Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Windows 7: Trojaner kommen immer wieder, meist Win32/Dynamer!ac (https://www.trojaner-board.de/174614-windows-7-trojaner-kommen-immer-meist-win32-dynamer-ac.html)

Joliwa 31.12.2015 03:42
Windows 7: Trojaner kommen immer wieder, meist Win32/Dynamer!ac
 
Seit November 2015 wurden verschiedene Trojaner, meist Win32/Dynamer!ac, durch Microsoft Security Essentials (MSE) erkannt, die trotz Desinfektion durch MSE immer wieder kamen (siehe angehängtes MSE-Log vom 11.11. bis 25.12.).
Der Rechner ist seit der Infektion langsamer. Im Einzelnen war der Ablauf wie folgt:
  • Anwendung der Kaspersky-Notfall-CD am 05.12. mit Funden (nur im Mailverzeichnis und im Verzeichnis Microsoft Antimalware) und Desinfektion (kein Logfile vorhanden)
  • Schreiben per Post vom Provider (Telekom) vom 09.12. erhalten: „Uns liegen Hinweise von Sicherheitsexperten vor, dass mindestens ein Rechner, der sich über Ihren Internetzugang mit dem Internet verbindet, mit einem Virus/Trojaner infiziert ist.“
  • Wiederholte Funde durch MSE in der Zwischenzeit.
  • Browser SeaMonkey frisch installiert am 20.12.
    Kaspersky-Notfall-CD 20.12.: keine Funde
  • 25.12.: Download und Installation von Malwarebytes (mbam-setup-org-2.2.0.1024.exe). Unmittelbar danach findet MSE wieder Win32/Dynamer!ac:
    Prozessname: C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    Pfad: file:_C:\ProgramData\codec-76\codec-3.exe
  • Installation von Kaspersky Internet Security am 26.12., seither keine Funde bei Rootkit-Suche und vollständiger Untersuchung
Der Rechner ist noch immer langsam. Die Historie lässt mich daran zweifeln, dass der Rechner sauber ist. Irritierend ist der Befall von mbam. Ich kann mir vorstellen, dass Kaspersky für diesen Virus ungeeignet ist.
Was kann ich tun, um eine fortdauernde Infektion zu erkennen?

Vielen Dank für diese Seite und Ihre Hilfe!

Code:
Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x86) Version:25-12-2015
durchgeführt von Admin (Administrator) auf JOLIWA (31-12-2015 02:08:55)
Gestartet von C:\Users\Admin\Desktop
Geladene Profile: Admin (Verfügbare Profile: Admin & Opa & Papa)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Sprache: Deutsch (Deutschland)
Internet Explorer Version 11 (Standard-Browser: "D:\Programme\Seamonkey\seamonkey.exe" -requestPending -osint -url "%1")
Start-Modus: Normal
Anleitung für Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Prozesse (Nicht auf der Ausnahmeliste) =================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)

(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avpui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Creative Technology Ltd) C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
(Creative Technology Ltd) C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() D:\Programme\pdf-Experte\vspdfprsrv.exe
(Macrovision Europe Ltd.) C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Creative Labs) C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) D:\Programme\Microsoft Office\Office\WINWORD.EXE
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(mozilla.org) D:\Programme\Seamonkey\seamonkey.exe
(AO Kaspersky Lab) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\wmi32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Nicht auf der Ausnahmeliste) ===========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9398888 2010-07-28] (Realtek Semiconductor)
HKLM\...\Run: [CTSyncService] => C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe [1233195 2009-07-08] (Creative Technology Ltd)
HKLM\...\Run: [VolPanel] => C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe [241789 2009-05-04] (Creative Technology Ltd)
HKLM\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [RunDLLEntry] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
HKLM\...\Run: [vspdfprsrv.exe] => D:\Programme\pdf-Experte\vspdfprsrv.exe [998912 2006-05-04] ()
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2009-07-14] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2014-04-28]
ShortcutTarget: Microsoft Office.lnk -> D:\Programme\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

==================== Internet (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{CF1091E5-7424-4CB1-BFB4-24AE9B222A14}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> {5CC8B395-8628-4c1e-A56F-F22AE4A161CA} URL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5480255188&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=de&q={searchTerms}
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
BHO: Kaspersky Protection plugin -> {C66D064F-82FE-4E1A-B06A-B2490BA48B18} -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\IEExt\ie_plugin.dll [2015-12-26] (AO Kaspersky Lab)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
Toolbar: HKLM - Kaspersky Protection toolbar - {3507FA00-ADA2-4A02-99B9-51AD26CA9120} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\IEExt\ie_plugin.dll [2015-12-26] (AO Kaspersky Lab)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2008-07-02] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_267.dll [2015-12-28] ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [light_plugin_D772DC8D6FAF43A29B25C4EBAA5AD1DE@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\FFExt\light_plugin_firefox
FF Extension: Kaspersky Protection - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\FFExt\light_plugin_firefox [2015-12-26]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka

==================== Dienste (Nicht auf der Ausnahmeliste) ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R2 AVP16.0.0; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\avp.exe [194000 2015-12-26] (Kaspersky Lab ZAO)
S3 becldr3Service; C:\Program Files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [225280 2012-08-01] () [Datei ist nicht signiert]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-23] (Creative Technology Ltd) [Datei ist nicht signiert]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R3 Sound Blaster X-Fi MB Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 MBAMScheduler; "C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe" [X]
S2 MBAMService; "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe" [X]

===================== Treiber (Nicht auf der Ausnahmeliste) ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [201912 2015-07-06] (Kaspersky Lab ZAO)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [153784 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [46776 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [58224 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [58040 2015-06-06] (Kaspersky Lab ZAO)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [147328 2015-12-26] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [44728 2015-12-26] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [783744 2015-12-26] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [33976 2015-06-11] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [37048 2015-06-06] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [38072 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [39304 2015-12-26] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2015-06-11] (Kaspersky Lab ZAO)
R1 Klwtp; C:\Windows\System32\DRIVERS\klwtp.sys [87736 2015-06-16] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [156856 2015-06-23] (Kaspersky Lab ZAO)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 MpKslabf1b010; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4AD033F6-4DEF-4785-9C17-FF248F03C6B7}\MpKslabf1b010.sys [39168 2015-12-31] (Microsoft Corporation)
S1 asdqninf; \??\C:\Windows\system32\drivers\asdqninf.sys [X]
S1 betdysgm; \??\C:\Windows\system32\drivers\betdysgm.sys [X]
S1 defknbgo; \??\C:\Windows\system32\drivers\defknbgo.sys [X]
S1 epdwqqzv; \??\C:\Windows\system32\drivers\epdwqqzv.sys [X]
S1 fffywdyo; \??\C:\Windows\system32\drivers\fffywdyo.sys [X]
S1 hrwcvaht; \??\C:\Windows\system32\drivers\hrwcvaht.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
S1 lmuqvbjq; \??\C:\Windows\system32\drivers\lmuqvbjq.sys [X]
S3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S1 regwsrei; \??\C:\Windows\system32\drivers\regwsrei.sys [X]

==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Ein Monat: Erstellte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2015-12-31 02:08 - 2015-12-31 02:09 - 00012536 _____ C:\Users\Admin\Desktop\FRST.txt
2015-12-31 00:18 - 2015-12-31 00:18 - 00002123 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-12-31 00:18 - 2015-12-31 00:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-12-28 20:06 - 2015-12-31 02:08 - 00000000 ____D C:\FRST
2015-12-27 22:57 - 2015-12-30 14:41 - 00000000 ____D C:\Users\Opa\Desktop\LG Sachaufg
2015-12-27 21:34 - 2015-12-27 21:34 - 00000806 _____ C:\Users\Admin\Desktop\SeaMonkey.lnk
2015-12-26 15:24 - 2015-12-26 15:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Internet Security
2015-12-26 15:23 - 2015-12-31 01:51 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-12-26 15:23 - 2015-12-26 15:23 - 00000000 ____D C:\Windows\ELAMBKUP
2015-12-26 15:23 - 2015-12-26 15:23 - 00000000 ____D C:\Program Files\Kaspersky Lab
2015-12-26 15:22 - 2015-12-26 20:42 - 00783744 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2015-12-26 15:22 - 2015-12-26 20:42 - 00147328 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2015-12-26 13:56 - 2015-12-26 13:56 - 01721856 _____ (Farbar) C:\Users\Admin\Desktop\FRST.exe
2015-12-25 23:11 - 2015-12-26 21:45 - 00000000 ____D C:\Users\Admin\EurekaLog
2015-12-25 16:52 - 2015-12-26 15:24 - 00000000 ___RD C:\Sandbox
2015-12-25 16:49 - 2015-12-26 21:17 - 00000000 ____D C:\Program Files\Sandboxie
2015-12-25 16:22 - 2015-12-25 16:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-20 17:49 - 2015-12-20 17:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SeaMonkey
2015-12-18 11:59 - 2015-12-20 13:41 - 00000000 ____D C:\Users\Opa\AppData\Roaming\screw-5
2015-12-18 11:58 - 2015-12-25 16:38 - 00000000 ____D C:\ProgramData\codec-76
2015-12-18 11:55 - 2015-12-19 22:22 - 00000000 ____D C:\Users\Opa\AppData\Roaming\ampere-11
2015-12-18 11:53 - 2015-12-20 12:25 - 00000000 ____D C:\ProgramData\diode-48
2015-12-16 13:30 - 2015-12-18 00:25 - 00000000 ____D C:\Users\Opa\AppData\Roaming\friction-5
2015-12-13 15:48 - 2015-12-16 13:30 - 00000000 ____D C:\Users\Opa\AppData\Roaming\blvds-1
2015-12-13 00:39 - 2014-04-18 20:25 - 00058850 _____ C:\Users\Opa\Desktop\Antrag neu - Kopie.pdf
2015-12-10 21:55 - 2015-12-12 17:56 - 00000000 ____D C:\Users\Opa\AppData\Roaming\homerf-88
2015-12-10 15:21 - 2015-11-11 21:52 - 00341192 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-12-10 15:21 - 2015-11-11 16:44 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-12-10 15:21 - 2015-11-11 16:44 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-10 15:21 - 2015-11-10 01:24 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-12-10 15:21 - 2015-11-10 01:24 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-12-10 15:21 - 2015-11-10 01:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-12-10 15:21 - 2015-11-10 01:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-12-10 15:21 - 2015-11-10 01:06 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-12-10 15:21 - 2015-11-10 01:06 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-12-10 15:21 - 2015-11-10 01:04 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-10 15:21 - 2015-11-10 01:03 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-12-10 15:21 - 2015-11-10 01:03 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-12-10 15:21 - 2015-11-10 01:02 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-12-10 15:21 - 2015-11-10 00:57 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-12-10 15:21 - 2015-11-10 00:50 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-12-10 15:21 - 2015-11-10 00:47 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-12-10 15:21 - 2015-11-10 00:44 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-12-10 15:21 - 2015-11-10 00:37 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-12-10 15:21 - 2015-11-10 00:36 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-10 15:21 - 2015-11-10 00:36 - 00687104 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-10 15:21 - 2015-11-10 00:36 - 00684032 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-12-10 15:21 - 2015-11-10 00:17 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-10 15:21 - 2015-11-10 00:14 - 01311744 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-10 15:21 - 2015-11-10 00:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-12-10 15:20 - 2015-11-11 17:00 - 12856832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-10 15:20 - 2015-11-11 16:41 - 20366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-10 15:20 - 2015-11-11 15:57 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-10 15:20 - 2015-11-10 01:13 - 00496640 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-10 15:20 - 2015-11-10 01:12 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-12-10 15:20 - 2015-11-10 01:11 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-12-10 15:20 - 2015-11-10 01:08 - 02280448 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-10 15:20 - 2015-11-10 01:02 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-10 15:20 - 2015-11-10 00:46 - 04514816 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-10 15:20 - 2015-11-10 00:35 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-12-10 15:18 - 2015-11-11 19:39 - 01242624 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-10 15:18 - 2015-11-11 19:39 - 00487936 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 00811520 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-10 15:18 - 2015-11-10 18:40 - 02386944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-10 15:13 - 2015-11-20 19:34 - 02956800 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 02062848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00573440 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-12-10 15:13 - 2015-11-20 19:33 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-12-10 15:13 - 2015-11-20 19:33 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-12-10 15:13 - 2015-11-20 19:33 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-12-10 15:13 - 2015-11-05 20:02 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\wshrm.dll
2015-12-10 15:13 - 2015-11-05 20:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-12-10 15:13 - 2015-11-05 10:48 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-10 15:13 - 2015-11-03 19:56 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2015-12-10 15:13 - 2015-11-03 19:55 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2015-12-10 15:13 - 2015-10-09 00:17 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\nlsbres.dll
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2015-12-10 15:13 - 2015-10-08 20:13 - 00419928 _____ C:\Windows\system32\locale.nls
2015-12-09 00:12 - 2015-12-09 00:12 - 00297893 _____ C:\Users\Opa\Documents\Beihilfe neu.pdf
2015-12-08 13:50 - 2015-12-10 00:05 - 00000000 ____D C:\Users\Opa\AppData\Roaming\evkit-6
2015-12-06 21:46 - 2015-12-06 21:46 - 00273646 _____ C:\Users\Opa\Desktop\TE22hHeimwerker.pdf
2015-12-06 00:21 - 2015-12-06 00:21 - 00000868 _____ C:\Users\Papa\Desktop\Clemens.lnk
2015-12-05 20:48 - 2015-12-05 20:53 - 00000000 ____D C:\Users\Papa\AppData\Roaming\eXPert PDF Editor
2015-12-04 12:53 - 2015-12-04 23:30 - 00000000 ____D C:\Users\Opa\AppData\Roaming\snubber-29
2015-12-03 22:49 - 2015-12-04 12:53 - 00000000 ____D C:\Users\Opa\AppData\Roaming\adhesion-6

==================== Ein Monat: Geänderte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2015-12-31 01:57 - 2009-07-14 05:34 - 00035088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-31 01:57 - 2009-07-14 05:34 - 00035088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-31 01:53 - 2015-01-02 20:44 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-31 00:19 - 2014-04-25 00:50 - 00001912 _____ C:\Windows\epplauncher.mif
2015-12-30 23:10 - 2014-05-01 14:55 - 00000000 ____D C:\Windows\Minidump
2015-12-30 12:38 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieUserList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieSiteList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieBrowserModeList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieUserList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieSiteList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieBrowserModeList
2015-12-28 20:06 - 2009-07-14 03:37 - 00000000 ____D C:\Windows
2015-12-28 19:55 - 2014-05-24 16:44 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-12-28 19:55 - 2014-05-24 16:44 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-12-27 22:54 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-12-26 20:42 - 2015-06-08 19:43 - 00039304 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klpd.sys
2015-12-26 18:28 - 2015-07-04 02:18 - 00044728 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2015-12-26 15:24 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\inf
2015-12-25 23:11 - 2014-04-25 00:46 - 00000000 ____D C:\Users\Admin
2015-12-25 14:11 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2015-12-20 18:36 - 2015-11-20 21:31 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-12-20 00:14 - 2015-11-01 11:09 - 00000000 ____D C:\ProgramData\jto
2015-12-18 12:10 - 2015-04-05 12:29 - 00000000 ___SD C:\Windows\system32\GWX
2015-12-18 00:17 - 2015-11-06 00:09 - 00000000 ____D C:\Users\Opa\AppData\Roaming\tesla-82
2015-12-13 01:01 - 2014-04-25 10:34 - 00698868 _____ C:\Windows\system32\perfh007.dat
2015-12-13 01:01 - 2014-04-25 10:34 - 00149008 _____ C:\Windows\system32\perfc007.dat
2015-12-13 01:01 - 2010-11-20 22:01 - 01618376 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-11 03:30 - 2009-07-14 05:33 - 00347864 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-11 03:08 - 2014-05-11 17:59 - 00000000 ____D C:\Windows\system32\MRT
2015-12-11 03:01 - 2014-05-11 17:59 - 137798368 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-12-10 20:41 - 2015-11-20 13:33 - 00000000 ____D C:\Users\Opa\AppData\Roaming\vctxo-69
2015-12-03 23:39 - 2015-11-30 22:57 - 00001119 _____ C:\Users\Opa\Desktop\LG Dividieren - Verknüpfung.lnk
2015-12-02 13:25 - 2014-04-25 02:23 - 00247976 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======

2015-04-26 03:15 - 2015-04-26 03:15 - 0000293 _____ () C:\Users\Admin\AppData\Local\config.ini
2015-04-26 01:20 - 2015-04-26 02:12 - 0000000 _____ () C:\Users\Admin\AppData\Local\simedit.log

Einige Dateien in TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\expertpdf_v4_avanquest_retail_deu.exe
C:\Users\Admin\AppData\Local\Temp\PDSetup1ca6.exe
C:\Users\Admin\AppData\Local\Temp\PDSetupa14a.exe
C:\Users\Admin\AppData\Local\Temp\_is91DA.exe
C:\Users\Admin\AppData\Local\Temp\_isB19E.exe


==================== Bamital & volsnap =================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert


LastRegBack: 2015-12-30 13:35

==================== Ende vom FRST.txt ============================
Code:
Zusätzliches Untersuchungsergebnis von Farbar Recovery Scan Tool (x86) Version:25-12-2015
durchgeführt von Admin (2015-12-31 02:10:15)
Gestartet von C:\Users\Admin\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2014-04-24 23:46:34)
Start-Modus: Normal
==========================================================


==================== Konten: =============================

Admin (S-1-5-21-1987672872-2594305773-2641038054-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-1987672872-2594305773-2641038054-500 - Administrator - Disabled)
Gast (S-1-5-21-1987672872-2594305773-2641038054-501 - Limited - Disabled)
Opa (S-1-5-21-1987672872-2594305773-2641038054-1001 - Limited - Enabled) => C:\Users\Opa
Papa (S-1-5-21-1987672872-2594305773-2641038054-1002 - Limited - Enabled) => C:\Users\Papa

==================== Sicherheits-Center ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er entfernt.)

AV: Microsoft Security Essentials (Disabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Kaspersky Internet Security (Disabled - Up to date) {B41C7598-35F6-4D89-7D0E-7ADE69B4047B}
AS: Kaspersky Internet Security (Disabled - Up to date) {0F7D947C-13CC-4207-47BE-41AC12334EC6}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
FW: Kaspersky Internet Security (Disabled) {8C27F4BD-7F99-4CD1-5651-D3EB97674300}

==================== Installierte Programme ======================

(Nur Adware-Programme mit dem Zusatz "Hidden" können in die Fixlist aufgenommen werden, um sie sichtbar zu machen. Die Adware-Programme sollten manuell deinstalliert werden.)

Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.267 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.35 - Atheros Communications Inc.)
Colin McRae Rally 2 (HKLM\...\{19B72AA9-985A-11D4-9C8A-00D0B75D1498}) (Version:  - )
CoolPacMan (HKLM\...\CoolPacMan_is1) (Version:  - )
Drome Racers (HKLM\...\{EC1DCD6C-3AE0-42CE-8EAA-6886CC4400DC}) (Version:  - )
EPSON BX320FW Series Handbuch (HKLM\...\EPSON BX320FW Series Manual) (Version:  - )
EPSON BX320FW Series Netzwerk-Handbuch (HKLM\...\EPSON BX320FW Series Network Guide) (Version:  - )
EPSON BX320FW Series Printer Uninstall (HKLM\...\EPSON BX320FW Series) (Version:  - SEIKO EPSON Corporation)
Epson Easy Photo Print 2 (HKLM\...\{310C1558-F6B5-4889-98B0-7471966BA7F2}) (Version: 2.2.3.0 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser) (HKLM\...\{B2D55EB8-32C5-4B43-9006-9E97DECBA178}) (Version: 1.00.0000 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{03B8AA32-F23C-4178-B8E6-09ECD07EAA47}) (Version: 2.40.0001 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.10.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
EpsonNet Setup 3.2 (HKLM\...\{C9D8A041-2963-4B31-8FFC-1500F3DB9293}) (Version: 3.2a - SEIKO EPSON CORPORATION)
eXPert PDF 4 (HKLM\...\{A6E92CAB-9E63-46DC-8ABF-0CAFF7B7CD02}) (Version: 4.1.670.404 - Visage Software)
HardlinkBackup (HKLM\...\{A99A1AE2-5EAB-4742-91DB-72A8B2F9529C}) (Version: 1.0.1 - Lupinho.Net)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.14.10.2230 - Intel Corporation)
Kaspersky Internet Security (HKLM\...\InstallWIX_{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab)
Kaspersky Internet Security (Version: 16.0.0.614 - Kaspersky Lab) Hidden
L&H TTS3000 Deutsch (HKLM\...\LHTTSGED) (Version:  - )
L&H TTS3000 Español (HKLM\...\LHTTSSPE) (Version:  - )
L&H TTS3000 Français (HKLM\...\LHTTSFRF) (Version:  - )
L&H TTS3000 Italiano (HKLM\...\LHTTSITI) (Version:  - )
L&H TTS3000 Português (Brasil) (HKLM\...\LHTTSPTB) (Version:  - )
L&H TTS3000 Russian (HKLM\...\LHTTSRUR) (Version:  - )
Landwirtschafts Simulator 15 (HKLM\...\FarmingSimulator2015DE_is1) (Version: 1.0 - GIANTS Software)
LEGO Insel 2 (HKLM\...\{85967580-EBC2-11D4-AEA3-0050046A88ED}) (Version:  - )
Lernkartei Mathe Grundschule (HKLM\...\Lernkartei Mathe Grundschule) (Version:  - )
Lern-Karteikasten Englisch Grundschule (HKLM\...\Lern-Karteikasten Englisch Grundschule) (Version:  - )
Lernout & Hauspie TruVoice American English TTS Engine (HKLM\...\tv_enua) (Version:  - )
Mathe Klasse 1 - 4 (HKLM\...\Mathe Klasse 1 - 4) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2000 SR-1 Disc 2 (HKLM\...\{00040407-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Office 2000 SR-1 Premium (HKLM\...\{00000407-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Minecraft (HKLM\...\{02BAAFC5-4E16-42E6-A9F6-8DDE0B7ED3B8}) (Version: 1.0.0.0 - Mojang)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Pflanzen gegen Zombies (HKLM\...\Pflanzen gegen Zombies) (Version:  - PopCap Games)
PROMT Personal 9.5 Multilingual  (HKLM\...\{E89EC7CC-5727-4392-A967-49B886E8E41F}) (Version: 9.6.00003 - PROMT Ltd.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6167 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.00042 - Realtek Semiconductor Corp.)
SeaMonkey 2.39 (x86 de) (HKLM\...\SeaMonkey 2.39 (x86 de)) (Version: 2.39 - Mozilla)
Sound Blaster X-Fi MB (HKLM\...\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}) (Version: 1.0 - Creative Technology Limited)
TeamViewer 7 (HKLM\...\TeamViewer 7) (Version: 7.0.12280 - TeamViewer)

==================== Benutzerdefinierte CLSID (Nicht auf der Ausnahmeliste): ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Geplante Aufgaben (Nicht auf der Ausnahmeliste) =============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

Task: {05C1AF3B-379C-42FF-812F-D3F5B9D13B85} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-28] (Adobe Systems Incorporated)
Task: {0FE646A5-AE1B-4CAB-918C-F4732F75EE96} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-05] (Microsoft Corporation)
Task: {72D38E85-01E7-4243-89A0-C89F3E9FBE47} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {C547D203-0C61-4BFB-92AD-F13918D2459C} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-05] (Microsoft Corporation)

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Aufgabe verschoben. Die Datei, die durch die Aufgabe gestartet wird, wird nicht verschoben.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Verknüpfungen =============================

(Die Einträge können gelistet werden, um sie zurückzusetzen oder zu entfernen.)

==================== Geladene Module (Nicht auf der Ausnahmeliste) ==============

2014-04-25 03:25 - 2005-06-02 11:40 - 00014336 _____ () C:\Windows\System32\vsmon1.dll
2015-07-08 23:18 - 2015-07-08 23:18 - 00794920 _____ () C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\kpcengine.2.3.dll
2015-12-30 23:37 - 2015-12-30 23:37 - 00697884 _____ () C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0031\~df394b.tmp
2015-12-30 23:37 - 2015-12-30 23:37 - 00592896 _____ () C:\Users\Admin\AppData\Local\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0031\~de6248.tmp
2014-04-25 01:46 - 2009-02-06 17:52 - 00073728 _____ () C:\Windows\SYSTEM32\CmdRtr.DLL
2014-04-25 01:46 - 2009-04-20 10:55 - 00148480 _____ () C:\Windows\SYSTEM32\APOMngr.DLL
2006-05-04 05:58 - 2006-05-04 05:58 - 00998912 _____ () D:\Programme\pdf-Experte\vspdfprsrv.exe
2006-05-04 05:58 - 2006-05-04 05:58 - 01239040 _____ () D:\Programme\pdf-Experte\vspdfdialogs100.bpl
2006-03-02 19:39 - 2006-03-02 19:39 - 01844224 _____ () D:\Programme\pdf-Experte\te100.bpl
2006-05-04 05:58 - 2006-05-04 05:58 - 03014656 _____ () D:\Programme\pdf-Experte\vspdfcore100.bpl
2005-12-26 12:20 - 2005-12-26 12:20 - 02098176 _____ () D:\Programme\pdf-Experte\PKIECtrl100.bpl
2006-05-04 05:58 - 2006-05-04 05:58 - 01026048 _____ () D:\Programme\pdf-Experte\vsvector100.bpl
2006-03-02 18:57 - 2006-03-02 18:57 - 00383488 _____ () D:\Programme\pdf-Experte\visage100.bpl
2006-03-02 19:28 - 2006-03-02 19:28 - 00139776 _____ () D:\Programme\pdf-Experte\uoolep100.bpl
2006-04-15 05:34 - 2006-04-15 05:34 - 00568320 _____ () D:\Programme\pdf-Experte\TMSlite100.bpl
2006-03-02 19:33 - 2006-03-02 19:33 - 00444928 _____ () D:\Programme\pdf-Experte\VirtualTree100.bpl
2006-05-04 05:58 - 2006-05-04 05:58 - 00230912 _____ () D:\Programme\pdf-Experte\vspdfeditor100.bpl
2006-03-02 18:55 - 2006-03-02 18:55 - 00089088 _____ () D:\Programme\pdf-Experte\vsmisc100.bpl
2006-03-02 19:01 - 2006-03-02 19:01 - 00071168 _____ () D:\Programme\pdf-Experte\VSDesktop100.bpl
2006-05-04 05:58 - 2006-05-04 05:58 - 00237056 _____ () D:\Programme\pdf-Experte\expertpdf4core.bpl
2003-08-22 06:23 - 2003-08-22 06:23 - 00225792 _____ () D:\Programme\pdf-Experte\sqlite.dll
2006-05-04 05:58 - 2006-05-04 05:58 - 00622592 _____ () D:\Programme\pdf-Experte\eXPertPDFAddIn.dll
2006-05-04 05:58 - 2006-05-04 05:58 - 01330176 _____ () D:\Programme\pdf-Experte\vsword2pdf100.bpl

==================== Alternate Data Streams (Nicht auf der Ausnahmeliste) =========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird nur der ADS entfernt.)


==================== Abgesicherter Modus (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Der Wert "AlternateShell" wird wiederhergestellt.)


==================== EXE Verknüpfungen (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt.)


==================== Internet Explorer Vertrauenswürdig/Eingeschränkt ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt.)


==================== Hosts Inhalt: ===============================

(Wenn benötigt kann der Hosts: Schalter in die Fixlist aufgenommen werden um die Hosts Datei zurückzusetzen.)

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Andere Bereiche ============================

(Aktuell gibt es keinen automatisierten Fix für diesen Bereich.)

HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall ist aktiviert.

==================== MSCONFIG/TASK MANAGER Deaktivierte Einträge ==

(Aktuell gibt es keinen automatisierten Fix für diesen Bereich.)


==================== FirewallRules (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{9D3B5843-CE66-4E4C-8AEF-9B7F36F90B9F}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
FirewallRules: [{650B2034-084B-4051-94E7-44037345D752}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
FirewallRules: [{52D34E1D-D63B-49BC-A874-45A3AD637768}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
FirewallRules: [{0A83FAD2-15C0-4A84-9AE6-9EBE3A7F62C0}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
FirewallRules: [TCP Query User{7B92195E-249C-4538-88B2-D088AFB016CE}C:\program files\epson software\event manager\eeventmanager.exe] => (Block) C:\program files\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{DC393E51-3664-480C-8B6E-99F3CE8C30AF}C:\program files\epson software\event manager\eeventmanager.exe] => (Block) C:\program files\epson software\event manager\eeventmanager.exe
FirewallRules: [{559D354C-C25C-47DA-A563-537324439936}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{81CF767F-2528-4A47-8E1E-49A8EAAAB264}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\FarmingSimulator2015.exe
FirewallRules: [{6384DAF0-E017-4C4B-8733-36276840E7B9}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\FarmingSimulator2015.exe
FirewallRules: [{BD218624-9D34-4177-9AE5-E52A8182F79D}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x86\FarmingSimulator2015Game.exe
FirewallRules: [{2A56CBDA-F76F-4C84-AC9A-2E84092D087D}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x86\FarmingSimulator2015Game.exe
FirewallRules: [{3CD8F3FE-58D2-453D-8E0A-15EA0F46AD69}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x64\FarmingSimulator2015Game.exe
FirewallRules: [{B073FB12-D8C1-46B9-AD51-D5D81499FC30}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x64\FarmingSimulator2015Game.exe
FirewallRules: [TCP Query User{E0C0A721-959B-4D10-A113-B758966F88C3}D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe] => (Block) D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{692C92F9-DCE4-4C4D-AB2D-7299727847D7}D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe] => (Block) D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe

==================== Wiederherstellungspunkte =========================


==================== Fehlerhafte Geräte im Gerätemanager =============


==================== Fehlereinträge in der Ereignisanzeige: =========================

Applikationsfehler:
==================
Error: (12/30/2015 12:40:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2015 09:04:33 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2015 09:07:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2015 12:05:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/28/2015 07:35:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/28/2015 01:52:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/27/2015 03:44:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/26/2015 09:25:08 PM) (Source: eXPert PDF) (EventID: 3299) (User: )
Description: eXPert PDF Printer driverreported the following error:<<<

DrvEscape: Unsupported Escape Code : 4117
>>>

Error: (12/26/2015 09:11:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/26/2015 09:01:13 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


Systemfehler:
=============
Error: (12/30/2015 03:06:36 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (12/30/2015 01:40:32 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (12/30/2015 12:44:56 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR3 gefunden.

Error: (12/30/2015 12:44:55 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR3 gefunden.

Error: (12/30/2015 12:44:54 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR3 gefunden.

Error: (12/30/2015 12:44:53 PM) (Source: volsnap) (EventID: 27) (User: )
Description: Die Schattenkopien von Volume "G:" wurden während der Ermittlung abgebrochen, weil eine kritische Steuerungsdatei nicht geöffnet werden konnte.

Error: (12/30/2015 12:44:45 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

Error: (12/30/2015 12:44:44 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

Error: (12/30/2015 12:44:44 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.

Error: (12/30/2015 12:44:43 PM) (Source: Disk) (EventID: 11) (User: )
Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk1\DR2 gefunden.


==================== Memory info ===========================

Processor: Intel(R) Atom(TM) CPU D525 @ 1.80GHz
Prozentuale Nutzung des RAM: 57%
Installierter physikalischer RAM: 2038.24 MB
Verfügbarer physikalischer RAM: 867.36 MB
Summe virtueller Speicher: 4076.48 MB
Verfügbarer virtueller Speicher: 2306.75 MB

==================== Laufwerke ================================

Drive c: (System) (Fixed) (Total:32 GB) (Free:4.88 GB) NTFS ==>[Laufwerk mit Startkomponenten (eingeholt von BCD)]
Drive d: (Programme) (Fixed) (Total:32 GB) (Free:26.45 GB) NTFS
Drive e: (Daten) (Fixed) (Total:401.76 GB) (Free:373.26 GB) NTFS
Drive g: (SimpleDrive) (Fixed) (Total:931.51 GB) (Free:852.2 GB) NTFS

==================== MBR & Partitionstabelle ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1DB01DAF)
Partition 1: (Active) - (Size=32 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=433.8 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: B0CCD65D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== Ende vom Addition.txt ============================

cosinus 31.12.2015 04:39
Hi und :hallo:

Logs bitte nicht anhängen, notfalls splitten und über mehrere Postings verteilt posten

Lesestoff:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR oder 7Z-Archiv zu packen erschwert mir massiv die Arbeit.
Auch wenn die Logs für einen Beitrag zu groß sein sollten, bitte ich dich die Logs direkt und notfalls über mehrere Beiträge verteilt zu posten.
Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
  • Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
  • Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
  • Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
  • Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.
http://www.trojaner-board.de/picture...&pictureid=307

Joliwa 01.01.2016 17:02
MSE-Logfile Teil 1
 
Danke für die Antwort.
Hier ist das MSE-Logfile in zwei Teilen.

Code:
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        25.12.2015 16:35:25
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\codec-76\codec-3.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Admin
        Prozessname: C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
        Signaturversion: AV: 1.213.562.0, AS: 1.213.562.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12400.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-25T15:35:25.000000000Z" />
    <EventRecordID>256073</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FE68E92A-32D4-47C1-A894-BE21595058C8}</Data>
    <Data>2015-12-25T15:35:14.211Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Program Files\Malwarebytes Anti-Malware\mbam.exe</Data>
    <Data>JOLIWA\Admin</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\codec-76\codec-3.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.213.562.0, AS: 1.213.562.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12400.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        20.12.2015 13:58:31
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\15D.tmp;file:_C:\Users\Opa\AppData\Local\Temp\A052.tmp
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Benutzer
        Benutzer: JOLIWA\Admin
        Prozessname: Unknown
        Signaturversion: AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12400.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-20T12:58:31.000000000Z" />
    <EventRecordID>254875</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{E76A96DB-27BC-44AD-993B-53C8A2281AB7}</Data>
    <Data>2015-12-20T12:58:20.348Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>1</Data>
    <Data>%%815</Data>
    <Data>Unknown</Data>
    <Data>JOLIWA\Admin</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\15D.tmp;file:_C:\Users\Opa\AppData\Local\Temp\A052.tmp</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12400.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        20.12.2015 13:41:11
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\screw-3.lnk;file:_C:\Users\Opa\AppData\Roaming\screw-5\screw-69.exe;startup:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\screw-3.lnk
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12400.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-20T12:41:11.000000000Z" />
    <EventRecordID>254855</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{B10DE3E2-336C-46FC-B824-34DAC1381954}</Data>
    <Data>2015-12-20T12:39:09.222Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\screw-3.lnk;file:_C:\Users\Opa\AppData\Roaming\screw-5\screw-69.exe;startup:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\screw-3.lnk</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12400.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        20.12.2015 13:39:17
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\screw-5\screw-69.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12400.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-20T12:39:17.000000000Z" />
    <EventRecordID>254853</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{B10DE3E2-336C-46FC-B824-34DAC1381954}</Data>
    <Data>2015-12-20T12:39:09.222Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\screw-5\screw-69.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.213.451.0, AS: 1.213.451.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12400.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        19.12.2015 22:22:57
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-19T21:22:57.000000000Z" />
    <EventRecordID>254444</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{7612C672-6D67-430D-89CC-6C8987C3EC81}</Data>
    <Data>2015-12-19T21:20:58.051Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        19.12.2015 22:21:38
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ampere-19;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ampere-19
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-19T21:21:38.000000000Z" />
    <EventRecordID>254438</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{4E9EC744-FBFC-4ECE-82A8-C2FE8C5138D7}</Data>
    <Data>2015-12-19T21:20:35.909Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ampere-19;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ampere-19</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        19.12.2015 22:20:36
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-19T21:20:36.000000000Z" />
    <EventRecordID>254427</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{4E9EC744-FBFC-4ECE-82A8-C2FE8C5138D7}</Data>
    <Data>2015-12-19T21:20:35.909Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\ampere-11\ampere-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        18.12.2015 00:18:41
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-17T23:18:41.000000000Z" />
    <EventRecordID>254133</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{9F597972-5A18-4555-A3E3-E48B6B2E0283}</Data>
    <Data>2015-12-17T23:18:00.013Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        18.12.2015 00:18:37
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\lithium-1;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\lithium-1
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-17T23:18:37.000000000Z" />
    <EventRecordID>254131</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F94919EE-76DA-4828-B2F2-A48180E8B671}</Data>
    <Data>2015-12-17T23:17:02.773Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\lithium-1;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\lithium-1</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        18.12.2015 00:17:53
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-17T23:17:53.000000000Z" />
    <EventRecordID>254129</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F94919EE-76DA-4828-B2F2-A48180E8B671}</Data>
    <Data>2015-12-17T23:17:02.773Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\lithium-20\lithium-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        18.12.2015 00:17:44
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tesla-57.lnk;file:_C:\Users\Opa\AppData\Roaming\tesla-82\tesla-1.exe;startup:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tesla-57.lnk
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-17T23:17:44.000000000Z" />
    <EventRecordID>254127</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{848B9EB6-F014-4C67-B55E-CCC80EBAE2DE}</Data>
    <Data>2015-12-17T23:16:09.899Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tesla-57.lnk;file:_C:\Users\Opa\AppData\Roaming\tesla-82\tesla-1.exe;startup:_C:\Users\Opa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tesla-57.lnk</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        18.12.2015 00:16:17
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\tesla-82\tesla-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-17T23:16:17.000000000Z" />
    <EventRecordID>254111</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{848B9EB6-F014-4C67-B55E-CCC80EBAE2DE}</Data>
    <Data>2015-12-17T23:16:09.899Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\tesla-82\tesla-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2946.0, AS: 1.211.2946.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        17.12.2015 00:29:38
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Pelsi!plock&threatid=2147695982&enterprise=0
        Name: Trojan:Win32/Pelsi!plock
        ID: 2147695982
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\aliasing-4\aliasing-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\aliasing-7;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\aliasing-7
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-16T23:29:38.000000000Z" />
    <EventRecordID>253959</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{2BD211E8-BC00-4A2D-AA1D-577E27DF9E39}</Data>
    <Data>2015-12-16T23:28:54.914Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147695982</Data>
    <Data>Trojan:Win32/Pelsi!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Pelsi!plock&amp;threatid=2147695982&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\aliasing-4\aliasing-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\aliasing-7;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\aliasing-7</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        17.12.2015 00:28:54
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Pelsi!plock&threatid=2147695982&enterprise=0
        Name: Trojan:Win32/Pelsi!plock
        ID: 2147695982
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\aliasing-4\aliasing-6.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-16T23:28:54.000000000Z" />
    <EventRecordID>253955</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{2BD211E8-BC00-4A2D-AA1D-577E27DF9E39}</Data>
    <Data>2015-12-16T23:28:54.914Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147695982</Data>
    <Data>Trojan:Win32/Pelsi!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Pelsi!plock&amp;threatid=2147695982&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\aliasing-4\aliasing-6.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.12.2015 22:47:57
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peaac.gen!A!plock&threatid=2147688670&enterprise=0
        Name: Trojan:Win32/Peaac.gen!A!plock
        ID: 2147688670
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\spice-8\spice-95.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\spice-9;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\spice-9
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-15T21:47:57.000000000Z" />
    <EventRecordID>253696</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F683DC35-29F3-4F1E-81A2-FA94C0AFB6E9}</Data>
    <Data>2015-12-15T21:46:24.216Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147688670</Data>
    <Data>Trojan:Win32/Peaac.gen!A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peaac.gen!A!plock&amp;threatid=2147688670&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\spice-8\spice-95.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\spice-9;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\spice-9</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.12.2015 22:46:27
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peaac.gen!A!plock&threatid=2147688670&enterprise=0
        Name: Trojan:Win32/Peaac.gen!A!plock
        ID: 2147688670
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\spice-8\spice-95.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-15T21:46:27.000000000Z" />
    <EventRecordID>253688</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F683DC35-29F3-4F1E-81A2-FA94C0AFB6E9}</Data>
    <Data>2015-12-15T21:46:24.216Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147688670</Data>
    <Data>Trojan:Win32/Peaac.gen!A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peaac.gen!A!plock&amp;threatid=2147688670&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\spice-8\spice-95.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.12.2015 22:46:20
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\siphon-38\siphon-21.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-15T21:46:20.000000000Z" />
    <EventRecordID>253686</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{2ECC61BA-580B-44C0-BDF1-3F7361F3C925}</Data>
    <Data>2015-12-15T21:46:20.176Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\siphon-38\siphon-21.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        14.12.2015 22:52:09
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\baseline-80\baseline-4.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\baseline-76;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\baseline-76
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-14T21:52:09.000000000Z" />
    <EventRecordID>253552</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{00678473-8F43-4A27-9EA5-F16C4C432F21}</Data>
    <Data>2015-12-14T21:51:10.562Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\baseline-80\baseline-4.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\baseline-76;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\baseline-76</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        14.12.2015 22:51:28
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\baseline-80\baseline-4.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-14T21:51:28.000000000Z" />
    <EventRecordID>253551</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{00678473-8F43-4A27-9EA5-F16C4C432F21}</Data>
    <Data>2015-12-14T21:51:10.562Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\baseline-80\baseline-4.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2623.0, AS: 1.211.2623.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        13.12.2015 15:44:20
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peals.E!plock&threatid=2147691763&enterprise=0
        Name: Trojan:Win32/Peals.E!plock
        ID: 2147691763
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\fsotc-3\fsotc-4.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-68;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-68
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2548.0, AS: 1.211.2548.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-13T14:44:20.000000000Z" />
    <EventRecordID>253235</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{067D6D10-9606-42FD-B2F8-AA7CB8D8C891}</Data>
    <Data>2015-12-13T14:43:15.679Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691763</Data>
    <Data>Trojan:Win32/Peals.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peals.E!plock&amp;threatid=2147691763&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\fsotc-3\fsotc-4.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-68;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-68</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2548.0, AS: 1.211.2548.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        13.12.2015 15:43:32
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peals.E!plock&threatid=2147691763&enterprise=0
        Name: Trojan:Win32/Peals.E!plock
        ID: 2147691763
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\fsotc-3\fsotc-4.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2548.0, AS: 1.211.2548.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-13T14:43:32.000000000Z" />
    <EventRecordID>253226</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{067D6D10-9606-42FD-B2F8-AA7CB8D8C891}</Data>
    <Data>2015-12-13T14:43:15.679Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691763</Data>
    <Data>Trojan:Win32/Peals.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peals.E!plock&amp;threatid=2147691763&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\fsotc-3\fsotc-4.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2548.0, AS: 1.211.2548.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        12.12.2015 17:50:33
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.E!plock&threatid=2147705672&enterprise=0
        Name: Trojan:Win32/Varpes.E!plock
        ID: 2147705672
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\fsotc-2\fsotc-64.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-12T16:50:33.000000000Z" />
    <EventRecordID>252911</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{65804D2F-77C8-4C3D-B830-F2DFB124EA1B}</Data>
    <Data>2015-12-12T16:49:18.495Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147705672</Data>
    <Data>Trojan:Win32/Varpes.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.E!plock&amp;threatid=2147705672&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\fsotc-2\fsotc-64.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        12.12.2015 17:49:34
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.E!plock&threatid=2147705672&enterprise=0
        Name: Trojan:Win32/Varpes.E!plock
        ID: 2147705672
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\fsotc-2\fsotc-64.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-4;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-4
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-12T16:49:34.000000000Z" />
    <EventRecordID>252905</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{AC647485-7CCB-49F9-937D-7A296229D3EF}</Data>
    <Data>2015-12-12T16:48:45.298Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147705672</Data>
    <Data>Trojan:Win32/Varpes.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.E!plock&amp;threatid=2147705672&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\fsotc-2\fsotc-64.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-4;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\fsotc-4</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        12.12.2015 17:48:45
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.E!plock&threatid=2147705672&enterprise=0
        Name: Trojan:Win32/Varpes.E!plock
        ID: 2147705672
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\fsotc-2\fsotc-64.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-12T16:48:45.000000000Z" />
    <EventRecordID>252900</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{AC647485-7CCB-49F9-937D-7A296229D3EF}</Data>
    <Data>2015-12-12T16:48:45.298Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147705672</Data>
    <Data>Trojan:Win32/Varpes.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.E!plock&amp;threatid=2147705672&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\fsotc-2\fsotc-64.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        10.12.2015 20:36:48
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\15D.tmp
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Benutzer
        Benutzer: JOLIWA\Opa
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-10T19:36:48.000000000Z" />
    <EventRecordID>220450</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{EAE51705-D80A-42B7-BD37-F00E9D8F09DF}</Data>
    <Data>2015-12-10T19:36:48.194Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>1</Data>
    <Data>%%815</Data>
    <Data>Unknown</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\15D.tmp</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        10.12.2015 20:36:48
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\3D81.tmp;file:_C:\Users\Opa\AppData\Roaming\vctxo-69\vctxo-0.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Benutzer
        Benutzer: JOLIWA\Opa
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-10T19:36:48.000000000Z" />
    <EventRecordID>220449</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{4B25555A-4211-4505-B23B-978D4D1EE6DE}</Data>
    <Data>2015-12-10T19:36:24.603Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>1</Data>
    <Data>%%815</Data>
    <Data>Unknown</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\3D81.tmp;file:_C:\Users\Opa\AppData\Roaming\vctxo-69\vctxo-0.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2339.0, AS: 1.211.2339.0, NIS: 115.28.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        08.12.2015 13:47:08
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Beaugrit.gen!D&threatid=2147692709&enterprise=0
        Name: Trojan:Win32/Beaugrit.gen!D
        ID: 2147692709
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\tdscdma-28\tdscdma-26.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\tdscdma-23;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\tdscdma-23
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-08T12:47:08.000000000Z" />
    <EventRecordID>214679</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{98864D8E-6AA5-4DAF-B254-495EC91D3D55}</Data>
    <Data>2015-12-08T12:46:19.169Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147692709</Data>
    <Data>Trojan:Win32/Beaugrit.gen!D</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Beaugrit.gen!D&amp;threatid=2147692709&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\tdscdma-28\tdscdma-26.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\tdscdma-23;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\tdscdma-23</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        08.12.2015 13:46:43
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tulim.C!plock&threatid=2147706923&enterprise=0
        Name: Trojan:Win32/Tulim.C!plock
        ID: 2147706923
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\strain-5\strain-74.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-08T12:46:43.000000000Z" />
    <EventRecordID>214675</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{02600719-DDF5-439C-A574-392A4CB1C586}</Data>
    <Data>2015-12-08T12:46:43.508Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706923</Data>
    <Data>Trojan:Win32/Tulim.C!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Tulim.C!plock&amp;threatid=2147706923&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\strain-5\strain-74.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        08.12.2015 13:46:19
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Beaugrit.gen!D&threatid=2147692709&enterprise=0
        Name: Trojan:Win32/Beaugrit.gen!D
        ID: 2147692709
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\tdscdma-28\tdscdma-26.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-08T12:46:19.000000000Z" />
    <EventRecordID>214674</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{98864D8E-6AA5-4DAF-B254-495EC91D3D55}</Data>
    <Data>2015-12-08T12:46:19.169Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147692709</Data>
    <Data>Trojan:Win32/Beaugrit.gen!D</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Beaugrit.gen!D&amp;threatid=2147692709&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\tdscdma-28\tdscdma-26.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        08.12.2015 13:46:18
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Hiclas.C!plock&threatid=2147707899&enterprise=0
        Name: Trojan:Win32/Hiclas.C!plock
        ID: 2147707899
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\serdes-94\serdes-8.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-08T12:46:18.000000000Z" />
    <EventRecordID>214673</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{27B1C4C0-70A7-4273-9BEC-3292C4BCBC0A}</Data>
    <Data>2015-12-08T12:46:15.849Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147707899</Data>
    <Data>Trojan:Win32/Hiclas.C!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Hiclas.C!plock&amp;threatid=2147707899&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\serdes-94\serdes-8.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.2083.0, AS: 1.211.2083.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        06.12.2015 13:22:34
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\molality-2\molality-67.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\molality-0;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\molality-0
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.1944.0, AS: 1.211.1944.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-06T12:22:34.000000000Z" />
    <EventRecordID>214029</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{8548110F-4211-4AD2-8BFB-08338AB89619}</Data>
    <Data>2015-12-06T12:21:45.249Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\molality-2\molality-67.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\molality-0;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\molality-0</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1944.0, AS: 1.211.1944.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        06.12.2015 13:21:47
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\molality-2\molality-67.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.1944.0, AS: 1.211.1944.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-06T12:21:47.000000000Z" />
    <EventRecordID>214028</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{8548110F-4211-4AD2-8BFB-08338AB89619}</Data>
    <Data>2015-12-06T12:21:45.249Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\molality-2\molality-67.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1944.0, AS: 1.211.1944.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        03.12.2015 22:41:34
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\anode-47\anode-07.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.1525.0, AS: 1.211.1525.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-03T21:41:34.000000000Z" />
    <EventRecordID>212963</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{127C5957-275E-4396-9175-923746D308D2}</Data>
    <Data>2015-12-03T21:41:31.901Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\anode-47\anode-07.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1525.0, AS: 1.211.1525.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        28.11.2015 17:10:57
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.E!plock&threatid=2147705672&enterprise=0
        Name: Trojan:Win32/Varpes.E!plock
        ID: 2147705672
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\cardbus-51\cardbus-2.exe;process:_pid:3884,ProcessStart:130932005590595703;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\cardbus-79;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\cardbus-79
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-28T16:10:57.000000000Z" />
    <EventRecordID>212193</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F3019206-AD15-4233-A928-CE51F7F8ADD5}</Data>
    <Data>2015-11-28T16:10:06.294Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147705672</Data>
    <Data>Trojan:Win32/Varpes.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.E!plock&amp;threatid=2147705672&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\cardbus-51\cardbus-2.exe;process:_pid:3884,ProcessStart:130932005590595703;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\cardbus-79;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\cardbus-79</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Joliwa 01.01.2016 17:04
MSE-Logfile Teil 2
 
Code:
Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        28.11.2015 17:10:06
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.E!plock&threatid=2147705672&enterprise=0
        Name: Trojan:Win32/Varpes.E!plock
        ID: 2147705672
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\cardbus-51\cardbus-2.exe;process:_pid:3884,ProcessStart:130932005590595703
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-28T16:10:06.000000000Z" />
    <EventRecordID>212188</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F3019206-AD15-4233-A928-CE51F7F8ADD5}</Data>
    <Data>2015-11-28T16:10:06.294Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147705672</Data>
    <Data>Trojan:Win32/Varpes.E!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.E!plock&amp;threatid=2147705672&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\cardbus-51\cardbus-2.exe;process:_pid:3884,ProcessStart:130932005590595703</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        28.11.2015 12:07:42
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\framer-97\framer-3.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\framer-0;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\framer-0
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-28T11:07:42.000000000Z" />
    <EventRecordID>212053</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F49A199D-A100-4950-8B26-DBFFFD753CED}</Data>
    <Data>2015-11-28T11:06:25.672Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\framer-97\framer-3.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\framer-0;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\framer-0</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        28.11.2015 12:06:48
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\framer-97\framer-3.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-28T11:06:48.000000000Z" />
    <EventRecordID>212050</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F49A199D-A100-4950-8B26-DBFFFD753CED}</Data>
    <Data>2015-11-28T11:06:25.672Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\framer-97\framer-3.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        28.11.2015 12:05:07
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\vmebus-6\vmebus-99.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-28T11:05:07.000000000Z" />
    <EventRecordID>212036</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{77C6047A-EC8A-4F67-881F-D0F54FF30CAD}</Data>
    <Data>2015-11-28T11:05:06.917Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\vmebus-6\vmebus-99.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.1073.0, AS: 1.211.1073.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        26.11.2015 00:45:35
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Yakad.A!plock&threatid=2147691141&enterprise=0
        Name: Trojan:Win32/Yakad.A!plock
        ID: 2147691141
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-25T23:45:35.000000000Z" />
    <EventRecordID>211180</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{587A7485-3F12-45A5-843D-823C7F0BC00B}</Data>
    <Data>2015-11-25T23:45:24.442Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691141</Data>
    <Data>Trojan:Win32/Yakad.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Yakad.A!plock&amp;threatid=2147691141&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        25.11.2015 14:57:21
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Yakad.A!plock&threatid=2147691141&enterprise=0
        Name: Trojan:Win32/Yakad.A!plock
        ID: 2147691141
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\glonass-8;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\glonass-8
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-25T13:57:21.000000000Z" />
    <EventRecordID>211059</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{D8C839A3-E4C7-4BA5-B4EF-DABF882AAFB0}</Data>
    <Data>2015-11-25T13:56:17.212Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691141</Data>
    <Data>Trojan:Win32/Yakad.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Yakad.A!plock&amp;threatid=2147691141&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\glonass-8;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\glonass-8</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        25.11.2015 14:56:17
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Yakad.A!plock&threatid=2147691141&enterprise=0
        Name: Trojan:Win32/Yakad.A!plock
        ID: 2147691141
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-25T13:56:17.000000000Z" />
    <EventRecordID>211057</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{D8C839A3-E4C7-4BA5-B4EF-DABF882AAFB0}</Data>
    <Data>2015-11-25T13:56:17.212Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691141</Data>
    <Data>Trojan:Win32/Yakad.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Yakad.A!plock&amp;threatid=2147691141&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\glonass-29\glonass-5.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.725.0, AS: 1.211.725.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        22.11.2015 22:12:36
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\booster-5\booster-53.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\booster-47;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\booster-47
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T21:12:36.000000000Z" />
    <EventRecordID>210171</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{DB5ECA48-6283-48D1-9830-1C683406F461}</Data>
    <Data>2015-11-22T21:11:38.560Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\booster-5\booster-53.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\booster-47;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\booster-47</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        22.11.2015 22:11:38
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Anaki.A!plock&threatid=2147689588&enterprise=0
        Name: Trojan:Win32/Anaki.A!plock
        ID: 2147689588
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\booster-5\booster-53.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T21:11:38.000000000Z" />
    <EventRecordID>210169</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{DB5ECA48-6283-48D1-9830-1C683406F461}</Data>
    <Data>2015-11-22T21:11:38.560Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147689588</Data>
    <Data>Trojan:Win32/Anaki.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Anaki.A!plock&amp;threatid=2147689588&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\booster-5\booster-53.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        22.11.2015 13:53:54
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tulim.B!plock&threatid=2147706922&enterprise=0
        Name: Trojan:Win32/Tulim.B!plock
        ID: 2147706922
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\dfmea-0\dfmea-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\dfmea-4;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\dfmea-4
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T12:53:54.000000000Z" />
    <EventRecordID>209634</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FF3BDE20-9731-42FE-8036-88CD58724F9D}</Data>
    <Data>2015-11-22T12:52:55.824Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706922</Data>
    <Data>Trojan:Win32/Tulim.B!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Tulim.B!plock&amp;threatid=2147706922&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\dfmea-0\dfmea-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\dfmea-4;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\dfmea-4</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        22.11.2015 13:52:55
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tulim.B!plock&threatid=2147706922&enterprise=0
        Name: Trojan:Win32/Tulim.B!plock
        ID: 2147706922
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\dfmea-0\dfmea-6.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-22T12:52:55.000000000Z" />
    <EventRecordID>209631</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FF3BDE20-9731-42FE-8036-88CD58724F9D}</Data>
    <Data>2015-11-22T12:52:55.824Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706922</Data>
    <Data>Trojan:Win32/Tulim.B!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Tulim.B!plock&amp;threatid=2147706922&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\dfmea-0\dfmea-6.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.444.0, AS: 1.211.444.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        21.11.2015 09:22:46
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peals.F!plock&threatid=2147691764&enterprise=0
        Name: Trojan:Win32/Peals.F!plock
        ID: 2147691764
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\centroid-02\centroid-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\centroid-07;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\centroid-07
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.303.0, AS: 1.211.303.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-21T08:22:46.000000000Z" />
    <EventRecordID>209136</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{55CC6129-811D-4E49-90E3-F47ECAAA016D}</Data>
    <Data>2015-11-21T08:20:56.066Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691764</Data>
    <Data>Trojan:Win32/Peals.F!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peals.F!plock&amp;threatid=2147691764&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\centroid-02\centroid-6.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\centroid-07;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\centroid-07</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.303.0, AS: 1.211.303.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        21.11.2015 09:21:10
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Peals.F!plock&threatid=2147691764&enterprise=0
        Name: Trojan:Win32/Peals.F!plock
        ID: 2147691764
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\centroid-02\centroid-6.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\System32\taskhost.exe
        Signaturversion: AV: 1.211.303.0, AS: 1.211.303.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12300.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-21T08:21:10.000000000Z" />
    <EventRecordID>209134</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{55CC6129-811D-4E49-90E3-F47ECAAA016D}</Data>
    <Data>2015-11-21T08:20:56.066Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147691764</Data>
    <Data>Trojan:Win32/Peals.F!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Peals.F!plock&amp;threatid=2147691764&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\System32\taskhost.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\centroid-02\centroid-6.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.211.303.0, AS: 1.211.303.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12300.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        17.11.2015 23:54:35
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\megabits-2\megabits-6.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.209.3174.0, AS: 1.209.3174.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-17T22:54:35.000000000Z" />
    <EventRecordID>207535</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{BB448970-CC19-48C9-89E8-42A181DBE69B}</Data>
    <Data>2015-11-17T22:54:35.012Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\megabits-2\megabits-6.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.3174.0, AS: 1.209.3174.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        16.11.2015 18:03:29
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Tulim.D!plock&threatid=2147706924&enterprise=0
        Name: Trojan:Win32/Tulim.D!plock
        ID: 2147706924
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\ascii-7\ascii-54.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.209.2988.0, AS: 1.209.2988.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-16T17:03:29.000000000Z" />
    <EventRecordID>207242</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{92A83ECB-A47A-41B3-82F7-5169D6365188}</Data>
    <Data>2015-11-16T17:03:28.273Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706924</Data>
    <Data>Trojan:Win32/Tulim.D!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Tulim.D!plock&amp;threatid=2147706924&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\ascii-7\ascii-54.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2988.0, AS: 1.209.2988.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.11.2015 21:12:59
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.K!plock&threatid=2147706744&enterprise=0
        Name: Trojan:Win32/Varpes.K!plock
        ID: 2147706744
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE;process:_pid:3212,ProcessStart:130920919068855470
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-15T20:12:59.000000000Z" />
    <EventRecordID>206556</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{C9F95422-C687-494C-AB55-16107AAFE16D}</Data>
    <Data>2015-11-15T20:12:00.820Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706744</Data>
    <Data>Trojan:Win32/Varpes.K!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.K!plock&amp;threatid=2147706744&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE;process:_pid:3212,ProcessStart:130920919068855470</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.11.2015 21:12:07
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.K!plock&threatid=2147706744&enterprise=0
        Name: Trojan:Win32/Varpes.K!plock
        ID: 2147706744
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-15T20:12:07.000000000Z" />
    <EventRecordID>206555</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{C9F95422-C687-494C-AB55-16107AAFE16D}</Data>
    <Data>2015-11-15T20:12:00.820Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706744</Data>
    <Data>Trojan:Win32/Varpes.K!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.K!plock&amp;threatid=2147706744&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.11.2015 21:11:59
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.K!plock&threatid=2147706744&enterprise=0
        Name: Trojan:Win32/Varpes.K!plock
        ID: 2147706744
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020900-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020901-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020906-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020907-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FE-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FF-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00030003-0000-0000-C000-000000000046};file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE;regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020900-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020901-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020906-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020907-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FE-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FF-0000-0000-C000-000000000046};
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-15T20:11:59.000000000Z" />
    <EventRecordID>206552</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{B1E11724-6658-44BA-A832-7CDDE28892D9}</Data>
    <Data>2015-11-15T20:10:43.137Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706744</Data>
    <Data>Trojan:Win32/Varpes.K!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.K!plock&amp;threatid=2147706744&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020900-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020901-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020906-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00020907-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FE-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FF-0000-0000-C000-000000000046};clsid:_HKLM\SOFTWARE\CLASSES\CLSID\{00030003-0000-0000-C000-000000000046};file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE;regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020900-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020901-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020906-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{00020907-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FE-0000-0000-C000-000000000046};regkey:_HKLM\SOFTWARE\CLASSES\CLSID\{000209FF-0000-0000-C000-000000000046};</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.11.2015 21:10:43
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Varpes.K!plock&threatid=2147706744&enterprise=0
        Name: Trojan:Win32/Varpes.K!plock
        ID: 2147706744
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-15T20:10:43.000000000Z" />
    <EventRecordID>206550</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{B1E11724-6658-44BA-A832-7CDDE28892D9}</Data>
    <Data>2015-11-15T20:10:43.137Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147706744</Data>
    <Data>Trojan:Win32/Varpes.K!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Varpes.K!plock&amp;threatid=2147706744&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_D:\Programme\Microsoft Office\Office\WINWORD.EXE</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        15.11.2015 01:58:42
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Dynamer!ac&threatid=2147684005&enterprise=0
        Name: Trojan:Win32/Dynamer!ac
        ID: 2147684005
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Roaming\powercap-15\powercap-79.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Konkret
        Quelle der Erkennung: Benutzer
        Benutzer: JOLIWA\Opa
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-15T00:58:42.000000000Z" />
    <EventRecordID>206148</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{B87CA379-AC1A-4A6B-9FC9-0DE569435187}</Data>
    <Data>2015-11-15T00:58:41.260Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147684005</Data>
    <Data>Trojan:Win32/Dynamer!ac</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Dynamer!ac&amp;threatid=2147684005&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>1</Data>
    <Data>%%815</Data>
    <Data>Unknown</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Roaming\powercap-15\powercap-79.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>0</Data>
    <Data>%%822</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2879.0, AS: 1.209.2879.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        14.11.2015 21:38:14
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!plock&threatid=2147692018&enterprise=0
        Name: Trojan:Win32/Skeeyah.A!plock
        ID: 2147692018
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\docsis-1\docsis-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\docsis-87;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\docsis-87
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.209.2591.0, AS: 1.209.2591.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T20:38:14.000000000Z" />
    <EventRecordID>206047</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{916FB272-04EF-4E31-827D-EC83F980E82E}</Data>
    <Data>2015-11-14T20:36:54.869Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147692018</Data>
    <Data>Trojan:Win32/Skeeyah.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Skeeyah.A!plock&amp;threatid=2147692018&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\docsis-1\docsis-1.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\docsis-87;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\docsis-87</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2591.0, AS: 1.209.2591.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        14.11.2015 21:36:57
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!plock&threatid=2147692018&enterprise=0
        Name: Trojan:Win32/Skeeyah.A!plock
        ID: 2147692018
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\ProgramData\docsis-1\docsis-1.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: Echtzeitschutz
        Benutzer: JOLIWA\Opa
        Prozessname: C:\Windows\explorer.exe
        Signaturversion: AV: 1.209.2591.0, AS: 1.209.2591.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-14T20:36:57.000000000Z" />
    <EventRecordID>206043</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{916FB272-04EF-4E31-827D-EC83F980E82E}</Data>
    <Data>2015-11-14T20:36:54.869Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147692018</Data>
    <Data>Trojan:Win32/Skeeyah.A!plock</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Skeeyah.A!plock&amp;threatid=2147692018&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>3</Data>
    <Data>%%818</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>JOLIWA\Opa</Data>
    <Data>
    </Data>
    <Data>file:_C:\ProgramData\docsis-1\docsis-1.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>1</Data>
    <Data>%%813</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2591.0, AS: 1.209.2591.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        11.11.2015 23:09:05
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Matsnu.O&threatid=2147690811&enterprise=0
        Name: Trojan:Win32/Matsnu.O
        ID: 2147690811
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T22:09:05.000000000Z" />
    <EventRecordID>205320</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FFF90EFC-9ADB-4C6B-B45E-CEA46FD8F9A3}</Data>
    <Data>2015-11-11T22:08:14.907Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147690811</Data>
    <Data>Trojan:Win32/Matsnu.O</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Matsnu.O&amp;threatid=2147690811&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        11.11.2015 23:09:05
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Matsnu.O&threatid=2147690811&enterprise=0
        Name: Trojan:Win32/Matsnu.O
        ID: 2147690811
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T22:09:05.000000000Z" />
    <EventRecordID>205319</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FFF90EFC-9ADB-4C6B-B45E-CEA46FD8F9A3}</Data>
    <Data>2015-11-11T22:08:14.907Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147690811</Data>
    <Data>Trojan:Win32/Matsnu.O</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Matsnu.O&amp;threatid=2147690811&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        11.11.2015 23:08:59
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Matsnu.O&threatid=2147690811&enterprise=0
        Name: Trojan:Win32/Matsnu.O
        ID: 2147690811
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ladder-monitor;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ladder-monitor
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T22:08:59.000000000Z" />
    <EventRecordID>205315</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F160218D-E43B-49B6-9FF9-5ADCECA14205}</Data>
    <Data>2015-11-11T22:08:04.533Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147690811</Data>
    <Data>Trojan:Win32/Matsnu.O</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Matsnu.O&amp;threatid=2147690811&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ladder-monitor;regkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runkey:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ladder-monitor;runonce:_HKCU@S-1-5-21-1987672872-2594305773-2641038054-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\\ladder-monitor</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        11.11.2015 23:08:15
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Matsnu.O&threatid=2147690811&enterprise=0
        Name: Trojan:Win32/Matsnu.O
        ID: 2147690811
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T22:08:15.000000000Z" />
    <EventRecordID>205308</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{FFF90EFC-9ADB-4C6B-B45E-CEA46FD8F9A3}</Data>
    <Data>2015-11-11T22:08:14.907Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147690811</Data>
    <Data>Trojan:Win32/Matsnu.O</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Matsnu.O&amp;threatid=2147690811&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe;process:_pid:2532,ProcessStart:130917532464609375;process:_pid:2824,ProcessStart:130917532487167968</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>3</Data>
    <Data>%%848</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

Protokollname: System
Quelle:        Microsoft Antimalware
Datum:        11.11.2015 23:08:04
Ereignis-ID:  1116
Aufgabenkategorie:Keine
Ebene:        Warnung
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      JOLIWA
Beschreibung:
Von Microsoft-Antischadsoftware wurde Schadsoftware oder andere potenziell unerwünschte Software entdeckt.
 Weitere Informationen finden Sie hier:
hxxp://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Matsnu.O&threatid=2147690811&enterprise=0
        Name: Trojan:Win32/Matsnu.O
        ID: 2147690811
        Schweregrad: Schwerwiegend
        Kategorie: Trojaner
        Pfad: file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe
        Ursprung der Erkennung: Lokaler Computer
        Typ der Erkennung: Dynamische Signatur
        Quelle der Erkennung: System
        Benutzer: NT-AUTORITÄT\SYSTEM
        Prozessname: Unknown
        Signaturversion: AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0
        Modulversion: AM: 1.1.12205.0, NIS: 2.1.11804.0
Ereignis-XML:
<Event xmlns="hxxp://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft Antimalware" />
    <EventID Qualifiers="0">1116</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-11-11T22:08:04.000000000Z" />
    <EventRecordID>205306</EventRecordID>
    <Channel>System</Channel>
    <Computer>JOLIWA</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%860</Data>
    <Data>4.8.0204.0</Data>
    <Data>{F160218D-E43B-49B6-9FF9-5ADCECA14205}</Data>
    <Data>2015-11-11T22:08:04.533Z</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>2147690811</Data>
    <Data>Trojan:Win32/Matsnu.O</Data>
    <Data>5</Data>
    <Data>Schwerwiegend</Data>
    <Data>8</Data>
    <Data>Trojaner</Data>
    <Data>hxxp://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Matsnu.O&amp;threatid=2147690811&amp;enterprise=0</Data>
    <Data>1</Data>
    <Data>
    </Data>
    <Data>1</Data>
    <Data>2</Data>
    <Data>%%820</Data>
    <Data>Unknown</Data>
    <Data>NT-AUTORITÄT\SYSTEM</Data>
    <Data>
    </Data>
    <Data>file:_C:\Users\Opa\AppData\Local\Temp\Ladder_fail\ladder-dare.exe</Data>
    <Data>1</Data>
    <Data>%%845</Data>
    <Data>0</Data>
    <Data>%%812</Data>
    <Data>8</Data>
    <Data>%%862</Data>
    <Data>0</Data>
    <Data>9</Data>
    <Data>%%887</Data>
    <Data>
    </Data>
    <Data>0x00000000</Data>
    <Data>Der Vorgang wurde erfolgreich beendet. </Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>No additional actions required</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>AV: 1.209.2210.0, AS: 1.209.2210.0, NIS: 115.26.0.0</Data>
    <Data>AM: 1.1.12205.0, NIS: 2.1.11804.0</Data>
  </EventData>
</Event>

cosinus 01.01.2016 21:38
Zitat:
AS: Kaspersky Internet Security (Disabled - Up to date) {0F7D947C-13CC-4207-47BE-41AC12334EC6}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
FW: Kaspersky Internet Security (Disabled) {8C27F4BD-7F99-4CD1-5651-D3EB97674300}
Das geht so nicht. Verwende entweder Kaspersky oder MSE, aber nicht beides.

Funde von Malwarebytes? Wenn ja, bitte alle Logs mit Funden posten.

Joliwa 02.01.2016 10:11
OK, verstanden. Ich werde eines der beiden deinstallieren.

Malwarebytes war installiert und hat bei einem Full Scan nichts gefunden. Als direkt danach (bzw. während Malwarebytes lief!) der MSE wieder etwas gefunden hat, wurde mir mulmig und ich bin auf dieses Board gestoßen.

cosinus 02.01.2016 21:12
Malwarebytes Anti-Rootkit (MBAR)

Downloade dir bitte Malwarebytes Anti-Rootkit Malwarebytes Anti-Rootkit und speichere es auf deinem Desktop.
  • Starte bitte die mbar.exe.
  • Folge den Anweisungen auf deinem Bildschirm gemäß Anleitung zu Malwarebytes Anti-Rootkit
  • Aktualisiere unbedingt die Datenbank und erlaube dem Tool, dein System zu scannen.
  • Klicke auf den CleanUp Button und erlaube den Neustart.
  • Während dem Neustart wird MBAR die gefundenen Objekte entfernen, also bleib geduldig.
  • Nach dem Neustart starte die mbar.exe erneut.
  • Sollte nochmal was gefunden werden, wiederhole den CleanUp Prozess.
Das Tool wird im erstellten Ordner eine Logfile ( mbar-log-<Jahr-Monat-Tag>.txt ) erzeugen. Bitte poste diese hier.

Starte keine andere Datei in diesem Ordner ohne Anweisung eines Helfers

Joliwa 06.01.2016 21:12
Scan mit mbar
 
Danke!
Ich habe Kaspersky entfernt, und mit mbar gescannt.
MSE hat am 04.01. einen Fund gemeldet.


Code:
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2016.01.06.04
  rootkit: v2016.01.05.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.18124
Admin :: JOLIWA [administrator]

06.01.2016 19:29:36
mbar-log-2016-01-06 (19-29-36).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 370218
Time elapsed: 35 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
Code:

--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎12‎-‎31‎-‎2015 00:18:50
************************************************************
2015-12-30T23:18:50.179Z Trace session started - MpWppTracing-12312015-001850-00000003-ffffffff.binResetting SFCState failed with 0x80070015**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 0
Number of invalid entries is 0
Number of inserts issued is 0
Number of replaces issued is 0
Number of insert failures is 0
Number of inserts with duplicate entries is 0
Number of lookups is 0
Number of lookup misses is 0
Number of fast lookup misses is 0
Number of false fast lookups is 0
Number of invalidations is 0
Number of maintenance invalidations is 0
Current File Size is 319488
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2015-12-30T23:18:50.475Z Verifying RTP plugin...
2015-12-30T23:18:50.625Z verified!
2015-12-30T23:18:50.821Z Verifying Nis plugin...
2015-12-30T23:18:50.854Z verified!
2015-12-30T23:18:50.858Z Initializing Nis plugin state...
2015-12-30T23:18:50.858Z Nis initialized!
2015-12-30T23:18:50.858Z Loading engine...
2015-12-30T23:18:50.865Z CSignatureStatus: changed to DUE_REPORTED
2015-12-30T23:18:50.866Z loaded!
2015-12-30T23:18:50.906Z Verifying license file...
2015-12-30T23:18:50.951Z verified!
2015-12-30T23:18:50.952Z Product supports installmode: 0
2015-12-30T23:18:50.957Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.5.216.0
Service Version: 4.5.216.0
Engine Version: 0.0.0.0
AS Signature Version: 0.0.0.0
AV Signature Version: 0.0.0.0
************************************************************
2015-12-30T23:18:55.685Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:18:55.737Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:18:57.762Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:18:57.779Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:18:59.819Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:18:59.837Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(0)
2015-12-30T23:19:08.244Z Task(SignaturesUpdateService -UnmanagedUpdate) launched
2015-12-30T23:19:50.958Z Calling MpUpdateStart with update options = 257
2015-12-30T23:28:50.957Z AutoPurgeWorker triggered with dwWork=0x3
2015-12-30T23:28:50.958Z Product supports installmode: 0
2015-12-30T23:28:50.961Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
2015-12-30T23:28:51.324Z Trace buffers written: 12, events lost: 0, buffers lost: 0, days: 0
2015-12-30T23:28:51.324Z Trusted image bitmap: 0x1
2015-12-30T23:28:51.324Z Trusted image OEM name: (not found)
2015-12-30T23:28:51.324Z Start sending one time SQM data points.
2015-12-30T23:28:51.325Z Finished sending one time SQM data points.
2015-12-30T23:28:51.397Z Task(-UploadSQM -RestrictPrivileges) launched
2015-12-30T23:28:51.493Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2015-12-30T23:28:51.495Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 5387107(ms)
2015-12-30T23:45:04.867Z Verifying engine and signature files (source: 0) ...
2015-12-30T23:45:06.775Z verified!
2015-12-30T23:45:26.874Z Initializing SQM in engine...
2015-12-30T23:45:26.874Z SQM initialized in the engine successfully
2015-12-30T23:45:27.899Z CSignatureStatus: back to good
2015-12-30T23:45:27.899Z Initializing RTP plugin state...
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:0
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:6
  TotalStreamCon:936
  TotalBitmap:113040
  NTFS Cache Statistics:
  TotalMisses:10404
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2015-12-30T23:45:27.900Z initialized!
Signature updated on ‎12‎-‎31‎-‎2015 00:45:27
Product Version: 4.5.216.0
Service Version: 4.5.216.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1379.0
AV Signature Version: 1.213.1379.0
************************************************************
2015-12-30T23:45:28.132Z Process scan (postsignatureupdatescan) started.
2015-12-30T23:45:30.027Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:30.051Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:32.381Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:32.402Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
Signature updated via MicrosoftUpdateServer on ‎12‎-‎31‎-‎2015 00:45:33
************************************************************
2015-12-30T23:45:34.480Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:34.500Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:36.553Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:36.577Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:38.631Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:38.654Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:40.709Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:40.757Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:42.934Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:42.956Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:45.029Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-30T23:45:45.073Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)

BEGIN BM telemetry
GUID:{09D9EC19-48D9-C250-A542-90483D28D827}
TelemetryName:Behavior:Win32/MpTamperIoavClsidDelete.A
SignatureID:243761822934816
ProcessID:5156
ProcessCreationTime:0
SessionID:4294967295
CreationTime:‎12‎-‎31‎-‎2015 00:45:30
ImagePath:C:\Windows\System32\svchost.exe
ImagePathHash:121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2
END BM telemetry

2015-12-30T23:45:49.040Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\8ea90f7a839cdcda0410ed7cb6ea15d5b71c4793
Dynamic Signature Compilation Timestamp:‎12‎-‎31‎-‎2015 00:45:49
Persistence Type:Duration
Time remaining:216000000
DSS Timeout:Received results after timeout
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2015-12-30T23:50:15.479Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\02d3942fefdb6158b94c870c32256580c73bc77a
Dynamic Signature Compilation Timestamp:‎12‎-‎31‎-‎2015 00:50:15
Persistence Type:Duration
Time remaining:216000000
2015-12-30T23:50:15.865Z Process scan (postsignatureupdatescan) completed.
2015-12-30T23:55:28.111Z Process scan (poststartupscan) started.
2015-12-30T23:56:11.931Z Process scan (poststartupscan) completed.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\system32\Sens_oal.dll"
Begin Resource Scan
Scan ID:{8F093B0F-1896-470D-B8A4-7634B41F51A9}
Scan Source:7
Start Time:‎12‎-‎31‎-‎2015 01:11:12
End Time:‎12‎-‎31‎-‎2015 01:11:27
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Windows\system32\Sens_oal.dll
Result Count:1
Unknown File
Identifier:18103529816144740350
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Windows\system32\Sens_oal.dll
Extended Info:65519410711387
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{53FA064F-4C68-49F1-8E37-06872723E7C7}
Scan Source:7
Start Time:‎12‎-‎31‎-‎2015 01:19:26
End Time:‎12‎-‎31‎-‎2015 01:19:31
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Result Count:1
Unknown File
Identifier:6723857877691269118
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Extended Info:5863886377321
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\ALchemy\dsound.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
2015-12-31T01:00:17.272Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:00:17.379Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:00:23.931Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:23.952Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:25.996Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:26.028Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:28.079Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:28.106Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:30.146Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:00:30.167Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
Begin Resource Scan
Scan ID:{F59FA1A8-7151-4BC2-B1E4-E362A641C89C}
Scan Source:7
Start Time:‎12‎-‎31‎-‎2015 02:00:01
End Time:‎12‎-‎31‎-‎2015 02:00:22
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\ALchemy\ALchemy.exe
Result Count:1
Unknown File
Identifier:3058306356609023998
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\ALchemy\ALchemy.exe
Extended Info:65519410711387
End Scan
************************************************************

2015-12-31T01:11:50.498Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:11:50.515Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T01:11:50.778Z Reloading engine...
2015-12-31T01:11:51.068Z Verifying engine and signature files (source: 0) ...
2015-12-31T01:11:51.071Z verified!
2015-12-31T01:11:52.584Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:11:52.601Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:14.051Z Initializing SQM in engine...
2015-12-31T01:12:14.051Z SQM initialized in the engine successfully
2015-12-31T01:12:14.483Z Initializing RTP plugin state...
2015-12-31T01:12:14.484Z initialized!
2015-12-31T01:12:14.498Z Engine reloaded
****************************RTP Perf Log***************************
RTP Start:‎12‎-‎31‎-‎2015 00:45:27
Last Perf:‎12‎-‎31‎-‎2015 00:45:27
First RTP Scan:‎12‎-‎31‎-‎2015 00:45:28
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:3
System File Cache:
  Hits:826
  Misses:4005
BM Queue:0,97,0
  Proc:0,90,0
  File:0,77,0
Plugin Queue:0,1,0
  Threat:0,1,0
  Susp:0,1,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:2,3,0
  SetEngine:1,1,0
  SetState:1,2,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,2,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:5634
  Pending:0
  RegSize:60200
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:545058
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:6
  TotalStreamCon:3992
  TotalBitmap:113040
  NTFS Cache Statistics:
  TotalMisses:133047
  TotalHits:51491
  InstanceCacheHits:327
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2015-12-31T01:12:14.615Z Process scan (poststartupscan) started.
2015-12-31T01:12:16.541Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:16.566Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:18.668Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:18.688Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:20.807Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T01:12:20.841Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On ‎12‎-‎31‎-‎2015 04:29:35
************************************************************
2015-12-31T03:29:35.500Z Trace session started - MpWppTracing-12312015-042935-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 9587
Number of invalid entries is 0
Number of inserts issued is 9650
Number of replaces issued is 0
Number of insert failures is 0
Number of inserts with duplicate entries is 8796
Number of lookups is 42623
Number of lookup misses is 1974
Number of fast lookup misses is 33089
Number of false fast lookups is 1974
Number of invalidations is 11
Number of maintenance invalidations is 0
Current File Size is 319488
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2015-12-31T03:29:35.656Z Verifying RTP plugin...
2015-12-31T03:29:35.671Z verified!
2015-12-31T03:29:35.859Z Verifying Nis plugin...
2015-12-31T03:29:35.859Z verified!
2015-12-31T03:29:35.906Z Initializing Nis plugin state...
2015-12-31T03:29:35.906Z Nis initialized!
2015-12-31T03:29:35.906Z Loading engine...
2015-12-31T03:29:36.203Z Verifying engine and signature files (source: 1) ...
2015-12-31T03:29:36.203Z verified!
2015-12-31T03:29:44.203Z Initializing SQM in engine...
2015-12-31T03:29:44.250Z SQM initialized in the engine successfully
2015-12-31T03:29:45.421Z CSignatureStatus: back to good
2015-12-31T03:29:45.437Z Initializing RTP plugin state...
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1144
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:5
  TotalStreamCon:1352
  TotalBitmap:113040
  NTFS Cache Statistics:
  TotalMisses:3440
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2015-12-31T03:29:45.437Z initialized!
2015-12-31T03:29:45.437Z loaded!
2015-12-31T03:29:45.578Z Verifying license file...
2015-12-31T03:29:45.578Z verified!
2015-12-31T03:29:45.593Z Product supports installmode: 0
2015-12-31T03:29:45.656Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.5.216.0
Service Version: 4.5.216.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1379.0
AV Signature Version: 1.213.1379.0
************************************************************
2015-12-31T13:58:15.187Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Begin Resource Scan
Scan ID:{71E8FE4D-1B95-4106-9EE5-9B149D9B7043}
Scan Source:7
Start Time:‎12‎-‎31‎-‎2015 14:58:48
End Time:‎12‎-‎31‎-‎2015 14:58:57
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

2015-12-31T13:59:02.694Z Process scan (poststartupscan) completed.
2015-12-31T13:59:41.165Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T13:59:41.226Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
2015-12-31T14:07:24.546Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 13058946(ms)
2015-12-31T14:07:24.560Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2015-12-31T14:07:24.561Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 40718304(ms)
2015-12-31T14:07:24.609Z Timer is triggered for missed daily auto purge tasks
2015-12-31T14:17:24.613Z AutoPurgeWorker triggered with dwWork=0x100003
2015-12-31T14:17:24.901Z Product supports installmode: 0
2015-12-31T14:17:30.323Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
2015-12-31T14:17:31.912Z Trace buffers written: 48, events lost: 0, buffers lost: 0, days: 0
2015-12-31T14:17:31.913Z Trusted image bitmap: 0x1
2015-12-31T14:17:31.913Z Trusted image OEM name: (not found)
2015-12-31T14:17:31.978Z Task(-UploadSQM -RestrictPrivileges) launched
2015-12-31T14:17:32.287Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 14414241(ms)
2015-12-31T14:17:32.290Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 39491359(ms)
2015-12-31T14:53:25.813Z Cache Resizing**********Cache stats************
No. Of buckets -> 12800
Each Bucket has max capacity of -> 1 entries
number of Entries is 12151
Number of invalid entries is 0
Number of inserts issued is 13650
Number of replaces issued is 0
Number of insert failures is 1
Number of inserts with duplicate entries is 11300
Number of lookups is 67046
Number of lookup misses is 3482
Number of fast lookup misses is 43372
Number of false fast lookups is 3482
Number of invalidations is 12
Number of maintenance invalidations is 0
Current File Size is 319488
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2015-12-31T14:57:47.436Z Cache Resizing**********Cache stats************
No. Of buckets -> 16000
Each Bucket has max capacity of -> 1 entries
number of Entries is 14721
Number of invalid entries is 0
Number of inserts issued is 29327
Number of replaces issued is 0
Number of insert failures is 2
Number of inserts with duplicate entries is 13870
Number of lookups is 73376
Number of lookup misses is 4592
Number of fast lookup misses is 48592
Number of false fast lookups is 4592
Number of invalidations is 12
Number of maintenance invalidations is 0
Current File Size is 397312
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2015-12-31T15:05:24.554Z Cache Resizing**********Cache stats************
No. Of buckets -> 20000
Each Bucket has max capacity of -> 1 entries
number of Entries is 19173
Number of invalid entries is 0
Number of inserts issued is 51124
Number of replaces issued is 0
Number of insert failures is 3
Number of inserts with duplicate entries is 18322
Number of lookups is 82282
Number of lookup misses is 6198
Number of fast lookup misses is 55892
Number of false fast lookups is 6198
Number of invalidations is 12
Number of maintenance invalidations is 0
Current File Size is 495616
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Log
Stopped On ‎12‎-‎31‎-‎2015 16:32:37 (Exit Code = 0x0)
************************************************************
2015-12-31T15:32:37.644Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
2015-12-31T15:32:37.707Z IWscASStatus::UpdateStatus() succceeded writing instance with state (0) and up-to-date state(1)
****************************RTP Perf Log***************************
RTP Start:‎12‎-‎31‎-‎2015 04:29:45
Last Perf:‎12‎-‎31‎-‎2015 04:29:45
First RTP Scan:‎12‎-‎31‎-‎2015 04:29:45
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:1
System File Cache:
  Hits:3391
  Misses:3180
BM Queue:1,127,0
  Proc:0,126,0
  File:1,72,0
Plugin Queue:0,1,0
  Threat:0,1,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,3,0
  SetEngine:1,1,0
  SetState:0,1,0
  SetUser:0,0,0
  Config:0,1,0
  ProcExcl:0,1,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:7961
  Pending:0
  RegSize:60200
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1964626
  AsyncQCurrent:0
  BMFlags:3
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:7
  TotalStreamCon:10246
  TotalBitmap:113040
  NTFS Cache Statistics:
  TotalMisses:125555
  TotalHits:21664
  InstanceCacheHits:902
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

****************************RTP Perf Log***************************
RTP Start:‎12‎-‎31‎-‎2015 16:32:38
Last Perf:‎12‎-‎31‎-‎2015 16:32:37
First RTP Scan:N/A
Plugin States:  AV:1  AS:1  RTP:1  OA:1  BM:1
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:1
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:0,1,0
  SetEngine:0,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:7961
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1964626
  AsyncQCurrent:0
  BMFlags:0
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:7
  TotalStreamCon:10193
  TotalBitmap:113040
  NTFS Cache Statistics:
  TotalMisses:125557
  TotalHits:21664
  InstanceCacheHits:902
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-01-2016 14:47:09
************************************************************
2016-01-01T13:47:09.640Z Trace session started - MpWppTracing-01012016-144709-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25000
Each Bucket has max capacity of -> 1 entries
number of Entries is 22188
Number of invalid entries is 0
Number of inserts issued is 74092
Number of replaces issued is 0
Number of insert failures is 3
Number of inserts with duplicate entries is 21326
Number of lookups is 91493
Number of lookup misses is 7251
Number of fast lookup misses is 62417
Number of false fast lookups is 7251
Number of invalidations is 12
Number of maintenance invalidations is 0
Current File Size is 618496
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-01T13:47:09.953Z Verifying RTP plugin...
2016-01-01T13:47:09.953Z verified!
2016-01-01T13:47:10.140Z Verifying Nis plugin...
2016-01-01T13:47:10.156Z verified!
2016-01-01T13:47:10.203Z Initializing Nis plugin state...
2016-01-01T13:47:10.203Z Nis initialized!
2016-01-01T13:47:10.203Z Loading engine...
2016-01-01T13:47:10.375Z Verifying engine and signature files (source: 1) ...
2016-01-01T13:47:10.375Z verified!
2016-01-01T13:47:43.437Z Dynamic signature dropped
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\75712b95e219bf0eee0e63b448e1f0e21a2fc86d
Dynamic Signature Compilation Timestamp:12-31-2015 19:57:15
Persistence Type:Duration
Time remaining:216000000
2016-01-01T13:47:43.514Z Initializing MPUT in engine...
2016-01-01T13:47:43.514Z MPUT initialized in the engine successfully
2016-01-01T13:47:43.745Z CSignatureStatus: back to good
2016-01-01T13:47:43.746Z Initializing RTP plugin state...
2016-01-01T13:47:43.747Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:(null)
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:5
  TotalStreamCon:2044
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:7858
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-01T13:47:43.747Z initialized!
2016-01-01T13:47:43.748Z loaded!
2016-01-01T13:47:43.810Z Verifying license file...
2016-01-01T13:47:43.811Z verified!
2016-01-01T13:47:43.811Z Product supports installmode: 0
2016-01-01T13:47:43.908Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1379.0
AV Signature Version: 1.213.1379.0
************************************************************
2016-01-01T13:48:10.090Z Task(GetDeviceTicket -AccessKey 30DA7AB1-B716-AA91-A49C-51A3B0874BF1 ) launched as network service
2016-01-01T13:48:10.417Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2016-01-01T13:48:32.796Z Task(GetDeviceTicket -AccessKey 60C08B9B-2271-7C2C-7CCA-F8734B3BF582 ) launched as network service
2016-01-01T13:48:34.046Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\f550f9591700a75746eaae2cb1cc70164d801cb6
Dynamic Signature Compilation Timestamp:01-01-2016 14:48:33
Persistence Type:Duration
Time remaining:216000000
2016-01-01T13:48:34.321Z Process scan (poststartupscan) completed.
2016-01-01T13:48:50.459Z [Mini-filter] Restricted access to process 4184 from pid: 1812. Original desired access: 0x1fffff.
2016-01-01T13:48:50.459Z [Mini-filter] Restricted access to process 4184 from pid: 1812. Original desired access: 0x1fffff.
2016-01-01T13:49:22.555Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-01T13:49:22.594Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-01T13:57:26.304Z [Mini-filter] Restricted access to engine process from pid: 1156. Original desired access: 0x1fffff.
2016-01-01T13:57:26.511Z [Mini-filter] Restricted access to engine process from pid: 1156. Original desired access: 0x1fffff.
2016-01-01T13:57:30.175Z [Mini-filter] Restricted access to engine process from pid: 1156. Original desired access: 0x1fffff.
2016-01-01T13:57:30.338Z [Mini-filter] Restricted access to engine process from pid: 1156. Original desired access: 0x1fffff.
2016-01-01T13:57:31.261Z [Mini-filter] Restricted access to process 4184 from pid: 1156. Original desired access: 0x1fffff.
2016-01-01T13:57:43.856Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 14956074(ms)
2016-01-01T13:57:43.859Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-01T13:57:43.860Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 40485089(ms)
2016-01-01T13:57:43.908Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-01T13:57:43.909Z Product supports installmode: 0
2016-01-01T13:57:53.021Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-01-2016 22:21:24
************************************************************
2016-01-01T21:21:24.781Z Trace session started - MpWppTracing-01012016-222124-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25000
Each Bucket has max capacity of -> 1 entries
number of Entries is 22220
Number of invalid entries is 0
Number of inserts issued is 74153
Number of replaces issued is 0
Number of insert failures is 3
Number of inserts with duplicate entries is 21329
Number of lookups is 104684
Number of lookup misses is 8333
Number of fast lookup misses is 68572
Number of false fast lookups is 8333
Number of invalidations is 29
Number of maintenance invalidations is 0
Current File Size is 618496
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-01T21:21:25.234Z Verifying RTP plugin...
2016-01-01T21:21:25.234Z verified!
2016-01-01T21:21:25.468Z Verifying Nis plugin...
2016-01-01T21:21:25.484Z verified!
2016-01-01T21:21:25.484Z Initializing Nis plugin state...
2016-01-01T21:21:25.484Z Nis initialized!
2016-01-01T21:21:25.484Z Loading engine...
2016-01-01T21:21:25.593Z Verifying engine and signature files (source: 1) ...
2016-01-01T21:21:25.593Z verified!
2016-01-01T21:21:34.606Z Dynamic signature dropped
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\f550f9591700a75746eaae2cb1cc70164d801cb6
Dynamic Signature Compilation Timestamp:01-01-2016 14:48:33
Persistence Type:Duration
Time remaining:216000000
2016-01-01T21:21:34.684Z Initializing MPUT in engine...
2016-01-01T21:21:34.684Z MPUT initialized in the engine successfully
2016-01-01T21:21:35.356Z CSignatureStatus: back to good
2016-01-01T21:21:35.356Z Initializing RTP plugin state...
2016-01-01T21:21:35.356Z initialized!
2016-01-01T21:21:35.356Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:(null)
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:5
  TotalStreamCon:1160
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:3219
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-01T21:21:35.356Z loaded!
2016-01-01T21:21:35.512Z Verifying license file...
2016-01-01T21:21:35.512Z verified!
2016-01-01T21:21:35.512Z Product supports installmode: 0
2016-01-01T21:21:35.528Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1529.0
AV Signature Version: 1.213.1529.0
************************************************************
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Begin Resource Scan
Scan ID:{183EA626-3D94-4C03-8AEE-D6FABB028F81}
Scan Source:7
Start Time:01-01-2016 22:21:49
End Time:01-01-2016 22:21:49
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{689A3CF9-EF1B-49B4-B6C2-9F27D82EA294}
Scan Source:7
Start Time:01-01-2016 22:22:07
End Time:01-01-2016 22:22:19
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Result Count:1
Unknown File
Identifier:6723857877691269118
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Extended Info:5863886377321
End Scan
************************************************************

2016-01-01T21:22:19.713Z Task(GetDeviceTicket -AccessKey D11A13A3-1464-54BE-B75C-0AE121A07853 ) launched as network service
2016-01-01T21:22:25.353Z Task(GetDeviceTicket -AccessKey 075A53CD-233C-8F42-3E73-38283F575333 ) launched as network service
2016-01-01T21:22:25.413Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2016-01-01T21:22:46.756Z Task(GetDeviceTicket -AccessKey DF7FC241-BAFA-42B0-6726-9BBE1A7B1045 ) launched as network service
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\e263c1cb17211e7bb30d43385f53db4389cb4ef8
Dynamic Signature Compilation Timestamp:01-01-2016 22:22:48
Persistence Type:Duration
Time remaining:216000000
2016-01-01T21:22:48.013Z Dynamic signature received
2016-01-01T21:22:48.405Z Process scan (poststartupscan) completed.
2016-01-01T21:23:05.151Z [Mini-filter] Restricted access to process 2820 from pid: 1828. Original desired access: 0x1fffff.
2016-01-01T21:23:05.152Z [Mini-filter] Restricted access to process 2820 from pid: 1828. Original desired access: 0x1fffff.
2016-01-01T21:23:54.027Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-01T21:23:54.046Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-01T21:27:13.548Z [Mini-filter] Restricted access to engine process from pid: 1152. Original desired access: 0x1fffff.
2016-01-01T21:27:13.698Z [Mini-filter] Restricted access to process 2820 from pid: 1152. Original desired access: 0x1fffff.
2016-01-01T21:27:18.090Z [Mini-filter] Restricted access to engine process from pid: 1152. Original desired access: 0x1fffff.
2016-01-01T21:27:18.103Z [Mini-filter] Restricted access to process 2820 from pid: 1152. Original desired access: 0x1fffff.
2016-01-01T21:31:35.512Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 72534355(ms)
2016-01-01T21:31:35.515Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-01T21:31:35.516Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 12193720(ms)
2016-01-01T21:31:35.528Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-01T21:31:35.528Z Product supports installmode: 0
2016-01-01T21:31:42.641Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-02-2016 23:22:58
************************************************************
2016-01-02T22:22:58.453Z Trace session started - MpWppTracing-01022016-232258-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25000
Each Bucket has max capacity of -> 1 entries
number of Entries is 22221
Number of invalid entries is 0
Number of inserts issued is 74156
Number of replaces issued is 0
Number of insert failures is 3
Number of inserts with duplicate entries is 21329
Number of lookups is 118052
Number of lookup misses is 9673
Number of fast lookup misses is 76088
Number of false fast lookups is 9673
Number of invalidations is 31
Number of maintenance invalidations is 0
Current File Size is 618496
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-02T22:22:58.515Z Verifying RTP plugin...
2016-01-02T22:22:58.531Z verified!
2016-01-02T22:22:58.562Z Verifying Nis plugin...
2016-01-02T22:22:58.562Z verified!
2016-01-02T22:22:58.578Z Initializing Nis plugin state...
2016-01-02T22:22:58.578Z Nis initialized!
2016-01-02T22:22:58.578Z Loading engine...
2016-01-02T22:22:58.625Z Verifying engine and signature files (source: 1) ...
2016-01-02T22:22:58.625Z verified!
2016-01-02T22:23:04.818Z Dynamic signature dropped
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\69fe6ba3bb1625cacd52c04762aee0d67c8ea6d1
Dynamic Signature Compilation Timestamp:01-02-2016 13:03:21
Persistence Type:Duration
Time remaining:216000000
2016-01-02T22:23:04.919Z Initializing MPUT in engine...
2016-01-02T22:23:04.919Z MPUT initialized in the engine successfully
2016-01-02T22:23:05.099Z CSignatureStatus: back to good
2016-01-02T22:23:05.099Z Initializing RTP plugin state...
2016-01-02T22:23:05.099Z initialized!
2016-01-02T22:23:05.099Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:(null)
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:2,2,0
  SetEngine:1,1,0
  SetState:1,1,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:958
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:2685
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-02T22:23:05.099Z loaded!
2016-01-02T22:23:05.146Z Verifying license file...
2016-01-02T22:23:05.154Z verified!
2016-01-02T22:23:05.154Z Product supports installmode: 0
2016-01-02T22:23:05.169Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1529.0
AV Signature Version: 1.213.1529.0
************************************************************
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Begin Resource Scan
Scan ID:{E7B59B03-CAE3-433A-96A8-56A34E3E9389}
Scan Source:7
Start Time:01-02-2016 23:23:26
End Time:01-02-2016 23:23:26
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{6660D123-21F4-4F91-A068-00B38A50A5B6}
Scan Source:7
Start Time:01-02-2016 23:23:42
End Time:01-02-2016 23:23:54
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Result Count:1
Unknown File
Identifier:6723857877691269118
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Extended Info:5863886377321
End Scan
************************************************************

2016-01-02T22:23:54.757Z Task(GetDeviceTicket -AccessKey C106FC41-9D3D-4049-DECC-5B4DBEB809B0 ) launched as network service
2016-01-02T22:23:58.623Z Task(GetDeviceTicket -AccessKey 9BB7B301-7BE8-A5D9-5823-56CC16542DB5 ) launched as network service
2016-01-02T22:23:58.983Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2016-01-02T22:24:39.815Z Task(GetDeviceTicket -AccessKey 6F40E7B6-FDBF-F23C-810A-2A62604C7C78 ) launched as network service
2016-01-02T22:24:40.591Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\339d9954d05f16f58eb5675020a24927ba512aa9
Dynamic Signature Compilation Timestamp:01-02-2016 23:24:41
Persistence Type:Duration
Time remaining:216000000
2016-01-02T22:24:40.965Z Process scan (poststartupscan) completed.
2016-01-02T22:24:47.127Z [Mini-filter] Restricted access to process 2688 from pid: 1796. Original desired access: 0x1fffff.
2016-01-02T22:24:47.127Z [Mini-filter] Restricted access to process 2688 from pid: 1796. Original desired access: 0x1fffff.
2016-01-02T22:25:20.183Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-02T22:25:20.204Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-02T22:33:05.155Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 69306649(ms)
2016-01-02T22:33:05.158Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-02T22:33:05.159Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 7644882(ms)
2016-01-02T22:33:05.169Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-02T22:33:05.169Z Product supports installmode: 0
2016-01-02T22:33:12.089Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-03-2016 20:27:57
************************************************************
2016-01-03T19:27:57.187Z Trace session started - MpWppTracing-01032016-202757-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 25000
Each Bucket has max capacity of -> 1 entries
number of Entries is 22230
Number of invalid entries is 0
Number of inserts issued is 74178
Number of replaces issued is 0
Number of insert failures is 3
Number of inserts with duplicate entries is 21332
Number of lookups is 126135
Number of lookup misses is 10381
Number of fast lookup misses is 80145
Number of false fast lookups is 10381
Number of invalidations is 41
Number of maintenance invalidations is 0
Current File Size is 618496
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-03T19:27:57.296Z Verifying RTP plugin...
2016-01-03T19:27:57.312Z verified!
2016-01-03T19:27:57.343Z Verifying Nis plugin...
2016-01-03T19:27:57.343Z verified!
2016-01-03T19:27:57.375Z Initializing Nis plugin state...
2016-01-03T19:27:57.375Z Nis initialized!
2016-01-03T19:27:57.375Z Loading engine...
2016-01-03T19:27:57.500Z Verifying engine and signature files (source: 1) ...
2016-01-03T19:27:57.515Z verified!
2016-01-03T19:28:05.472Z Dynamic signature dropped
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\339d9954d05f16f58eb5675020a24927ba512aa9
Dynamic Signature Compilation Timestamp:01-02-2016 23:24:41
Persistence Type:Duration
Time remaining:216000000
2016-01-03T19:28:05.566Z Initializing MPUT in engine...
2016-01-03T19:28:05.582Z MPUT initialized in the engine successfully
2016-01-03T19:28:05.847Z CSignatureStatus: back to good
2016-01-03T19:28:05.847Z Initializing RTP plugin state...
2016-01-03T19:28:05.847Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:927
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:2636
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-03T19:28:05.847Z initialized!
2016-01-03T19:28:05.847Z loaded!
2016-01-03T19:28:05.878Z Verifying license file...
2016-01-03T19:28:05.878Z verified!
2016-01-03T19:28:05.878Z Product supports installmode: 0
2016-01-03T19:28:05.878Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1618.0
AV Signature Version: 1.213.1618.0
************************************************************
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Begin Resource Scan
Scan ID:{0490B158-6AF2-4879-AB30-4FEF23DF272C}
Scan Source:7
Start Time:01-03-2016 20:28:28
End Time:01-03-2016 20:28:28
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
2016-01-03T19:28:58.337Z Task(GetDeviceTicket -AccessKey 3B04B1B6-7B9E-E212-4D7A-08CC0D867434 ) launched as network service
2016-01-03T19:28:58.705Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{92B85ECA-3CB1-484F-936D-617C169EEBD4}
Scan Source:7
Start Time:01-03-2016 20:28:51
End Time:01-03-2016 20:29:10
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Result Count:1
Unknown File
Identifier:6723857877691269118
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Extended Info:5863886377321
End Scan
************************************************************

2016-01-03T19:29:23.313Z Task(GetDeviceTicket -AccessKey 256D63D6-14B7-BCC6-60CA-453AF73B5483 ) launched as network service
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2016-01-03T19:29:48.062Z [Mini-filter] Restricted access to process 2248 from pid: 1804. Original desired access: 0x1fffff.
2016-01-03T19:29:48.062Z [Mini-filter] Restricted access to process 2248 from pid: 1804. Original desired access: 0x1fffff.
2016-01-03T19:30:10.616Z Task(GetDeviceTicket -AccessKey CFA6A359-0C57-FB12-5508-777871812C19 ) launched as network service
2016-01-03T19:30:11.541Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\d7e4d615581d3b9d5609d58777be7a6a247ecd0a
Dynamic Signature Compilation Timestamp:01-03-2016 20:30:11
Persistence Type:Duration
Time remaining:216000000
2016-01-03T19:30:11.812Z Process scan (poststartupscan) completed.
2016-01-03T19:30:16.099Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-03T19:30:16.118Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-03T19:35:20.623Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T19:35:24.231Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T19:35:40.415Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T19:38:05.877Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-03T19:38:05.878Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 79434020(ms)
2016-01-03T19:38:05.880Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-03T19:38:05.895Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 18127289(ms)
2016-01-03T19:38:05.999Z Product supports installmode: 0
2016-01-03T19:38:12.520Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
2016-01-03T19:38:16.278Z Trace buffers written: 39, events lost: 0, buffers lost: 0, days: 0
2016-01-03T19:38:16.278Z Trusted image bitmap: 0x1
2016-01-03T19:38:16.279Z Trusted image OEM name: (not found)
2016-01-03T19:38:16.301Z MOAC capability telemetry: 3,2,CNTFS3DNTFS3ENTFS3F0x155GNTFS3. hr = 0x0
2016-01-03T19:38:16.330Z Task(-UploadSQM -RestrictPrivileges) launched
2016-01-03T19:38:16.523Z [Mini-filter] Restricted access to process 5756 from pid: 2492. Original desired access: 0x1fffff.
2016-01-03T19:38:50.735Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T19:43:39.845Z [Mini-filter] Restricted access to engine process from pid: 1940. Original desired access: 0x1411.
2016-01-03T19:43:39.856Z [Mini-filter] Restricted access to process 2248 from pid: 1940. Original desired access: 0x1411.
2016-01-03T19:45:58.161Z [Mini-filter] Restricted access to engine process from pid: 1940. Original desired access: 0x1fffff.
2016-01-03T19:45:58.243Z [Mini-filter] Restricted access to process 2248 from pid: 1940. Original desired access: 0x1fffff.
2016-01-03T20:19:25.748Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T20:22:22.376Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T20:22:29.132Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T20:57:35.546Z [Mini-filter] Restricted access to engine process from pid: 1940. Original desired access: 0x1411.
2016-01-03T20:57:35.565Z [Mini-filter] Restricted access to process 2248 from pid: 1940. Original desired access: 0x1411.
2016-01-03T21:00:46.257Z [Mini-filter] Restricted access to engine process from pid: 1940. Original desired access: 0x1fffff.
2016-01-03T21:00:46.355Z [Mini-filter] Restricted access to process 2248 from pid: 1940. Original desired access: 0x1fffff.
2016-01-03T21:03:56.676Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T21:03:56.804Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T21:04:02.120Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T21:04:02.121Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T21:04:05.414Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T21:07:11.700Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\ProgramData\Creative\MediaSource U\AddOnPack.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\ProgramData\Creative\MediaSource U\AddOnPack.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\ProgramData\Creative\MediaSource U\AddOnPack.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\ProgramData\Creative\MediaSource U\AddOnPack.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\ProgramData\Creative\MediaSource U\AddOnPack.exe"
Begin Resource Scan
Scan ID:{2A69BC19-3A46-4A3B-955A-7AB86F5A6CA7}
Scan Source:7
Start Time:01-03-2016 22:09:41
End Time:01-03-2016 22:10:45
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\ProgramData\Creative\MediaSource U\AddOnPack.exe
Result Count:1
Unknown File
Identifier:15559123462655049726
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\ProgramData\Creative\MediaSource U\AddOnPack.exe
Extended Info:65519410711387
End Scan
************************************************************

2016-01-03T21:10:46.530Z Task(GetDeviceTicket -AccessKey AC95A143-EC49-F8F9-5E4D-193195E9F034 ) launched as network service
Begin Resource Scan
Scan ID:{1345F8C9-6D83-4E24-93E7-A36176DE74BC}
Scan Source:3
Start Time:01-03-2016 22:11:37
End Time:01-03-2016 22:12:06
Explicit resource to scan
Resource Schema:file
Resource Path:C:\ProgramData\molecule-9\molecule-5.exe
Result Count:1
Threat Name:TrojanDownloader:Win32/Nymaim.I
ID:2147708375
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:C:\ProgramData\molecule-9\molecule-5.exe
Extended Info:252306585499706
End Scan
************************************************************

2016-01-03T21:12:06.837Z DETECTIONEVENT TrojanDownloader:Win32/Nymaim.I file:C:\ProgramData\molecule-9\molecule-5.exe;
2016-01-03T21:12:06.881Z DETECTION_ADD TrojanDownloader:Win32/Nymaim.I file:C:\ProgramData\molecule-9\molecule-5.exe
2016-01-03T21:19:26.608Z Cache Resizing**********Cache stats************
No. Of buckets -> 25000
Each Bucket has max capacity of -> 1 entries
number of Entries is 24167
Number of invalid entries is 0
Number of inserts issued is 79192
Number of replaces issued is 0
Number of insert failures is 4
Number of inserts with duplicate entries is 21332
Number of lookups is 180920
Number of lookup misses is 19117
Number of fast lookup misses is 123750
Number of false fast lookups is 19117
Number of invalidations is 48
Number of maintenance invalidations is 0
Current File Size is 618496
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\ALchemy\dsound.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\ALchemy\ALchemy.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe"
Begin Resource Scan
Scan ID:{0F0FCC9A-CCE6-4433-AAB8-6BA20208DF3E}
Scan Source:7
Start Time:01-03-2016 22:25:52
End Time:01-03-2016 22:26:06
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\ALchemy\ALchemy.exe
Result Count:1
Unknown File
Identifier:3058306356609023998
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\ALchemy\ALchemy.exe
Extended Info:65519410711387
End Scan
************************************************************

2016-01-03T21:26:07.317Z Task(GetDeviceTicket -AccessKey 18E62776-C241-FC75-F9BC-C40701D51478 ) launched as network service
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\Creative\SB X-Fi MB\Console Launcher\CTAudMon.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe"
Begin Resource Scan
Scan ID:{EE56D8A6-5F97-4DF3-B84C-371E7ACEE485}
Scan Source:7
Start Time:01-03-2016 22:26:23
End Time:01-03-2016 22:27:19
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe
Result Count:2
Unknown File
Identifier:9476335291930247166
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\SB X-Fi MB\Console Launcher\ConsoLCu.exe
Extended Info:65519410711387
Unknown File
Identifier:11827572875647254526
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Creative\SB X-Fi MB\AudioCS\CTAudCS.exe
Extended Info:65519410711387
End Scan
************************************************************

2016-01-03T21:27:20.370Z Task(GetDeviceTicket -AccessKey C985B550-4ADC-E735-AE09-C382AF9876B0 ) launched as network service
Internal signature match:subtype=Lowfi, sigseq=0x800022783EA9DC83, signame=!#Datechk, cached=false, resource="\Device\HarddiskVolume1\Windows\SoftwareDistribution\Download\50c3ba3b5a597cdd29f9d4e053e3c23fc1522acb"
Begin Resource Scan
Scan ID:{6E86FDB7-0C6B-4925-AB78-D35293158180}
Scan Source:7
Start Time:01-03-2016 22:38:26
End Time:01-03-2016 22:38:33
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Windows\SoftwareDistribution\Download\50c3ba3b5a597cdd29f9d4e053e3c23fc1522acb
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Windows\SoftwareDistribution\Download\50c3ba3b5a597cdd29f9d4e053e3c23fc1522acb
Extended Info:481036337152
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Windows\System32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\System32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\System32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\System32\Sens_oal.dll"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Windows\System32\Sens_oal.dll"
Begin Resource Scan
Scan ID:{C066BF39-99CB-4F8D-93F6-F68F2D68450D}
Scan Source:7
Start Time:01-03-2016 22:39:46
End Time:01-03-2016 22:41:34
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Windows\System32\Sens_oal.dll
Result Count:1
Unknown File
Identifier:18103529816144740350
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Windows\System32\Sens_oal.dll
Extended Info:65519410711387
End Scan
************************************************************

2016-01-03T21:41:41.902Z Task(GetDeviceTicket -AccessKey 00CAC880-01E7-AF8F-0692-73FE88799292 ) launched as network service
Internal signature match:subtype=Lowfi, sigseq=0x80004D8FDD5A2B9B, signame=!#HSTR:MacroDownloader, cached=false, resource="\Device\HarddiskVolume2\Programme\Microsoft Office\Templates\1031\Batch Conversion Wizard.Wiz"
Internal signature match:subtype=Lowfi, sigseq=0x80004D8FDD5A2B9B, signame=!#HSTR:MacroDownloader, cached=false, resource="\\?\D:\Programme\Microsoft Office\Templates\1031\Batch Conversion Wizard.Wiz"
Begin Resource Scan
Scan ID:{133B22F6-597A-476F-92CA-FA895BC8350A}
Scan Source:7
Start Time:01-03-2016 23:11:39
End Time:01-03-2016 23:11:44
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:D:\Programme\Microsoft Office\Templates\1031\Batch Conversion Wizard.Wiz
Result Count:1
Unknown File
Identifier:4902323854745010174
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:D:\Programme\Microsoft Office\Templates\1031\Batch Conversion Wizard.Wiz
Extended Info:9223457317144112027
End Scan
************************************************************

2016-01-03T22:11:50.699Z Task(GetDeviceTicket -AccessKey 18C535BE-5575-52B0-CF24-B1C24ECC7316 ) launched as network service
2016-01-03T22:35:26.386Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-03T22:37:25.978Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
Internal signature match:subtype=Lowfi, sigseq=0x80004D8FDD5A2B9B, signame=!#HSTR:MacroDownloader, cached=true, resource="\Device\HarddiskVolume3\Daten\Schuldaten alt PC\DATEN\PROGRAMME\MICROSOFT_OFFICE\TEMPLATES\1031\BATCH_CONVERSION_WIZARD.WIZ"
2016-01-04T00:19:24.617Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:13.440Z Timer is triggered for lost scheduled jobs
2016-01-04T01:05:13.440Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 84899744(ms)
2016-01-04T01:05:36.036Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:42.992Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:43.521Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:45.368Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:46.877Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:46.969Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:05:46.973Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:06:00.475Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:06:00.491Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:06:22.409Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:06:35.159Z [Mini-filter] Restricted access to engine process from pid: 1148. Original desired access: 0x1fffff.
2016-01-04T01:06:35.166Z [Mini-filter] Restricted access to process 2248 from pid: 1148. Original desired access: 0x1fffff.
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-06-2016 00:50:22
************************************************************
2016-01-05T23:50:22.953Z Trace session started - MpWppTracing-01062016-005022-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 31250
Each Bucket has max capacity of -> 1 entries
number of Entries is 27824
Number of invalid entries is 0
Number of inserts issued is 108135
Number of replaces issued is 0
Number of insert failures is 4
Number of inserts with duplicate entries is 21332
Number of lookups is 344384
Number of lookup misses is 40965
Number of fast lookup misses is 238936
Number of false fast lookups is 40965
Number of invalidations is 53
Number of maintenance invalidations is 0
Current File Size is 774144
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-05T23:50:23.062Z Verifying RTP plugin...
2016-01-05T23:50:23.062Z verified!
2016-01-05T23:50:23.109Z Verifying Nis plugin...
2016-01-05T23:50:23.109Z verified!
2016-01-05T23:50:23.125Z Initializing Nis plugin state...
2016-01-05T23:50:23.125Z Nis initialized!
2016-01-05T23:50:23.125Z Loading engine...
2016-01-05T23:50:23.218Z Verifying engine and signature files (source: 1) ...
2016-01-05T23:50:23.218Z verified!
2016-01-05T23:50:29.083Z Dynamic signature dropped
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\24b41a112605f8d887cdf9b58e899332f72526f9
Dynamic Signature Compilation Timestamp:01-04-2016 23:54:19
Persistence Type:Duration
Time remaining:216000000
2016-01-05T23:50:29.129Z Initializing MPUT in engine...
2016-01-05T23:50:29.129Z MPUT initialized in the engine successfully
2016-01-05T23:50:29.453Z CSignatureStatus: back to good
2016-01-05T23:50:29.458Z Initializing RTP plugin state...
2016-01-05T23:50:29.458Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:4
  TotalStreamCon:883
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:2516
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-05T23:50:29.460Z initialized!
2016-01-05T23:50:29.469Z loaded!
2016-01-05T23:50:29.765Z Verifying license file...
2016-01-05T23:50:29.772Z verified!
2016-01-05T23:50:29.772Z Product supports installmode: 0
2016-01-05T23:50:29.807Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1618.0
AV Signature Version: 1.213.1618.0
************************************************************
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Begin Resource Scan
Scan ID:{575B2647-CB71-47A3-93E0-E6EA07F570EE}
Scan Source:7
Start Time:01-06-2016 00:50:44
End Time:01-06-2016 00:50:44
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\\?\C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{46E3C3B5-E1E1-41CC-B8FD-5FF2FC8A4E7C}
Scan Source:7
Start Time:01-06-2016 00:51:11
End Time:01-06-2016 00:51:19
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Result Count:1
Unknown File
Identifier:6723857877691269118
Number of Resources:1
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll
Extended Info:5863886377321
End Scan
************************************************************

2016-01-05T23:51:19.969Z Task(GetDeviceTicket -AccessKey E98D5DDA-27D7-6140-3D46-D8234DE487A5 ) launched as network service
2016-01-05T23:51:23.178Z Task(GetDeviceTicket -AccessKey ABAAC391-6C4F-A880-2D36-09F55C51C305 ) launched as network service
2016-01-05T23:51:23.255Z Process scan (poststartupscan) started.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\\?\C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
2016-01-05T23:51:41.889Z Task(GetDeviceTicket -AccessKey 8557344F-C841-8982-BE99-426A6D4E8678 ) launched as network service
2016-01-05T23:51:42.634Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\cfd9c510a6e7cfabccb95fa29bc70dbeff8097b3
Dynamic Signature Compilation Timestamp:01-06-2016 00:51:44
Persistence Type:Duration
Time remaining:216000000
2016-01-05T23:51:42.957Z Process scan (poststartupscan) completed.
2016-01-05T23:52:07.119Z [Mini-filter] Restricted access to process 2168 from pid: 1844. Original desired access: 0x1fffff.
2016-01-05T23:52:07.120Z [Mini-filter] Restricted access to process 2168 from pid: 1844. Original desired access: 0x1fffff.
2016-01-05T23:52:42.630Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-05T23:52:42.649Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-06T00:00:29.791Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 65613747(ms)
2016-01-06T00:00:29.794Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-06T00:00:29.807Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-06T00:00:29.821Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 3060078(ms)
2016-01-06T00:00:30.148Z Product supports installmode: 0
2016-01-06T00:01:04.797Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-06-2016 17:43:47
************************************************************
2016-01-06T16:43:47.781Z Trace session started - MpWppTracing-01062016-174347-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 31250
Each Bucket has max capacity of -> 1 entries
number of Entries is 27830
Number of invalid entries is 0
Number of inserts issued is 108179
Number of replaces issued is 0
Number of insert failures is 4
Number of inserts with duplicate entries is 21335
Number of lookups is 354128
Number of lookup misses is 42115
Number of fast lookup misses is 243724
Number of false fast lookups is 42115
Number of invalidations is 85
Number of maintenance invalidations is 0
Current File Size is 774144
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-06T16:43:47.875Z Verifying RTP plugin...
2016-01-06T16:43:47.875Z verified!
2016-01-06T16:43:47.921Z Verifying Nis plugin...
2016-01-06T16:43:47.921Z verified!
2016-01-06T16:43:47.937Z Initializing Nis plugin state...
2016-01-06T16:43:47.937Z Nis initialized!
2016-01-06T16:43:47.937Z Loading engine...
2016-01-06T16:43:48.187Z Verifying engine and signature files (source: 1) ...
2016-01-06T16:43:48.187Z verified!
Dynamic Signature has been dropped
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\cfd9c510a6e7cfabccb95fa29bc70dbeff8097b3
Dynamic Signature Compilation Timestamp:01-06-2016 00:51:44
Persistence Type:Duration
Time remaining:216000000
2016-01-06T16:43:57.221Z Dynamic signature dropped
2016-01-06T16:43:57.237Z Initializing MPUT in engine...
2016-01-06T16:43:57.252Z MPUT initialized in the engine successfully
2016-01-06T16:43:57.502Z CSignatureStatus: back to good
2016-01-06T16:43:57.502Z Initializing RTP plugin state...
2016-01-06T16:43:57.502Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:(null)
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:1,1,0
  SetEngine:1,1,0
  SetState:0,0,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:5
  TotalStreamCon:972
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:2701
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-06T16:43:57.502Z initialized!
2016-01-06T16:43:57.518Z loaded!
2016-01-06T16:43:57.549Z Verifying license file...
2016-01-06T16:43:57.549Z verified!
2016-01-06T16:43:57.549Z Product supports installmode: 0
2016-01-06T16:43:57.549Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1872.0
AV Signature Version: 1.213.1872.0
************************************************************
2016-01-06T16:44:48.096Z Task(GetDeviceTicket -AccessKey 0D49B277-C2DA-33B9-47CA-3B3F1D424E7A ) launched as network service
2016-01-06T16:44:48.174Z Process scan (poststartupscan) started.
2016-01-06T16:44:54.377Z Process scan (poststartupscan) completed.
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=false, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Internal signature match:subtype=Lowfi, sigseq=0x000005554ADD5169, signame=#LowFi:Win32/Generic!SigAttrIdsFastRank, cached=true, resource="\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\instrumental_services.dll"
Begin Resource Scan
Scan ID:{774006BF-39BC-42E4-B234-F2F04D1331FB}
Scan Source:7
Start Time:01-06-2016 17:45:35
End Time:01-06-2016 17:45:55
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

2016-01-06T16:46:22.535Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-06T16:46:22.582Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-06T16:46:59.097Z [Mini-filter] Restricted access to process 2284 from pid: 1840. Original desired access: 0x1fffff.
2016-01-06T16:46:59.098Z [Mini-filter] Restricted access to process 2284 from pid: 1840. Original desired access: 0x1fffff.
2016-01-06T16:46:59.108Z [Mini-filter] Restricted access to engine process from pid: 1840. Original desired access: 0x1fffff.
2016-01-06T16:46:59.108Z [Mini-filter] Restricted access to engine process from pid: 1840. Original desired access: 0x1fffff.
2016-01-06T16:49:36.708Z [Mini-filter] Restricted access to engine process from pid: 1176. Original desired access: 0x1fffff.
2016-01-06T16:49:36.754Z [Mini-filter] Restricted access to process 2284 from pid: 1176. Original desired access: 0x1fffff.
2016-01-06T16:49:41.129Z [Mini-filter] Restricted access to engine process from pid: 1176. Original desired access: 0x1fffff.
2016-01-06T16:49:41.135Z [Mini-filter] Restricted access to process 2284 from pid: 1176. Original desired access: 0x1fffff.
2016-01-06T16:53:57.550Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 5145294(ms)
2016-01-06T16:53:57.553Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-06T16:53:57.554Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 30121750(ms)
2016-01-06T16:53:57.554Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-06T16:53:57.555Z Product supports installmode: 0
2016-01-06T16:54:14.797Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
--------------------------------------------------------------------------------
Microsoft Security Essentials (EDB4FA23-53B8-4AFA-8C5D-99752CCA7094) Service Log
Started On 01-06-2016 18:51:03
************************************************************
2016-01-06T17:51:03.859Z Trace session started - MpWppTracing-01062016-185103-00000003-ffffffff.bin**********Cache stats************
No. Of buckets -> 31250
Each Bucket has max capacity of -> 1 entries
number of Entries is 27829
Number of invalid entries is 0
Number of inserts issued is 108187
Number of replaces issued is 0
Number of insert failures is 4
Number of inserts with duplicate entries is 21335
Number of lookups is 364410
Number of lookup misses is 43489
Number of fast lookup misses is 250261
Number of false fast lookups is 43489
Number of invalidations is 94
Number of maintenance invalidations is 0
Current File Size is 774144
Journal ID = 1cf6016361880da
Trusted image state = 1 USN = 0
Setup boot count = 0

2016-01-06T17:51:03.953Z Verifying RTP plugin...
2016-01-06T17:51:03.953Z verified!
2016-01-06T17:51:04.000Z Verifying Nis plugin...
2016-01-06T17:51:04.000Z verified!
2016-01-06T17:51:04.000Z Initializing Nis plugin state...
2016-01-06T17:51:04.000Z Nis initialized!
2016-01-06T17:51:04.000Z Loading engine...
2016-01-06T17:51:04.421Z Verifying engine and signature files (source: 1) ...
2016-01-06T17:51:04.421Z verified!
2016-01-06T17:51:10.898Z Initializing MPUT in engine...
2016-01-06T17:51:10.914Z MPUT initialized in the engine successfully
2016-01-06T17:51:11.148Z CSignatureStatus: back to good
2016-01-06T17:51:11.164Z Initializing RTP plugin state...
2016-01-06T17:51:11.164Z initialized!
2016-01-06T17:51:11.164Z loaded!
2016-01-06T17:51:11.164Z
****************************RTP Perf Log***************************
RTP Start:N/A
Last Perf:N/A
First RTP Scan:N/A
Plugin States:  AV:2  AS:2  RTP:2  OA:2  BM:2
Process Exclusions:
Path Exclusions:
Ext Exclusions:
Worker Threads:
  AM:19
  Async:4
Cache Flushes:
  RTP:0
System File Cache:
  Hits:0
  Misses:0
BM Queue:0,0,0
  Proc:0,0,0
  File:0,0,0
Plugin Queue:0,0,0
  Threat:0,0,0
  Susp:0,0,0
  Unknown:0,0,0
  Error:0,0,0
Request Queue:2,2,0
  SetEngine:1,1,0
  SetState:1,1,0
  SetUser:0,0,0
  Config:0,0,0
  ProcExcl:0,0,0
  FilterReload:0,0,0
  FilterUnload:0,0,0
MpFilter:
  Scans:0
  Pending:0
  RegSize:0
  AsyncQNotif:0
  AsyncQMissed:0
  AsyncQTotalSent:1240
  AsyncQCurrent:0
  BMFlags:8
  ServiceMaj:0
  ServiceMin:0
  ProcBitmap:0
  NumInstance:5
  TotalStreamCon:1227
  TotalBitmap:0
  NTFS Cache Statistics:
  TotalMisses:3166
  TotalHits:0
  InstanceCacheHits:0
  CSVFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
  REFS Cache Statistics (Type:GenericTable, Policy:WriteBack):
  TotalMisses:0
  TotalHits:0
  InstanceCacheInserts:0
  InstanceCacheUpdates:0
  InstanceCacheDeletes:0
  InstanceCacheHits:0
  InstanceCacheMisses:0
  InstanceCacheOverflows:0
 
**************************END RTP Perf Log*************************

 
 

2016-01-06T17:51:11.179Z Verifying license file...
2016-01-06T17:51:11.179Z verified!
2016-01-06T17:51:11.179Z Product supports installmode: 0
2016-01-06T17:51:11.201Z Auto purger task is scheduled to run in 600000(ms) from now with period 86400000(ms)
Product Version: 4.8.204.0
Service Version: 4.8.204.0
Engine Version: 1.1.12400.0
AS Signature Version: 1.213.1872.0
AV Signature Version: 1.213.1872.0
************************************************************
2016-01-06T17:52:04.094Z Task(GetDeviceTicket -AccessKey 867E86E8-1C49-CB03-060F-5F07EFDF809F ) launched as network service
2016-01-06T17:52:04.141Z Process scan (poststartupscan) started.
2016-01-06T17:52:05.235Z Process scan (poststartupscan) completed.
2016-01-06T17:53:14.438Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
2016-01-06T17:53:14.454Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1), snoooze state (0), and up-to-date state(1)
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=false, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"
Internal signature match:subtype=Lowfi, sigseq=0x00003B96ED338B5B, signame=ALF:PeaDisUnpRdVd, cached=true, resource="\Device\HarddiskVolume1\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe"

Begin Resource Scan
Scan ID:{5378F9AF-6A45-442B-A2BA-99CAC325428D}
Scan Source:7
Start Time:01-06-2016 18:55:35
End Time:01-06-2016 18:55:38
Explicit resource to scan
Resource Schema:queryfilertsig
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Result Count:1
Known File
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
Extended Info:35872412566804
End Scan
************************************************************

2016-01-06T17:57:02.053Z [Mini-filter] Restricted access to process 2220 from pid: 1664. Original desired access: 0x1fffff.
2016-01-06T17:57:02.053Z [Mini-filter] Restricted access to process 2220 from pid: 1664. Original desired access: 0x1fffff.
2016-01-06T17:57:02.060Z [Mini-filter] Restricted access to engine process from pid: 1664. Original desired access: 0x1fffff.
2016-01-06T17:57:02.060Z [Mini-filter] Restricted access to engine process from pid: 1664. Original desired access: 0x1fffff.
2016-01-06T18:01:11.179Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 116134(ms)
2016-01-06T18:01:11.182Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 86400000(ms) from now with period 86400000(ms)
2016-01-06T18:01:11.183Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 26049452(ms)
2016-01-06T18:01:11.201Z AutoPurgeWorker triggered with dwWork=0x3
2016-01-06T18:01:11.201Z Product supports installmode: 0
2016-01-06T18:01:17.370Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)

cosinus 07.01.2016 08:07
Adware/Junkware/Toolbars entfernen

Alte Versionen von adwCleaner und falls vorhanden JRT vorher löschen, danach neu runterladen auf den Desktop!
Virenscanner jetzt vor dem Einsatz dieser Tools bitte komplett deaktivieren!

1. Schritt: adwCleaner

Downloade Dir bitte AdwCleaner Logo Icon AdwCleaner auf deinen Desktop.
  • Schließe alle offenen Programme und Browser. Bebilderte Anleitung zu AdwCleaner.
  • Starte die AdwCleaner.exe mit einem Doppelklick.
  • Stimme den Nutzungsbedingungen zu.
  • Klicke auf Optionen und vergewissere dich, dass die folgenden Punkte ausgewählt sind:
    • "Tracing" Schlüssel löschen
    • Winsock Einstellungen zurücksetzen
    • Proxy Einstellungen zurücksetzen
    • Internet Explorer Richtlinien zurücksetzen
    • Chrome Richtlinien zurücksetzen
    • Stelle sicher, dass alle 5 Optionen wie hier dargestellt, ausgewählt sind
  • Klicke auf Suchlauf und warte bis dieser abgeschlossen ist.
  • Klicke nun auf Löschen und bestätige auftretende Hinweise mit Ok.
  • Dein Rechner wird automatisch neu gestartet. Nach dem Neustart öffnet sich eine Textdatei. Poste mir deren Inhalt mit deiner nächsten Antwort.
  • Die Logdatei findest du auch unter C:\AdwCleaner\AdwCleaner[Cx].txt. (x = fortlaufende Nummer).




2. Schritt: JRT - Junkware Removal Tool

Beende bitte Deine Schutzsoftware um eventuelle Konflikte zu vermeiden.
Bitte lade Junkware Removal Tool auf Deinen Desktop

  • Starte das Tool mit Doppelklick. Ab Windows Vista (oder höher) bitte mit Rechtsklick "als Administrator ausführen" starten.
  • Drücke eine beliebige Taste, um das Tool zu starten.
  • Je nach System kann der Scan eine Weile dauern.
  • Wenn das Tool fertig ist wird das Logfile (JRT.txt) auf dem Desktop gespeichert und automatisch geöffnet.
  • Bitte poste den Inhalt der JRT.txt in Deiner nächsten Antwort.




3. Schritt: Frisches Log mit FRST

Bitte lade dir die passende Version von Farbar's Recovery Scan Tool auf deinen Desktop: FRST Download FRST 32-Bit | FRST 64-Bit
(Wenn du nicht sicher bist: Lade beide Versionen oder unter Start > Computer (Rechtsklick) > Eigenschaften nachschauen)
  • Starte jetzt FRST.
  • Ändere ungefragt keine der Checkboxen und klicke auf Untersuchen.
  • Die Logdateien werden nun erstellt und befinden sich danach auf deinem Desktop.
  • Poste mir die FRST.txt und nach dem ersten Scan auch die Addition.txt in deinem Thread (#-Symbol im Eingabefenster der Webseite anklicken)


Joliwa 07.01.2016 20:51
AdwCleaner[S1].txt

AdwCleaner Logfile:
Code:
# AdwCleaner v5.028 - Bericht erstellt am 07/01/2016 um 19:58:45
# Aktualisiert am 04/01/2016 von Xplode
# Datenbank : 2016-01-04.2 [Server]
# Betriebssystem : Windows 7 Professional Service Pack 1 (x86)
# Benutzername : Admin - JOLIWA
# Gestartet von : E:\Arbeitsverzeichnisse\Seamonkey\downloads\AdwCleaner_5.028.exe
# Option : Suchlauf
# Unterstützung : hxxp://toolslib.net/forum

***** [ Dienste ] *****


***** [ Ordner ] *****

Ordner Gefunden : C:\ProgramData\DeviceVM
Ordner Gefunden : C:\Users\Admin\AppData\Roaming\DeviceVM

***** [ Dateien ] *****


***** [ DLL ] *****


***** [ Verknüpfungen ] *****


***** [ Aufgabenplanung ] *****


***** [ Registrierungsdatenbank ] *****

Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Schlüssel Gefunden : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494

***** [ Internetbrowser ] *****


########## EOF - \AdwCleaner\AdwCleaner[S1].txt - [1186 Bytes] ##########
--- --- ---
JRT.txt
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Professional x86
Ran by Admin (Administrator) on 07.01.2016 at 20:22:06,99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07.01.2016 at 20:24:26,78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FRST.txt
Code:
Untersuchungsergebnis von Farbar Recovery Scan Tool (FRST) (x86) Version:07-01-2015
durchgeführt von Admin (Administrator) auf JOLIWA (07-01-2016 20:35:12)
Gestartet von E:\Arbeitsverzeichnisse\Seamonkey\downloads
Geladene Profile: Admin & Opa (Verfügbare Profile: Admin & Opa & Papa)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Sprache: Deutsch (Deutschland)
Internet Explorer Version 11 (Standard-Browser: "D:\Programme\Seamonkey\seamonkey.exe" -requestPending -osint -url "%1")
Start-Modus: Normal
Anleitung für Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Prozesse (Nicht auf der Ausnahmeliste) =================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Prozess geschlossen. Die Datei wird nicht verschoben.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\tv_w32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version7\TeamViewer_Desktop.exe
(mozilla.org) D:\Programme\Seamonkey\seamonkey.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Nicht auf der Ausnahmeliste) ===========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt. Die Datei wird nicht verschoben.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9398888 2010-07-28] (Realtek Semiconductor)
HKLM\...\Run: [CTSyncService] => C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe [1233195 2009-07-08] (Creative Technology Ltd)
HKLM\...\Run: [VolPanel] => C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe [241789 2009-05-04] (Creative Technology Ltd)
HKLM\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [RunDLLEntry] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\AmbRunE.dll,RunDLLEntry
HKLM\...\Run: [vspdfprsrv.exe] => D:\Programme\pdf-Experte\vspdfprsrv.exe [998912 2006-05-04] ()
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [981688 2015-04-30] (Microsoft Corporation)
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2009-07-14] (Microsoft Corporation)
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\...\Run: [EPSON] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGIE.EXE [200704 2009-09-14] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\...\Run: [career-improve] => C:\Users\Opa\AppData\Local\Temp\Career_tour\career-behave.exe <===== ACHTUNG
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\...\Run: [SandboxieControl] => "C:\Program Files\Sandboxie\SbieCtrl.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2014-04-28]
ShortcutTarget: Microsoft Office.lnk -> D:\Programme\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

==================== Internet (Nicht auf der Ausnahmeliste) ====================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Eintrag entfernt oder auf den Standardwert zurückgesetzt, wenn es sich um einen Registryeintrag handelt.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{CF1091E5-7424-4CB1-BFB4-24AE9B222A14}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=ASRK
SearchScopes: HKU\S-1-5-21-1987672872-2594305773-2641038054-1000 -> {5CC8B395-8628-4c1e-A56F-F22AE4A161CA} URL = hxxp://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=5480255188&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=de&q={searchTerms}
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2008-07-02] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_20_0_0_267.dll [2015-12-28] ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)

==================== Dienste (Nicht auf der Ausnahmeliste) ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

S3 becldr3Service; C:\Program Files\BCL Technologies\easyConverter SDK 3\Common\becldr.exe [225280 2012-08-01] () [Datei ist nicht signiert]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-23] (Creative Technology Ltd) [Datei ist nicht signiert]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
S3 Sound Blaster X-Fi MB Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [79360 2014-04-25] (Creative Labs) [Datei ist nicht signiert]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 MBAMScheduler; "C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe" [X]
S2 MBAMService; "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe" [X]

===================== Treiber (Nicht auf der Ausnahmeliste) ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
R1 MpKsl7d7d7bc2; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6226F22E-BF0B-4935-BD9D-48CDAB3EFEFC}\MpKsl7d7d7bc2.sys [39168 2016-01-07] (Microsoft Corporation)
S1 asdqninf; \??\C:\Windows\system32\drivers\asdqninf.sys [X]
S1 betdysgm; \??\C:\Windows\system32\drivers\betdysgm.sys [X]
S1 defknbgo; \??\C:\Windows\system32\drivers\defknbgo.sys [X]
S1 epdwqqzv; \??\C:\Windows\system32\drivers\epdwqqzv.sys [X]
S1 fffywdyo; \??\C:\Windows\system32\drivers\fffywdyo.sys [X]
S1 hrwcvaht; \??\C:\Windows\system32\drivers\hrwcvaht.sys [X]
S1 lmuqvbjq; \??\C:\Windows\system32\drivers\lmuqvbjq.sys [X]
S3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [X]
S1 regwsrei; \??\C:\Windows\system32\drivers\regwsrei.sys [X]

==================== NetSvcs (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Ein Monat: Erstellte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2016-01-07 20:24 - 2016-01-07 20:24 - 00000554 _____ C:\Users\Admin\Desktop\JRT.txt
2016-01-07 20:20 - 2016-01-07 20:02 - 00001263 _____ C:\Users\Opa\Desktop\AdwCleaner[S1].txt
2016-01-06 19:29 - 2016-01-06 20:23 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-01-06 19:29 - 2016-01-06 19:29 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-06 19:16 - 2016-01-06 20:23 - 00000000 ____D C:\Users\Admin\Desktop\mbar
2016-01-06 19:16 - 2016-01-06 19:22 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-06 19:09 - 2016-01-06 19:12 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Admin\Desktop\mbar-1.09.3.1001.exe
2016-01-02 23:27 - 2016-01-02 23:27 - 00076349 _____ C:\Users\Opa\Desktop\img182.pdf
2016-01-02 23:26 - 2016-01-02 23:26 - 00072366 _____ C:\Users\Opa\Documents\img182.pdf
2015-12-31 04:29 - 2015-12-31 04:29 - 00003906 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-31 00:18 - 2015-12-31 16:33 - 00002123 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-12-31 00:18 - 2015-12-31 16:32 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-12-28 20:06 - 2016-01-07 20:35 - 00000000 ____D C:\FRST
2015-12-27 21:34 - 2015-12-27 21:34 - 00000806 _____ C:\Users\Admin\Desktop\SeaMonkey.lnk
2015-12-26 15:23 - 2016-01-06 18:49 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-12-25 23:11 - 2015-12-26 21:45 - 00000000 ____D C:\Users\Admin\EurekaLog
2015-12-25 16:52 - 2015-12-26 15:24 - 00000000 ___RD C:\Sandbox
2015-12-25 16:49 - 2015-12-26 21:17 - 00000000 ____D C:\Program Files\Sandboxie
2015-12-25 16:22 - 2016-01-06 19:29 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-20 17:49 - 2015-12-20 17:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SeaMonkey
2015-12-18 11:59 - 2015-12-20 13:41 - 00000000 ____D C:\Users\Opa\AppData\Roaming\screw-5
2015-12-18 11:58 - 2015-12-25 16:38 - 00000000 ____D C:\ProgramData\codec-76
2015-12-18 11:55 - 2015-12-19 22:22 - 00000000 ____D C:\Users\Opa\AppData\Roaming\ampere-11
2015-12-18 11:53 - 2015-12-20 12:25 - 00000000 ____D C:\ProgramData\diode-48
2015-12-16 13:30 - 2015-12-18 00:25 - 00000000 ____D C:\Users\Opa\AppData\Roaming\friction-5
2015-12-13 15:48 - 2015-12-16 13:30 - 00000000 ____D C:\Users\Opa\AppData\Roaming\blvds-1
2015-12-13 00:39 - 2014-04-18 20:25 - 00058850 _____ C:\Users\Opa\Desktop\Antrag neu - Kopie.pdf
2015-12-10 21:55 - 2015-12-12 17:56 - 00000000 ____D C:\Users\Opa\AppData\Roaming\homerf-88
2015-12-10 15:21 - 2015-11-11 21:52 - 00341192 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-12-10 15:21 - 2015-11-11 16:44 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-12-10 15:21 - 2015-11-11 16:44 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-12-10 15:21 - 2015-11-10 01:24 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-12-10 15:21 - 2015-11-10 01:24 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-12-10 15:21 - 2015-11-10 01:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-12-10 15:21 - 2015-11-10 01:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-12-10 15:21 - 2015-11-10 01:06 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-12-10 15:21 - 2015-11-10 01:06 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-12-10 15:21 - 2015-11-10 01:04 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-12-10 15:21 - 2015-11-10 01:03 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-12-10 15:21 - 2015-11-10 01:03 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-12-10 15:21 - 2015-11-10 01:02 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-12-10 15:21 - 2015-11-10 00:57 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-12-10 15:21 - 2015-11-10 00:50 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-12-10 15:21 - 2015-11-10 00:47 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-12-10 15:21 - 2015-11-10 00:44 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-12-10 15:21 - 2015-11-10 00:37 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-12-10 15:21 - 2015-11-10 00:36 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-12-10 15:21 - 2015-11-10 00:36 - 00687104 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-12-10 15:21 - 2015-11-10 00:36 - 00684032 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-12-10 15:21 - 2015-11-10 00:17 - 02011136 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-12-10 15:21 - 2015-11-10 00:14 - 01311744 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-12-10 15:21 - 2015-11-10 00:12 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-12-10 15:20 - 2015-11-11 17:00 - 12856832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-12-10 15:20 - 2015-11-11 16:41 - 20366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-12-10 15:20 - 2015-11-11 15:57 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-12-10 15:20 - 2015-11-10 01:13 - 00496640 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-12-10 15:20 - 2015-11-10 01:12 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-12-10 15:20 - 2015-11-10 01:11 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-12-10 15:20 - 2015-11-10 01:08 - 02280448 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-12-10 15:20 - 2015-11-10 01:02 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-12-10 15:20 - 2015-11-10 00:46 - 04514816 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-12-10 15:20 - 2015-11-10 00:35 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-12-10 15:18 - 2015-11-11 19:39 - 01242624 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2015-12-10 15:18 - 2015-11-11 19:39 - 00487936 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 01251328 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 00909824 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-12-10 15:18 - 2015-11-10 19:39 - 00811520 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2015-12-10 15:18 - 2015-11-10 18:40 - 02386944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-12-10 15:13 - 2015-11-20 19:34 - 02956800 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 02062848 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00573440 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00093696 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-12-10 15:13 - 2015-11-20 19:34 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-12-10 15:13 - 2015-11-20 19:33 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-12-10 15:13 - 2015-11-20 19:33 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-12-10 15:13 - 2015-11-20 19:33 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-12-10 15:13 - 2015-11-05 20:02 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\wshrm.dll
2015-12-10 15:13 - 2015-11-05 20:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-12-10 15:13 - 2015-11-05 10:48 - 00117760 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2015-12-10 15:13 - 2015-11-03 19:56 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2015-12-10 15:13 - 2015-11-03 19:55 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2015-12-10 15:13 - 2015-10-09 00:17 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\nlsbres.dll
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2015-12-10 15:13 - 2015-10-09 00:13 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2015-12-10 15:13 - 2015-10-08 20:13 - 00419928 _____ C:\Windows\system32\locale.nls
2015-12-09 00:12 - 2015-12-09 00:12 - 00297893 _____ C:\Users\Opa\Documents\Beihilfe neu.pdf
2015-12-08 13:50 - 2015-12-10 00:05 - 00000000 ____D C:\Users\Opa\AppData\Roaming\evkit-6

==================== Ein Monat: Geänderte Dateien und Ordner ========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Datei/der Ordner verschoben.)

2016-01-07 20:01 - 2009-07-14 05:34 - 00035088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-07 20:01 - 2009-07-14 05:34 - 00035088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-07 19:53 - 2015-01-02 20:44 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-07 02:59 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-06 18:49 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\inf
2016-01-06 18:49 - 2009-07-14 03:37 - 00000000 ____D C:\Windows
2016-01-04 02:08 - 2015-11-26 01:24 - 00000000 ____D C:\ProgramData\molecule-9
2015-12-31 16:33 - 2014-04-25 00:50 - 00001912 _____ C:\Windows\epplauncher.mif
2015-12-30 23:10 - 2014-05-01 14:55 - 00000000 ____D C:\Windows\Minidump
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieUserList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieSiteList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\LocalLow\EmieBrowserModeList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieUserList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieSiteList
2015-12-28 21:37 - 2015-04-25 02:15 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieBrowserModeList
2015-12-28 19:55 - 2014-05-24 16:44 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-12-28 19:55 - 2014-05-24 16:44 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-12-27 22:54 - 2009-07-14 05:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-12-25 23:11 - 2014-04-25 00:46 - 00000000 ____D C:\Users\Admin
2015-12-25 14:11 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\rescache
2015-12-20 18:36 - 2015-11-20 21:31 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-12-20 00:14 - 2015-11-01 11:09 - 00000000 ____D C:\ProgramData\jto
2015-12-18 12:10 - 2015-04-05 12:29 - 00000000 ___SD C:\Windows\system32\GWX
2015-12-18 00:17 - 2015-11-06 00:09 - 00000000 ____D C:\Users\Opa\AppData\Roaming\tesla-82
2015-12-13 01:01 - 2014-04-25 10:34 - 00698868 _____ C:\Windows\system32\perfh007.dat
2015-12-13 01:01 - 2014-04-25 10:34 - 00149008 _____ C:\Windows\system32\perfc007.dat
2015-12-13 01:01 - 2010-11-20 22:01 - 01618376 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-11 03:30 - 2009-07-14 05:33 - 00347864 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-11 03:08 - 2014-05-11 17:59 - 00000000 ____D C:\Windows\system32\MRT
2015-12-11 03:01 - 2014-05-11 17:59 - 137798368 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-12-10 20:41 - 2015-11-20 13:33 - 00000000 ____D C:\Users\Opa\AppData\Roaming\vctxo-69

==================== Dateien im Wurzelverzeichnis einiger Verzeichnisse =======

2015-04-26 03:15 - 2015-04-26 03:15 - 0000293 _____ () C:\Users\Admin\AppData\Local\config.ini
2015-04-26 01:20 - 2015-04-26 02:12 - 0000000 _____ () C:\Users\Admin\AppData\Local\simedit.log

Einige Dateien in TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\expertpdf_v4_avanquest_retail_deu.exe
C:\Users\Admin\AppData\Local\Temp\PDSetup1ca6.exe
C:\Users\Admin\AppData\Local\Temp\PDSetupa14a.exe
C:\Users\Admin\AppData\Local\Temp\_is91DA.exe
C:\Users\Admin\AppData\Local\Temp\_isB19E.exe


==================== Bamital & volsnap =================

(Es ist kein automatischer Fix für Dateien vorhanden, die an der Verifikation gescheitert sind.)

C:\Windows\explorer.exe => Datei ist digital signiert
C:\Windows\system32\winlogon.exe => Datei ist digital signiert
C:\Windows\system32\wininit.exe => Datei ist digital signiert
C:\Windows\system32\svchost.exe => Datei ist digital signiert
C:\Windows\system32\services.exe => Datei ist digital signiert
C:\Windows\system32\User32.dll => Datei ist digital signiert
C:\Windows\system32\userinit.exe => Datei ist digital signiert
C:\Windows\system32\rpcss.dll => Datei ist digital signiert
C:\Windows\system32\dnsapi.dll => Datei ist digital signiert
C:\Windows\system32\Drivers\volsnap.sys => Datei ist digital signiert


LastRegBack: 2015-12-30 13:35

==================== Ende vom FRST.txt ============================
Addition.txt
Code:
Zusätzliches Untersuchungsergebnis von Farbar Recovery Scan Tool (x86) Version:07-01-2015
durchgeführt von Admin (2016-01-07 20:36:16)
Gestartet von E:\Arbeitsverzeichnisse\Seamonkey\downloads
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2014-04-24 23:46:34)
Start-Modus: Normal
==========================================================


==================== Konten: =============================

Admin (S-1-5-21-1987672872-2594305773-2641038054-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-1987672872-2594305773-2641038054-500 - Administrator - Disabled)
Gast (S-1-5-21-1987672872-2594305773-2641038054-501 - Limited - Disabled)
Opa (S-1-5-21-1987672872-2594305773-2641038054-1001 - Limited - Enabled) => C:\Users\Opa
Papa (S-1-5-21-1987672872-2594305773-2641038054-1002 - Limited - Enabled) => C:\Users\Papa

==================== Sicherheits-Center ========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er entfernt.)

AV: Microsoft Security Essentials (Disabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AS: Microsoft Security Essentials (Disabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installierte Programme ======================

(Nur Adware-Programme mit dem Zusatz "Hidden" können in die Fixlist aufgenommen werden, um sie sichtbar zu machen. Die Adware-Programme sollten manuell deinstalliert werden.)

Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.267 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.35 - Atheros Communications Inc.)
Colin McRae Rally 2 (HKLM\...\{19B72AA9-985A-11D4-9C8A-00D0B75D1498}) (Version:  - )
CoolPacMan (HKLM\...\CoolPacMan_is1) (Version:  - )
Drome Racers (HKLM\...\{EC1DCD6C-3AE0-42CE-8EAA-6886CC4400DC}) (Version:  - )
EPSON BX320FW Series Handbuch (HKLM\...\EPSON BX320FW Series Manual) (Version:  - )
EPSON BX320FW Series Netzwerk-Handbuch (HKLM\...\EPSON BX320FW Series Network Guide) (Version:  - )
EPSON BX320FW Series Printer Uninstall (HKLM\...\EPSON BX320FW Series) (Version:  - SEIKO EPSON Corporation)
Epson Easy Photo Print 2 (HKLM\...\{310C1558-F6B5-4889-98B0-7471966BA7F2}) (Version: 2.2.3.0 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser) (HKLM\...\{B2D55EB8-32C5-4B43-9006-9E97DECBA178}) (Version: 1.00.0000 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{03B8AA32-F23C-4178-B8E6-09ECD07EAA47}) (Version: 2.40.0001 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.10.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
EpsonNet Setup 3.2 (HKLM\...\{C9D8A041-2963-4B31-8FFC-1500F3DB9293}) (Version: 3.2a - SEIKO EPSON CORPORATION)
eXPert PDF 4 (HKLM\...\{A6E92CAB-9E63-46DC-8ABF-0CAFF7B7CD02}) (Version: 4.1.670.404 - Visage Software)
HardlinkBackup (HKLM\...\{A99A1AE2-5EAB-4742-91DB-72A8B2F9529C}) (Version: 1.0.1 - Lupinho.Net)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.14.10.2230 - Intel Corporation)
L&H TTS3000 Deutsch (HKLM\...\LHTTSGED) (Version:  - )
L&H TTS3000 Español (HKLM\...\LHTTSSPE) (Version:  - )
L&H TTS3000 Français (HKLM\...\LHTTSFRF) (Version:  - )
L&H TTS3000 Italiano (HKLM\...\LHTTSITI) (Version:  - )
L&H TTS3000 Português (Brasil) (HKLM\...\LHTTSPTB) (Version:  - )
L&H TTS3000 Russian (HKLM\...\LHTTSRUR) (Version:  - )
Landwirtschafts Simulator 15 (HKLM\...\FarmingSimulator2015DE_is1) (Version: 1.0 - GIANTS Software)
LEGO Insel 2 (HKLM\...\{85967580-EBC2-11D4-AEA3-0050046A88ED}) (Version:  - )
Lernkartei Mathe Grundschule (HKLM\...\Lernkartei Mathe Grundschule) (Version:  - )
Lern-Karteikasten Englisch Grundschule (HKLM\...\Lern-Karteikasten Englisch Grundschule) (Version:  - )
Lernout & Hauspie TruVoice American English TTS Engine (HKLM\...\tv_enua) (Version:  - )
Mathe Klasse 1 - 4 (HKLM\...\Mathe Klasse 1 - 4) (Version:  - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2000 SR-1 Disc 2 (HKLM\...\{00040407-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Office 2000 SR-1 Premium (HKLM\...\{00000407-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Minecraft (HKLM\...\{02BAAFC5-4E16-42E6-A9F6-8DDE0B7ED3B8}) (Version: 1.0.0.0 - Mojang)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Pflanzen gegen Zombies (HKLM\...\Pflanzen gegen Zombies) (Version:  - PopCap Games)
PROMT Personal 9.5 Multilingual  (HKLM\...\{E89EC7CC-5727-4392-A967-49B886E8E41F}) (Version: 9.6.00003 - PROMT Ltd.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6167 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.00042 - Realtek Semiconductor Corp.)
SeaMonkey 2.39 (x86 de) (HKLM\...\SeaMonkey 2.39 (x86 de)) (Version: 2.39 - Mozilla)
Sound Blaster X-Fi MB (HKLM\...\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}) (Version: 1.0 - Creative Technology Limited)
TeamViewer 7 (HKLM\...\TeamViewer 7) (Version: 7.0.12280 - TeamViewer)

==================== Benutzerdefinierte CLSID (Nicht auf der Ausnahmeliste): ==========================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)


==================== Geplante Aufgaben (Nicht auf der Ausnahmeliste) =============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

Task: {05C1AF3B-379C-42FF-812F-D3F5B9D13B85} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-28] (Adobe Systems Incorporated)
Task: {6AEF0C98-2CB4-4B67-8C70-4C977C7355CC} - System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask => start sppsvc
Task: {72D38E85-01E7-4243-89A0-C89F3E9FBE47} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {87260E40-E85A-4579-8CED-957024D70EDB} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-05] (Microsoft Corporation)
Task: {88FCB06C-FEB2-4E8B-8842-5744F8B9D617} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-05] (Microsoft Corporation)
Task: {D622195C-D680-4FEA-9C56-59660C7C9E94} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird die Aufgabe verschoben. Die Datei, die durch die Aufgabe gestartet wird, wird nicht verschoben.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Verknüpfungen =============================

(Die Einträge können gelistet werden, um sie zurückzusetzen oder zu entfernen.)

==================== Geladene Module (Nicht auf der Ausnahmeliste) ==============

2014-04-25 03:25 - 2005-06-02 11:40 - 00014336 _____ () C:\Windows\System32\vsmon1.dll

==================== Alternate Data Streams (Nicht auf der Ausnahmeliste) =========

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird nur der ADS entfernt.)


==================== Abgesicherter Modus (Nicht auf der Ausnahmeliste) ===================

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Der Wert "AlternateShell" wird wiederhergestellt.)


==================== EXE Verknüpfungen (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird der Registryeintrag auf den Standardwert zurückgesetzt oder entfernt.)


==================== Internet Explorer Vertrauenswürdig/Eingeschränkt ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt.)


==================== Hosts Inhalt: ===============================

(Wenn benötigt kann der Hosts: Schalter in die Fixlist aufgenommen werden um die Hosts Datei zurückzusetzen.)

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Andere Bereiche ============================

(Aktuell gibt es keinen automatisierten Fix für diesen Bereich.)

HKU\S-1-5-21-1987672872-2594305773-2641038054-1000\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall ist aktiviert.

==================== MSCONFIG/TASK MANAGER Deaktivierte Einträge ==

(Aktuell gibt es keinen automatisierten Fix für diesen Bereich.)


==================== FirewallRules (Nicht auf der Ausnahmeliste) ===============

(Wenn ein Eintrag in die Fixlist aufgenommen wird, wird er aus der Registry entfernt. Die Datei wird nicht verschoben solange sie nicht separat aufgelistet wird.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{9D3B5843-CE66-4E4C-8AEF-9B7F36F90B9F}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
FirewallRules: [{650B2034-084B-4051-94E7-44037345D752}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer.exe
FirewallRules: [{52D34E1D-D63B-49BC-A874-45A3AD637768}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
FirewallRules: [{0A83FAD2-15C0-4A84-9AE6-9EBE3A7F62C0}] => (Allow) C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
FirewallRules: [TCP Query User{7B92195E-249C-4538-88B2-D088AFB016CE}C:\program files\epson software\event manager\eeventmanager.exe] => (Block) C:\program files\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{DC393E51-3664-480C-8B6E-99F3CE8C30AF}C:\program files\epson software\event manager\eeventmanager.exe] => (Block) C:\program files\epson software\event manager\eeventmanager.exe
FirewallRules: [{559D354C-C25C-47DA-A563-537324439936}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{81CF767F-2528-4A47-8E1E-49A8EAAAB264}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\FarmingSimulator2015.exe
FirewallRules: [{6384DAF0-E017-4C4B-8733-36276840E7B9}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\FarmingSimulator2015.exe
FirewallRules: [{BD218624-9D34-4177-9AE5-E52A8182F79D}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x86\FarmingSimulator2015Game.exe
FirewallRules: [{2A56CBDA-F76F-4C84-AC9A-2E84092D087D}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x86\FarmingSimulator2015Game.exe
FirewallRules: [{3CD8F3FE-58D2-453D-8E0A-15EA0F46AD69}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x64\FarmingSimulator2015Game.exe
FirewallRules: [{B073FB12-D8C1-46B9-AD51-D5D81499FC30}] => (Allow) D:\Programme\Spiele\Landwirtschafts Simulator 2015\x64\FarmingSimulator2015Game.exe
FirewallRules: [TCP Query User{E0C0A721-959B-4D10-A113-B758966F88C3}D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe] => (Block) D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{692C92F9-DCE4-4C4D-AB2D-7299727847D7}D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe] => (Block) D:\programme\spiele\minecraft\runtime\jre-x32\1.8.0_25\bin\javaw.exe

==================== Wiederherstellungspunkte =========================

07-01-2016 20:22:09 JRT Pre-Junkware Removal

==================== Fehlerhafte Geräte im Gerätemanager =============


==================== Fehlereinträge in der Ereignisanzeige: =========================

Applikationsfehler:
==================
Error: (01/07/2016 03:12:21 AM) (Source: MsiInstaller) (EventID: 1024) (User: JOLIWA)
Description: Produkt: Adobe Reader XI (11.0.12) - Deutsch - Update "{AC76BA86-7AD7-0000-2550-7A8C40011013}" konnte nicht installiert werden. Fehlercode 1625. Windows Installer kann Protokolle erstellen, um bei der Problembehandlung betreffend der Installation von Softwarepaketen behilflich zu sein. Verwenden Sie folgenden Link, um Anweisungen zur Aktivierung der Protokollierungsunterstützung zu erhalten: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Error: (01/07/2016 03:01:23 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2016 09:40:25 PM) (Source: MsiInstaller) (EventID: 1024) (User: JOLIWA)
Description: Produkt: Adobe Reader XI (11.0.12) - Deutsch - Update "{AC76BA86-7AD7-0000-2550-7A8C40011013}" konnte nicht installiert werden. Fehlercode 1625. Windows Installer kann Protokolle erstellen, um bei der Problembehandlung betreffend der Installation von Softwarepaketen behilflich zu sein. Verwenden Sie folgenden Link, um Anweisungen zur Aktivierung der Protokollierungsunterstützung zu erhalten: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Error: (01/06/2016 06:52:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2016 05:57:53 PM) (Source: MsiInstaller) (EventID: 1024) (User: JOLIWA)
Description: Produkt: Adobe Reader XI (11.0.12) - Deutsch - Update "{AC76BA86-7AD7-0000-2550-7A8C40011013}" konnte nicht installiert werden. Fehlercode 1625. Windows Installer kann Protokolle erstellen, um bei der Problembehandlung betreffend der Installation von Softwarepaketen behilflich zu sein. Verwenden Sie folgenden Link, um Anweisungen zur Aktivierung der Protokollierungsunterstützung zu erhalten: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Error: (01/06/2016 05:45:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2016 01:06:59 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: Die Sicherung war nicht erfolgreich. Fehler: "Falscher Parameter. (0x80070057)"

Error: (01/06/2016 01:06:50 AM) (Source: Microsoft-Windows-Backup) (EventID: 517) (User: NT-AUTORITÄT)
Description: Fehler bei der um 2016-01-06T00:01:07.500000000Z gestarteten Sicherung. Fehlercode: "2147942487" (%%2147942487). Suchen Sie in den Ereignisdetails nach einer Lösung, und führen Sie die Sicherung erneut aus, nachdem das Problem behoben wurde.

Error: (01/06/2016 01:04:47 AM) (Source: MsiInstaller) (EventID: 1024) (User: JOLIWA)
Description: Produkt: Adobe Reader XI (11.0.12) - Deutsch - Update "{AC76BA86-7AD7-0000-2550-7A8C40011013}" konnte nicht installiert werden. Fehlercode 1625. Windows Installer kann Protokolle erstellen, um bei der Problembehandlung betreffend der Installation von Softwarepaketen behilflich zu sein. Verwenden Sie folgenden Link, um Anweisungen zur Aktivierung der Protokollierungsunterstützung zu erhalten: hxxp://go.microsoft.com/fwlink/?LinkId=23127

Error: (01/06/2016 12:55:48 AM) (Source: eXPert PDF) (EventID: 3299) (User: )
Description: eXPert PDF Printer driverreported the following error:<<<

DrvEscape: Unsupported Escape Code : 4117
>>>


Systemfehler:
=============
Error: (01/07/2016 02:59:45 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Der Dienst "MBAMService" ist vom Dienst "MBAMProtector" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%2

Error: (01/07/2016 02:59:45 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "MBAMScheduler" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error: (01/07/2016 02:59:36 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "MBAMProtector" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error: (01/06/2016 08:22:08 PM) (Source: volsnap) (EventID: 36) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (01/06/2016 07:58:04 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (01/06/2016 06:51:06 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Der Dienst "MBAMService" ist vom Dienst "MBAMProtector" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%2

Error: (01/06/2016 06:51:06 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "MBAMScheduler" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error: (01/06/2016 06:50:59 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "MBAMProtector" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2

Error: (01/06/2016 05:43:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Der Dienst "MBAMService" ist vom Dienst "MBAMProtector" abhängig, der aufgrund folgenden Fehlers nicht gestartet wurde:
%%2

Error: (01/06/2016 05:43:53 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Der Dienst "MBAMScheduler" wurde aufgrund folgenden Fehlers nicht gestartet:
%%2


==================== Memory info ===========================

Processor: Intel(R) Atom(TM) CPU D525 @ 1.80GHz
Prozentuale Nutzung des RAM: 53%
Installierter physikalischer RAM: 2038.24 MB
Verfügbarer physikalischer RAM: 950.64 MB
Summe virtueller Speicher: 4076.48 MB
Verfügbarer virtueller Speicher: 3004.08 MB

==================== Laufwerke ================================

Drive c: (System) (Fixed) (Total:32 GB) (Free:6.02 GB) NTFS ==>[Laufwerk mit Startkomponenten (eingeholt von BCD)]
Drive d: (Programme) (Fixed) (Total:32 GB) (Free:26.45 GB) NTFS
Drive e: (Daten) (Fixed) (Total:401.76 GB) (Free:373.24 GB) NTFS
Drive g: (SimpleDrive) (Fixed) (Total:931.51 GB) (Free:852.2 GB) NTFS

==================== MBR & Partitionstabelle ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1DB01DAF)
Partition 1: (Active) - (Size=32 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=433.8 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: B0CCD65D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== Ende vom Addition.txt ============================
Danke & schönen Abend!

cosinus 07.01.2016 22:21
FRST-Fix

Virenscanner jetzt bitte komplett deaktivieren, damit sichergestellt ist, dass der Fix sauber durchläuft!

Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:
S1 asdqninf; \??\C:\Windows\system32\drivers\asdqninf.sys [X]
S1 betdysgm; \??\C:\Windows\system32\drivers\betdysgm.sys [X]
S1 defknbgo; \??\C:\Windows\system32\drivers\defknbgo.sys [X]
S1 epdwqqzv; \??\C:\Windows\system32\drivers\epdwqqzv.sys [X]
S1 fffywdyo; \??\C:\Windows\system32\drivers\fffywdyo.sys [X]
S1 hrwcvaht; \??\C:\Windows\system32\drivers\hrwcvaht.sys [X]
S1 lmuqvbjq; \??\C:\Windows\system32\drivers\lmuqvbjq.sys [X]
S1 regwsrei; \??\C:\Windows\system32\drivers\regwsrei.sys [X]
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\...\Run: [career-improve] => C:\Users\Opa\AppData\Local\Temp\Career_tour\career-behave.exe <===== ACHTUNG
C:\Users\Opa\AppData\Roaming\screw-5
C:\ProgramData\codec-76
C:\Users\Opa\AppData\Roaming\ampere-11
C:\ProgramData\diode-48
C:\Users\Opa\AppData\Roaming\friction-5
C:\Users\Opa\AppData\Roaming\blvds-1
C:\Users\Opa\AppData\Roaming\homerf-88
C:\Users\Opa\AppData\Roaming\evkit-6
C:\ProgramData\molecule-9
C:\ProgramData\jto
C:\Users\Opa\AppData\Roaming\vctxo-69
emptytemp:

Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
  • Starte nun FRST erneut und klicke den Entfernen Button.
  • Das Tool erstellt eine Fixlog.txt.
  • Poste mir deren Inhalt.


Joliwa 08.01.2016 21:13
Fixlog.txt

Code:
Entferungsergebnis von Farbar Recovery Scan Tool (x86) Version:07-01-2015
durchgeführt von Admin (2016-01-08 21:06:50) Run:1
Gestartet von E:\Arbeitsverzeichnisse\Seamonkey\downloads
Geladene Profile: Admin & Opa (Verfügbare Profile: Admin & Opa & Papa)
Start-Modus: Normal

==============================================

fixlist Inhalt:
*****************
S1 asdqninf; \??\C:\Windows\system32\drivers\asdqninf.sys [X]
S1 betdysgm; \??\C:\Windows\system32\drivers\betdysgm.sys [X]
S1 defknbgo; \??\C:\Windows\system32\drivers\defknbgo.sys [X]
S1 epdwqqzv; \??\C:\Windows\system32\drivers\epdwqqzv.sys [X]
S1 fffywdyo; \??\C:\Windows\system32\drivers\fffywdyo.sys [X]
S1 hrwcvaht; \??\C:\Windows\system32\drivers\hrwcvaht.sys [X]
S1 lmuqvbjq; \??\C:\Windows\system32\drivers\lmuqvbjq.sys [X]
S1 regwsrei; \??\C:\Windows\system32\drivers\regwsrei.sys [X]
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\...\Run: [career-improve] => C:\Users\Opa\AppData\Local\Temp\Career_tour\career-behave.exe <===== ACHTUNG
C:\Users\Opa\AppData\Roaming\screw-5
C:\ProgramData\codec-76
C:\Users\Opa\AppData\Roaming\ampere-11
C:\ProgramData\diode-48
C:\Users\Opa\AppData\Roaming\friction-5
C:\Users\Opa\AppData\Roaming\blvds-1
C:\Users\Opa\AppData\Roaming\homerf-88
C:\Users\Opa\AppData\Roaming\evkit-6
C:\ProgramData\molecule-9
C:\ProgramData\jto
C:\Users\Opa\AppData\Roaming\vctxo-69
emptytemp:
*****************

asdqninf => service erfolgreich entfernt
betdysgm => service erfolgreich entfernt
defknbgo => service erfolgreich entfernt
epdwqqzv => service erfolgreich entfernt
fffywdyo => service erfolgreich entfernt
hrwcvaht => service erfolgreich entfernt
lmuqvbjq => service erfolgreich entfernt
regwsrei => service erfolgreich entfernt
HKU\S-1-5-21-1987672872-2594305773-2641038054-1001\Software\Microsoft\Windows\CurrentVersion\Run\\career-improve => Wert erfolgreich entfernt
C:\Users\Opa\AppData\Roaming\screw-5 => erfolgreich verschoben
C:\ProgramData\codec-76 => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\ampere-11 => erfolgreich verschoben
C:\ProgramData\diode-48 => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\friction-5 => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\blvds-1 => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\homerf-88 => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\evkit-6 => erfolgreich verschoben
C:\ProgramData\molecule-9 => erfolgreich verschoben
C:\ProgramData\jto => erfolgreich verschoben
C:\Users\Opa\AppData\Roaming\vctxo-69 => erfolgreich verschoben
EmptyTemp: => 657.9 MB temporäre Dateien entfernt.


Das System musste neu gestartet werden.

==== Ende vom Fixlog 21:07:25 ====

cosinus 09.01.2016 07:08
Okay, dann Kontrollscans mit (1) MBAM, (2) ESET und (3) SecurityCheck bitte:


1. Schritt: MBAM

Downloade Dir bitte Malwarebytes Anti-Malware
  • Installiere das Programm in den vorgegebenen Pfad. (Bebilderte Anleitung zu MBAM)
  • Starte Malwarebytes' Anti-Malware (MBAM).
  • Klicke im Anschluss auf Scannen, wähle den Bedrohungssuchlauf aus und klicke auf Suchlauf starten.
  • Lass am Ende des Suchlaufs alle Funde (falls vorhanden) in die Quarantäne verschieben. Klicke dazu auf Auswahl entfernen.
  • Lass deinen Rechner ggf. neu starten, um die Bereinigung abzuschließen.
  • Starte MBAM, klicke auf Verlauf und dann auf Anwendungsprotokolle.
  • Wähle das neueste Scan-Protokoll aus und klicke auf Export. Wähle Textdatei (.txt) aus und speichere die Datei als mbam.txt auf dem Desktop ab. Das Logfile von MBAM findest du hier.
  • Füge den Inhalt der mbam.txt mit deiner nächsten Antwort hinzu.




2. Schritt: ESET

ESET Online Scanner

  • Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
  • Lade und starte Eset Online Scanner
  • Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
  • Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
  • Klicke auf Starten.
  • Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
  • Klicke am Ende des Suchlaufs auf Fertig stellen.
  • Schließe das Fenster von ESET.
  • Explorer öffnen.
  • C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
  • Logfile hier posten.
  • Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
  • Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset




3. Schritt: SecurityCheck

Downloade Dir bitte SecurityCheck und:

  • Speichere es auf dem Desktop.
  • Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
  • Wenn der Scan beendet wurde sollte sich ein Textdokument (checkup.txt) öffnen.
Poste den Inhalt bitte hier.

Joliwa 10.01.2016 11:42
mbam.txt

Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlaufdatum: 09.01.2016
Suchlaufzeit: 21:10
Protokolldatei: mbam.txt
Administrator: Nein

Version: 2.2.0.1024
Malware-Datenbank: v2016.01.09.04
Rootkit-Datenbank: v2016.01.09.01
Lizenz: Kostenlose Version
Malware-Schutz: Deaktiviert
Schutz vor bösartigen Websites: Deaktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 7 Service Pack 1
CPU: x86
Dateisystem: NTFS
Benutzer: Opa

Suchlauftyp: Bedrohungssuchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 268869
Abgelaufene Zeit: 8 Min., 38 Sek.

Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(keine bösartigen Elemente erkannt)

Module: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 0
(keine bösartigen Elemente erkannt)

Registrierungswerte: 0
(keine bösartigen Elemente erkannt)

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Dateien: 0
(keine bösartigen Elemente erkannt)

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)
C:\Programme\Eset\EsetOnlineScanner\log.txt

Code:
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=d24ae76a545bd24f9cf134383fa3935f
# end=init
# utc_time=2016-01-09 08:23:21
# local_time=2016-01-09 09:23:21 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# osver=6.1.7601 NT Service Pack 1
Update Init
Update Download
Update Finalize
Updated modules version: 27569
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=d24ae76a545bd24f9cf134383fa3935f
# end=updated
# utc_time=2016-01-09 08:38:26
# local_time=2016-01-09 09:38:26 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# osver=6.1.7601 NT Service Pack 1
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=d24ae76a545bd24f9cf134383fa3935f
# engine=27569
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2016-01-10 03:46:01
# local_time=2016-01-10 04:46:01 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 821593 75377955 0 0
# scanned=552941
# found=2
# cleaned=0
# scan_time=25654
sh=AAD6F1CAA5C35AEEFCFBE646FB5093D2FB559AEC ft=1 fh=2ca4112e4b89bd5a vn="Variante von Win32/Toolbar.Conduit.P evtl. unerwünschte Anwendung" ac=I fn="E:\Installationsdateien\Brennprogramm\ashampoo_burning_studio_elements_10.0.9_8678.exe"
sh=5CE951D6844E09BD65F6B5E1F79BD2E2C3339C59 ft=1 fh=b126f8f7a8c98d66 vn="Variante von Win32/LoadTubes.A evtl. unerwünschte Anwendung" ac=I fn="E:\Installationsdateien\Flash Player_DivX-Player\DivxUpdate_de.exe"
checkup.txt

Code:
Results of screen317's Security Check version 1.009 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials 
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player        20.0.0.267 
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````

cosinus 10.01.2016 12:18
FRST-Fix

Virenscanner jetzt bitte komplett deaktivieren, damit sichergestellt ist, dass der Fix sauber durchläuft!

Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:
E:\Installationsdateien\Brennprogramm\ashampoo_burning_studio_elements_10.0.9_8678.exe
E:\Installationsdateien\Flash Player_DivX-Player\DivxUpdate_de.exe
emptytemp:

Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
  • Starte nun FRST erneut und klicke den Entfernen Button.
  • Das Tool erstellt eine Fixlog.txt.
  • Poste mir deren Inhalt.



Alle Zeitangaben in WEZ +1. Es ist jetzt 03:45 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131