM-x32\...\{ABAF1232-6213-4062-9D52-04E04A730CEA}_is1) (Version: 1.6 - Novation Digital Music Systems Ltd.)
CCleaner (HKLM\...\CCleaner) (Version: 4.01 - Piriform)
Celemony Melodyne Plugin VST RTAS v1.0 (HKLM-x32\...\Celemony Melodyne Plugin_is1) (Version:  - )
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.4.0.25 - Citrix Systems, Inc.)
Connect (x32 Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
discoDSP Phantom VSTi v1.2 (HKLM-x32\...\discoDSP Phantom_is1) (Version:  - )
Dropbox (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Edirol HQ Orchestral v1.01 (HKLM-x32\...\Edirol HQ Orchestral v1.01) (Version:  - )
Edirol Hyper Canvas VSTi DXi 1.6.0 (HKLM-x32\...\Edirol Hyper Canvas VSTi DXi_is1) (Version:  - )
Edirol Super Quartet v1.52 TALiO (HKLM-x32\...\Edirol Super Quartet v1.52 TALiO) (Version:  - )
EF Duplicate Files Manager (HKLM-x32\...\EF Duplicate Files Manager) (Version:  - EFSoftware)
eLicenser Control (HKLM-x32\...\eLicenser Control) (Version:  - Steinberg Media Technologies GmbH)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd)
Engineering Client Viewer 7.0 (HKLM-x32\...\SAP_Engineering Client Viewer 7.0) (Version:  - SAP AG)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
etope 8 (HKLM-x32\...\etope_is1) (Version:  - Freshworx GmbH & Co. KG)
EZdrummer (HKLM-x32\...\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}) (Version: 1.0 - Toontrack)
EZXClaustrophobic (HKLM-x32\...\{8094F7AE-CA21-4AF2-A256-BC918CE0E796}) (Version: 1.0 - Toontrack)
EZXCocktail (HKLM-x32\...\{147567F0-8575-4BE0-B5B3-62706C67FA5A}) (Version: 1.0 - Toontrack)
EZXDfh (HKLM-x32\...\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}) (Version: 1.0 - Toontrack)
EZXNashville (HKLM-x32\...\{82DF9225-13EC-41BD-BE31-AAB121B38166}) (Version: 1.0 - Toontrack)
EZXPercussion (HKLM-x32\...\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}) (Version: 1.0 - Toontrack)
EZXTwisted (HKLM-x32\...\{D1EBF11E-8CE3-4EF5-8E2D-FD5B8D6BD294}) (Version: 1.0 - Toontrack)
FabFilter Pro-Q VST RTAS v1.00 (HKLM-x32\...\FabFilter Pro-Q VST RTAS_is1) (Version:  - TEAM AiR)
FabFilter Timeless VST RTAS v1.01 (HKLM-x32\...\FabFilter Timeless_is1) (Version:  - )
FileZilla Client 3.9.0.3 (HKLM-x32\...\FileZilla Client) (Version: 3.9.0.3 - Tim Kosse)
Free MP4 Video Converter version 5.0.48.923 (HKLM-x32\...\Free MP4 Video Converter_is1) (Version: 5.0.48.923 - DVDVideoSoft Ltd.)
Free YouTube to MP3 Converter version 3.12.44.908 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.44.908 - DVDVideoSoft Ltd.)
Futureaudioworkshop Circle VSTi RTAS v1.03 (HKLM-x32\...\Futureaudioworkshop Circle VSTi RTAS_is1) (Version:  - )
Greenshot 1.1.9.13 (HKLM\...\Greenshot_is1) (Version: 1.1.9.13 - Greenshot)
High-Definition Video Playback 10 (x32 Version: 7.0.11400.29.0 - Nero AG) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
Image Line ToxicIII v1.41 VSTi (HKLM-x32\...\Image Line ToxicIII v1.41 VSTi) (Version:  - )
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.5.235 - Intel Corporation)
JDownloader 2 (HKLM\...\jdownloader2) (Version: 2.0 - AppWork GmbH)
KORG M1 Le (HKLM-x32\...\{9624502C-3D39-41A0-8917-858EC16769CE}) (Version: 1.0.4 - KORG Inc.)
kuler (x32 Version: 2.0 - Adobe Systems Incorporated) Hidden
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
ManyGuitar 1.0 (HKLM-x32\...\ManyGuitar_is1) (Version:  - ManyTone)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Project Professional 2013 (HKLM-x32\...\Office15.PRJPROR) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MixMeister BPM Analyzer 1.0 (HKLM-x32\...\MixMeister BPM Analyzer_is1) (Version:  - MixMeister Technology LLC)
MKVToolNix 6.4.1 (HKLM-x32\...\MKVToolNix) (Version: 6.4.1 - Moritz Bunkus)
MOBackup - Datensicherung für Outlook (Vollversion) (HKLM-x32\...\MOBackup-DatensicherungfürOutlook) (Version: 7.0 - Heiko Schröder)
Mozilla Firefox 34.0.5 (x86 de) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 de)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Native Instruments Absynth 5 (HKLM-x32\...\Native Instruments Absynth 5) (Version:  - Native Instruments)
Native Instruments Battery 3 (HKLM-x32\...\Native Instruments Battery 3) (Version:  - )
Native Instruments Controller Editor (HKLM-x32\...\Native Instruments Controller Editor) (Version: 1.6.2.1863 - Native Instruments)
Native Instruments FM8 (HKLM-x32\...\Native Instruments FM8) (Version:  - )
Native Instruments George Duke Soul Treasures (HKLM-x32\...\Native Instruments George Duke Soul Treasures) (Version:  - Native Instruments)
Native Instruments Hardware Controller Support (HKLM-x32\...\Native Instruments Hardware Controller Support) (Version:  - Native Instruments)
Native Instruments Komplete 6 (HKLM-x32\...\Native Instruments Komplete 6) (Version:  - Native Instruments)
Native Instruments Komplete Audio 6 Driver (HKLM-x32\...\Native Instruments Komplete Audio 6 Driver) (Version:  - Native Instruments)
Native Instruments Kontakt 4 (HKLM-x32\...\Native Instruments Kontakt 4) (Version:  - Native Instruments)
Native Instruments Kontakt 5 (HKLM-x32\...\Native Instruments Kontakt 5) (Version:  - Native Instruments)
Native Instruments Maschine (HKLM-x32\...\Native Instruments Maschine) (Version:  - Native Instruments)
Native Instruments Maschine Driver (HKLM-x32\...\Native Instruments Maschine Driver) (Version:  - Native Instruments)
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS (HKLM-x32\...\Native Instruments Massive v1.0.1.008 VSTi DXi RTAS) (Version:  - )
Native Instruments New York Concert Grand (HKLM-x32\...\Native Instruments New York Concert Grand) (Version:  - Native Instruments)
Native Instruments Pro-53 (HKLM-x32\...\Native Instruments Pro-53) (Version:  - )
Native Instruments Retro Machines Mk2 (HKLM-x32\...\Native Instruments Retro Machines Mk2) (Version:  - Native Instruments)
Native Instruments Service Center (HKLM-x32\...\Native Instruments Service Center) (Version: 2.5.2.1549 - Native Instruments)
Native Instruments Traktor 2 (HKLM-x32\...\Native Instruments Traktor 2) (Version: 2.6.8.382 - Native Instruments)
Native Instruments Upright Piano (HKLM-x32\...\Native Instruments Upright Piano) (Version:  - Native Instruments)
Native Instruments Vienna Concert Grand (HKLM-x32\...\Native Instruments Vienna Concert Grand) (Version:  - Native Instruments)
Nepheton 1.5.1 (32bit) (HKLM-x32\...\{B2F62BBB-C527-4CE7-90D1-5717110677B6}) (Version: 1.5.1.0 - D16 Group Audio Software)
Nepheton 1.5.1 (64bit) (HKLM\...\{02483A2B-9FDD-47BF-81AA-F47D6379EFA5}) (Version: 1.5.1.0 - D16 Group Audio Software)
Nero 7 Premium (HKLM-x32\...\{70AB1576-7883-2313-C650-7A71270B1031}) (Version: 7.01.0735 - Nero AG)
Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.4.11600.19.100 - Nero AG)
Nero Burning ROM 10 (HKLM-x32\...\{7A5D731D-B4B3-490E-B339-75685712BAAB}) (Version: 10.0.11100.10.100 - Nero AG)
Nero BurnRights 10 (HKLM-x32\...\{943CFD7D-5336-47AF-9418-E02473A5A517}) (Version: 4.0.11000.12.100 - Nero AG)
Nero CoverDesigner 10 (HKLM-x32\...\{FCF00A6E-FB58-477A-ABE9-232907105521}) (Version: 5.0.10900.11.100 - Nero AG)
Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.0.10800.7.100 - Nero AG)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.0.11000.10.100 - Nero AG)
Nero InfoTool 10 (HKLM-x32\...\{F412B4AF-388C-4FF5-9B2F-33DB1C536953}) (Version: 7.0.10800.8.100 - Nero AG)
Nero MediaHub 10 (HKLM-x32\...\{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}) (Version: 1.0.13400.11.100 - Nero AG)
Nero Multimedia Suite 10 (HKLM-x32\...\{277C1559-4CF7-44FF-8D07-98AA9C13AABD}) (Version: 10.0.13100 - Nero AG)
Nero Recode 10 (HKLM-x32\...\{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}) (Version: 4.6.10900.4.100 - Nero AG)
Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.0.10900.9.100 - Nero AG)
Nero SoundTrax 10 (HKLM-x32\...\{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}) (Version: 4.6.10600.2.100 - Nero AG)
Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.0.11200.12.100 - Nero AG)
Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.0017 - Nero AG)
Nero Vision 10 (HKLM-x32\...\{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}) (Version: 7.0.11100.8.100 - Nero AG)
Nero WaveEditor 10 (HKLM-x32\...\{EDCDFAD5-DF80-4600-A493-E9DAD6810230}) (Version: 5.6.10600.2.100 - Nero AG)
Ohmforce Hematohm PRO VST v1.22 (HKLM-x32\...\Ohmforce Hematohm PRO VST v1.22) (Version:  - )
Ohmforce Mobilohm PRO VST v1.12 (HKLM-x32\...\Ohmforce Mobilohm PRO VST v1.12) (Version:  - )
Ohmforce Ohmboyz PRO VST v1.42 (HKLM-x32\...\Ohmforce Ohmboyz PRO VST v1.42) (Version:  - )
Ohmforce Predatohm PRO VST v1.32 (HKLM-x32\...\Ohmforce Predatohm PRO VST v1.32) (Version:  - )
Ohmforce Quad Frohmage Pro VST v1.10 (HKLM-x32\...\Ohmforce Quad Frohmage Pro VST v1.10) (Version:  - )
Online Plug-in (x32 Version: 13.4.0.25 - Citrix Systems, Inc.) Hidden
Outils de vérification linguistique 2013 de Microsoft Office - Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PDF Settings CS4 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw (x32 Version: 5.0 - Adobe Systems Incorporated) Hidden
Pixel Bender Toolkit (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
Platform (x32 Version: 1.38 - VIA Technologies, Inc.) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.5 - Power Software Ltd)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek)
Reason 3.0 (HKLM-x32\...\Reason_is1) (Version: 3.0 - Propellerhead Software AB)
Reason Essentials 8.0.0 (HKLM\...\ReasonEssentials8.0_64_is1) (Version: 8.0.0 - Propellerhead Software AB)
Reason Essentials Ignition Key Support (Version: 1.0.8.0 - Propellerhead Software AB) Hidden
reFX Nexus VSTi RTAS v2.2.0 (HKLM-x32\...\reFX Nexus_is1) (Version:  - )
reFX Vanguard VSTi v1.6.3 (HKLM-x32\...\reFX Vanguard VSTi_is1) (Version:  - )
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rob Papen Blue VSTi v1.01  (HKLM-x32\...\Rob Papen Blue VSTi v1.01 ) (Version:  - )
Rob Papen Predator V1.5.8 32 Bits Single Core (HKLM-x32\...\Predator_is1) (Version:  - RPCX)
SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.30 - SAP AG)
SAP GUI for Windows 7.30 (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 1 - SAP)
SAP JNet (HKLM-x32\...\SAP_JNet) (Version:  - SAP AG)
SAPSetup Automatic Workstation Update Service (HKLM-x32\...\SAP_WUS) (Version:  - SAP AG)
SchnapperPro 2.0.94 (HKLM-x32\...\SchnapperPro) (Version: 2.0.94 - Schnapper-Software Robert Beer)
Secure Download Manager (HKLM-x32\...\{AA57D6F1-6360-4397-B2D9-B21C69863D97}) (Version: 3.1.0 - Kivuto Solutions Inc.)
Self-Service Plug-in (x32 Version: 3.4.0.33684 - Citrix Systems, Inc.) Hidden
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{91150000-003B-0000-0000-0000000FF1CE}_Office15.PRJPROR_{115B7592-B71D-4C27-AB34-34268FB199CA}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
SideKick4.3.2 (HKLM-x32\...\SideKick432 ID_mp1) (Version:  - Twisted Lemon)
Spotify (HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Steinberg Cubase 5 (HKLM-x32\...\{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}) (Version: 5.1.0 - Steinberg Media Technologies GmbH)
Steinberg Drum Loop Expansion 01 (HKLM-x32\...\{490BF87E-1F75-4453-BF55-9F540543A3CA}) (Version: 1.0.0.1 - Steinberg Media Technologies GmbH)
Steinberg Groove Agent ONE Content (HKLM-x32\...\{BD86F1AC-B594-46E4-85DC-1258AC9E2232}) (Version: 1.0.0.003 - Steinberg Media Technologies GmbH)
Steinberg HALionOne (HKLM-x32\...\{E70E7159-93B1-470D-9FBD-D8E9EF34B538}) (Version: 1.1.0.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Additional Content Set 01 (HKLM-x32\...\{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}) (Version: 1.0.0.001 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Expression Set (HKLM-x32\...\{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}) (Version: 1.0.1.0 - Steinberg Media Technologies GmbH)
Steinberg HALionOne GM Drum Set (HKLM-x32\...\{AC997F93-0757-4ED4-A701-F40C2D654D09}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne GM Set (HKLM-x32\...\{F057965A-D974-4C64-ADB1-4381CD4B8956}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Pro Set (HKLM-x32\...\{D82CDA0D-C182-42C8-8FF2-5649C98D6003}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Studio Drum Set (HKLM-x32\...\{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg HALionOne Studio Set (HKLM-x32\...\{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}) (Version: 1.0.1.457 - Steinberg Media Technologies GmbH)
Steinberg LoopMash Content (HKLM-x32\...\{4D454CF8-12FD-464D-B57B-B46FE27B78BB}) (Version: 1.0.0.005 - Steinberg Media Technologies GmbH)
Steinberg REVerence Content 01 (HKLM-x32\...\{532B917B-8235-4FA5-BE36-643A8BB053A5}) (Version: 1.0.0.006 - Steinberg Media Technologies GmbH)
Steinberg The Grand VSTi DXi v2.1.0 (HKLM-x32\...\Steinberg The Grand VSTi DXi_is1) (Version:  - )
Suite Shared Configuration CS4 (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
Turbo Lister 2 (HKLM-x32\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_ENTERPRISE_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version:  - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_ENTERPRISE_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version:  - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_ENTERPRISE_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version:  - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_ENTERPRISE_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version:  - Microsoft)
Vegas Pro 12.0 (64-bit) (HKLM\...\{7A0D09B0-6575-11E2-89D5-F04DA23A5C58}) (Version: 12.0.486 - Sony)
VIA Plattform-Geräte-Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.38 - VIA Technologies, Inc.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vuze (HKLM\...\8461-7759-5462-8226) (Version: 5.5.0.0 - Azureus Software, Inc.)
Waves Complete V9r10 (HKLM-x32\...\{91000001-C561-4E32-99EB-3C5AD3683A70}) (Version: 9.1.10 - Waves)
Waves Diamond Bundle v5.2 (HKLM-x32\...\Waves Diamond Bundle v5.2) (Version:  - )
Waves GTR Guitar Tool Rack v1.0 (HKLM-x32\...\Waves GTR Guitar Tool Rack v1.0) (Version:  - )
Waves IRx v5.2 (HKLM-x32\...\Waves IRx v5.2) (Version:  - )
Waves L3 v5.2 (HKLM-x32\...\Waves L3 v5.2) (Version:  - )
Waves Musicians Bundle v5.0 (HKLM-x32\...\Waves Musicians Bundle v5.0) (Version:  - )
WinRAR 4.20 (64-Bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3347311179-4269016646-269938500-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

27-12-2014 12:46:44 ComboFix created restore point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:34 - 2014-12-28 11:43 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {088AEE40-F12C-46E4-8B37-48501D277C2C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-04-23] (Piriform Ltd)
Task: {091A6FF8-99A4-49AB-B0C1-63C5A0FB6B49} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe
Task: {1891C158-600A-465F-806F-20EC07AEEA3D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {301FC003-77CD-43DB-9226-3BE3A2952428} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-24] (Adobe Systems Incorporated)
Task: {77D876AF-4E96-4FD1-959A-F377674994E1} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {8F751E68-DB27-40CD-A6A5-3D26B5307D53} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe
Task: {95B909CC-8EBA-4FBF-B56B-2FB75D7FFD4E} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {D3D0748D-ADF6-4A4C-AE63-44F56829CBED} - System32\Tasks\AdobeAAMUpdater-1.0-Admin-PC-Admin => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-04-04] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-12-28 22:01 - 2014-12-28 22:01 - 00155676 _____ () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe
2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2014-12-29 22:22 - 2014-12-29 22:22 - 00043008 _____ () c:\users\admin\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp6ihpta.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00047616 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00863744 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-22 01:22 - 2014-10-22 01:22 - 00200704 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2014-12-29 22:23 - 2014-12-29 22:23 - 01277440 _____ () C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL
2014-12-09 09:14 - 2014-12-09 09:14 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-12-24 16:04 - 2014-12-24 16:04 - 16843952 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
2014-10-15 02:39 - 2014-10-15 02:39 - 00172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\1eeea3ab8d69ec722bdcb28b8eb8dd75\IsdiInterop.ni.dll
2013-03-30 20:31 - 2012-02-01 16:25 - 00059904 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2014-08-13 15:09 - 2014-08-13 15:09 - 00035328 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll
2014-05-24 17:41 - 2014-05-24 17:41 - 00091648 _____ () C:\Program Files (x86)\FileZilla FTP Client\libgcc_s_sjlj-1.dll
2014-05-24 17:41 - 2014-05-24 17:41 - 00892416 _____ () C:\Program Files (x86)\FileZilla FTP Client\libstdc++-6.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^JDownloader.lnk => C:\Windows\pss\JDownloader.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
MSCONFIG\startupreg: GoToMeeting => "C:\Users\Admin\AppData\Local\Citrix\GoToMeeting\1468\g2mstart.exe" "/Trigger RunAtLogon"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: NBAgent => "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
MSCONFIG\startupreg: NeroFilterCheck => C:\Program Files (x86)\Common Files\Ahead\Lib\NeroCheck.exe
MSCONFIG\startupreg: PWRISOVM.EXE => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Spotify => "C:\Users\Admin\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
MSCONFIG\startupreg: Spotify Web Helper => "C:\Users\Admin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: WSHelperSetup.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

========================= Accounts: ==========================

Admin (S-1-5-21-3347311179-4269016646-269938500-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3347311179-4269016646-269938500-500 - Administrator - Disabled)
Gast (S-1-5-21-3347311179-4269016646-269938500-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3347311179-4269016646-269938500-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: AMD High Definition Audio Device
Description: AMD High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Advanced Micro Devices
Service: AtiHDAudioService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: High Definition Audio-Gerät
Description: High Definition Audio-Gerät
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/30/2014 06:22:18 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Error in
manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line  WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition is WavesQtLibs_4.8.2_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line  WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line  WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (12/30/2014 06:13:49 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"1". Error in manifest or policy file "WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"2" on line  WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="AMD64",type="win32",version="1.0.0.0".
Definition is WavesQtLibs_4.7.3_Win32_Release,processorArchitecture="x86",type="win32",version="1.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (12/29/2014 10:57:07 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Error in
manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/29/2014 10:26:00 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Error in
manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/29/2014 10:25:53 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1". Error in
manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with
another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.


System errors:
=============
Error: (12/29/2014 10:24:01 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom

Error: (12/29/2014 10:16:48 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk7\DR7.

Error: (12/29/2014 10:16:48 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk7\DR7.

Error: (12/29/2014 10:16:47 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk7\DR7.

Error: (12/29/2014 10:16:47 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk7\DR7.

Error: (12/29/2014 10:16:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk7\DR7.

Error: (12/29/2014 04:34:27 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom

Error: (12/29/2014 04:33:10 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Avira Service Host service to connect.


Microsoft Office Sessions:
=========================
Error: (01/01/2014 10:08:39 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 423328 seconds with 3360 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-12-28 11:36:05.501
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-28 11:36:05.469
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-28 11:36:05.423
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-28 11:36:05.391
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-27 13:05:18.373
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-27 13:05:18.341
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-27 13:05:18.306
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-27 13:05:18.273
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-25 23:38:11.689
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-25 23:38:11.656
  Description: Windows is unable to verify the image integrity of the file "\Device\HarddiskVolume3\ComboFix\catchme.sys" because the file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Percentage of memory in use: 34%
Total physical RAM: 16317.59 MB
Available physical RAM: 10710.53 MB
Total Pagefile: 32633.35 MB
Available Pagefile: 26773.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive a: (Primäre Festplatte) (Fixed) (Total:1004.98 GB) (Free:300.73 GB) NTFS
Drive b: (Sekundäre Festplatte) (Fixed) (Total:232.88 GB) (Free:10.49 GB) NTFS
Drive c: (Windows) (Fixed) (Total:1042.92 GB) (Free:403.96 GB) NTFS
Drive p: (Producing) (Fixed) (Total:931.51 GB) (Free:259.2 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 1D631D62)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 2794.5 GB) (Disk ID: B819B29C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1042.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1005 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 9B322B2C)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 46830F60)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 4 (Size: 931.5 GB) (Disk ID: E8900690)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================
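The Loaded Modules and Scheduled Tasks sections of the log above are where the poster's symptom becomes visible: tmp86EA.exe and EP0LB03B.DLL are loaded from C:\Users\Admin\AppData\Local\Idsoft and FRST prints "()" for them because it found no company name in the file's version resource. The Python script below is an added example for this thread, not part of FRST, ComboFix or the helper's instructions. It parses those two FRST line formats and flags entries that combine more than one weak signal (no publisher, a user-writable location, a GetTempFileName-style name such as tmpFF90.exe). The sample lines are copied from the log, except the last Task: line, which is constructed; which paths count as user-writable and which names look temp-style are this example's own assumptions, not FRST rules.

```python
"""Triage of FRST 'Loaded Modules' and 'Task:' lines.

Added example for this thread; it is not part of FRST, ComboFix or the
helper's instructions. The line formats are taken from the log above; the
risk heuristics (which locations count as user-writable, which file names
look like droppers) are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# FRST loaded-module line:  created - modified - size attrs (publisher) path
MODULE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r" - (?P<size>\d+) (?P<attrs>\S+) \((?P<publisher>[^()]*)\) (?P<path>.+)$"
)
# FRST scheduled-task line:  Task: {guid} - name => target [date] (publisher)
# The publisher group forbids parentheses, so "Program Files (x86)" inside the
# target can never be taken for a publisher.
TASK_RE = re.compile(
    r"^Task: (?:(?P<guid>\{[0-9A-Fa-f-]+\}) - )?(?P<name>.+?) => (?P<target>.+?)"
    r"(?: \[(?P<date>\d{4}-\d\d-\d\d)\])?(?: \((?P<publisher>[^()]*)\))?$"
)
# Assumption: a standard user can write to these locations without UAC.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users|programdata)\\|\\appdata\\|\\temp\\", re.I
)
# Assumption: tmpXXXX.exe (the GetTempFileName pattern the poster saw
# reappearing, e.g. tmpFF90.exe) is worth a look on its own.
TEMP_NAME_RE = re.compile(r"\\tmp[0-9a-f]{4}\.exe$", re.I)


@dataclass(frozen=True)
class Entry:
    kind: str       # "module" or "task"
    path: str       # module path, or the task's target command
    publisher: str  # "" when FRST printed "()"


def parse_line(line: str):
    """Return an Entry for a module or task line, None for anything else."""
    m = MODULE_RE.match(line)
    if m:
        return Entry("module", m["path"], m["publisher"])
    m = TASK_RE.match(line)
    if m:
        return Entry("task", m["target"], m["publisher"] or "")
    return None


def reasons_for(entry: Entry) -> tuple:
    """Weak signals that, taken together, justify a manual look."""
    reasons = []
    if not entry.publisher:
        reasons.append("no publisher")
    if USER_WRITABLE_RE.search(entry.path):
        reasons.append("user-writable location")
    if TEMP_NAME_RE.search(entry.path):
        reasons.append("temp-style name")
    return tuple(reasons)


def triage(log_text: str) -> list:
    """Return [(entry, reasons)] for lines carrying at least two signals.

    One signal alone is normal: FileZilla's shell extension has no publisher
    string but lives under Program Files, and signed updaters under AppData
    are everyday. Two or more together is what deserves a manual check.
    """
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = reasons_for(entry)
            if len(reasons) >= 2:
                flagged.append((entry, reasons))
    return flagged


# Sample input: the first six lines are copied from the log above; the last
# Task: line is constructed for this example and does not occur in the log.
SAMPLE = r"""
2014-05-01 20:29 - 2014-05-01 20:29 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2014-12-28 22:01 - 2014-12-28 22:01 - 00155676 _____ () C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe
2014-10-22 01:22 - 2014-10-22 01:22 - 00750080 _____ () C:\Users\Admin\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2014-12-29 22:23 - 2014-12-29 22:23 - 01277440 _____ () C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL
Task: {088AEE40-F12C-46E4-8B37-48501D277C2C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-04-23] (Piriform Ltd)
Task: {091A6FF8-99A4-49AB-B0C1-63C5A0FB6B49} - System32\Tasks\Abelssoft\Updater scan => C:\Program Files (x86)\CHIP Updater\CHIPUpdater.exe
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Constructed => C:\Users\Admin\AppData\Local\Idsoft\tmpFF90.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE):
        print(f"{entry.kind:6} {entry.path}  <- {', '.join(reasons)}")
```

Run stand-alone, it lists the two Idsoft modules, Dropbox's libGLESv2.dll and the constructed task; the FileZilla extension and the CHIP updater carry only one signal each and stay out. The Dropbox hit is the caveat a practitioner should take away: "()" in an FRST line only means the version resource has no company name, and plenty of legitimate software runs from AppData, so the output is a review list for someone reading the log, not a delete list.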
         

Alt 31.12.2014, 15:11   #13
schrauber
/// the machine
/// TB-Ausbilder
 

Please press the Windows key + R and type notepad into the Run window.

Now copy the following text from the code box into the empty text document

Code:
CloseProcesses:
A:\software\LinPlug VSTi
A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe
B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll
B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll
B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe
B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe
C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi
C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe
C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe
C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe
C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll
Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar
Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar


C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi

C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe

C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll

C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe

C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe

C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL

C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js

C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe

C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe

C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll

C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe

C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar

C:\ProgramData\Microsoft\Secure
C:\Users\Admin\AppData\Local\Idsoft
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] ()
C:\Users\Admin\AppData\Roaming\Urudne
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk
ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
Emptytemp:
         

Please save this as Fixlist.txt on your desktop (or in the directory where FRST is located).
  • Now start FRST again and click the Entfernen (Remove) button.
  • The tool creates a Fixlog.txt.
  • Post its contents for me.

__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!
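The fix list above removes autostart entries (Run-key values and a Startup-folder shortcut) whose targets sit in user-writable directories such as AppData\Roaming, AppData\Local and ProgramData, plus one shortcut whose target no longer exists. As an added example, not part of this thread and not FRST's own code, the following PowerShell script enumerates the same kinds of entries on a live Windows system and flags those two patterns; the list of "suspect" root directories and the helper name Test-SuspectPath are assumptions made for this illustration, and a hit only means "look at this entry", not "this is malware".

```powershell
# Added example (not from the thread or from FRST): list autostart entries whose
# target lives in a user-writable location, or whose shortcut target is missing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # "HKLM-x32" in FRST
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                # current user's HKU hive
)

# Assumption for this example: locations an unprivileged process can write to.
# Legitimate autostarts rarely live here; malware persistence frequently does.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
    Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Take the executable part of a Run value: either the quoted path, or the
    # first token (an unquoted path containing spaces would be truncated here).
    $exe = $Command.Trim()
    if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
    else                      { $exe = $exe.Split(' ')[0] }
    foreach ($root in $suspectRoots) {
        if ($exe.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# Run keys: read every value name/data pair via the RegistryKey object.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-SuspectPath $value) {
            $findings.Add([pscustomobject]@{ Source = $key; Name = $name; Target = $value; Note = 'user-writable path' })
        }
    }
}

# Startup folders: resolve each .lnk and flag user-writable or missing targets
# (compare "resmon.lnk -> ...\IEUpdate\resmon.exe (No File)" in the fix list).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    foreach ($lnk in (Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue)) {
        $target  = $shell.CreateShortcut($lnk.FullName).TargetPath
        $missing = -not ($target -and (Test-Path -LiteralPath $target))
        if ($missing -or (Test-SuspectPath $target)) {
            $note = if ($missing) { 'target missing' } else { 'user-writable path' }
            $findings.Add([pscustomobject]@{ Source = $dir; Name = $lnk.Name; Target = $target; Note = $note })
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and the common Startup folder are readable; the output is a triage list to compare against an FRST Addition/FRST.txt log, not a cleaning step.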

31.12.2014, 15:57   #14
jamerson

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local

here is the fixlog:

Happy New Year in advance!

Code:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014
Ran by Admin at 2014-12-31 15:43:35 Run:1
Running from C:\Users\Admin\Desktop
Loaded Profile: Admin (Available profiles: Admin)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
A:\software\LinPlug VSTi
A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe
B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll
B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll
B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe
B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi

C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe

C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll

C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe

C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe

C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar

A:\software\LinPlug VSTi

A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe

B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll

B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll

B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe

B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe

B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js

B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]

C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi

C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll

C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe

C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll

C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe

C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe

C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL

C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js

C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe

C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe

C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll

C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe

C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar

Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar

C:\ProgramData\Microsoft\Secure
C:\Users\Admin\AppData\Local\Idsoft
HKLM\...\Run: [Icakupsie] => "C:\Users\Admin\AppData\Roaming\Urudne\pibaad.exe"
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\...\Run: [Idsoft] => C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe [155676 2014-12-28] ()
C:\Users\Admin\AppData\Roaming\Urudne
Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk
ShortcutTarget: resmon.lnk -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe (No File)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
Emptytemp:
         
*****************

Processes closed successfully.
A:\software\LinPlug VSTi => Error: No automatic fix found for this entry.
A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Error: No automatic fix found for this entry.
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js => Error: No automatic fix found for this entry.
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js => Error: No automatic fix found for this entry.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2 => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00 => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5] => Moved successfully.
C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll => Moved successfully.
C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll => Moved successfully.
C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe => Moved successfully.
C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe => Moved successfully.
"C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found.
Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar => Moved successfully.
Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar => Moved successfully.
A:\software\LinPlug VSTi => Error: No automatic fix found for this entry.
A:\software\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\BExternal.dll => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Babylon\Setup\Setup.exe => Error: No automatic fix found for this entry.
B:\Downloads\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Error: No automatic fix found for this entry.
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs-1.js => Error: No automatic fix found for this entry.
B:\Downloads\Alte Firefox-Daten\febeprof.pco\prefs.js => Error: No automatic fix found for this entry.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\softonic-de9.exe" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\tbsoft.dll" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\WeFiSetup_5_501_780.exe" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\impCA3QYP1G" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[4]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[5]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1KIRTFFT\imp[7]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA1U742Z" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA2H6JR2" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCA354U3F" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\impCAUHVD00" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[11]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[6]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\imp[8]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2A3F3LXT\index[1].php" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\HVBOIXJ0\tbedrs[1].dll" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA05KYPX" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\impCA11ZIXH" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\imp[4]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VHK2HTNA\index[1].html" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\impCA6KYC6G" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temporary Internet Files\Content.IE5\VTXKDRYA\imp[5]" => File/Directory not found.
"C:\hdd c old pc\Sicherungsdateien PC alt\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\G5OVU3GT\config[1].php" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\BExternal.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\IECookieLow.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Babylon\Setup\Setup.exe" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GGAVFVX0\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}[1].cpi" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WW69Y73T\sw[1].htm" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\installhelper.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\refog_setup_free_kl_643.exe" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\SetupDataMngr_Searchqu.exe" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbFree.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbIsoB.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbVuze.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\tbWinl.dll" => File/Directory not found.
"C:\hdd c old pc\Users\Admin\AppData\Local\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe" => File/Directory not found.
"C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found.
C:\ProgramData\Microsoft\Secure\Icons\temp\tmp86EA.exe => Moved successfully.
C:\ProgramData\Microsoft\Secure\Icons\temp\tmpFF90.exe => Moved successfully.
"C:\Users\Admin\AppData\Local\Idsoft\EP0LB03B.DLL" => File/Directory not found.
"C:\Users\Admin\AppData\Local\Idsoft\tmp86EA.exe" => File/Directory not found.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lo553pk.default\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js => Moved successfully.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k61t38wy.default-1409423412364\extensions\{066BF1A1-62A1-474B-4D00-591822FEB978}\components\WMDMDeviceService.js => Moved successfully.
"C:\Users\Admin\Documents\Downloads\free-m4a-wav-to-mp3-audio-converter.exe" => File/Directory not found.
"C:\Users\Admin\Documents\Downloads\Integrated_CT2325506.exe" => File/Directory not found.
"C:\Users\All Users\Microsoft\Secure\Icons\IconsCacheHelper.dll" => File/Directory not found.
"C:\Users\All Users\Microsoft\Secure\Icons\temp\tmp86EA.exe" => File/Directory not found.
"C:\Users\All Users\Microsoft\Secure\Icons\temp\tmpFF90.exe" => File/Directory not found.
"Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\chrome\zynga.jar" => File/Directory not found.
"Y:\$RECYCLE.BIN\S-1-5-21-1614201167-3170127117-3719364095-1000\$RBNY372\Profiles\d1vyk5ui.default\extensions\{a2e7819d-c729-4333-96aa-2f102226192f}\chrome\softonic-de9.jar" => File/Directory not found.
C:\ProgramData\Microsoft\Secure => Moved successfully.
C:\Users\Admin\AppData\Local\Idsoft => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Icakupsie => value deleted successfully.
HKU\S-1-5-21-3347311179-4269016646-269938500-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Idsoft => Value not found.
"C:\Users\Admin\AppData\Roaming\Urudne" => File/Directory not found.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resmon.lnk not found.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate\resmon.exe not found.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEUpdate => Moved successfully.
"HKU\S-1-5-21-3347311179-4269016646-269938500-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
EmptyTemp: => Removed 1.3 GB temporary data.


The system needed a reboot. 

==== End of Fixlog 15:48:23 ====
         

Old 31.12.2014, 18:28   #15
schrauber
/// the machine
/// TB instructor
 

Windows 7: Trojan e.g. in C:\Users\Admin\AppData\Local - Standard
Fresh FRST log please. Still having problems?
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help
Trojaner-Board Facebook page

No help via PM!
