
Explorer.EXE: doesn't go away


  • This topic is locked
39 replies to this topic

#1 Zak McKracken

  • Members
  • 54 posts

Posted 22 October 2015 - 03:16 AM

Hello,

I have the "explorer.EXE" file (note the all-CAPITAL letters of the extension) corrupted.

I tried to get rid of it in many ways; the only program able to do it is ComboFix, but when I restart the computer, Explorer.EXE is corrupted again.

A direct cause is that I cannot open any Explorer window, and the icon of my network (in the tray bar) shows that there is no connection.

After a ComboFix execution, everything is fixed, until the next reset.

Now, following the Preparation Guide For Use Malware Tools:

- I turned on the PC, and started "FRST"

- then, I started ComboFix

Here is the FRST log, followed by the ComboFix log:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:21-10-2015 01
Ran by p.pasoi (administrator) on KC036 (22-10-2015 09:12:31)
Running from C:\Users\p.pasoi\Desktop
Loaded Profiles: UpdatusUser & p.pasoi (Available Profiles: UpdatusUser & Administrator & p.pasoi)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: Italiano (Italia)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\fcappdb.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Juniper Networks, Inc.) C:\Program Files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FCHelper.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe
(http://tortoisesvn.net) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5263504 2012-08-09] (VIA)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-20] (Intel Corporation)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-959981040-3535681839-140195473-1128\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [1TortoiseNormal] -> {C5994560-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [2TortoiseModified] -> {C5994561-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [3TortoiseConflict] -> {C5994562-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [4TortoiseLocked] -> {C5994563-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [5TortoiseReadOnly] -> {C5994564-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [6TortoiseDeleted] -> {C5994565-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [7TortoiseAdded] -> {C5994566-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [8TortoiseIgnored] -> {C5994567-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
ShellIconOverlayIdentifiers-x32: [9TortoiseUnversioned] -> {C5994568-53D9-4125-87C9-F193FC689CB2} => C:\Program Files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll [2011-06-13] (http://tortoisesvn.net)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.100.11 192.168.100.12
Tcpip\..\Interfaces\{21211C14-FB54-4880-9BCD-D303A34A989F}: [NameServer] 10.108.10.91
Tcpip\..\Interfaces\{5C3F5488-1E89-47E0-A599-A9AD0E6EE16C}: [DhcpNameServer] 192.168.150.4 192.168.150.5
Tcpip\..\Interfaces\{7A75C69F-B194-4A4C-99CB-E7646CC7F93C}: [DhcpNameServer] 192.168.100.11 192.168.100.12

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-959981040-3535681839-140195473-1128\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-959981040-3535681839-140195473-1128\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.it/
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL =
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll [2015-09-03] (IObit)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-08-04] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-03-20] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2015-09-11] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-09-11] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-03-20] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-09-02] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-09-12] (Microsoft Corporation)
BHO-x32: Advanced SystemCare Surfing Protection -> {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll [2015-04-01] (IObit)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-09-02] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://gate.nuoviinvestimenti.it/dana-cached/sc/JuniperSetupClient.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2013-10-01] (Citrix Systems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default
FF Homepage: www.google.it
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_226.dll [2015-10-21] ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-03-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-03-20] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-21] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2013-10-01] (Citrix Systems, Inc.)
FF Plugin-x32: @FortinetCacheClean -> C:\Program Files (x86)\Fortinet\FortiClient\npccplugin.dll [2011-10-26] (Fortinet Inc.)
FF Plugin-x32: @FortinetTunnelControl -> C:\Program Files (x86)\Fortinet\FortiClient\nptcplugin.dll [2011-10-26] (Fortinet Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-09-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-09-02] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-24] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-27] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-959981040-3535681839-140195473-1128: @citrixonline.com/appdetectorplugin -> C:\Users\p.pasoi\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-08-04] (Citrix Online)
FF user.js: detected! => C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\user.js [2015-10-22]
FF Extension: Advanced SystemCare Surfing Protection - C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\Extensions\ascsurfingprotection@iobit.com [2015-09-03] [not signed]
FF Extension: Advanced SystemCare Surfing Protection - C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\Extensions\iobitascsurfingprotection@iobit.com [2015-07-13] [not signed]
FF Extension: Italian dictionary - C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\Extensions\it-IT@dictionaries.addons.mozilla.org [2014-08-05] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AdvancedSystemCareService8; C:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [821024 2015-08-05] (IObit)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2774104 2015-09-11] (Microsoft Corporation)
R2 FA_Scheduler; C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe [73746 2011-10-26] (Fortinet Inc.) [File not signed]
S4 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
S4 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [164864 2012-05-02] (HP) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S4 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2909472 2015-07-31] (IObit)
S4 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142072 2015-07-29] (Panda Security, S.L.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
S4 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [271920 2007-05-08] (Nero AG)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [37176 2013-08-22] (The OpenVPN Project)
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [73464 2015-07-23] (Panda Security, S.L.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-07-28] (Panda Security, S.L.)
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-08] () [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-18] (TeamViewer GmbH)
S4 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27768 2015-06-01] (VIA Technologies, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 MsMpSvc; no ImagePath
S3 NisSrv; no ImagePath

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 fortiapd; C:\Windows\System32\drivers\fortiapd.sys [14952 2011-10-26] (Fortinet Inc)
R1 FortiFilter; C:\Windows\System32\DRIVERS\FortiFilter.sys [23928 2011-09-09] (Fortinet Inc)
S3 Fortips; C:\Windows\System32\drivers\fortips.sys [126056 2011-10-26] (Fortinet Inc)
S3 FortiRdr; C:\Windows\System32\drivers\FortiRdr2.sys [44136 2011-10-26] (Fortinet Inc)
R3 FortiStat2; C:\Windows\System32\drivers\Fortistat2.sys [15464 2011-10-26] (Fortinet Inc)
R3 ft_vnic; C:\Windows\System32\DRIVERS\ftvnic.sys [16928 2011-03-21] (Fortinet Inc.)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-06-01] (REALiX™)
R3 jnprna; C:\Windows\System32\DRIVERS\jnprna6.sys [504176 2011-04-19] (Juniper Networks, Inc.)
S3 jnprva; C:\Windows\System32\DRIVERS\jnprva.sys [26480 2011-04-19] (Juniper Networks, Inc.)
R3 JnprVaMgr; C:\Windows\System32\DRIVERS\jnprvamgr.sys [45352 2011-04-19] (Juniper Networks, Inc.)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [129224 2015-06-01] (Qualcomm Atheros Co., Ltd.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2015-06-01] (Intel Corporation)
R2 mi2c; C:\Windows\system32\drivers\mi2c.sys [20784 2015-10-16] (Nicomsoft Ltd.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [94456 2015-07-09] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [201976 2015-07-09] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110840 2015-07-09] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [110840 2015-07-09] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [57648 2015-05-20] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [103160 2015-07-09] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [72952 2015-07-09] ()
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124152 2015-07-09] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [300280 2015-07-09] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [170232 2015-07-09] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113400 2015-07-09] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257784 2015-07-09] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106232 2015-07-09] (Panda Security, S.L.)
R3 pppop; C:\Windows\System32\DRIVERS\pppop64.sys [42528 2011-03-21] (Fortinet Inc.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [164088 2015-07-19] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121592 2015-07-19] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197880 2015-07-19] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124152 2015-07-19] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [134392 2015-07-19] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107768 2015-07-19] (Panda Security, S.L.)
U3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [61712 2015-05-22] (Panda Security, S.L.)
S3 tapoas; C:\Windows\System32\DRIVERS\tapoas.sys [30720 2012-07-15] (The OpenVPN Project)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 mdareDriver_43; \??\C:\Users\P35C8~1.PAS\AppData\Local\Temp\FCPreScan\mdare64_43.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-22 09:10 - 2015-10-22 09:12 - 00041609 _____ C:\Users\p.pasoi\Desktop\Addition.txt
2015-10-22 09:09 - 2015-10-22 09:12 - 00025540 _____ C:\Users\p.pasoi\Desktop\FRST.txt
2015-10-22 09:09 - 2015-10-22 09:12 - 00000000 ____D C:\FRST
2015-10-22 09:09 - 2015-10-22 09:00 - 02196480 _____ (Farbar) C:\Users\p.pasoi\Desktop\FRST64.exe
2015-10-22 08:39 - 2015-10-22 08:39 - 00041824 _____ C:\ComboFix.txt
2015-10-22 08:30 - 2015-05-22 10:45 - 00061712 _____ (Panda Security, S.L.) C:\Windows\system32\Drivers\PSKMAD.sys
2015-10-21 16:32 - 2015-10-21 16:32 - 00002902 _____ C:\Windows\System32\Tasks\Uninstaller_SkipUac_p.pasoi
2015-10-21 15:43 - 2015-10-21 15:43 - 00000000 ____D C:\Program Files\Common Files\AV
2015-10-21 15:37 - 2015-10-21 15:37 - 00000000 ____D C:\Users\p.pasoi\Mozilla
2015-10-21 15:23 - 2015-10-21 15:23 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\TestApp
2015-10-21 15:23 - 2015-10-21 15:23 - 00000000 ____D C:\ProgramData\TEMP
2015-10-21 15:23 - 2015-10-21 15:23 - 00000000 ____D C:\ProgramData\PC Tools
2015-10-21 13:19 - 2015-10-21 13:34 - 00000000 ____D C:\Windows\pss
2015-10-21 13:00 - 2015-10-22 08:29 - 00000336 _____ C:\Windows\setupact.log
2015-10-21 13:00 - 2015-10-21 13:00 - 00000000 _____ C:\Windows\setuperr.log
2015-10-21 12:59 - 2015-10-22 08:29 - 00004652 _____ C:\Windows\PFRO.log
2015-10-21 12:58 - 2015-10-21 12:58 - 03210240 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-10-21 11:32 - 2015-10-21 08:44 - 05637184 ____R (Swearware) C:\Users\p.pasoi\Desktop\ComboFix.exe
2015-10-21 11:13 - 2015-10-21 11:13 - 00026756 _____ C:\Users\p.pasoi\Documents\cc_20151021_111344.reg
2015-10-21 09:23 - 2015-10-21 13:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Free Antivirus
2015-10-21 09:23 - 2015-10-21 09:24 - 00000000 ____D C:\ProgramData\Panda Security
2015-10-21 09:23 - 2015-10-21 09:24 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-10-21 09:23 - 2015-10-21 09:23 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Panda Security
2015-10-21 09:00 - 2015-10-22 08:39 - 00000000 ____D C:\Qoobox
2015-10-21 09:00 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2015-10-21 09:00 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2015-10-21 09:00 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-10-21 09:00 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-10-21 09:00 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-10-21 09:00 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2015-10-21 09:00 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2015-10-21 09:00 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2015-10-21 08:59 - 2015-10-21 13:34 - 00000000 ____D C:\Windows\erdnt
2015-10-21 08:35 - 2015-10-21 09:56 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\VirtualStore
2015-10-20 13:52 - 2015-10-21 09:39 - 00000000 ____D C:\ProgramData\AVAST Software
2015-10-16 12:38 - 2015-10-21 13:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-16 09:40 - 2015-10-16 09:40 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pulse Secure
2015-10-16 08:43 - 2015-09-16 06:21 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-10-16 08:43 - 2015-09-16 06:08 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-10-16 08:43 - 2015-09-16 05:32 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-10-16 08:43 - 2015-09-16 05:31 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-10-16 08:43 - 2015-09-16 05:06 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-10-16 08:43 - 2015-08-06 20:04 - 14176768 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-10-16 08:43 - 2015-08-06 20:03 - 01866752 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2015-10-16 08:43 - 2015-08-06 19:44 - 12875776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-10-16 08:43 - 2015-08-06 19:44 - 01498624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2015-10-16 08:42 - 2015-09-18 21:31 - 00391784 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-10-16 08:42 - 2015-09-18 20:58 - 00345688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-10-16 08:42 - 2015-09-16 06:48 - 25851904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-10-16 08:42 - 2015-09-16 06:36 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-10-16 08:42 - 2015-09-16 06:36 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-10-16 08:42 - 2015-09-16 06:22 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-10-16 08:42 - 2015-09-16 06:21 - 02886656 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-10-16 08:42 - 2015-09-16 06:21 - 00585728 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-10-16 08:42 - 2015-09-16 06:21 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-10-16 08:42 - 2015-09-16 06:21 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-10-16 08:42 - 2015-09-16 06:14 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-10-16 08:42 - 2015-09-16 06:13 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-10-16 08:42 - 2015-09-16 06:10 - 00616960 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-10-16 08:42 - 2015-09-16 06:09 - 05990912 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-10-16 08:42 - 2015-09-16 06:08 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-10-16 08:42 - 2015-09-16 06:08 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-10-16 08:42 - 2015-09-16 06:08 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-10-16 08:42 - 2015-09-16 06:01 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-10-16 08:42 - 2015-09-16 05:58 - 20357632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-10-16 08:42 - 2015-09-16 05:58 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-10-16 08:42 - 2015-09-16 05:50 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-10-16 08:42 - 2015-09-16 05:46 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-10-16 08:42 - 2015-09-16 05:45 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-10-16 08:42 - 2015-09-16 05:45 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-10-16 08:42 - 2015-09-16 05:43 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-10-16 08:42 - 2015-09-16 05:41 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-10-16 08:42 - 2015-09-16 05:33 - 00504832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-10-16 08:42 - 2015-09-16 05:33 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-10-16 08:42 - 2015-09-16 05:32 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-10-16 08:42 - 2015-09-16 05:31 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-10-16 08:42 - 2015-09-16 05:29 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-10-16 08:42 - 2015-09-16 05:29 - 00720896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-10-16 08:42 - 2015-09-16 05:28 - 02279936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-10-16 08:42 - 2015-09-16 05:28 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-10-16 08:42 - 2015-09-16 05:26 - 02126336 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-10-16 08:42 - 2015-09-16 05:26 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-10-16 08:42 - 2015-09-16 05:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-10-16 08:42 - 2015-09-16 05:24 - 00480256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-10-16 08:42 - 2015-09-16 05:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-10-16 08:42 - 2015-09-16 05:22 - 14458368 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-10-16 08:42 - 2015-09-16 05:22 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-10-16 08:42 - 2015-09-16 05:22 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-10-16 08:42 - 2015-09-16 05:15 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-10-16 08:42 - 2015-09-16 05:11 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-10-16 08:42 - 2015-09-16 05:10 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-10-16 08:42 - 2015-09-16 05:07 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-10-16 08:42 - 2015-09-16 05:05 - 04527616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-10-16 08:42 - 2015-09-16 05:05 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-10-16 08:42 - 2015-09-16 05:04 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-10-16 08:42 - 2015-09-16 04:59 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-10-16 08:42 - 2015-09-16 04:58 - 12853760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-10-16 08:42 - 2015-09-16 04:58 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-10-16 08:42 - 2015-09-16 04:56 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-10-16 08:42 - 2015-09-16 04:55 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-10-16 08:42 - 2015-09-16 04:55 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-10-16 08:42 - 2015-09-16 04:48 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-10-16 08:42 - 2015-09-16 04:37 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-10-16 08:42 - 2015-09-16 04:34 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-10-16 08:42 - 2015-09-16 04:32 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-10-16 08:41 - 2015-09-25 20:07 - 03168768 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-10-16 08:41 - 2015-09-25 20:07 - 02607104 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-10-16 08:41 - 2015-09-25 20:07 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-10-16 08:41 - 2015-09-25 20:07 - 00192512 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-10-16 08:40 - 2015-10-01 20:06 - 00692672 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-10-16 08:40 - 2015-10-01 20:04 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-10-16 08:40 - 2015-10-01 20:00 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-10-16 08:40 - 2015-10-01 20:00 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-10-16 08:40 - 2015-10-01 20:00 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-10-16 08:40 - 2015-10-01 20:00 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-10-16 08:40 - 2015-10-01 20:00 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-10-16 08:40 - 2015-10-01 19:50 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-10-16 08:40 - 2015-10-01 19:00 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-10-16 08:40 - 2015-09-29 05:16 - 05569472 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-10-16 08:40 - 2015-09-29 05:13 - 01730496 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-10-16 08:40 - 2015-09-29 05:11 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 01216512 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 01164800 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-10-16 08:40 - 2015-09-29 05:10 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-10-16 08:40 - 2015-09-29 05:10 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-10-16 08:40 - 2015-09-29 05:10 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-10-16 08:40 - 2015-09-29 05:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-10-16 08:40 - 2015-09-29 05:09 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-10-16 08:40 - 2015-09-29 05:05 - 03990976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-10-16 08:40 - 2015-09-29 05:05 - 03936192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-10-16 08:40 - 2015-09-29 05:05 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-10-16 08:40 - 2015-09-29 05:05 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-10-16 08:40 - 2015-09-29 05:02 - 01311768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 05:01 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00552960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-10-16 08:40 - 2015-09-29 04:59 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-10-16 08:40 - 2015-09-29 04:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-10-16 08:40 - 2015-09-29 04:58 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2015-10-16 08:40 - 2015-09-29 04:58 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-10-16 08:40 - 2015-09-29 04:58 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-10-16 08:40 - 2015-09-29 04:57 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-10-16 08:40 - 2015-09-29 04:57 - 00665088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-10-16 08:40 - 2015-09-29 04:57 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-10-16 08:40 - 2015-09-29 04:57 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-10-16 08:40 - 2015-09-29 04:53 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-10-16 08:40 - 2015-09-29 04:53 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 04:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 03:50 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-10-16 08:40 - 2015-09-29 03:49 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-10-16 08:40 - 2015-09-29 03:49 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-10-16 08:40 - 2015-09-29 03:43 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-10-16 08:40 - 2015-09-29 03:43 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-10-16 08:40 - 2015-09-29 03:40 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 03:40 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 03:40 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-10-16 08:40 - 2015-09-29 03:40 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-10-16 08:40 - 2015-09-25 20:07 - 00098816 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-10-16 08:40 - 2015-09-25 20:07 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-10-16 08:40 - 2015-09-25 20:07 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-10-16 08:40 - 2015-09-25 20:06 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-10-16 08:40 - 2015-09-25 20:06 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-10-16 08:40 - 2015-09-25 20:06 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-10-16 08:40 - 2015-09-25 20:06 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-10-16 08:40 - 2015-09-25 19:59 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-10-16 08:40 - 2015-09-25 19:59 - 00174080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-10-16 08:40 - 2015-09-25 19:59 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-10-16 08:40 - 2015-09-25 19:59 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-10-16 08:40 - 2015-09-25 19:58 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-10-16 08:40 - 2015-09-18 21:22 - 00025432 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-10-16 08:40 - 2015-09-18 21:19 - 01291264 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-10-16 08:40 - 2015-09-18 21:19 - 00766464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-10-16 08:40 - 2015-09-18 21:19 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-10-16 08:40 - 2015-09-18 21:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-10-16 08:40 - 2015-09-18 21:19 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-10-16 08:40 - 2015-09-18 21:09 - 01163776 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-10-16 08:40 - 2015-09-15 20:17 - 00157016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-10-16 08:40 - 2015-09-15 20:17 - 00097112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-10-16 08:40 - 2015-09-15 20:11 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-10-16 08:40 - 2015-09-15 20:11 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-10-16 08:40 - 2015-09-15 20:11 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-10-16 08:40 - 2015-09-15 20:11 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-10-16 08:40 - 2015-09-15 20:11 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-10-16 08:40 - 2015-09-15 20:11 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-10-16 08:40 - 2015-09-15 20:10 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-10-16 08:40 - 2015-09-15 19:36 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-10-16 08:40 - 2015-09-15 19:36 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-10-16 08:40 - 2015-09-15 19:36 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-10-16 08:40 - 2015-09-15 19:35 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-10-07 17:36 - 2015-10-07 17:36 - 00000000 ____D C:\Users\Administrator.KC036\AppData\Roaming\IObit
2015-10-07 17:36 - 2015-10-07 17:36 - 00000000 ____D C:\Users\Administrator.KC036\AppData\Roaming\ICAClient
2015-10-07 17:36 - 2015-10-07 17:36 - 00000000 ____D C:\Users\Administrator.KC036\AppData\Local\Citrix
2015-10-07 17:34 - 2015-10-07 17:34 - 00071264 _____ C:\Windows\SysWOW64\GDIPFONTCACHEV1.DAT
2015-10-07 17:34 - 2015-10-07 17:34 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Roaming\ProductData
2015-10-07 17:34 - 2015-10-07 17:34 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Roaming\ICAClient
2015-10-07 17:34 - 2015-10-07 17:34 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Local\Citrix
2015-10-07 17:33 - 2015-10-07 17:34 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Roaming\IObit
2015-10-05 14:52 - 2015-10-05 14:52 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2015-10-05 14:52 - 2015-10-05 14:52 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00984448 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00901264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00066400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00063840 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00022368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00020832 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00019808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00016224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00015712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00013664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2015-10-05 14:50 - 2015-10-05 14:50 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2015-10-02 08:58 - 2015-10-22 09:08 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Messenger
2015-10-02 08:58 - 2015-10-22 08:46 - 00001152 _____ C:\Users\p.pasoi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Messenger.lnk
2015-10-02 08:57 - 2015-10-02 08:57 - 00001225 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Messenger for Desktop.lnk
2015-10-02 08:57 - 2015-10-02 08:57 - 00001115 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Messenger.lnk
2015-10-02 08:57 - 2015-10-02 08:57 - 00001103 _____ C:\Users\UpdatusUser.KC036\Desktop\Messenger.lnk
2015-10-02 08:57 - 2015-10-02 08:57 - 00001103 _____ C:\Users\p.pasoi\Desktop\Messenger.lnk
2015-10-02 08:57 - 2015-10-02 08:57 - 00001103 _____ C:\Users\Administrator.KC036\Desktop\Messenger.lnk
2015-10-01 10:37 - 2015-10-02 08:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2015-09-29 09:34 - 2015-09-29 09:34 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Fishbowl
2015-09-29 09:33 - 2015-09-29 09:35 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Deployment
2015-09-29 09:33 - 2015-09-29 09:33 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Apps\2.0
2015-09-22 12:03 - 2015-09-22 12:03 - 00000000 ____D C:\Users\p.pasoi\Documents\Fax
2015-09-22 11:52 - 2012-06-01 17:54 - 00947616 _____ (Hewlett-Packard) C:\Windows\system32\hpptsplj425_x64.dll
2015-09-22 11:52 - 2012-06-01 17:53 - 00776608 _____ (Hewlett-Packard) C:\Windows\SysWOW64\hpptsplj425.dll
2015-09-22 11:52 - 2012-06-01 16:34 - 00522128 _____ (Hewlett-Packard) C:\Windows\system32\hpwia2_lj425.dll
2015-09-22 11:52 - 2011-09-29 21:59 - 00638008 _____ (Hewlett-Packard) C:\Windows\system32\hpzjcd01.dll
2015-09-22 11:52 - 2010-10-21 23:15 - 00217656 _____ (Hewlett Packard) C:\Windows\system32\hppscancoins64.dll
2015-09-22 09:42 - 2015-09-30 09:15 - 00008225 _____ C:\Users\p.pasoi\Documents\Avion.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-22 09:08 - 2014-05-30 14:09 - 00000000 ____D C:\Users\p.pasoi\Documents\File di Outlook
2015-10-22 09:08 - 2014-05-16 12:44 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\TSVNCache
2015-10-22 09:07 - 2009-07-14 06:45 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-22 09:07 - 2009-07-14 06:45 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-22 08:49 - 2013-06-28 17:12 - 00000000 ____D C:\Program Files (x86)\PLSQL Developer
2015-10-22 08:48 - 2013-07-05 13:45 - 00000978 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-22 08:38 - 2013-06-13 16:52 - 01249739 _____ C:\Windows\WindowsUpdate.log
2015-10-22 08:38 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2015-10-22 08:30 - 2015-06-12 12:35 - 00000638 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-959981040-3535681839-140195473-1128.job
2015-10-22 08:30 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-22 08:29 - 2014-05-21 13:18 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-10-21 17:20 - 2014-04-10 11:46 - 00000542 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-913831658-1639430116-1836264244-2106.job
2015-10-21 16:20 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2015-10-21 15:37 - 2014-05-16 12:44 - 00000000 ____D C:\Users\p.pasoi
2015-10-21 15:28 - 2014-05-21 13:18 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-10-21 13:34 - 2015-05-21 09:57 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\ProductData
2015-10-21 13:34 - 2015-05-21 09:56 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\IObit
2015-10-21 13:34 - 2015-05-21 09:56 - 00000000 ____D C:\ProgramData\ProductData
2015-10-21 13:34 - 2015-05-21 09:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8
2015-10-21 13:34 - 2015-04-10 18:03 - 00000000 ___SD C:\Windows\system32\GWX
2015-10-21 13:34 - 2015-04-01 15:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-21 13:34 - 2015-04-01 15:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-21 13:34 - 2015-02-27 17:35 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\vlc
2015-10-21 13:34 - 2015-02-27 17:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-10-21 13:34 - 2014-12-16 11:48 - 00000000 ____D C:\PNotes
2015-10-21 13:34 - 2014-12-11 09:22 - 00000000 ____D C:\Windows\system32\appraiser
2015-10-21 13:34 - 2014-05-19 08:28 - 00000000 ____D C:\Users\UpdatusUser.KC036
2015-10-21 13:34 - 2014-05-06 16:33 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-10-21 13:34 - 2013-07-04 14:54 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-10-21 13:34 - 2010-11-21 17:41 - 00000000 ___RD C:\Users\Public\Recorded TV
2015-10-21 13:34 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\security
2015-10-21 13:34 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\registration
2015-10-21 13:34 - 2009-07-14 05:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-10-21 13:01 - 2014-05-16 12:44 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2015-10-21 13:00 - 2009-07-14 06:45 - 00377304 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-21 12:58 - 2015-05-21 09:56 - 00002181 _____ C:\Users\Public\Desktop\Advanced SystemCare 8.lnk
2015-10-21 12:26 - 2014-05-16 13:14 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Notepad++
2015-10-21 11:46 - 2015-04-01 15:35 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-21 11:45 - 2015-04-01 15:35 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-21 11:25 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\TAPI
2015-10-21 09:38 - 2013-07-04 14:54 - 00002243 _____ C:\Windows\epplauncher.mif
2015-10-21 09:26 - 2010-11-21 17:30 - 00757828 _____ C:\Windows\system32\perfh010.dat
2015-10-21 09:26 - 2010-11-21 17:30 - 00153188 _____ C:\Windows\system32\perfc010.dat
2015-10-21 09:26 - 2009-07-14 07:13 - 01696330 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-21 09:23 - 2014-05-16 12:44 - 00071736 _____ C:\Users\p.pasoi\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-21 09:19 - 2014-09-02 09:41 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Adobe
2015-10-21 09:19 - 2013-07-05 13:45 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-10-21 09:19 - 2013-07-05 13:45 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-21 09:19 - 2013-07-05 13:45 - 00003916 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-10-21 09:14 - 2009-07-14 05:20 - 00000000 __RHD C:\Users\Default
2015-10-20 14:23 - 2014-05-16 12:56 - 00000839 _____ C:\Users\p.pasoi\Documents\De vazut.txt
2015-10-20 13:55 - 2015-02-27 10:13 - 00000000 ____D C:\Users\p.pasoi\Documents\OneDrive
2015-10-16 19:33 - 2013-09-02 18:02 - 00000000 ____D C:\Windows\system32\MRT
2015-10-16 19:30 - 2013-06-13 18:02 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-16 14:26 - 2014-05-15 09:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-16 08:40 - 2015-01-13 11:07 - 00020784 _____ (Nicomsoft Ltd.) C:\Windows\system32\Drivers\mi2c.sys
2015-10-15 08:59 - 2013-06-14 09:23 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-10-15 08:57 - 2014-12-29 09:47 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-13 18:01 - 2015-04-10 18:03 - 00000000 ___SD C:\Windows\SysWOW64\GWX
2015-10-07 17:37 - 2014-05-14 17:43 - 00000000 ____D C:\Users\Administrator.KC036\AppData\Local\TSVNCache
2015-10-07 17:36 - 2014-05-14 17:43 - 00071264 _____ C:\Users\Administrator.KC036\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-07 17:36 - 2014-05-14 17:43 - 00000000 ____D C:\Users\Administrator.KC036\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2015-10-07 17:36 - 2009-07-14 06:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-10-07 17:35 - 2014-05-16 12:35 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Local\TSVNCache
2015-10-07 17:34 - 2014-05-16 12:35 - 00071264 _____ C:\Users\administrator.KLINE\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-07 17:34 - 2014-05-16 12:35 - 00000000 ____D C:\Users\administrator.KLINE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink DVD Suite
2015-10-07 08:44 - 2015-07-10 09:39 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Jitsi
2015-10-07 08:44 - 2015-07-10 09:38 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Jitsi
2015-10-06 14:08 - 2009-07-14 07:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-10-06 09:40 - 2014-05-16 12:57 - 00000000 ____D C:\Users\p.pasoi\Documents\Doc pers
2015-10-05 09:50 - 2015-04-01 15:35 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2015-04-01 15:35 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2013-09-02 08:39 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-09-28 11:43 - 2014-05-16 13:57 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\.purple
2015-09-25 08:53 - 2015-02-27 10:11 - 00002170 _____ C:\Users\p.pasoi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2015-09-25 08:30 - 2013-07-24 10:47 - 00000000 ____D C:\Program Files\Microsoft Office 15
2015-09-23 09:04 - 2014-05-16 12:59 - 00000000 ____D C:\Users\p.pasoi\AppData\Local\Citrix
2015-09-22 11:54 - 2013-07-12 17:24 - 00000104 _____ C:\Windows\SysWOW64\msiexec.log
2015-09-22 11:53 - 2014-05-16 13:08 - 00000000 ____D C:\Users\p.pasoi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HP
2015-09-22 11:53 - 2013-07-12 17:23 - 00000141 _____ C:\Windows\system32\AddPort.ini

Some files in TEMP:
====================
C:\Users\p.pasoi\AppData\Local\Temp\WaitProgress.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-21 16:12

==================== End of FRST.txt ============================


ComboFix 15-10-21.01 - p.pasoi 22/10/2015   8:32.6.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.39.1040.18.8150.6321 [GMT 2:00]
Eseguito da: c:\users\p.pasoi\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AV: Panda Free Antivirus *Disabled/Updated* {AAF74A68-8713-CDF1-004F-30003398BE9E}
FW: Panda Firewall *Disabled* {92CCCB4D-CD7C-CCA9-2B10-9935CD4BF9E5}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Panda Free Antivirus *Disabled/Updated* {1196AB8C-A129-C27F-3AFF-0B72481FF423}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Creati Da 2015-09-22 al 2015-10-22  )))))))))))))))))))))))))))))))))))
.
.
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\User\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\UpdatusUser.KC036\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\P35C8~1~PAS\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\p.pasoi_old\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\p.pasoi_new\AppData\Local\temp
2015-10-22 06:37 . 2015-10-22 06:37    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-10-21 07:36 . 2015-10-21 07:36    --------    d-s---w-    c:\windows\SysWow64\Microsoft
2015-10-21 07:23 . 2015-10-21 07:23    --------    d-----w-    c:\users\p.pasoi\AppData\Roaming\Panda Security
2015-10-21 07:23 . 2015-10-21 07:24    --------    d-----w-    c:\program files (x86)\Panda Security
2015-10-21 07:23 . 2015-10-21 07:24    --------    d-----w-    c:\programdata\Panda Security
2015-10-21 06:35 . 2015-10-21 07:56    --------    d-----w-    c:\users\p.pasoi\AppData\Local\VirtualStore
2015-10-20 11:52 . 2015-10-21 07:39    --------    d-----w-    c:\programdata\AVAST Software
2015-10-19 06:44 . 2015-08-31 22:45    11062400    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{949E4E4D-E8BE-4268-94D9-A1296F5BC9C9}\mpengine.dll
2015-10-16 06:41 . 2015-09-25 18:07    3168768    ----a-w-    c:\windows\system32\wucltux.dll
2015-10-16 06:41 . 2015-09-25 18:07    2607104    ----a-w-    c:\windows\system32\wuaueng.dll
2015-10-16 06:41 . 2015-09-25 18:07    192512    ----a-w-    c:\windows\system32\wuwebv.dll
2015-10-16 06:41 . 2015-09-25 18:07    696320    ----a-w-    c:\windows\system32\wuapi.dll
2015-10-15 06:41 . 2015-08-31 22:45    11062400    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-10-14 06:38 . 2015-07-01 06:43    1190000    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A7AE6FA0-CB73-428D-83B2-9089B37E7854}\gapaengine.dll
2015-10-07 15:36 . 2015-10-07 15:36    --------    d-----w-    c:\users\Administrator.KC036\AppData\Roaming\ICAClient
2015-10-07 15:36 . 2015-10-07 15:36    --------    d-----w-    c:\users\Administrator.KC036\AppData\Local\Citrix
2015-10-07 15:36 . 2015-10-07 15:36    --------    d-----w-    c:\users\Administrator.KC036\AppData\Roaming\IObit
2015-10-07 15:34 . 2015-10-07 15:34    --------    d-----w-    c:\users\administrator.KLINE\AppData\Roaming\ProductData
2015-10-07 15:34 . 2015-10-07 15:34    --------    d-----w-    c:\users\administrator.KLINE\AppData\Roaming\ICAClient
2015-10-07 15:34 . 2015-10-07 15:34    --------    d-----w-    c:\users\administrator.KLINE\AppData\Local\Citrix
2015-10-07 15:33 . 2015-10-07 15:34    --------    d-----w-    c:\users\administrator.KLINE\AppData\Roaming\IObit
2015-10-05 12:52 . 2015-10-05 12:52    39936    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2015-10-05 12:52 . 2015-10-05 12:52    22528    ----a-w-    c:\windows\system32\icaapi.dll
2015-10-02 06:58 . 2015-10-21 12:25    --------    d-----w-    c:\users\p.pasoi\AppData\Local\Messenger
2015-10-02 06:57 . 2015-10-02 06:57    --------    d-----w-    c:\program files (x86)\Messenger for Desktop
2015-10-01 08:37 . 2015-10-02 06:41    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2015-09-29 07:34 . 2015-09-29 07:34    --------    d-----w-    c:\users\p.pasoi\AppData\Local\Fishbowl
2015-09-29 07:33 . 2015-09-29 07:33    --------    d-----w-    c:\users\p.pasoi\AppData\Local\Apps
2015-09-29 07:33 . 2015-09-29 07:35    --------    d-----w-    c:\users\p.pasoi\AppData\Local\Deployment
2015-09-22 09:52 . 2012-06-01 15:54    947616    ----a-w-    c:\windows\system32\hpptsplj425_x64.dll
2015-09-22 09:52 . 2012-06-01 15:53    776608    ----a-w-    c:\windows\SysWow64\hpptsplj425.dll
2015-09-22 09:52 . 2012-06-01 14:34    522128    ----a-w-    c:\windows\system32\hpwia2_lj425.dll
2015-09-22 09:52 . 2011-09-29 19:59    638008    ----a-w-    c:\windows\system32\hpzjcd01.dll
2015-09-22 09:52 . 2010-10-21 21:15    217656    ----a-w-    c:\windows\system32\hppscancoins64.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-21 09:46 . 2015-04-01 13:35    192216    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-10-21 07:19 . 2013-07-05 11:45    780488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-10-21 07:19 . 2013-07-05 11:45    142536    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-16 17:30 . 2013-06-13 16:02    143481208    ----a-w-    c:\windows\system32\MRT.exe
2015-10-16 06:40 . 2015-01-13 09:07    20784    ----a-w-    c:\windows\system32\drivers\mi2c.sys
2015-10-05 07:50 . 2015-04-01 13:35    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-10-05 07:50 . 2015-04-01 13:35    109272    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-10-05 07:50 . 2013-09-02 06:39    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-09-29 02:58 . 2015-10-16 06:40    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2015-09-11 23:47 . 2013-07-24 08:54    632432    ----a-w-    c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2015-09-03 12:20 . 2015-09-03 12:20    82944    ----a-w-    c:\windows\system32\dwmapi.dll
2015-09-03 12:20 . 2015-09-03 12:20    67584    ----a-w-    c:\windows\SysWow64\dwmapi.dll
2015-09-03 12:20 . 2015-09-03 12:20    1632256    ----a-w-    c:\windows\system32\dwmcore.dll
2015-09-03 12:20 . 2015-09-03 12:20    1372160    ----a-w-    c:\windows\SysWow64\dwmcore.dll
2015-09-03 12:20 . 2015-09-03 12:20    70656    ----a-w-    c:\windows\system32\appinfo.dll
2015-09-03 12:20 . 2015-09-03 12:20    1941504    ----a-w-    c:\windows\system32\authui.dll
2015-09-03 12:20 . 2015-09-03 12:20    1805824    ----a-w-    c:\windows\SysWow64\authui.dll
2015-09-03 12:20 . 2015-09-03 12:20    115136    ----a-w-    c:\windows\system32\consent.exe
2015-09-03 12:19 . 2015-09-03 12:19    41984    ----a-w-    c:\windows\system32\UtcResources.dll
2015-09-03 12:19 . 2015-09-03 12:19    1390592    ----a-w-    c:\windows\system32\diagtrack.dll
2015-09-03 12:19 . 2015-09-03 12:19    879104    ----a-w-    c:\windows\system32\tdh.dll
2015-09-03 12:19 . 2015-09-03 12:19    879104    ----a-w-    c:\windows\system32\advapi32.dll
2015-09-03 12:19 . 2015-09-03 12:19    641536    ----a-w-    c:\windows\SysWow64\advapi32.dll
2015-09-03 12:19 . 2015-09-03 12:19    635392    ----a-w-    c:\windows\SysWow64\tdh.dll
2015-09-03 12:17 . 2015-09-03 12:17    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2015-09-03 12:17 . 2015-09-03 12:17    2048    ----a-w-    c:\windows\system32\tzres.dll
2015-09-02 03:04 . 2015-09-10 06:42    41984    ----a-w-    c:\windows\system32\lpk.dll
2015-09-02 03:04 . 2015-09-10 06:42    100864    ----a-w-    c:\windows\system32\fontsub.dll
2015-09-02 03:04 . 2015-09-10 06:42    14336    ----a-w-    c:\windows\system32\dciman32.dll
2015-09-02 03:04 . 2015-09-10 06:42    46080    ----a-w-    c:\windows\system32\atmlib.dll
2015-09-02 02:48 . 2015-09-10 06:42    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2015-09-02 02:48 . 2015-09-10 06:42    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2015-09-02 02:48 . 2015-09-10 06:42    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2015-09-02 02:47 . 2015-09-10 06:42    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2015-09-02 01:47 . 2015-09-10 06:42    372736    ----a-w-    c:\windows\system32\atmfd.dll
2015-09-02 01:33 . 2015-09-10 06:42    299520    ----a-w-    c:\windows\SysWow64\atmfd.dll
2015-08-27 18:18 . 2015-09-10 06:43    2004480    ----a-w-    c:\windows\system32\msxml6.dll
2015-08-27 18:18 . 2015-09-10 06:43    1887232    ----a-w-    c:\windows\system32\msxml3.dll
2015-08-27 18:13 . 2015-09-10 06:43    2048    ----a-w-    c:\windows\system32\msxml6r.dll
2015-08-27 18:13 . 2015-09-10 06:43    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2015-08-27 17:58 . 2015-09-10 06:43    1391104    ----a-w-    c:\windows\SysWow64\msxml6.dll
2015-08-27 17:58 . 2015-09-10 06:43    1241088    ----a-w-    c:\windows\SysWow64\msxml3.dll
2015-08-27 17:51 . 2015-09-10 06:43    2048    ----a-w-    c:\windows\SysWow64\msxml6r.dll
2015-08-27 17:51 . 2015-09-10 06:43    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2015-08-18 14:54 . 2015-08-18 14:54    2565120    ----a-w-    c:\windows\system32\d3d10warp.dll
2015-08-18 14:54 . 2015-08-18 14:54    1987584    ----a-w-    c:\windows\SysWow64\d3d10warp.dll
2015-08-18 14:54 . 2015-08-18 14:54    1648128    ----a-w-    c:\windows\system32\DWrite.dll
2015-08-18 14:54 . 2015-08-18 14:54    1251328    ----a-w-    c:\windows\SysWow64\DWrite.dll
2015-08-18 14:54 . 2015-08-18 14:54    1180160    ----a-w-    c:\windows\system32\FntCache.dll
2015-08-18 14:54 . 2015-08-18 14:54    82432    ----a-w-    c:\windows\SysWow64\davclnt.dll
2015-08-18 14:54 . 2015-08-18 14:54    206848    ----a-w-    c:\windows\SysWow64\WebClnt.dll
2015-08-18 14:54 . 2015-08-18 14:54    260096    ----a-w-    c:\windows\system32\WebClnt.dll
2015-08-18 14:54 . 2015-08-18 14:54    102912    ----a-w-    c:\windows\system32\davclnt.dll
2015-08-18 14:52 . 2015-08-18 14:52    94656    ----a-w-    c:\windows\system32\drivers\mountmgr.sys
2015-08-18 14:52 . 2015-08-18 14:52    11264    ----a-w-    c:\windows\system32\msmmsp.dll
2015-08-18 14:52 . 2015-08-18 14:52    1743360    ----a-w-    c:\windows\system32\sysmain.dll
2015-08-18 14:50 . 2015-08-18 14:50    52736    ----a-w-    c:\windows\system32\basesrv.dll
2015-08-18 14:49 . 2015-08-18 14:49    193536    ----a-w-    c:\windows\system32\notepad.exe
2015-08-18 14:49 . 2015-08-18 14:49    193536    ----a-w-    c:\windows\notepad.exe
2015-08-18 14:49 . 2015-08-18 14:49    179712    ----a-w-    c:\windows\SysWow64\notepad.exe
2015-08-18 14:49 . 2015-08-18 14:49    124624    ----a-w-    c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-08-18 14:49 . 2015-08-18 14:49    103120    ----a-w-    c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-08-18 14:48 . 2015-08-18 14:48    5779456    ----a-w-    c:\windows\system32\mstscax.dll
2015-08-18 14:48 . 2015-08-18 14:48    4922368    ----a-w-    c:\windows\SysWow64\mstscax.dll
2015-08-18 14:48 . 2015-08-18 14:48    44032    ----a-w-    c:\windows\system32\tsgqec.dll
2015-08-18 14:48 . 2015-08-18 14:48    37376    ----a-w-    c:\windows\SysWow64\tsgqec.dll
2015-08-18 14:48 . 2015-08-18 14:48    322560    ----a-w-    c:\windows\system32\aaclient.dll
2015-08-18 14:48 . 2015-08-18 14:48    269824    ----a-w-    c:\windows\SysWow64\aaclient.dll
2015-08-05 17:56 . 2015-09-10 06:45    1110016    ----a-w-    c:\windows\system32\schedsvc.dll
2015-08-05 17:56 . 2015-09-10 06:45    24576    ----a-w-    c:\windows\system32\jnwmon.dll
2015-08-05 17:56 . 2015-09-10 06:45    275456    ----a-w-    c:\windows\system32\InkEd.dll
2015-08-05 17:40 . 2015-09-10 06:45    216064    ----a-w-    c:\windows\SysWow64\InkEd.dll
.
.
(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive1]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2015-09-25 06:53    1587272    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive2]
@="{5AB7172C-9C11-405C-8DD5-AF20F3606282}"
[HKEY_CLASSES_ROOT\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
2015-09-25 06:53    1587272    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive3]
@="{A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
[HKEY_CLASSES_ROOT\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
2015-09-25 06:53    1587272    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive4]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2015-09-25 06:53    1587272    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive5]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2015-09-25 06:53    1587272    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\FileSyncShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-08-09 5263504]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-20 291648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys;c:\windows\SYSNATIVE\drivers\fortips.sys [x]
R3 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr2.sys;c:\windows\SYSNATIVE\drivers\FortiRdr2.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\DRIVERS\jnprva.sys;c:\windows\SYSNATIVE\DRIVERS\jnprva.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 mdareDriver_43;mdareDriver_43;c:\users\P35C8~1.PAS\AppData\Local\Temp\FCPreScan\mdare64_43.sys;c:\users\P35C8~1.PAS\AppData\Local\Temp\FCPreScan\mdare64_43.sys [x]
R3 NisSrv;NisSrv; [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys;c:\windows\SYSNATIVE\DRIVERS\tapoas.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Servizio Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AdvancedSystemCareService8;Advanced SystemCare Service 8;c:\program files (x86)\IObit\Advanced SystemCare 8\ASCService.exe;c:\program files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [x]
R4 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [x]
R4 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]
R4 LiveUpdateSvc;LiveUpdate;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe [x]
R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S0 iusb3hcs;Driver dello switch Controller Host Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 FortiFilter;Fortinet NDIS6 Packet Filter Service;c:\windows\system32\DRIVERS\FortiFilter.sys;c:\windows\SYSNATIVE\DRIVERS\FortiFilter.sys [x]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\SysWOW64\drivers\HWiNFO64A.SYS;c:\windows\SysWOW64\drivers\HWiNFO64A.SYS [x]
S1 NNSALPC;NNSALPC;c:\windows\system32\DRIVERS\NNSAlpc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSAlpc.sys [x]
S1 NNSHTTP;NNSHTTP;c:\windows\system32\DRIVERS\NNSHttp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttp.sys [x]
S1 NNSHTTPS;NNSHTTPS;c:\windows\system32\DRIVERS\NNSHttps.sys;c:\windows\SYSNATIVE\DRIVERS\NNSHttps.sys [x]
S1 NNSIDS;NNSIDS;c:\windows\system32\DRIVERS\NNSIds.sys;c:\windows\SYSNATIVE\DRIVERS\NNSIds.sys [x]
S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;c:\windows\system32\DRIVERS\NNSNAHSL.sys;c:\windows\SYSNATIVE\DRIVERS\NNSNAHSL.sys [x]
S1 NNSPICC;NNSPICC;c:\windows\system32\DRIVERS\NNSPicc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPicc.sys [x]
S1 NNSPIHSW;NNSPIHSW;c:\windows\system32\DRIVERS\NNSPihsw.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPihsw.sys [x]
S1 NNSPOP3;NNSPOP3;c:\windows\system32\DRIVERS\NNSPop3.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPop3.sys [x]
S1 NNSPROT;NNSPROT;c:\windows\system32\DRIVERS\NNSProt.sys;c:\windows\SYSNATIVE\DRIVERS\NNSProt.sys [x]
S1 NNSPRV;NNSPRV;c:\windows\system32\DRIVERS\NNSPrv.sys;c:\windows\SYSNATIVE\DRIVERS\NNSPrv.sys [x]
S1 NNSSMTP;NNSSMTP;c:\windows\system32\DRIVERS\NNSSmtp.sys;c:\windows\SYSNATIVE\DRIVERS\NNSSmtp.sys [x]
S1 NNSSTRM;NNSSTRM;c:\windows\system32\DRIVERS\NNSStrm.sys;c:\windows\SYSNATIVE\DRIVERS\NNSStrm.sys [x]
S1 NNSTLSC;NNSTLSC;c:\windows\system32\DRIVERS\NNSTlsc.sys;c:\windows\SYSNATIVE\DRIVERS\NNSTlsc.sys [x]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys;c:\windows\SYSNATIVE\DRIVERS\psinknc.sys [x]
S2 ClickToRunSvc;Servizio A portata di clic di Microsoft Office;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe;c:\program files (x86)\Common Files\Juniper Networks\JUNS\dsAccessService.exe [x]
S2 mi2c;mi2c;c:\windows\system32\drivers\mi2c.sys;c:\windows\SYSNATIVE\drivers\mi2c.sys [x]
S2 NanoServiceMain;Panda Protection Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 PandaAgent;Panda Devices Agent;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe;c:\program files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [x]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINAflt.sys [x]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys;c:\windows\SYSNATIVE\DRIVERS\PSINFile.sys [x]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProc.sys [x]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys;c:\windows\SYSNATIVE\DRIVERS\PSINProt.sys [x]
S2 PSINReg;PSINReg;c:\windows\system32\DRIVERS\PSINReg.sys;c:\windows\SYSNATIVE\DRIVERS\PSINReg.sys [x]
S2 PSUAService;Panda Product Service;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe;c:\program files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]
S3 fortiapd;fortiapd;c:\windows\system32\drivers\fortiapd.sys;c:\windows\SYSNATIVE\drivers\fortiapd.sys [x]
S3 FortiStat2;FortiStat2;c:\windows\system32\drivers\Fortistat2.sys;c:\windows\SYSNATIVE\drivers\Fortistat2.sys [x]
S3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\DRIVERS\ftvnic.sys;c:\windows\SYSNATIVE\DRIVERS\ftvnic.sys [x]
S3 iusb3hub;Driver hub Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Driver Controller Host estendibile Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 jnprna;Juniper Network Agent Miniport;c:\windows\system32\DRIVERS\jnprna6.sys;c:\windows\SYSNATIVE\DRIVERS\jnprna6.sys [x]
S3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\DRIVERS\jnprvamgr.sys;c:\windows\SYSNATIVE\DRIVERS\jnprvamgr.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\Drivers\nx6000.sys;c:\windows\SYSNATIVE\Drivers\nx6000.sys [x]
S3 pppop;PPPoP WAN Adapter;c:\windows\system32\DRIVERS\pppop64.sys;c:\windows\SYSNATIVE\DRIVERS\pppop64.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
.
.
--- Altri Servizi/Drivers In Memoria ---
.
*Deregistered* - PSKMAD
.
Contenuto della cartella 'Scheduled Tasks'
.
2015-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-05 07:19]
.
2015-10-21 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-913831658-1639430116-1836264244-2106.job
- c:\program files (x86)\Citrix\GoToMeeting\1350\g2mupdate.exe [2014-04-10 09:46]
.
2015-09-21 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-959981040-3535681839-140195473-1128.job
- c:\program files (x86)\Citrix\GoToMeeting\3499\g2mupdate.exe [2015-09-21 10:34]
.
2015-10-22 c:\windows\Tasks\G2MUploadTask-S-1-5-21-959981040-3535681839-140195473-1128.job
- c:\program files (x86)\Citrix\GoToMeeting\3499\g2mupload.exe [2015-09-21 10:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}]
2015-09-03 12:11    2471744    ----a-w-    c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive1]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2015-09-25 06:53    1638992    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive2]
@="{5AB7172C-9C11-405C-8DD5-AF20F3606282}"
[HKEY_CLASSES_ROOT\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
2015-09-25 06:53    1638992    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive3]
@="{A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
[HKEY_CLASSES_ROOT\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
2015-09-25 06:53    1638992    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive4]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2015-09-25 06:53    1638992    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive5]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2015-09-25 06:53    1638992    ----a-w-    c:\users\p.pasoi\AppData\Local\Microsoft\OneDrive\17.3.5951.0827\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-09-11 08:26    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-09-11 08:26    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-09-11 08:26    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 09:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
------- Scansione supplementare -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.it/
mDefault_Search_URL = www.google.com
mDefault_Page_URL = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.100.11 192.168.100.12
TCP: Interfaces\{21211C14-FB54-4880-9BCD-D303A34A989F}: NameServer = 10.108.10.91
FF - ProfilePath - c:\users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.switch.threshold - 750000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.19"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Ora fine scansione: 2015-10-22  08:39:52
ComboFix-quarantined-files.txt  2015-10-22 06:39
ComboFix2.txt  2015-10-21 11:49
ComboFix3.txt  2015-10-21 11:17
ComboFix4.txt  2015-10-21 09:42
ComboFix5.txt  2015-10-22 06:31
.
Pre-Run: 923.433.193.472 byte disponibili
Post-Run: 923.062.259.712 byte disponibili
.
- - End Of File - - 473BBAF351A90DE00CAB9E39F8D00F4B
A36C5E4F47E84449FF07ED3517B43A31

 

 




#2 Zak McKracken
  • Topic Starter
  • Members
  • 54 posts

Posted 22 October 2015 - 04:51 AM

Sorry for my multiple topics with the same subject: every time I made a post, I had an error: "Website is offline", and retried to post again.

You can keep this one and delete the others.

Sorry and thank you for your patience.

Mod Edit: All dupes deleted - Hamluis.


Edited by hamluis, 22 October 2015 - 05:15 AM.


#3 nasdaq
  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 October 2015 - 10:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL =
Toolbar: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF user.js: detected! => C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\user.js [2015-10-22]
S2 MsMpSvc; no ImagePath
S3 NisSrv; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 mdareDriver_43; \??\C:\Users\P35C8~1.PAS\AppData\Local\Temp\FCPreScan\mdare64_43.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

Let me know if the problem persists.
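As an added example (not nasdaq's instructions and not part of the Farbar tool), here is a small Python checker for the Fixlog.txt that FRST writes after the Fix step: it separates the echoed fixlist from the result lines, classifies each `target => outcome` line, and reports which services named in the fixlist were not actually removed, so a "service could not remove" line does not get lost in the log. The sample log is constructed to mirror the Fixlog format; the service and key names in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the Fixlog.txt format shown in this thread
# (shortened; service and key names are placeholders, not values from the page).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by user (2015-10-26 08:39:50) Run:1
==============================================

fixlist content:
*****************
start
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
S2 ExampleSvc; no ImagePath
S3 exampledrv; \??\C:\Windows\exampledrv.sys [X]
End
*****************

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00example" => key removed successfully
HKCR\CLSID\{00000000-0000-0000-0000-000000000000} => key not found.
ExampleSvc => service could not remove
exampledrv => service removed successfully
EmptyTemp: => 221.3 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 08:40:30 ====
"""

SEPARATOR = "*" * 17
# "target => outcome", with FRST's optional quotes around registry keys and trailing period.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<outcome>.+?)\.?$')
# Service directives in a fixlist look like "S2 Name; ImagePath" or "R3 Name; ...".
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;\s]+);")


def split_sections(text):
    """Split a Fixlog into (fixlist_lines, result_lines) using the two '*****'
    separators FRST prints around the echoed fixlist."""
    lines = text.splitlines()
    seps = [i for i, line in enumerate(lines) if line.strip() == SEPARATOR]
    if len(seps) < 2:
        raise ValueError("not a Fixlog: fixlist separators missing")
    return lines[seps[0] + 1:seps[1]], lines[seps[1] + 1:]


def classify(outcome):
    """Map an outcome phrase to ok / not_found / failed / other."""
    o = outcome.lower()
    if "could not" in o or "fail" in o:
        return "failed"
    if "not found" in o:
        return "not_found"
    if "successfully" in o or "removed" in o:
        return "ok"
    return "other"


def parse_results(text):
    """Return [(target, outcome, class)] for every result line after the fixlist echo.
    The echo itself is skipped because fixlist lines can also contain '=>'."""
    _, result_lines = split_sections(text)
    results = []
    for line in result_lines:
        m = RESULT_RE.match(line.strip())
        if m:
            target, outcome = m.group("target"), m.group("outcome")
            results.append((target, outcome, classify(outcome)))
    return results


def summarize(text):
    """Counts per class, the targets that failed, and whether FRST asked for a reboot."""
    results = parse_results(text)
    counts = Counter(cls for _, _, cls in results)
    failed = [t for t, _, cls in results if cls == "failed"]
    return {"counts": dict(counts), "failed": failed,
            "needs_reboot": "needed a reboot" in text}


def unresolved_services(text):
    """Services named in the fixlist whose result line is missing or not 'ok'."""
    fixlist_lines, _ = split_sections(text)
    matches = (SERVICE_RE.match(line.strip()) for line in fixlist_lines)
    wanted = [m.group("name") for m in matches if m]
    outcome_by_target = {t: cls for t, _, cls in parse_results(text)}
    return [s for s in wanted if outcome_by_target.get(s) != "ok"]


if __name__ == "__main__":
    print(summarize(SAMPLE_FIXLOG))
    print("still present:", unresolved_services(SAMPLE_FIXLOG))
```

A "key not found" on an HKCR\CLSID lookup is normal (FRST checks for a matching class key after removing a reference); a service reported in `unresolved_services` is the item to re-check in the next FRST scan.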

#4 Zak McKracken
  • Topic Starter
  • Members
  • 54 posts

Posted 26 October 2015 - 03:19 AM

Hello,

Here is fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by p.pasoi (2015-10-26 08:39:50) Run:1
Running from C:\Users\p.pasoi\Desktop
Loaded Profiles: UpdatusUser & p.pasoi (Available Profiles: UpdatusUser & Administrator & p.pasoi)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
SearchScopes: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL =
Toolbar: HKU\S-1-5-21-959981040-3535681839-140195473-1128 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF user.js: detected! => C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\user.js [2015-10-22]
S2 MsMpSvc; no ImagePath
S3 NisSrv; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 mdareDriver_43; \??\C:\Users\P35C8~1.PAS\AppData\Local\Temp\FCPreScan\mdare64_43.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}" => key removed successfully
HKCR\CLSID\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} => key not found.
"HKU\S-1-5-21-959981040-3535681839-140195473-1128\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}" => key removed successfully
HKCR\CLSID\{E733165D-CBCF-4FDA-883E-ADEF965B476C} => key not found.
HKU\S-1-5-21-959981040-3535681839-140195473-1128\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C55BBCD6-41AD-48AD-9953-3609C48EACC7} => value removed successfully
HKCR\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\user.js => moved successfully
MsMpSvc => service could not remove
NisSrv => service could not remove
catchme => service removed successfully
gdrv => service removed successfully
mdareDriver_43 => service removed successfully
EmptyTemp: => 221.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:40:30 ====

 

 

 

Here is zoek-results.log:

 

Zoek.exe v5.0.0.1 Updated 25-October-2015
Tool run by p.pasoi on 26/10/2015 at  8:43:07,45.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\p.pasoi\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

26/10/2015 08:45:43 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\VS Revo Group deleted successfully
C:\PROGRA~2\COMMON~1\SWF Studio deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} deleted successfully
C:\Users\p.pasoi\AppData\Roaming\GrabPro deleted successfully
C:\Users\p.pasoi\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\p.pasoi\AppData\Roaming\Solvusoft deleted successfully
C:\Users\p.pasoi_new\AppData\Roaming\GrabPro deleted successfully
C:\Users\p.pasoi\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\p.pasoi\AppData\Local\EmieSiteList deleted successfully
C:\Users\p.pasoi\AppData\Local\EmieUserList deleted successfully
C:\Users\p.pasoi\AppData\Local\TSVNCache deleted successfully
C:\Users\p.pasoi_new\AppData\Local\Genesis deleted successfully
C:\Users\p.pasoi_new\AppData\Local\VirtualStore deleted successfully
C:\Users\p.pasoi_old\AppData\Local\VirtualStore deleted successfully
C:\Users\User\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default

user.js not found
---- Lines surfing removed from prefs.js ----
user_pref("extensions.ascsurfingprotection@iobit.com.install-event-fired", true);
user_pref("extensions.iobitascsurfingprotection@iobit.com.install-event-fired", true);
user_pref("extensions.xpiState", "{\"app-profile\":{\"ascsurfingprotection@iobit.com\":{\"d\":\"C:\\\\Users\\\\p.pasoi\\\\AppData\\\\Roaming\\\\Mozill
---- Lines surfing modified from prefs.js ----

user_pref("extensions.enabledAddons", "iobitascsurfingprotection%40iobit.com:2.0,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:41.0.2");
---- Lines istart removed from prefs.js ----
user_pref("browser.search.searchengine.alias", "istartsurf");
user_pref("browser.search.searchengine.iconURL", "http://www.istartsurf.com/web/favicon.ico");
user_pref("browser.search.searchengine.name", "istartsurf");
user_pref("browser.search.searchengine.url", "http://www.istartsurf.com/web/?type=dspp&ts=1426848855&from=smt&uid=WDCXWD10EZRX-00A8LB0_WD-WCC1U1831386
---- FireFox user.js and prefs.js backups ----

prefs_102015_0901_.backup

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_102015_0901_.backup

ProfilePath: C:\Users\P8ECB~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_102015_0901_.backup

ProfilePath: C:\Users\P8ECB~1.PAS\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_102015_0901_.backup

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\cyshscp8.default-1400050522714

prefs.js not found
---- FireFox user.js and prefs.js backups ----

user_102015_0901_.backup

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\oequcd3l.default

prefs.js not found
---- FireFox user.js and prefs.js backups ----

user_102015_0901_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\VS Revo Group not found
C:\PROGRA~3\{BAF091CA-86C4-4627-ADA1-897E2621C1B0} not found
C:\PROGRA~2\12print.it Creations deleted
C:\PROGRA~2\COMMON~1\DVDVideoSoft\bin deleted
C:\Users\administrator.KLINE\AppData\Roaming\ProductData deleted
C:\Users\p.pasoi\AppData\Roaming\ProductData deleted
C:\PROGRA~3\ProductData deleted
C:\Windows\SysNative\roboot64.exe deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\extensions\ascsurfingprotection@iobit.com deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\extensions\iobitascsurfingprotection@iobit.com deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\cyshscp8.default-1400050522714\extensions\ascsurfingprotection@iobit.com deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\cyshscp8.default-1400050522714\extensions\iobitascsurfingprotection@iobit.com deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\oequcd3l.default\extensions\ascsurfingprotection@iobit.com deleted
C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\oequcd3l.default\extensions\iobitascsurfingprotection@iobit.com deleted
"C:\Windows\Installer\1a73e2.msi" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default
user_pref("browser.startup.homepage", "www.google.it");

ProfilePath: C:\Users\P8ECB~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default
user_pref("browser.startup.homepage", "www.google.it");

==== Firefox Extensions ======================

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default
- Undetermined - C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default\extensions\iobitascsurfingprotection@iobit.com
- Dizionario italiano - %ProfilePath%\extensions\it-IT@dictionaries.addons.mozilla.org

ProfilePath: C:\Users\P35C8~1.PAS\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default
- Lightning - C:\Users\p.pasoi\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}
- Dizionario italiano - %ProfilePath%\extensions\it-IT@dictionaries.addons.mozilla.org
- Lightning - %ProfilePath%\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}

ProfilePath: C:\Users\P8ECB~1.PAS\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default
- Dizionario italiano - C:\Users\p.pasoi\AppData\Roaming\Thunderbird\Profiles\ls8s15kl.default\extensions\it-IT@dictionaries.addons.mozilla.org
- Dizionario italiano - %ProfilePath%\extensions\it-IT@dictionaries.addons.mozilla.org

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\p.pasoi\AppData\Roaming\Mozilla\Firefox\Profiles\avnbh2mg.default
18CF51689186AEB9D1D149AEB0E92D03    - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL -    Microsoft Office 2013
863AF0003392FEBC2667A8A790DED955    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll -    Shockwave Flash
E3B4EA121F7BDEB0F6366E2BA9608CB5    - C:\Users\p.pasoi\AppData\Local\Citrix\Plugins\104\npappdetector.dll -    Citrix Online Web Deployment Plugin 1.0.0.104


==== Chromium Look ======================


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.it/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.it/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5E8AC853-65BB-4C99-A09E-19B81851E14C} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0BE47A0B-0151-45E7-8015-FF148E0AEE4F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BoBrowser deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\p.pasoi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\p.pasoi_new\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\p.pasoi_new\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\p.pasoi_old\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\P35C8~1.PAS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\P8ECB~1.PAS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\P8ECB~1.PAS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\PCF3C~1.PAS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\p.pasoi_new\AppData\Local\Mozilla\Firefox\Profiles\avnbh2mg.default\Cache emptied successfully
C:\Users\P8ECB~1.PAS\AppData\Local\Mozilla\Firefox\Profiles\avnbh2mg.default\Cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=3287 folders=165 190507552 bytes)

==== Empty Temp Folders ======================

C:\Users\administrator\AppData\Local\temp emptied successfully
C:\Users\Administrator.KC036\AppData\Local\temp emptied successfully
C:\Users\administrator.KLINE\AppData\Local\temp emptied successfully
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\p.pasoi\AppData\Local\Temp will be emptied at reboot
C:\Users\p.pasoi_new\AppData\Local\temp emptied successfully
C:\Users\p.pasoi_old\AppData\Local\temp emptied successfully
C:\Users\P35C8~1~PAS\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Users\UpdatusUser\AppData\Local\temp emptied successfully
C:\Users\UpdatusUser.KC036\AppData\Local\temp emptied successfully
C:\Users\User\AppData\Local\temp emptied successfully
C:\Users\P35C8~1.PAS\AppData\Local\Temp will be emptied at reboot
C:\Users\P8ECB~1.PAS\AppData\Local\temp emptied successfully
C:\Users\PCF3C~1.PAS\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\P35C8~1.PAS\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 26/10/2015 at  9:08:53,74 ======================

After the last reboot made by Zoek, the problem still exists: every time I open Explorer (Windows key + E) I get this error:

explorer.jpg

(translation: "Unable to access the device, the path or the specified file. Maybe you don't have the needed rights.")

But I noticed the "explorer.exe" extension is correct: in lowercase.

What to do next?

Thank you!



#5 nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 October 2015 - 08:04 AM

Please run the Farbar Recovery Scan Tool. Enter explorer.EXE in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter explorer.EXE in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#6 Zak McKracken
  • Topic Starter

  • Members
  • 54 posts

Posted 26 October 2015 - 09:00 AM

File Search:

Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by p.pasoi (2015-10-26 14:53:29)
Running from C:\Users\p.pasoi\Desktop
Boot Mode: Normal

================== Search Files: "explorer.EXE" =============

C:\Windows\explorer.exe
[2013-06-13 16:49][2011-02-25 07:19] 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3 [File is digitally signed]

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2013-06-13 16:49][2011-02-26 06:19] 2616320 ____A (Microsoft Corporation) 0FB9C74046656D1579A64660AD67B746 [File is digitally signed]

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2013-06-13 16:49][2011-02-25 06:30] 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E [File is digitally signed]

C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2010-11-21 04:24][2010-11-21 04:24] 2616320 ____A (Microsoft Corporation) 40D777B7A95E00593EB1568C68514493 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2013-06-13 16:49][2011-02-26 07:14] 2871808 ____A (Microsoft Corporation) 3B69712041F3D63605529BD66DC00C48 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2013-06-13 16:49][2011-02-25 07:19] 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2010-11-21 04:24][2010-11-21 04:24] 2872320 ____A (Microsoft Corporation) AC4C51EB24AA95B77F705AB159189E24 [File is digitally signed]

C:\Windows\SysWOW64\explorer.exe
[2013-06-13 16:49][2011-02-25 06:30] 2616320 ____A (Microsoft Corporation) 8B88EBBB05A0E56B7DCC708498C02B3E [File is digitally signed]

C:\Windows\erdnt\cache86\explorer.exe
[2015-10-21 08:13][2011-02-25 07:19] 2871808 ____A (Microsoft Corporation) 332FEAB1435662FC6C672E25BEB37BE3 [File is digitally signed]

====== End of Search ======

Registry search:

Farbar Recovery Scan Tool (x64) Version:25-10-2015 02
Ran by p.pasoi (2015-10-26 14:55:20)
Running from C:\Users\p.pasoi\Desktop
Boot Mode: Normal

================== Search Registry: "explorer.EXE" ===========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee9241ee577dbf20]
"f!explorer.exe.mui"="0x6500780070006C006F007200650072002E006500780065002E006D0075006900"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f8e6ec408bde811b]
"f!explorer.exe.mui"="0x6500780070006C006F007200650072002E006500780065002E006D0075006900"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d]
"f!explorer.exe"="0x6500780070006C006F007200650072002E00650078006500"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail]
"IconPath"="explorer.exe,16"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CABFolder\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CABFolder\shell\Open\Command]
""="%SystemRoot%\Explorer.exe /idlist,%I,%L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0AFACED1-E828-11D1-9187-B532F1E9575D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7020"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7021"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7022"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7023"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7003"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7025"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7005"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-254"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3080F90D-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-258"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48e7caab-b918-4e58-a94d-505519c795dc}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32]
""="%SystemRoot%\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32]
""="%SystemRoot%\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32]
""="%SystemRoot%\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CompressedFolder\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CompressedFolder\shell\Open\Command]
""="%SystemRoot%\Explorer.exe /idlist,%I,%L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\AllItems\Shell\Microsoft.DxpOpen\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DeviceDisplayObject\AllItems\Shell\Microsoft.DxpOpenInNewWindow\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Explorer.AssocProtocol.search-ms]
"FriendlyTypeName"="@%SystemRoot%\explorer.exe,-6010"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Explorer.AssocProtocol.search-ms\shell\open\command]
""="%SystemRoot%\Explorer.exe /separate,/idlist,%I,%L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\open\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\opensearchdescription\shell\open\command]
""="%SystemRoot%\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search]
"FriendlyTypeName"="@%SystemRoot%\explorer.exe,-6010"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search\shell\open\command]
""="%SystemRoot%\Explorer.exe /separate,/idlist,%I,%L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search-ms]
"FriendlyTypeName"="@%SystemRoot%\explorer.exe,-6010"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\search-ms\shell\open\command]
""="%SystemRoot%\Explorer.exe /separate,/idlist,%I,%L"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHCmdFile\shell\open\command]
""="%SystemRoot%\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bmp\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dib\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jfif\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpe\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.jpg\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tif\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tiff\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.wdp\Shell\setdesktopwallpaper\Command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0AFACED1-E828-11D1-9187-B532F1E9575D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7020"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7021"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7022"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7023"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7003"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7025"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7005"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-254"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3080F90D-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-258"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48e7caab-b918-4e58-a94d-505519c795dc}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32]
""="%SystemRoot%\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32]
""="%SystemRoot%\SysWow64\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32]
""="%SystemRoot%\SysWow64\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
"AppName"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
"explorer.exe"="10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
"explorer.exe"="10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\ReflectionApplications\explorer.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2port.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Capabilities]
"ApplicationDescription"="@%SystemRoot%\explorer.exe,-6012"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Capabilities]
"ApplicationName"="@%SystemRoot%\explorer.exe,-6011"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
"AppName"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
"explorer.exe"="4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
"explorer.exe"="2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION]
"explorer.exe"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\RADAR\HeapLeakDetection\ReflectionApplications\explorer.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search\Capabilities]
"ApplicationDescription"="@%SystemRoot%\explorer.exe,-6012"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Search\Capabilities]
"ApplicationName"="@%SystemRoot%\explorer.exe,-6011"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{0AFACED1-E828-11D1-9187-B532F1E9575D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7020"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7021"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7001"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7022"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7023"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7003"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@%SystemRoot%\explorer.exe,-7025"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7005"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-254"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3080F90D-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\DefaultIcon]
""="%SystemRoot%\explorer.exe,-258"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{48e7caab-b918-4e58-a94d-505519c795dc}\shell\find\command]
""="%SystemRoot%\Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32]
""="%SystemRoot%\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32]
""="%SystemRoot%\SysWow64\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32]
""="%SystemRoot%\SysWow64\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92}"
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"b"="explorer.exe\1"
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128\Software\Classes\Local Settings\MuiCache\14E\7F06864B]
"@C:\Windows\explorer.exe,-7021"="Guida e supporto tecnico"
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128\Software\Classes\Local Settings\MuiCache\14E\7F06864B]
"@%windir%\explorer.exe,-307"="Modificare le impostazioni e personalizzare la funzionalità del computer."
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128\Software\Classes\Local Settings\MuiCache\14E\7F06864B]
"@explorer.exe,-8243"="Cerca ovunque"
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128_Classes\Local Settings\MuiCache\14E\7F06864B]
"@C:\Windows\explorer.exe,-7021"="Guida e supporto tecnico"
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128_Classes\Local Settings\MuiCache\14E\7F06864B]
"@%windir%\explorer.exe,-307"="Modificare le impostazioni e personalizzare la funzionalità del computer."
[HKEY_USERS\S-1-5-21-959981040-3535681839-140195473-1128_Classes\Local Settings\MuiCache\14E\7F06864B]
"@explorer.exe,-8243"="Cerca ovunque"

====== End of Search ======



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 PM

Posted 26 October 2015 - 12:57 PM

I just checked my Windows 7 and I do not have Explorer.EXE or Explorer.exe listed in this key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE]

I could give you a fix to remove it but do not feel at ease in doing so. I'm checking with the Windows 7 experts and will get back to you.

Stay with me.

#8 Zak McKracken

Zak McKracken
  • Topic Starter

  • Members
  • 54 posts
  • Local time:10:42 PM

Posted 27 October 2015 - 02:37 AM

OK thank you. I'll wait for news from you. Wow, this one is tough!

 

If it can help: every morning, when I turn on my computer, I execute Combofix, and when it finishes everything works fine: network On, Explorer working correctly.

Today I had an idea: AFTER executing combofix, I did a FRST search in the same way you told me before (scan files and scan registry), and compared the two files with their previous versions, posted here, which I had done BEFORE executing combofix.

 

The comparison is perfect, that is, no lines are different.

 

In the ComboFix log, there is always this line present in the section "Deleted Files":

 

c:\programdata\ntuser.pol


Edited by Zak McKracken, 27 October 2015 - 02:54 AM.
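
The before/after comparison described in this post can be automated. What follows is an added example, not code from this thread or from FRST: it parses the "Search Registry" layout shown in the log above (a `[HKEY_...]` line naming a key, followed by `"name"="data"` lines) and reports only the keys and values that differ between two exports. The two sample exports are constructed for the demonstration.

```python
import re
from typing import Dict, List
# FRST "Search Registry" output (as pasted in this thread) is a flat list: "[HKEY_...]" names
# a key (repeated before each hit), '"Name"="data"' is a value under the key named just above
# it, and "" is the name of a key's (Default) value.
_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')

def parse_search(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to {value name: data}; a key listed without values maps to {}."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue                      # blank lines and the "==== ... ====" banners
        if (m := _KEY_RE.match(line)):
            current = m.group(1)
            tree.setdefault(current, {})  # the same key may be repeated; merge its values
        elif (m := _VALUE_RE.match(line)) and current is not None:
            tree[current][m.group(1)] = m.group(2)
    return tree

def diff_search(before: str, after: str) -> List[str]:
    """Keys/values added (+), removed (-) or changed (~) between two exports. Paths are
    compared case-sensitively on purpose: the registry ignores case, so a key that comes
    back as 'explorer.exe' where 'Explorer.EXE' stood was deleted and recreated."""
    a, b = parse_search(before), parse_search(after)
    out: List[str] = []
    for key in sorted(set(a) | set(b)):
        if key not in b:
            out.append(f"- [{key}]")
        elif key not in a:
            out.append(f"+ [{key}]")
        else:
            for name in sorted(set(a[key]) | set(b[key])):
                if name not in b[key]:
                    out.append(f'- [{key}] "{name}"')
                elif name not in a[key]:
                    out.append(f'+ [{key}] "{name}"="{b[key][name]}"')
                elif a[key][name] != b[key][name]:
                    out.append(f'~ [{key}] "{name}": "{a[key][name]}" -> "{b[key][name]}"')
    return out

# Constructed sample exports (not the poster's real logs), in the FRST layout.
BEFORE = r"""====== Registry (Whitelisted) ======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE]
====== End of Search ======"""
AFTER = BEFORE.replace("Explorer.EXE]", "explorer.exe]")  # key re-created with another spelling
```

Calling `diff_search(BEFORE, AFTER)` on the constructed exports yields one removed and one added key line, which is exactly the case-only difference this thread is chasing; a full FRST search pasted into `BEFORE` and `AFTER` works the same way.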


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 PM

Posted 27 October 2015 - 08:19 AM

Boot to safe mode as suggested on this topic and delete the ntuser.pol file.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22701223.html

Restart the computer normally when done.

Let me know in a day or two if the problem persists.

#10 Zak McKracken

Zak McKracken
  • Topic Starter

  • Members
  • 54 posts
  • Local time:10:42 PM

Posted 27 October 2015 - 10:15 AM

Hi,

if I boot in safe mode, the file "ntuser.pol" is not found.

Everything in safe mode works fine: explorer opens regularly.

 

So I assume there is some other task or process loaded in normal mode that triggers or drops the fake "explorer.exe".



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 PM

Posted 27 October 2015 - 02:04 PM

The last time you used the Zoek tool, a restore point was created.
26/10/2015 08:45:43 Zoek.exe System Restore Point Created Successfully.


Let's bite the bullet and remove that reference to Explorer.EXE on the key, not the key.
If something goes wrong you will be able to restore it.

Copy the text IN THE CODE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE]

Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?

Edited by nasdaq, 27 October 2015 - 02:05 PM.


#12 Zak McKracken

Zak McKracken
  • Topic Starter

  • Members
  • 54 posts
  • Local time:10:42 PM

Posted 28 October 2015 - 02:57 AM

I have done it.

 

After restart, the problem persists: Win+E doesn't open any windows, but this time the error message shows "explorer.exe" all in lowercase.

 

I have checked the registry: the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE

no longer exists.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 PM

Posted 28 October 2015 - 09:06 AM

Will reinstall the registry key.

Create a new fixme.reg and run it as previously suggested.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\Explorer.EXE]

Restart the computer normally.

===

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

If that fails to correct the situation continue.

Restore your Windows 7 to the Last good configuration
Follow the instructions on this page.

Keep me posted.

#14 Zak McKracken

Zak McKracken
  • Topic Starter

  • Members
  • 54 posts
  • Local time:10:42 PM

Posted 29 October 2015 - 03:19 AM

sfc /scannow results:

 

Windows Resource Protection did not find any integrity violations.

The problem still exists.

 

 

Restored Win 7 to Last Good Configuration:

 

done, but the problem still exists.


Edited by Zak McKracken, 29 October 2015 - 03:21 AM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 PM

Posted 29 October 2015 - 07:56 AM

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.
<<<>>>



