xxx outgoing spam mail on Windows Server 2008 R2


  • This topic is locked
29 replies to this topic

#1 yongxian

yongxian

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 16 November 2015 - 12:06 AM

I am running a Windows Server 2008 R2 on a cloud provider. I am the server administrator but I have no control over the cloud infrastructure.

 

Recently, the SMTP server started sending out xxx spam mail. The SMTP service has been disabled and subsequently uninstalled, but the problem persists. Inbound port 25 has also been blocked by Windows Firewall at the moment.

 

I am running Avast for Business and its mail shield continues to detect outgoing spam mail sent by some unknown malicious software.

 

I ran Malwarebytes, Windows SE, Avast and ESET scans. Each detected a couple of trojan horses and worms but did not resolve the problem. Subsequent scans did not find any more viruses.

 

 

Attached Files




 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 21 November 2015 - 12:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/596473 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 PM

Posted 26 November 2015 - 12:15 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,496 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:12:11 PM

Posted 26 November 2015 - 06:04 PM

Greetings yongxian and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. We don't routinely work on Servers and therefore we aren't familiar with this type of Operating System. I will see how much I might be able to assist but I will approach your situation with an abundance of caution.

There are numerous entries which either look suspicious to me or I am not familiar with. As a result I would like some feedback from you regarding the below entries before we do anything to your system. Please tell me what you can about the following:

R2 TopazService; C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe [28672 2015-03-25] (Microsoft) [File not signed]
C:\Program Files (x86)\gplpv.cer
Task: {374DBDB7-EBC1-4F04-B0C8-D469DA4D365F} - System32\Tasks\Kill All IEs => taskkill
Task: {76B77312-1CA1-430E-B939-1BE6C1428F93} - System32\Tasks\Social Networking AI => C:\Server Programs\SocialNetworkAI.exe
Task: {ACE428C6-E365-44D3-B80A-1EB536DFE2B0} - System32\Tasks\SMEHR_Worker => C:\Server Programs\SMEHR_Worker\SMEHR.exe
Task: {AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C} - System32\Tasks\MailSend Worker 2.0 => C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe
Task: {CC16FC08-B4AA-44D4-9A05-6ABE60D16A02} - System32\Tasks\CUD Worker => C:\Server Programs\CUDWorker.exe
Task: {CED3BBA4-932D-4C7D-A936-2BFF2980F8A5} - System32\Tasks\RM-AHAP-Reminder-AM => C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe [2014-07-21] (Microsoft)
Task: {F6358387-51EF-4443-B4A4-4928B738B1A0} - System32\Tasks\Server Worker Programs => C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#5 yongxian

yongxian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 26 November 2015 - 09:48 PM

Hi Gary, thank you for your assistance. I am trying my luck here.

 

-TopazService.exe is our in-house Windows Service application that transfers email queued in MySQL server into our IIS6 SMTP server (Port 25). However, due to the outbreak of SPAM, I reconfigured TopazService.exe to send email via SendGrid.com instead. I have shut down and removed IIS SMTP. Neither MySQL nor SendGrid reports any SPAM being queued through them. I tried disabling TopazService.exe but that did not stop the SPAM being sent out.

 

R2 TopazService; C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe [28672 2015-03-25] (Microsoft) [File not signed]

 

 

-Not sure what gplpv.cer is. Seems to be a test certificate for the GPLPV drivers for Windows 2008.

C:\Program Files (x86)\gplpv.cer

 

 

-This was a taskkill command to routinely kill all instances of Internet Explorer. Apparently a previous administrator decided to use IE to trigger an ASP.NET program locally, which left a lot of IE windows open. This approach is no longer practiced. I can remove this task if required.

Task: {374DBDB7-EBC1-4F04-B0C8-D469DA4D365F} - System32\Tasks\Kill All IEs => taskkill

 

 

-The exe files under C:\Server Programs are legacy in-house built VB.NET applications which are no longer being used; when running, they fire up a visible GUI stating they are "Running...". They generally carry out tasks against the MySQL database. I am able to remove them if needed.

Task: {76B77312-1CA1-430E-B939-1BE6C1428F93} - System32\Tasks\Social Networking AI => C:\Server Programs\SocialNetworkAI.exe
Task: {ACE428C6-E365-44D3-B80A-1EB536DFE2B0} - System32\Tasks\SMEHR_Worker => C:\Server Programs\SMEHR_Worker\SMEHR.exe
Task: {CC16FC08-B4AA-44D4-9A05-6ABE60D16A02} - System32\Tasks\CUD Worker => C:\Server Programs\CUDWorker.exe
Task: {CED3BBA4-932D-4C7D-A936-2BFF2980F8A5} - System32\Tasks\RM-AHAP-Reminder-AM => C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe [2014-07-21] (Microsoft)

 

 

-I recognize the following exes as similar in-house applications but they too are no longer running. C:\Users\Administrator\Desktop\Server Programs\ no longer exists. It seems to be a remnant entry in System32/Tasks.

Task: {F6358387-51EF-4443-B4A4-4928B738B1A0} - System32\Tasks\Server Worker Programs => C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe

Task: {AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C} - System32\Tasks\MailSend Worker 2.0 => C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe

 

 

I have attached the latest FRST scan log for your reference.

Attached Files
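The entries Gary listed and yongxian's explanation of each follow a fixed triage pattern: read the FRST Task:/service line, note whether the image is signed, whether the company it claims fits where it lives, whether it sits under a user profile, and whether the file still exists on disk. The script below is an added example written for this thread (it is not FRST's code nor anything the participants posted). It parses the Task: and service lines quoted above, peels off FRST's trailing annotations such as [28672 2015-03-25], (Microsoft), [File not signed] and [X], and returns a list of reasons each entry deserves a question, which is exactly what happened in the thread. The sample lines are the ones quoted above; PRESENT_FILES is constructed for the example and lists the two images the thread's Fixlog later reported as present on disk. The heuristics are conversation starters, not a verdict: TopazService turned out to be an in-house tool, and the script only says it is worth asking about.

```python
"""Parse FRST 'Task:' and service lines and flag entries worth a second look.

Added example for this thread, not FRST's own code. The rules below are the
questions the thread asked about each entry, not an authoritative malware test.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trailing annotations FRST appends: "[28672 2015-03-25]", "(Microsoft)",
# "[File not signed]", "[X]" (service registered but image missing).
_TRAILER_RE = re.compile(r"\s*(\[[^\]]*\]|\([^)]*\))$")
_TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => (?P<rest>.+)$")
_SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+); (?P<rest>.+)$")

# Locations a non-admin process or a dropper can normally write to (sample list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Entry:
    kind: str                        # "task" or "service"
    name: str
    target: str                      # image path, or a bare command such as "taskkill"
    annotations: List[str] = field(default_factory=list)
    guid: Optional[str] = None
    start: Optional[str] = None      # FRST service column, e.g. "R2" (running) or "S3" (stopped)

    @property
    def company(self) -> Optional[str]:
        """Company name FRST printed in parentheses, if any."""
        for a in self.annotations:
            if a.startswith("("):
                return a[1:-1]
        return None

    @property
    def unsigned(self) -> bool:
        return "[File not signed]" in self.annotations


def _split_trailer(rest: str):
    """Peel trailing [..] and (..) annotations off the right end, keeping their order.
    Caveat: a path whose last component is itself parenthesised would be mis-peeled."""
    annotations: List[str] = []
    while True:
        m = _TRAILER_RE.search(rest)
        if not m:
            break
        annotations.insert(0, m.group(1))
        rest = rest[: m.start()]
    return rest.strip(), annotations


def _image_path(command: str) -> str:
    """A quoted image path may be followed by arguments ('"...httpd.exe" -k runservice')."""
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
    return command


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a Task:/service line, or None for any other FRST line."""
    line = line.strip()
    m = _TASK_RE.match(line)
    if m:
        target, ann = _split_trailer(m.group("rest"))
        return Entry("task", m.group("name"), _image_path(target), ann, guid=m.group("guid"))
    m = _SERVICE_RE.match(line)
    if m:
        target, ann = _split_trailer(m.group("rest"))
        return Entry("service", m.group("name"), _image_path(target), ann, start=m.group("start"))
    return None


def triage(entry: Entry, present_files: Optional[List[str]] = None) -> List[str]:
    """Reasons to ask the administrator about this entry; empty means nothing stood out."""
    reasons: List[str] = []
    path = entry.target.lower()
    is_path = "\\" in entry.target
    if "[X]" in entry.annotations:
        reasons.append("service image missing ([X]): orphaned registration")
    if not is_path:
        reasons.append("target is a bare command rather than a file path")
    elif any(marker in path for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    if entry.unsigned and entry.company == "Microsoft" and not path.startswith("c:\\windows\\"):
        reasons.append("claims Microsoft as company but is unsigned and outside C:\\Windows")
    if present_files is not None and is_path and path not in {p.lower() for p in present_files}:
        reasons.append("image not found on disk: remnant entry")
    return reasons


def triage_report(lines: List[str], present_files: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Map each Task:/service name to its triage reasons; other FRST line types are skipped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            report[entry.name] = triage(entry, present_files)
    return report


# Lines quoted from the thread's FRST output (Gary's list plus the two service entries).
SAMPLE_LINES = [
    r"R2 TopazService; C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe [28672 2015-03-25] (Microsoft) [File not signed]",
    r'S2 Apache; "C:\zpanel\bin\apache\bin\httpd.exe" -k runservice [X]',
    r"Task: {374DBDB7-EBC1-4F04-B0C8-D469DA4D365F} - System32\Tasks\Kill All IEs => taskkill",
    r"Task: {AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C} - System32\Tasks\MailSend Worker 2.0 => C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe",
    r"Task: {CED3BBA4-932D-4C7D-A936-2BFF2980F8A5} - System32\Tasks\RM-AHAP-Reminder-AM => C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe [2014-07-21] (Microsoft)",
]

# Constructed for the example: the images the thread's Fixlog reported as present.
PRESENT_FILES = [
    r"C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe",
    r"C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe",
]

if __name__ == "__main__":
    for name, reasons in triage_report(SAMPLE_LINES, PRESENT_FILES).items():
        print(f"{name}: {'; '.join(reasons) or 'nothing notable'}")
```

Run as-is it prints one line per entry: TopazService is flagged for claiming Microsoft while unsigned, Apache for a missing image and an orphaned registration, Kill All IEs as a bare command, MailSend Worker 2.0 for living on the Administrator's desktop and no longer existing, and RM-AHAP-Reminder-AM as nothing notable from its Task line alone. The present-files list is what turns "looks odd" into "remnant entry", which is the distinction yongxian drew in his reply.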



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,496 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:12:11 PM

Posted 26 November 2015 - 10:11 PM

Thanks for the detailed response. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
CHR Plugin: (Native Client) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\gcswf32.dll => No File
S2 Apache; "C:\zpanel\bin\apache\bin\httpd.exe" -k runservice [X]
S3 named; C:\zpanel\bin\bind\bin\named.exe [X]
2015-11-15 12:02 - 2015-11-16 12:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
File: C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe
File: C:\Program Files (x86)\gplpv.cer
File: C:\Server Programs\SocialNetworkAI.exe
File: C:\Server Programs\SMEHR_Worker\SMEHR.exe
File: C:\Server Programs\CUDWorker.exe
File: C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe
File: C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe
File: C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#7 yongxian

yongxian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 26 November 2015 - 10:27 PM

Fix result of Farbar Recovery Scan Tool (x64) Version:26-11-2015
Ran by tklassociate (2015-11-27 11:17:16) Run:1
Running from C:\Users\Administrator\Desktop
Loaded Profiles: tklassociate (Available Profiles: suprt & tklassociate & Classic .NET AppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CHR Plugin: (Native Client) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\gcswf32.dll => No File
S2 Apache; "C:\zpanel\bin\apache\bin\httpd.exe" -k runservice [X]
S3 named; C:\zpanel\bin\bind\bin\named.exe [X]
2015-11-15 12:02 - 2015-11-16 12:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Temp
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Administrator\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
File: C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe
File: C:\Program Files (x86)\gplpv.cer
File: C:\Server Programs\SocialNetworkAI.exe
File: C:\Server Programs\SMEHR_Worker\SMEHR.exe
File: C:\Server Programs\CUDWorker.exe
File: C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe
File: C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe
File: C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe
*****************

C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\ppGoogleNaClPluginChrome.dll => not found.
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\pdf.dll => not found.
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\46.0.2490.86\gcswf32.dll => not found.
Apache => service removed successfully
named => service removed successfully

"C:\Users\Administrator\AppData\Local\Temp" folder move:

Could not move "C:\Users\Administrator\AppData\Local\Temp" => Scheduled to move on reboot.

"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
"HKU\S-1-5-21-366400160-141739491-217090673-500_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => key removed successfully

========================= File: C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe ========================

File not signed
MD5: D98B7117F4F8BB2293D9E19A2593E4E5
Creation and modification date: 2015-03-25 11:17 - 2015-03-25 11:17
Size: 0028672
Attributes: ----A
Company Name: Microsoft
Internal Name: TopazService.exe
Original Name: TopazService.exe
Product: TopazService
Description: TopazService
File Version: 1.2.0.0
Product Version: 1.2.0.0
Copyright: Copyright © Microsoft 2015

====== End of File: ======


========================= File: C:\Program Files (x86)\gplpv.cer ========================

File not signed
MD5: C423EB59E626A03DED4F436045F769AD
Creation and modification date: 2011-12-13 19:31 - 2011-12-13 19:31
Size: 0000563
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= File: C:\Server Programs\SocialNetworkAI.exe ========================

"C:\Server Programs\SocialNetworkAI.exe" => not found.
====== End of File: ======


========================= File: C:\Server Programs\SMEHR_Worker\SMEHR.exe ========================

"C:\Server Programs\SMEHR_Worker\SMEHR.exe" => not found.
====== End of File: ======


========================= File: C:\Server Programs\CUDWorker.exe ========================

"C:\Server Programs\CUDWorker.exe" => not found.
====== End of File: ======


========================= File: C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe ========================

File not signed
MD5: 425B645DAD300BF3BAEBE255AF41408E
Creation and modification date: 2014-10-07 00:39 - 2014-07-21 10:30
Size: 0049664
Attributes: ----A
Company Name: Microsoft
Internal Name: RMAHAP-Reminder.exe
Original Name: RMAHAP-Reminder.exe
Product: RMAHAP-Reminder
Description: RMAHAP-Reminder
File Version: 1.0.0.0
Product Version: 1.0.0.0
Copyright: Copyright © Microsoft 2014

====== End of File: ======


========================= File: C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe ========================

"C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe" => not found.
====== End of File: ======


========================= File: C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe ========================

"C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe" => not found.
====== End of File: ======


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-11-27 11:24:43)

C:\Users\Administrator\AppData\Local\Temp => moved successfully

==== End of Fixlog 11:24:43 ====

Edited by Oh My!, 26 November 2015 - 10:33 PM.


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,496 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:12:11 PM

Posted 26 November 2015 - 10:49 PM

Thank you.

Do you know what this is?

C:\zpanel

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
C:\Program Files (x86)\gplpv.cer
C:\Server Programs\RMAHAP-Reminder
Task: {F6358387-51EF-4443-B4A4-4928B738B1A0} - System32\Tasks\Server Worker Programs => C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe
Task: {AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C} - System32\Tasks\MailSend Worker 2.0 => C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe
Task: {76B77312-1CA1-430E-B939-1BE6C1428F93} - System32\Tasks\Social Networking AI => C:\Server Programs\SocialNetworkAI.exe
Task: {ACE428C6-E365-44D3-B80A-1EB536DFE2B0} - System32\Tasks\SMEHR_Worker => C:\Server Programs\SMEHR_Worker\SMEHR.exe
Task: {CC16FC08-B4AA-44D4-9A05-6ABE60D16A02} - System32\Tasks\CUD Worker => C:\Server Programs\CUDWorker.exe
Task: {CED3BBA4-932D-4C7D-A936-2BFF2980F8A5} - System32\Tasks\RM-AHAP-Reminder-AM => C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe [2014-07-21] (Microsoft)
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe
C:\zpanel\bin\crond\crons.exe

  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Virustotal links

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#9 yongxian

yongxian
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:11 AM

Posted 26 November 2015 - 11:04 PM

FRST Log:

Fix result of Farbar Recovery Scan Tool (x64) Version:26-11-2015
Ran by tklassociate (2015-11-27 11:53:17) Run:2
Running from C:\Users\Administrator\Desktop
Loaded Profiles: tklassociate (Available Profiles: suprt & tklassociate & Classic .NET AppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\Program Files (x86)\gplpv.cer
C:\Server Programs\RMAHAP-Reminder
Task: {F6358387-51EF-4443-B4A4-4928B738B1A0} - System32\Tasks\Server Worker Programs => C:\Users\Administrator\Desktop\Server Programs\BestB\BestB-Automator.exe
Task: {AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C} - System32\Tasks\MailSend Worker 2.0 => C:\Users\Administrator\Desktop\MailSendWorker 2.0\MailSendWorker.exe
Task: {76B77312-1CA1-430E-B939-1BE6C1428F93} - System32\Tasks\Social Networking AI => C:\Server Programs\SocialNetworkAI.exe
Task: {ACE428C6-E365-44D3-B80A-1EB536DFE2B0} - System32\Tasks\SMEHR_Worker => C:\Server Programs\SMEHR_Worker\SMEHR.exe
Task: {CC16FC08-B4AA-44D4-9A05-6ABE60D16A02} - System32\Tasks\CUD Worker => C:\Server Programs\CUDWorker.exe
Task: {CED3BBA4-932D-4C7D-A936-2BFF2980F8A5} - System32\Tasks\RM-AHAP-Reminder-AM => C:\Server Programs\RMAHAP-Reminder\RMAHAP-Reminder.exe [2014-07-21] (Microsoft)
*****************

C:\Program Files (x86)\gplpv.cer => moved successfully
C:\Server Programs\RMAHAP-Reminder => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F6358387-51EF-4443-B4A4-4928B738B1A0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6358387-51EF-4443-B4A4-4928B738B1A0}" => key removed successfully
C:\Windows\System32\Tasks\Server Worker Programs => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Server Worker Programs" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AFB8F5F2-8BA2-41CE-8CDD-FFBDA2E0F84C}" => key removed successfully
C:\Windows\System32\Tasks\MailSend Worker 2.0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MailSend Worker 2.0" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{76B77312-1CA1-430E-B939-1BE6C1428F93}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{76B77312-1CA1-430E-B939-1BE6C1428F93}" => key removed successfully
C:\Windows\System32\Tasks\Social Networking AI => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Social Networking AI" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ACE428C6-E365-44D3-B80A-1EB536DFE2B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ACE428C6-E365-44D3-B80A-1EB536DFE2B0}" => key removed successfully
C:\Windows\System32\Tasks\SMEHR_Worker => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMEHR_Worker" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CC16FC08-B4AA-44D4-9A05-6ABE60D16A02}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CC16FC08-B4AA-44D4-9A05-6ABE60D16A02}" => key removed successfully
C:\Windows\System32\Tasks\CUD Worker => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CUD Worker" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CED3BBA4-932D-4C7D-A936-2BFF2980F8A5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CED3BBA4-932D-4C7D-A936-2BFF2980F8A5}" => key removed successfully
C:\Windows\System32\Tasks\RM-AHAP-Reminder-AM => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RM-AHAP-Reminder-AM" => key removed successfully

==== End of Fixlog 11:53:17 ====

---

virustotal.com:

TopazService.exe
https://www.virustotal.com/en/file/ad20a8ceb22f5130ab7d4301d60d9ae19244df45141ee562f5d0202f1ea568fa/analysis/1448596569/

crons.exe
https://www.virustotal.com/en/file/cc12aab01b6df360633d5298fbe80d99e8e395a15f231519754f2f6c976e04e5/analysis/1448596911/

---

C:\zpanel

I think zpanel is an old web administrative panel which we no longer use.


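The Fixlog above removes each scheduled task by hand: the XML under System32\Tasks plus the matching keys under TaskCache\Tree, \Tasks and \Boot or \Plain. The script below is an added example (editor's code, not anything posted in the thread or shipped with FRST) that inventories the same cache on Server 2008 R2 and reports the entries a responder would look at first: tasks whose action runs from outside Windows or Program Files, and half-deleted entries whose Tree key or XML file is missing. It uses PowerShell 2.0 syntax only, because Get-ScheduledTask does not exist on 2008 R2; the list of "expected" directories in $Expected is an assumption, not something the thread states.

```powershell
# Added example, not from the thread: inventory the Task Scheduler cache that the Fixlog
# above edits. Run elevated on Server 2008 R2 (PowerShell 2.0 syntax; Get-ScheduledTask
# does not exist there). The roots in $Expected are an assumption about what is "normal".

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$TaskDir   = Join-Path $env:SystemRoot 'System32\Tasks'

# Executables outside these roots are reported; ProgramData is deliberately not trusted.
$Expected = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' } | ForEach-Object { $_.ToLowerInvariant() }

function Get-TaskCacheEntry {
    # Tasks\{GUID} stores the task path; Tree\<path> stores the GUID; Boot/Logon/Plain
    # hold the GUID again by trigger class; System32\Tasks\<path> holds the XML body.
    Get-ChildItem "$TaskCache\Tasks" | ForEach-Object {
        $guid = $_.PSChildName
        $path = (Get-ItemProperty $_.PSPath).Path            # e.g. "\MailSend Worker 2.0"
        $xml  = Join-Path $TaskDir ($path.TrimStart('\'))
        $commands = @()
        if (Test-Path -LiteralPath $xml) {
            $doc = [xml](Get-Content -LiteralPath $xml)      # UTF-16 with BOM; Get-Content copes
            foreach ($exec in @($doc.Task.Actions.Exec)) {
                if ($exec -and $exec.Command) {
                    $commands += [Environment]::ExpandEnvironmentVariables($exec.Command.Trim('"'))
                }
            }
        }
        New-Object PSObject -Property @{
            Guid = $guid; Path = $path; Commands = $commands
            XmlExists = (Test-Path -LiteralPath $xml)
            TreeKey   = (Test-Path -LiteralPath "$TaskCache\Tree$path")
            Boot      = (Test-Path -LiteralPath "$TaskCache\Boot\$guid")
            Logon     = (Test-Path -LiteralPath "$TaskCache\Logon\$guid")
            Plain     = (Test-Path -LiteralPath "$TaskCache\Plain\$guid")
        }
    }
}

function Get-SuspiciousTask {
    # Flags: cache entry with no XML or no Tree key (orphaned/half-deleted), or any action
    # whose binary is outside $Expected (relative names such as "cmd.exe" are flagged too).
    Get-TaskCacheEntry | Where-Object {
        $outside = $false
        foreach ($c in $_.Commands) {
            $lc = $c.ToLowerInvariant(); $known = $false
            foreach ($d in $Expected) { if ($lc.StartsWith($d)) { $known = $true } }
            if (-not $known) { $outside = $true }
        }
        (-not $_.XmlExists) -or (-not $_.TreeKey) -or $outside
    }
}

function Remove-TaskEverywhere {
    # schtasks is the clean path; the key-by-key fallback is what the Fixlog did by hand
    # and is only needed when the scheduler service refuses a corrupt or orphaned entry.
    param($Entry, [switch]$Force)
    if (-not $Force) { Write-Host "Would remove $($Entry.Path) [$($Entry.Guid)]"; return }
    schtasks.exe /Delete /TN $Entry.Path /F 2>$null | Out-Null
    $keys = @("Tree$($Entry.Path)", "Boot\$($Entry.Guid)", "Logon\$($Entry.Guid)",
              "Plain\$($Entry.Guid)", "Tasks\$($Entry.Guid)")
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath "$TaskCache\$k") { Remove-Item -LiteralPath "$TaskCache\$k" -Recurse -Force }
    }
    $xml = Join-Path $TaskDir ($Entry.Path.TrimStart('\'))
    if (Test-Path -LiteralPath $xml) { Remove-Item -LiteralPath $xml -Force }
}

# Review first; pass -Force only for entries you have verified.
Get-SuspiciousTask | Format-Table Path, XmlExists, TreeKey, Boot, Logon, Plain,
    @{ n = 'Commands'; e = { $_.Commands -join '; ' } } -AutoSize
# Get-SuspiciousTask | Where-Object { $_.Path -eq '\MailSend Worker 2.0' } | ForEach-Object { Remove-TaskEverywhere $_ -Force }
```

Against this server the report would have listed the Server Worker Programs, MailSend Worker 2.0, Social Networking AI, SMEHR_Worker, CUD Worker and RM-AHAP-Reminder-AM entries, since their actions ran from C:\Server Programs and similar paths rather than from Windows or Program Files; the Boot/Plain/Logon columns show which trigger class each one was registered under, which is why the Fixlog touches different sub-keys for different tasks.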

#10 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • Location:California

Posted 26 November 2015 - 11:18 PM

Thanks,

This will be my last post for the evening. Please manually remove C:\zpanel.
 

I am running Avast for Business and mail shield continue to detect outgoing spam mail sent by some unknown malicious software.

Please provide the Avast information related to these detections.

I will check back in first thing in the morning.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#11 yongxian

  • Topic Starter
  • Members

Posted 26 November 2015 - 11:33 PM

C:\zpanel

I tried deleting the directory but Windows reported it is in use. I found out C:\zpanel\bin\crond\crons.exe is running as the CRON Windows service.

I attempted to stop the service but it responded with a "cannot receive message" error. Nevertheless, crons.exe disappeared from the running processes by itself. I was then able to delete crons.exe and then the directory.

---

Avast:

See attached image.

I look forward to your response again. Appreciate your time.

Attached Files


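The post above hits the usual sequence when deleting a directory that a service runs from: "in use" on delete, then a service that will not take a stop control. The following is an added example (editor's code, not the helper's instructions or the poster's own steps) of doing that removal in a defensible order on Server 2008 R2: record the binary's SHA-256 and keep a quarantined copy first, so the hash can still be looked up on VirusTotal after the file is gone; ask the Service Control Manager to stop the service; if the SCM refuses, terminate the process only after confirming the PID still belongs to that binary; mark the service for deletion; and only then delete the tree. PowerShell 2.0 syntax is used throughout (Get-FileHash does not exist on 2008 R2); the quarantine folder name is an illustrative choice.

```powershell
# Added example, not from the thread: remove a directory that is "in use" because a
# service runs from it, as with C:\zpanel\bin\crond\crons.exe above. Order matters:
# hash and quarantine the binary, stop the service, kill the process if the SCM
# cannot stop it, mark the service deleted, then delete the tree.
# Run elevated; PowerShell 2.0 syntax. The quarantine folder name is illustrative.

function Get-Sha256 {
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLowerInvariant() }
    finally { $fs.Close() }
}

function Get-ServiceUnderPath {
    # Win32_Service.PathName may be quoted and may carry arguments; ProcessId is 0 when stopped.
    param([string]$Dir)
    $prefix = ($Dir.TrimEnd('\') + '\').ToLowerInvariant()
    Get-WmiObject Win32_Service | Where-Object {
        $_.PathName -and $_.PathName.TrimStart('"').ToLowerInvariant().StartsWith($prefix)
    }
}

function Get-ServiceBinary {
    param([string]$PathName)
    # Quoted or not, take everything up to the first ".exe"; an unquoted path with spaces
    # is the classic unquoted-service-path weakness and is returned as the SCM would see it.
    if ($PathName -match '^"?([^"]+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Remove-DirectoryWithServices {
    param([string]$Dir, [string]$Quarantine, [switch]$Force)
    foreach ($svc in Get-ServiceUnderPath $Dir) {
        $exe  = Get-ServiceBinary $svc.PathName
        $hash = 'missing'
        if (Test-Path -LiteralPath $exe) { $hash = Get-Sha256 $exe }
        Write-Host ("{0}: {1} state={2} pid={3} sha256={4}" -f $svc.Name, $exe, $svc.State, $svc.ProcessId, $hash)
        if (-not $Force) { continue }

        if ($Quarantine -and $hash -ne 'missing') {
            if (-not (Test-Path -LiteralPath $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
            Copy-Item -LiteralPath $exe -Destination (Join-Path $Quarantine "$($svc.Name)_$($hash).bin") -Force
        }
        $procId = $svc.ProcessId
        if ($svc.State -ne 'Stopped') {
            $rc = $svc.StopService().ReturnValue        # 0 = SCM accepted the stop request
            if ($rc -ne 0 -and $procId -ne 0) {
                # The SCM refused (the "cannot receive message" case); kill the PID, but
                # only after confirming it still belongs to this binary, since PIDs are reused.
                $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $ppath = $null
                if ($p) { try { $ppath = $p.Path } catch { } }
                if ($ppath -and $ppath.ToLowerInvariant() -eq $exe.ToLowerInvariant()) {
                    Stop-Process -Id $procId -Force
                }
            }
        }
        $svc.Delete() | Out-Null       # marked for deletion; gone once all handles close
    }
    if ($Force) {
        Start-Sleep -Seconds 3
        Remove-Item -LiteralPath $Dir -Recurse -Force
    }
}

# Dry run lists services and hashes; add -Force to act.
Remove-DirectoryWithServices -Dir 'C:\zpanel' -Quarantine 'C:\Quarantine'
# Remove-DirectoryWithServices -Dir 'C:\zpanel' -Quarantine 'C:\Quarantine' -Force
```

The dry run is the useful part during an investigation: it prints the service name, resolved binary, state, PID and hash without changing anything, which is exactly the information a helper asks for before approving a removal.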

#12 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • Location:California

Posted 27 November 2015 - 12:13 PM

Thank you. I am assuming that, despite what we have done, you are still getting outgoing emails blocked, correct?

Please do this.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

OTL

--------------------
  • Please download OTL and save it to your desktop
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • RogueKiller log
  • OTL logs (2)

Gary
 

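The helper's question, whether outgoing mail is still being blocked after the cleanup, is best answered with the identity of the process opening the SMTP connections rather than with another scanner log. Avast's mail shield sees the traffic but reports it as "unknown software"; the OTL log later in the thread shows php-cgi.exe running under IIS, so a PHP mailer script would show up as php-cgi.exe or w3wp.exe, not as anything named "mail". The script below is an added example (editor's code, not from the thread) for Server 2008 R2, where Get-NetTCPConnection does not exist: it samples netstat -ano and maps PIDs to binaries, and, as a second net, adds an outbound block on TCP/25 with Windows Filtering Platform failure auditing so that every blocked attempt is written to the Security log as event 5157 with the application path and PID. The firewall rule name is an illustrative choice.

```powershell
# Added example, not from the thread: attribute outbound SMTP (TCP/25) to a process on
# Server 2008 R2 without Get-NetTCPConnection. Run elevated. Rule name is illustrative.

function Get-SmtpSender {
    # Each sample parses "TCP  local  remote  state  pid" rows whose remote port is 25;
    # mail sessions are short, so sample repeatedly and keep the first sighting per PID.
    param([int]$Samples = 15, [int]$IntervalSeconds = 2)
    $seen = @{}
    for ($i = 0; $i -lt $Samples; $i++) {
        foreach ($line in (netstat -ano -p tcp)) {
            $f = $line.Trim() -split '\s+'
            if ($f.Length -lt 5 -or $f[0] -ne 'TCP') { continue }
            if ($f[2] -notmatch ':25$' -or $f[3] -eq 'LISTENING') { continue }
            $procId = [int]$f[4]
            if ($seen.ContainsKey($procId)) { continue }
            $p = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $path = '?'
            if ($p) { try { $path = $p.Path } catch { $path = $p.Name } }
            $seen[$procId] = New-Object PSObject -Property @{
                PID = $procId; Path = $path; FirstRemote = $f[2]; State = $f[3]
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    $seen.Values
}

function Enable-SmtpEgressAudit {
    # A block rule always takes precedence over allow rules in Windows Firewall, so this
    # stops every process on the host from speaking SMTP; remove it once the sender is found.
    netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block protocol=TCP remoteport=25 | Out-Null
    # Failure auditing for "Filtering Platform Connection" writes event 5157 per blocked connection.
    auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null
}

function Get-BlockedSmtpAttempt {
    # Event 5157 ("The Windows Filtering Platform has blocked a connection") carries the
    # Application Name as a \device\harddiskvolumeN\... path, the Process ID and the ports.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Direction:\s+Outbound' -and $_.Message -match 'Destination Port:\s+25(\r|\n|$)' } |
        ForEach-Object {
            $app = '?'; $procId = 0
            if ($_.Message -match 'Application Name:\s+(\S+)') { $app = $Matches[1] }
            if ($_.Message -match 'Process ID:\s+(\d+)')       { $procId = [int]$Matches[1] }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; PID = $procId; Application = $app }
        }
}

Get-SmtpSender | Format-Table PID, Path, FirstRemote, State -AutoSize
# Enable-SmtpEgressAudit
# Get-BlockedSmtpAttempt | Group-Object Application | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The audit route is the more reliable of the two because it does not depend on catching a connection during a netstat sample, and the event keeps the application path even after the process has exited. If the application turns out to be w3wp.exe or php-cgi.exe, the sender is a script under one of the IIS sites and the next step is the web content and the IIS logs, not another anti-virus scan.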
#13 yongxian

  • Topic Starter
  • Members

Posted 28 November 2015 - 06:31 AM

RogueKiller V10.11.7.0 [Nov 23 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tklassociate [Administrator]
Started from : C:\Users\Administrator\Desktop\RogueKiller.exe
Mode : Scan -- Date : 11/28/2015 19:03:44

¤¤¤ Processes : 6 ¤¤¤
[VT.Unknown] MonBlockIPStatus.exe(1532) -- C:\Program Files (x86)\Huawei\BlockChangeIP\MonBlockIPStatus.exe[-] -> Killed [TermProc]
[VT.Unknown] hwprotector.exe(2148) -- C:\Program Files (x86)\Huawei\BlockChangeIP\hwprotector.exe[-] -> Killed [TermProc]
[VT.Unknown] UVPUpgradeService.exe(2688) -- C:\Program Files (x86)\Xen PV Drivers\bin\UVPUpgradeService.exe[7] -> Killed [TermProc]
[VT.Unknown] uvpmonitor.exe(2776) -- C:\Program Files (x86)\Xen PV Drivers\bin\uvpmonitor.exe[7] -> Killed [TermProc]
[VT.Unknown] UvpVssReq.exe(4532) -- C:\Program Files (x86)\Xen PV Drivers\bin\UvpVssReq.exe[7] -> Killed [TermProc]
[VT.Unknown] BlockChangingIP.exe(4572) -- C:\Program Files (x86)\Huawei\BlockChangeIP\BlockChangingIP.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 14 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Internet Explorer\Main | Start Page : res://iesetup.dll/HardAdmin.htm  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Internet Explorer\Main | Start Page : res://iesetup.dll/HardAdmin.htm  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : res://iesetup.dll/HardAdmin.htm  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : res://iesetup.dll/HardAdmin.htm  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] [::1]           localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 7e85f8364ca71502fce67d9a39d7db80
[BSP] 47b1af060c3a9b9e029e82fcf65622b2 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 40858 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 615737496064104192fbdf113479137b
[BSP] a0730d0fbd553e87e91c0f88dd0a9923 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 102398 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2:  +++++
--- User ---
[MBR] 4b8a04408c8b38cfbd60e4b998ea19ff
[BSP] 1a93d564a598275a5ca078896a113ef3 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 102397 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

OTL.txt

OTL logfile created on: 28/11/2015 7:15:56 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Administrator\Desktop
64bit- Server Enterprise Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.11.9600.18097)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy
 
7.99 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 10.24% Memory free
15.98 Gb Paging File | 6.85 Gb Available in Paging File | 42.83% Paging File free
Paging file location(s): b:\pagefile.sys 0 0e:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 39.90 Gb Total Space | 4.86 Gb Free Space | 12.17% Space Free | Partition Type: NTFS
Drive E: | 100.00 Gb Total Space | 43.77 Gb Free Space | 43.77% Space Free | Partition Type: NTFS
 
Computer Name: WINDOWS-MI1I12B | User Name: tklassociate | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/11/27 19:43:19 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2015/11/11 11:43:09 | 005,516,008 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2015/11/11 11:43:06 | 000,343,336 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2015/11/11 11:43:04 | 001,313,096 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\bccavsvc.exe
PRC - [2015/11/11 11:43:04 | 000,633,288 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\bcc.exe
PRC - [2015/10/07 13:45:22 | 007,953,944 | ---- | M] (Softland) -- C:\Program Files (x86)\Softland\FBackup 5\bTray.exe
PRC - [2015/10/07 13:42:34 | 004,678,680 | ---- | M] (Softland) -- C:\Program Files (x86)\Softland\FBackup 5\bService.exe
PRC - [2014/04/11 09:26:54 | 000,200,848 | ---- | M] () -- C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe
PRC - [2013/12/10 22:10:30 | 000,043,520 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\PHP\v5.3\php-cgi.exe
PRC - [2011/05/26 11:47:10 | 000,270,336 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\BlockChangingIP.exe
PRC - [2011/03/17 12:53:50 | 000,122,880 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\MonBlockIPStatus.exe
PRC - [2011/03/17 12:53:36 | 000,151,552 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\hwprotector.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/11/11 11:43:09 | 040,540,672 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll
MOD - [2015/11/11 11:43:09 | 000,985,600 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\ffmpegsumo.dll
MOD - [2015/11/11 11:43:08 | 000,104,400 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\log.dll
MOD - [2015/11/11 11:43:06 | 000,081,728 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
MOD - [2015/10/07 13:26:30 | 000,437,760 | R--- | M] () -- C:\Program Files (x86)\Softland\FBackup 5\bResourceStrings.bpl
MOD - [2014/04/11 09:26:54 | 000,200,848 | ---- | M] () -- C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe
MOD - [2014/03/28 17:35:02 | 000,093,696 | ---- | M] () -- C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll
MOD - [2014/02/10 12:44:24 | 004,592,128 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
MOD - [2014/02/10 12:44:24 | 000,112,128 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
 
========== Services (SafeList) ==========
 
SRV:[b]64bit:[/b] - [2015/11/11 11:43:06 | 000,343,336 | ---- | M] (Avast Software s.r.o.) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:[b]64bit:[/b] - [2015/11/11 11:43:04 | 001,313,096 | ---- | M] (Avast Software s.r.o.) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\bccavsvc.exe -- (Avast Business Console Client Antivirus Service)
SRV:[b]64bit:[/b] - [2015/11/11 11:43:04 | 000,633,288 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\bcc.exe -- (aswBcc)
SRV:[b]64bit:[/b] - [2015/10/31 07:12:09 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:[b]64bit:[/b] - [2015/07/23 08:02:54 | 001,390,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\diagtrack.dll -- (DiagTrack)
SRV:[b]64bit:[/b] - [2015/04/30 01:53:40 | 000,366,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:[b]64bit:[/b] - [2015/04/30 01:53:40 | 000,023,816 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:[b]64bit:[/b] - [2014/11/21 07:31:30 | 013,035,008 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqld.exe -- (MySQL56x64)
SRV:[b]64bit:[/b] - [2014/09/18 17:03:36 | 018,905,600 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\MySQL\MySQL Server 5.7\bin\mysqld.exe -- (MYSQL57x64)
SRV:[b]64bit:[/b] - [2013/05/27 13:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:[b]64bit:[/b] - [2012/06/01 13:36:12 | 000,350,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV:[b]64bit:[/b] - [2011/04/01 20:17:08 | 000,067,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV:[b]64bit:[/b] - [2010/11/21 11:24:30 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:[b]64bit:[/b] - [2009/07/14 09:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:[b]64bit:[/b] - [2009/07/14 09:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:[b]64bit:[/b] - [2009/07/14 09:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:[b]64bit:[/b] - [2009/07/14 09:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:[b]64bit:[/b] - [2009/07/14 09:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV - [2015/10/07 13:42:34 | 004,678,680 | ---- | M] (Softland) [Auto | Running] -- C:\Program Files (x86)\Softland\FBackup 5\bService.exe -- (FBackup5Srv)
SRV - [2015/10/05 09:48:46 | 001,135,416 | ---- | M] (Malwarebytes) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2015/03/25 11:17:10 | 000,028,672 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe -- (TopazService)
SRV - [2015/03/20 18:21:34 | 000,027,280 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files (x86)\VisualSVN Server\bin\VisualSVNServer.exe -- (VisualSVNServer)
SRV - [2015/03/20 18:21:28 | 000,167,056 | ---- | M] (VisualSVN Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\VisualSVN Server\bin\vrepocfgsvc.exe -- (vrepocfgsvc)
SRV - [2015/03/20 18:21:28 | 000,096,912 | ---- | M] (VisualSVN Ltd.) [Disabled | Stopped] -- C:\Program Files (x86)\VisualSVN Server\bin\vdfssvc.exe -- (vdfssvc)
SRV - [2014/04/11 09:26:54 | 000,598,160 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Xen PV Drivers\bin\UVPUpgradeService.exe -- (UVPGrade)
SRV - [2014/04/11 09:26:54 | 000,072,336 | ---- | M] (Huawei) [Auto | Stopped] -- C:\Program Files (x86)\Xen PV Drivers\bin\uvpmonitor.exe -- (UVPMonitor)
SRV - [2014/03/21 06:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2012/03/14 12:27:26 | 000,398,336 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2012/03/14 12:27:26 | 000,398,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2011/03/17 12:53:50 | 000,122,880 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Huawei\BlockChangeIP\MonBlockIPStatus.exe -- (MonBlockIPStatus)
SRV - [2010/11/21 11:24:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV:[b]64bit:[/b] - [2015/11/28 18:34:18 | 000,035,064 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysNative\drivers\TrueSight.sys -- (TrueSight)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:11 | 000,272,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:11 | 000,137,288 | ---- | M] (Avast Software s.r.o.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswStm.sys -- (aswStm)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:10 | 000,442,264 | ---- | M] (Avast Software s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:10 | 000,093,528 | ---- | M] (Avast Software s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:10 | 000,089,944 | ---- | M] (Avast Software s.r.o.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:10 | 000,065,736 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:[b]64bit:[/b] - [2015/11/11 11:43:10 | 000,029,168 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid)
DRV:[b]64bit:[/b] - [2015/10/05 09:50:18 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:[b]64bit:[/b] - [2015/10/05 09:50:06 | 000,025,816 | ---- | M] (Malwarebytes) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:[b]64bit:[/b] - [2015/03/04 19:34:52 | 000,124,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:[b]64bit:[/b] - [2014/04/11 09:26:54 | 000,092,784 | ---- | M] (James Harper) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\xenpci.sys -- (XenPCI)
DRV:[b]64bit:[/b] - [2014/04/11 09:26:54 | 000,042,608 | ---- | M] (James Harper) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xennet.sys -- (XenNet)
DRV:[b]64bit:[/b] - [2014/04/11 09:26:54 | 000,025,200 | ---- | M] (James Harper) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\xenvbd.sys -- (XenVbd)
DRV:[b]64bit:[/b] - [2014/04/03 14:00:58 | 000,038,328 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PerformanceTest\DirectIo64.sys -- (DIRECTIO)
DRV:[b]64bit:[/b] - [2012/03/01 14:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:[b]64bit:[/b] - [2011/12/02 12:17:41 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:[b]64bit:[/b] - [2011/06/17 20:54:22 | 000,313,696 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\RsFx0151.sys -- (RsFx0151)
DRV:[b]64bit:[/b] - [2011/03/11 14:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:[b]64bit:[/b] - [2011/03/11 14:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:[b]64bit:[/b] - [2010/11/21 11:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:[b]64bit:[/b] - [2010/11/21 11:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:[b]64bit:[/b] - [2010/11/21 11:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:[b]64bit:[/b] - [2010/11/21 11:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:[b]64bit:[/b] - [2010/11/21 11:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:[b]64bit:[/b] - [2009/07/14 09:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:[b]64bit:[/b] - [2009/07/14 09:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:[b]64bit:[/b] - [2009/07/14 09:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:[b]64bit:[/b] - [2009/07/14 09:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:[b]64bit:[/b] - [2009/06/11 04:35:53 | 000,051,712 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rtnic64.sys -- (RTL8023x64)
DRV:[b]64bit:[/b] - [2009/06/11 04:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:[b]64bit:[/b] - [2009/06/11 04:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:[b]64bit:[/b] - [2009/06/11 04:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:[b]64bit:[/b] - [2009/06/11 04:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2014/12/19 09:34:44 | 000,116,224 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2009/07/14 09:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = 
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll ( Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
 
 
 
========== Chrome  ==========
 
CHR - Extension: No name found = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.1.2.0_0\
 
O1 HOSTS File: ([2012/05/16 09:44:01 | 000,000,820 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: [::1]           localhost
O4:[b]64bit:[/b] - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:[b]64bit:[/b] - HKLM..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe ()
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (Avast Software s.r.o.)
O4 - HKLM..\Run: [HwUVPUpgrade] C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe ()
O4 - HKU\S-1-5-21-366400160-141739491-217090673-500..\Run: [CCleaner Monitoring] C:\Program Files\CCleaner\CCleaner64.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-366400160-141739491-217090673-500..\Run: [FBackup 5 Tray Agent] C:\Program Files (x86)\Softland\FBackup 5\bTray.exe (Softland)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O7 - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O13[b]64bit:[/b] - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.116.1.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F84D73AC-2B71-494F-9A11-135A59A9D226}: DhcpNameServer = 203.116.1.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F84D73AC-2B71-494F-9A11-135A59A9D226}: NameServer = 203.116.1.78,203.116.1.94
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %*
O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2015/11/28 18:34:15 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2015/11/27 11:24:45 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Temp
[2015/11/23 16:05:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Debug
[2015/11/23 12:07:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2015/11/23 12:07:29 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2015/11/23 12:07:25 | 001,070,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2015/11/23 12:07:25 | 000,129,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSSTDFMT.DLL
[2015/11/23 12:07:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2015/11/16 12:48:57 | 000,000,000 | ---D | C] -- C:\FRST
[2015/11/16 11:24:27 | 002,348,544 | ---- | C] (Farbar) -- C:\Users\Administrator\Desktop\FRST64.exe
[2015/11/16 11:14:06 | 004,184,064 | ---- | C] (BrightFort LLC                                              ) -- C:\Users\Administrator\Desktop\spywareblastersetup52.exe
[2015/11/16 10:42:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2015/11/16 10:42:04 | 002,870,984 | ---- | C] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2015/11/16 10:32:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2015/11/16 10:21:44 | 004,404,952 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2015/11/13 17:45:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2015/11/13 17:44:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\mbar
[2015/11/13 14:26:38 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2015/11/13 13:21:42 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Administrator\Desktop\junction.exe
[2015/11/11 11:51:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\AVAST Software
[2015/11/11 11:43:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
[2015/11/11 11:43:13 | 000,442,264 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswSP.sys
[2015/11/11 11:43:13 | 000,137,288 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswStm.sys
[2015/11/11 11:43:13 | 000,093,528 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2015/11/11 11:43:13 | 000,089,944 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2015/11/11 11:43:12 | 000,364,472 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\aswBoot.exe
[2015/11/11 11:43:08 | 000,043,112 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\avastSS.scr
[2015/11/11 11:36:04 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2015/11/11 11:33:58 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2015/11/11 09:58:23 | 000,192,216 | ---- | C] (Malwarebytes) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/11/11 09:56:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2015/11/11 09:56:49 | 000,109,272 | ---- | C] (Malwarebytes) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/11/11 09:56:49 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2015/11/11 09:56:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2015/11/11 09:52:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2015/11/11 07:32:07 | 000,342,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\apphelp.dll
[2015/11/11 07:32:07 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sdbinst.exe
[2015/11/11 07:32:07 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sdbinst.exe
[2015/11/11 07:32:07 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\shimeng.dll
[2015/11/11 07:32:06 | 000,114,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2015/11/11 07:32:06 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2015/11/11 07:32:06 | 000,064,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll
[2015/11/11 07:32:06 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2015/11/11 07:32:06 | 000,047,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2015/11/11 07:32:05 | 000,720,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2015/11/11 07:32:05 | 000,130,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2015/11/11 07:32:05 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2015/11/11 07:32:05 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2015/11/11 07:32:05 | 000,034,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2015/11/11 07:32:03 | 002,052,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2015/11/11 07:32:03 | 000,710,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2015/11/11 07:32:03 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2015/11/11 07:32:03 | 000,062,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2015/11/11 07:32:02 | 000,663,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2015/11/11 07:32:02 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2015/11/11 07:32:01 | 000,968,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2015/11/11 07:32:01 | 000,801,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2015/11/11 07:32:01 | 000,620,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2015/11/11 07:32:01 | 000,480,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2015/11/11 07:32:01 | 000,315,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2015/11/11 07:32:01 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2015/11/11 07:32:00 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2015/11/11 07:31:59 | 002,126,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2015/11/11 07:31:59 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2015/11/11 07:31:58 | 001,155,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2015/11/11 07:31:58 | 000,585,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2015/11/11 07:31:58 | 000,115,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2015/11/11 07:31:57 | 000,341,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2015/11/11 07:31:57 | 000,168,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2015/11/11 07:31:56 | 000,616,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2015/11/11 07:31:56 | 000,489,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2015/11/11 07:31:54 | 001,359,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2015/11/11 07:31:54 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2015/11/11 07:31:53 | 000,817,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2015/11/11 07:31:53 | 000,814,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2015/11/11 07:31:53 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2015/11/11 07:31:52 | 005,990,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2015/11/11 07:31:52 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2015/11/11 07:31:51 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2015/11/11 07:31:51 | 000,088,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll
[2015/11/11 07:31:46 | 003,168,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2015/11/11 07:31:46 | 000,696,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2015/11/11 07:31:46 | 000,566,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapi.dll
[2015/11/11 07:31:45 | 000,192,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2015/11/11 07:31:45 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuwebv.dll
[2015/11/11 07:31:45 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2015/11/11 07:31:45 | 000,098,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2015/11/11 07:31:45 | 000,093,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wudriver.dll
[2015/11/11 07:31:45 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WinSetupUI.dll
[2015/11/11 07:31:45 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
[2015/11/11 07:31:45 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2015/11/11 07:31:45 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2015/11/11 07:31:45 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapp.exe
[2015/11/11 07:31:45 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wups.dll
[2015/11/11 07:31:45 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wu.upgrade.ps.dll
[2015/11/11 07:31:29 | 000,275,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\InkEd.dll
[2015/11/11 07:31:29 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\InkEd.dll
[2015/11/11 07:31:26 | 005,570,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/11/11 07:31:25 | 000,312,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2015/11/11 07:31:24 | 003,991,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/11/11 07:31:24 | 003,935,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/11/11 07:31:24 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2015/11/11 07:31:24 | 000,299,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\bcryptprimitives.dll
[2015/11/11 07:31:24 | 000,251,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\bcryptprimitives.dll
[2015/11/11 07:31:23 | 001,730,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2015/11/11 07:31:23 | 001,461,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
[2015/11/11 07:31:23 | 001,216,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rpcrt4.dll
[2015/11/11 07:31:23 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2015/11/11 07:31:23 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2015/11/11 07:31:23 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2015/11/11 07:31:23 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2015/11/11 07:31:22 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspicli.dll
[2015/11/11 07:31:22 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2015/11/11 07:31:22 | 000,064,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\auditpol.exe
[2015/11/11 07:31:22 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\auditpol.exe
[2015/11/11 07:31:22 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2015/11/11 07:31:21 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2015/11/11 07:31:21 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptbase.dll
[2015/11/11 07:31:21 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2015/11/11 07:31:21 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspisrv.dll
[2015/11/11 07:31:21 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secur32.dll
[2015/11/11 07:31:21 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2015/11/11 07:31:21 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2015/11/11 07:31:21 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2015/11/11 07:31:20 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2015/11/11 07:31:20 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2015/11/11 07:31:20 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2015/11/11 07:31:20 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2015/11/11 07:31:19 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2015/11/11 07:31:18 | 000,686,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\adtschema.dll
[2015/11/11 07:31:18 | 000,686,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\adtschema.dll
[2015/11/11 07:31:18 | 000,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msaudite.dll
[2015/11/11 07:31:18 | 000,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msaudite.dll
[2015/11/11 07:31:18 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msobjs.dll
[2015/11/11 07:31:18 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msobjs.dll
[2015/11/11 07:31:18 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2015/11/11 07:31:18 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2015/11/11 07:31:18 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\apisetschema.dll
[2015/11/11 07:31:18 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2015/11/11 07:31:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2015/11/11 07:31:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2015/11/11 07:31:18 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2015/11/05 19:34:06 | 000,404,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gdi32.dll
[2015/11/05 19:34:05 | 002,087,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ole32.dll
[2015/11/05 19:34:04 | 001,480,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2015/11/05 19:34:04 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2015/11/05 19:34:03 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2015/11/05 19:34:00 | 000,696,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netlogon.dll
[2015/11/05 19:33:58 | 003,242,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
[2015/11/05 19:33:57 | 000,504,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msihnd.dll
[2015/11/05 19:33:57 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msihnd.dll
[2015/11/05 19:33:57 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msimsg.dll
[2015/11/05 19:33:57 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msimsg.dll
[2015/11/05 19:33:54 | 000,254,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cewmdm.dll
[2015/11/05 19:33:54 | 000,210,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cewmdm.dll
[2015/11/05 19:33:54 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EsdSip.dll
[2015/11/05 19:33:54 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EsdSip.dll
[2015/11/05 19:03:14 | 000,124,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationCFFRasterizerNative_v0300.dll
[2015/11/05 19:03:14 | 000,103,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2015/11/28 19:18:00 | 000,000,938 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-366400160-141739491-217090673-500UA.job
[2015/11/28 18:34:18 | 000,035,064 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/11/28 18:23:45 | 000,021,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/11/28 18:23:45 | 000,021,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/11/28 00:18:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-366400160-141739491-217090673-500Core.job
[2015/11/27 19:43:19 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2015/11/27 19:04:37 | 019,746,888 | ---- | M] () -- C:\Users\Administrator\Desktop\RogueKiller.exe
[2015/11/27 12:20:48 | 000,033,194 | ---- | M] () -- C:\Users\Administrator\Desktop\avast.PNG
[2015/11/27 11:24:56 | 000,937,164 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/11/27 11:24:56 | 000,777,274 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/11/27 11:24:56 | 000,166,650 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/11/27 11:19:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/11/27 10:37:06 | 002,348,544 | ---- | M] (Farbar) -- C:\Users\Administrator\Desktop\FRST64.exe
[2015/11/23 12:09:19 | 000,041,256 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2015/11/16 11:13:52 | 004,184,064 | ---- | M] (BrightFort LLC                                              ) -- C:\Users\Administrator\Desktop\spywareblastersetup52.exe
[2015/11/16 11:10:26 | 000,132,597 | ---- | M] () -- C:\Users\Administrator\Desktop\Flash_Disinfector.exe
[2015/11/16 10:41:50 | 002,870,984 | ---- | M] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2015/11/16 10:21:09 | 004,404,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2015/11/15 12:06:48 | 000,001,977 | ---- | M] () -- C:\Users\Public\Desktop\Avast Business Security.lnk
[2015/11/15 12:06:48 | 000,000,877 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2015/11/15 11:43:21 | 000,270,608 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/11/13 17:45:55 | 000,192,216 | ---- | M] (Malwarebytes) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/11/13 17:45:37 | 000,109,272 | ---- | M] (Malwarebytes) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/11/12 05:24:45 | 000,002,375 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2015/11/11 12:56:28 | 000,946,726 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2015/11/11 11:43:11 | 000,272,248 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2015/11/11 11:43:11 | 000,137,288 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswStm.sys
[2015/11/11 11:43:10 | 000,442,264 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswSP.sys
[2015/11/11 11:43:10 | 000,364,472 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\aswBoot.exe
[2015/11/11 11:43:10 | 000,093,528 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2015/11/11 11:43:10 | 000,089,944 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2015/11/11 11:43:10 | 000,065,736 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2015/11/11 11:43:10 | 000,029,168 | ---- | M] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2015/11/11 11:43:08 | 000,043,112 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\avastSS.scr
[2015/10/31 07:40:38 | 000,004,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2015/10/31 07:25:55 | 000,066,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2015/10/31 07:25:15 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2015/10/31 07:25:08 | 000,417,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2015/10/31 07:24:50 | 000,585,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2015/10/31 07:24:34 | 000,088,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll
[2015/10/31 07:16:25 | 000,034,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2015/10/31 07:13:14 | 000,616,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2015/10/31 07:12:09 | 000,144,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2015/10/31 07:12:09 | 000,114,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2015/10/31 07:11:58 | 000,814,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2015/10/31 07:11:51 | 000,817,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2015/10/31 07:11:46 | 005,990,912 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2015/10/31 07:04:48 | 000,968,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2015/10/31 07:01:22 | 000,489,984 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2015/10/31 06:53:49 | 000,077,824 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2015/10/31 06:49:46 | 000,199,680 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2015/10/31 06:49:06 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2015/10/31 06:46:32 | 000,315,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2015/10/31 06:46:27 | 000,062,464 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2015/10/31 06:45:51 | 000,047,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2015/10/31 06:45:42 | 000,341,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2015/10/31 06:44:57 | 000,064,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll
[2015/10/31 06:44:55 | 000,152,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2015/10/31 06:39:27 | 000,030,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2015/10/31 06:37:31 | 000,480,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2015/10/31 06:36:25 | 000,115,712 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2015/10/31 06:36:24 | 000,663,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2015/10/31 06:36:06 | 000,620,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2015/10/31 06:32:13 | 000,720,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2015/10/31 06:31:26 | 000,801,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2015/10/31 06:29:57 | 001,359,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2015/10/31 06:29:52 | 002,126,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2015/10/31 06:23:51 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2015/10/31 06:21:10 | 000,168,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2015/10/31 06:19:51 | 000,076,288 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2015/10/31 06:17:41 | 000,130,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2015/10/31 06:09:23 | 001,155,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2015/10/31 06:09:15 | 002,052,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2015/10/31 05:53:01 | 000,800,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2015/10/31 05:46:02 | 000,710,144 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2015/10/30 01:50:44 | 000,006,656 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\shimeng.dll
[2015/10/30 01:50:30 | 000,342,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\apphelp.dll
[2015/10/30 01:50:14 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\sdbinst.exe
[2015/10/30 01:49:35 | 000,020,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\sdbinst.exe
 
========== Files Created - No Company Name ==========
 
[2015/11/28 18:34:18 | 000,035,064 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/11/28 18:34:05 | 019,746,888 | ---- | C] () -- C:\Users\Administrator\Desktop\RogueKiller.exe
[2015/11/27 12:20:48 | 000,033,194 | ---- | C] () -- C:\Users\Administrator\Desktop\avast.PNG
[2015/11/16 11:10:44 | 000,132,597 | ---- | C] () -- C:\Users\Administrator\Desktop\Flash_Disinfector.exe
[2015/11/11 11:43:33 | 000,001,977 | ---- | C] () -- C:\Users\Public\Desktop\Avast Business Security.lnk
[2015/11/11 11:43:13 | 000,272,248 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2015/11/11 11:43:13 | 000,065,736 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2015/11/11 11:43:13 | 000,029,168 | ---- | C] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2013/12/16 10:35:29 | 000,000,043 | ---- | C] () -- C:\Users\Administrator\mercurial.ini
[2012/06/26 10:27:51 | 000,000,436 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
[2012/06/19 09:02:46 | 000,007,676 | ---- | C] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2012/04/13 16:50:21 | 000,041,256 | RHS- | C] () -- C:\ProgramData\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/14 12:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2015/08/07 02:04:07 | 014,176,768 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2015/08/07 01:44:51 | 012,875,776 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 09:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 11:24:24 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 09:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >

Extra.txt

I did not see a minimized extra.txt nor can I find this log file on the desktop.



#14 Oh My!

  • Malware Response Instructor
  • Location:California

Posted 28 November 2015 - 12:09 PM

Greetings,

Please just copy and paste the text in your reply rather than use Code boxes.

I would like you to review the Processes and Registry sections of the RogueKiller log and identify any entries you do not recognize or that do not make sense to you.

----------

The reason you did not get an Extras log is because the program automatically creates that log on the first run and the report is the second run:

OTL logfile created on: 28/11/2015 7:15:56 PM - Run 2

Please scan the computer again this way.

===================================================

Rerun OTL with Extras.txt

--------------------
  • Double click on the OTL icon on your desktop
  • Click the "Scan All Users" checkbox
  • Under the Extra Registry box check Use SafeList
  • Push the Run Scan button
  • Copy and paste the two reports in your next reply
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Recognize entries?
  • OTL logs (2)
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#15 yongxian

  • Topic Starter
  • Members

Posted 29 November 2015 - 11:29 PM

  • Recognize entries?

The Processes entries in C:\Program Files (x86)\Huawei\ and C:\Program Files (x86)\Xen PV Drivers\ are VM drivers and programs installed by our VM provider, Huawei.

 

I am not too sure about the Registry entries.

  • OTL logs (2)

OTL.txt

 

OTL logfile created on: 30/11/2015 11:30:31 AM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Administrator\Desktop
64bit- Server Enterprise Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.11.9600.18097)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy
 
7.99 Gb Total Physical Memory | 0.79 Gb Available Physical Memory | 9.85% Memory free
15.98 Gb Paging File | 6.80 Gb Available in Paging File | 42.57% Paging File free
Paging file location(s): b:\pagefile.sys 0 0e:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 39.90 Gb Total Space | 4.95 Gb Free Space | 12.40% Space Free | Partition Type: NTFS
Drive E: | 100.00 Gb Total Space | 43.76 Gb Free Space | 43.76% Space Free | Partition Type: NTFS
 
Computer Name: WINDOWS-MI1I12B | User Name: tklassociate | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/11/27 19:43:19 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
PRC - [2015/11/11 11:43:09 | 005,516,008 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2015/11/11 11:43:06 | 000,343,336 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2015/11/11 11:43:04 | 001,313,096 | ---- | M] (Avast Software s.r.o.) -- C:\Program Files\AVAST Software\Avast\bccavsvc.exe
PRC - [2015/11/11 11:43:04 | 000,633,288 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\bcc.exe
PRC - [2015/10/07 13:42:34 | 004,678,680 | ---- | M] (Softland) -- C:\Program Files (x86)\Softland\FBackup 5\bService.exe
PRC - [2014/04/11 09:26:54 | 000,200,848 | ---- | M] () -- C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe
PRC - [2013/12/10 22:10:30 | 000,043,520 | ---- | M] (The PHP Group) -- C:\Program Files (x86)\PHP\v5.3\php-cgi.exe
PRC - [2011/05/26 11:47:10 | 000,270,336 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\BlockChangingIP.exe
PRC - [2011/03/17 12:53:50 | 000,122,880 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\MonBlockIPStatus.exe
PRC - [2011/03/17 12:53:36 | 000,151,552 | ---- | M] () -- C:\Program Files (x86)\Huawei\BlockChangeIP\hwprotector.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/11/11 11:43:09 | 040,540,672 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll
MOD - [2015/11/11 11:43:08 | 000,104,400 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\log.dll
MOD - [2015/11/11 11:43:06 | 000,081,728 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
MOD - [2014/04/11 09:26:54 | 000,200,848 | ---- | M] () -- C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe
MOD - [2014/03/28 17:35:02 | 000,093,696 | ---- | M] () -- C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll
MOD - [2014/02/10 12:44:24 | 004,592,128 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
MOD - [2014/02/10 12:44:24 | 000,112,128 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2015/11/11 11:43:06 | 000,343,336 | ---- | M] (Avast Software s.r.o.) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2015/11/11 11:43:04 | 001,313,096 | ---- | M] (Avast Software s.r.o.) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\bccavsvc.exe -- (Avast Business Console Client Antivirus Service)
SRV:64bit: - [2015/11/11 11:43:04 | 000,633,288 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\bcc.exe -- (aswBcc)
SRV:64bit: - [2015/10/31 07:12:09 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2015/07/23 08:02:54 | 001,390,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\diagtrack.dll -- (DiagTrack)
SRV:64bit: - [2015/04/30 01:53:40 | 000,366,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2015/04/30 01:53:40 | 000,023,816 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2014/11/21 07:31:30 | 013,035,008 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.6\bin\mysqld.exe -- (MySQL56x64)
SRV:64bit: - [2014/09/18 17:03:36 | 018,905,600 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\MySQL\MySQL Server 5.7\bin\mysqld.exe -- (MYSQL57x64)
SRV:64bit: - [2013/05/27 13:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2012/06/01 13:36:12 | 000,350,720 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\ftpsvc.dll -- (ftpsvc)
SRV:64bit: - [2011/04/01 20:17:08 | 000,067,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe -- (MsDepSvc)
SRV:64bit: - [2010/11/21 11:24:30 | 000,015,872 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2009/07/14 09:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 09:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 09:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 09:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:64bit: - [2009/07/14 09:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV - [2015/10/07 13:42:34 | 004,678,680 | ---- | M] (Softland) [Auto | Running] -- C:\Program Files (x86)\Softland\FBackup 5\bService.exe -- (FBackup5Srv)
SRV - [2015/10/05 09:48:46 | 001,135,416 | ---- | M] (Malwarebytes) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2015/03/25 11:17:10 | 000,028,672 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files (x86)\TKLA\TopazSetup\TopazService.exe -- (TopazService)
SRV - [2015/03/20 18:21:34 | 000,027,280 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files (x86)\VisualSVN Server\bin\VisualSVNServer.exe -- (VisualSVNServer)
SRV - [2015/03/20 18:21:28 | 000,167,056 | ---- | M] (VisualSVN Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\VisualSVN Server\bin\vrepocfgsvc.exe -- (vrepocfgsvc)
SRV - [2015/03/20 18:21:28 | 000,096,912 | ---- | M] (VisualSVN Ltd.) [Disabled | Stopped] -- C:\Program Files (x86)\VisualSVN Server\bin\vdfssvc.exe -- (vdfssvc)
SRV - [2014/04/11 09:26:54 | 000,598,160 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Xen PV Drivers\bin\UVPUpgradeService.exe -- (UVPGrade)
SRV - [2014/04/11 09:26:54 | 000,072,336 | ---- | M] (Huawei) [Auto | Stopped] -- C:\Program Files (x86)\Xen PV Drivers\bin\uvpmonitor.exe -- (UVPMonitor)
SRV - [2014/03/21 06:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2012/03/14 12:27:26 | 000,398,336 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2012/03/14 12:27:26 | 000,398,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2011/03/17 12:53:50 | 000,122,880 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Huawei\BlockChangeIP\MonBlockIPStatus.exe -- (MonBlockIPStatus)
SRV - [2010/11/21 11:24:58 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2015/11/28 18:34:18 | 000,035,064 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysNative\drivers\TrueSight.sys -- (TrueSight)
DRV:64bit: - [2015/11/11 11:43:11 | 000,272,248 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2015/11/11 11:43:11 | 000,137,288 | ---- | M] (Avast Software s.r.o.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswStm.sys -- (aswStm)
DRV:64bit: - [2015/11/11 11:43:10 | 000,442,264 | ---- | M] (Avast Software s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2015/11/11 11:43:10 | 000,093,528 | ---- | M] (Avast Software s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2015/11/11 11:43:10 | 000,089,944 | ---- | M] (Avast Software s.r.o.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2015/11/11 11:43:10 | 000,065,736 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2015/11/11 11:43:10 | 000,029,168 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid)
DRV:64bit: - [2015/10/05 09:50:18 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2015/10/05 09:50:06 | 000,025,816 | ---- | M] (Malwarebytes) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2015/03/04 19:34:52 | 000,124,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2014/04/11 09:26:54 | 000,092,784 | ---- | M] (James Harper) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\xenpci.sys -- (XenPCI)
DRV:64bit: - [2014/04/11 09:26:54 | 000,042,608 | ---- | M] (James Harper) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xennet.sys -- (XenNet)
DRV:64bit: - [2014/04/11 09:26:54 | 000,025,200 | ---- | M] (James Harper) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\xenvbd.sys -- (XenVbd)
DRV:64bit: - [2014/04/03 14:00:58 | 000,038,328 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PerformanceTest\DirectIo64.sys -- (DIRECTIO)
DRV:64bit: - [2012/03/01 14:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/12/02 12:17:41 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2011/06/17 20:54:22 | 000,313,696 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\RsFx0151.sys -- (RsFx0151)
DRV:64bit: - [2011/03/11 14:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 14:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 11:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 11:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/21 11:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 11:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/21 11:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/07/14 09:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 09:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 09:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 09:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/06/11 04:35:53 | 000,051,712 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rtnic64.sys -- (RTL8023x64)
DRV:64bit: - [2009/06/11 04:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:64bit: - [2009/06/11 04:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 04:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 04:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2014/12/19 09:34:44 | 000,116,224 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2009/07/14 09:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (All) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
 
IE - HKU\S-1-5-20\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
 
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
IE - HKU\S-1-5-21-366400160-141739491-217090673-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll ( Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Administrator\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll (Google Inc.)
 
 
 
========== Chrome  ==========
 
CHR - Extension: No name found = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.1.2.0_0\
 
O1 HOSTS File: ([2012/05/16 09:44:01 | 000,000,820 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: [::1]           localhost
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe ()
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (Avast Software s.r.o.)
O4 - HKLM..\Run: [HwUVPUpgrade] C:\Program Files (x86)\Xen PV Drivers\bin\HwUVPUpgrade.exe ()
O4 - HKU\S-1-5-21-366400160-141739491-217090673-500..\Run: [CCleaner Monitoring] C:\Program Files\CCleaner\CCleaner64.exe (Piriform Ltd)
O4 - HKU\S-1-5-21-366400160-141739491-217090673-500..\Run: [FBackup 5 Tray Agent] C:\Program Files (x86)\Softland\FBackup 5\bTray.exe (Softland)
O4 - HKU\S-1-5-21-366400160-141739491-217090673-500..\Run: [Google Update] C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.116.1.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F84D73AC-2B71-494F-9A11-135A59A9D226}: DhcpNameServer = 203.116.1.78
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F84D73AC-2B71-494F-9A11-135A59A9D226}: NameServer = 203.116.1.78,203.116.1.94
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2015/11/28 18:34:15 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2015/11/27 11:24:45 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Temp
[2015/11/23 16:05:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\Debug
[2015/11/23 12:07:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Licenses
[2015/11/23 12:07:29 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2015/11/23 12:07:25 | 001,070,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2015/11/23 12:07:25 | 000,129,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSSTDFMT.DLL
[2015/11/23 12:07:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2015/11/16 12:48:57 | 000,000,000 | ---D | C] -- C:\FRST
[2015/11/16 11:24:27 | 002,348,544 | ---- | C] (Farbar) -- C:\Users\Administrator\Desktop\FRST64.exe
[2015/11/16 11:14:06 | 004,184,064 | ---- | C] (BrightFort LLC                                              ) -- C:\Users\Administrator\Desktop\spywareblastersetup52.exe
[2015/11/16 10:42:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2015/11/16 10:42:04 | 002,870,984 | ---- | C] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2015/11/16 10:32:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2015/11/16 10:21:44 | 004,404,952 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2015/11/13 17:45:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2015/11/13 17:44:43 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\mbar
[2015/11/13 14:26:38 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2015/11/13 13:21:42 | 000,150,392 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Administrator\Desktop\junction.exe
[2015/11/11 11:51:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\AVAST Software
[2015/11/11 11:43:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
[2015/11/11 11:43:13 | 000,442,264 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswSP.sys
[2015/11/11 11:43:13 | 000,137,288 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswStm.sys
[2015/11/11 11:43:13 | 000,093,528 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2015/11/11 11:43:13 | 000,089,944 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2015/11/11 11:43:12 | 000,364,472 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\SysNative\aswBoot.exe
[2015/11/11 11:43:08 | 000,043,112 | ---- | C] (Avast Software s.r.o.) -- C:\Windows\avastSS.scr
[2015/11/11 11:36:04 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2015/11/11 11:33:58 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2015/11/11 09:58:23 | 000,192,216 | ---- | C] (Malwarebytes) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/11/11 09:56:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2015/11/11 09:56:49 | 000,109,272 | ---- | C] (Malwarebytes) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/11/11 09:56:49 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2015/11/11 09:56:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2015/11/11 09:52:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab Setup Files
[2015/11/11 07:32:07 | 000,342,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\apphelp.dll
[2015/11/11 07:32:07 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sdbinst.exe
[2015/11/11 07:32:07 | 000,020,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\sdbinst.exe
[2015/11/11 07:32:07 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\shimeng.dll
[2015/11/11 07:32:06 | 000,114,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2015/11/11 07:32:06 | 000,076,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2015/11/11 07:32:06 | 000,064,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll
[2015/11/11 07:32:06 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2015/11/11 07:32:06 | 000,047,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2015/11/11 07:32:05 | 000,720,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2015/11/11 07:32:05 | 000,130,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\occache.dll
[2015/11/11 07:32:05 | 000,077,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2015/11/11 07:32:05 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2015/11/11 07:32:05 | 000,034,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2015/11/11 07:32:03 | 002,052,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2015/11/11 07:32:03 | 000,710,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2015/11/11 07:32:03 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\occache.dll
[2015/11/11 07:32:03 | 000,062,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2015/11/11 07:32:02 | 000,663,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2015/11/11 07:32:02 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2015/11/11 07:32:01 | 000,968,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2015/11/11 07:32:01 | 000,801,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2015/11/11 07:32:01 | 000,620,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2015/11/11 07:32:01 | 000,480,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2015/11/11 07:32:01 | 000,315,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2015/11/11 07:32:01 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2015/11/11 07:32:00 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2015/11/11 07:31:59 | 002,126,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2015/11/11 07:31:59 | 000,800,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2015/11/11 07:31:58 | 001,155,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2015/11/11 07:31:58 | 000,585,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2015/11/11 07:31:58 | 000,115,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2015/11/11 07:31:57 | 000,341,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2015/11/11 07:31:57 | 000,168,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2015/11/11 07:31:56 | 000,616,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2015/11/11 07:31:56 | 000,489,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2015/11/11 07:31:54 | 001,359,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2015/11/11 07:31:54 | 000,092,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2015/11/11 07:31:53 | 000,817,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2015/11/11 07:31:53 | 000,814,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2015/11/11 07:31:53 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2015/11/11 07:31:52 | 005,990,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2015/11/11 07:31:52 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2015/11/11 07:31:51 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2015/11/11 07:31:51 | 000,088,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll
[2015/11/11 07:31:46 | 003,168,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wucltux.dll
[2015/11/11 07:31:46 | 000,696,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapi.dll
[2015/11/11 07:31:46 | 000,566,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapi.dll
[2015/11/11 07:31:45 | 000,192,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuwebv.dll
[2015/11/11 07:31:45 | 000,174,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuwebv.dll
[2015/11/11 07:31:45 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuauclt.exe
[2015/11/11 07:31:45 | 000,098,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wudriver.dll
[2015/11/11 07:31:45 | 000,093,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wudriver.dll
[2015/11/11 07:31:45 | 000,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WinSetupUI.dll
[2015/11/11 07:31:45 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups2.dll
[2015/11/11 07:31:45 | 000,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wuapp.exe
[2015/11/11 07:31:45 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wups.dll
[2015/11/11 07:31:45 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wuapp.exe
[2015/11/11 07:31:45 | 000,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wups.dll
[2015/11/11 07:31:45 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wu.upgrade.ps.dll
[2015/11/11 07:31:29 | 000,275,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\InkEd.dll
[2015/11/11 07:31:29 | 000,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\InkEd.dll
[2015/11/11 07:31:26 | 005,570,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/11/11 07:31:25 | 000,312,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ncrypt.dll
[2015/11/11 07:31:24 | 003,991,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/11/11 07:31:24 | 003,935,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/11/11 07:31:24 | 001,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
[2015/11/11 07:31:24 | 000,299,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\bcryptprimitives.dll
[2015/11/11 07:31:24 | 000,251,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\bcryptprimitives.dll
[2015/11/11 07:31:23 | 001,730,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2015/11/11 07:31:23 | 001,461,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
[2015/11/11 07:31:23 | 001,216,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rpcrt4.dll
[2015/11/11 07:31:23 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
[2015/11/11 07:31:23 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
[2015/11/11 07:31:23 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
[2015/11/11 07:31:23 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2015/11/11 07:31:22 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspicli.dll
[2015/11/11 07:31:22 | 000,112,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\smss.exe
[2015/11/11 07:31:22 | 000,064,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\auditpol.exe
[2015/11/11 07:31:22 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\auditpol.exe
[2015/11/11 07:31:22 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
[2015/11/11 07:31:21 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
[2015/11/11 07:31:21 | 000,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptbase.dll
[2015/11/11 07:31:21 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\csrsrv.dll
[2015/11/11 07:31:21 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspisrv.dll
[2015/11/11 07:31:21 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secur32.dll
[2015/11/11 07:31:21 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
[2015/11/11 07:31:21 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
[2015/11/11 07:31:21 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
[2015/11/11 07:31:20 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
[2015/11/11 07:31:20 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
[2015/11/11 07:31:20 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
[2015/11/11 07:31:20 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
[2015/11/11 07:31:20 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
[2015/11/11 07:31:20 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
[2015/11/11 07:31:19 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
[2015/11/11 07:31:19 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
[2015/11/11 07:31:19 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
[2015/11/11 07:31:18 | 000,686,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\adtschema.dll
[2015/11/11 07:31:18 | 000,686,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\adtschema.dll
[2015/11/11 07:31:18 | 000,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msaudite.dll
[2015/11/11 07:31:18 | 000,146,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msaudite.dll
[2015/11/11 07:31:18 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msobjs.dll
[2015/11/11 07:31:18 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msobjs.dll
[2015/11/11 07:31:18 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
[2015/11/11 07:31:18 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\apisetschema.dll
[2015/11/11 07:31:18 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\apisetschema.dll
[2015/11/11 07:31:18 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
[2015/11/11 07:31:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
[2015/11/11 07:31:18 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
[2015/11/11 07:31:18 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
[2015/11/11 07:31:18 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
[2015/11/05 19:34:06 | 000,404,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gdi32.dll
[2015/11/05 19:34:05 | 002,087,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ole32.dll
[2015/11/05 19:34:04 | 001,480,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2015/11/05 19:34:04 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2015/11/05 19:34:03 | 000,140,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2015/11/05 19:34:00 | 000,696,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\netlogon.dll
[2015/11/05 19:33:58 | 003,242,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
[2015/11/05 19:33:57 | 000,504,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msihnd.dll
[2015/11/05 19:33:57 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msihnd.dll
[2015/11/05 19:33:57 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msimsg.dll
[2015/11/05 19:33:57 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msimsg.dll
[2015/11/05 19:33:54 | 000,254,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cewmdm.dll
[2015/11/05 19:33:54 | 000,210,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cewmdm.dll
[2015/11/05 19:33:54 | 000,019,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\EsdSip.dll
[2015/11/05 19:33:54 | 000,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EsdSip.dll
[2015/11/05 19:03:14 | 000,124,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\PresentationCFFRasterizerNative_v0300.dll
[2015/11/05 19:03:14 | 000,103,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
 
========== Files - Modified Within 30 Days ==========
 
[2015/11/30 11:22:54 | 000,021,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/11/30 11:22:54 | 000,021,408 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/11/30 11:18:00 | 000,000,938 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-366400160-141739491-217090673-500UA.job
[2015/11/30 00:18:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-366400160-141739491-217090673-500Core.job
[2015/11/28 18:34:18 | 000,035,064 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/11/27 19:43:19 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2015/11/27 19:04:37 | 019,746,888 | ---- | M] () -- C:\Users\Administrator\Desktop\RogueKiller.exe
[2015/11/27 12:20:48 | 000,033,194 | ---- | M] () -- C:\Users\Administrator\Desktop\avast.PNG
[2015/11/27 11:24:56 | 000,937,164 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/11/27 11:24:56 | 000,777,274 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/11/27 11:24:56 | 000,166,650 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/11/27 11:19:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/11/27 10:37:06 | 002,348,544 | ---- | M] (Farbar) -- C:\Users\Administrator\Desktop\FRST64.exe
[2015/11/23 12:09:19 | 000,041,256 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2015/11/16 11:13:52 | 004,184,064 | ---- | M] (BrightFort LLC                                              ) -- C:\Users\Administrator\Desktop\spywareblastersetup52.exe
[2015/11/16 11:10:26 | 000,132,597 | ---- | M] () -- C:\Users\Administrator\Desktop\Flash_Disinfector.exe
[2015/11/16 10:41:50 | 002,870,984 | ---- | M] (ESET) -- C:\Users\Administrator\Desktop\esetsmartinstaller_enu.exe
[2015/11/16 10:21:09 | 004,404,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2015/11/15 12:06:48 | 000,001,977 | ---- | M] () -- C:\Users\Public\Desktop\Avast Business Security.lnk
[2015/11/15 12:06:48 | 000,000,877 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2015/11/15 11:43:21 | 000,270,608 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/11/13 17:45:55 | 000,192,216 | ---- | M] (Malwarebytes) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/11/13 17:45:37 | 000,109,272 | ---- | M] (Malwarebytes) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/11/12 05:24:45 | 000,002,375 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2015/11/11 12:56:28 | 000,946,726 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2015/11/11 11:43:11 | 000,272,248 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2015/11/11 11:43:11 | 000,137,288 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswStm.sys
[2015/11/11 11:43:10 | 000,442,264 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswSP.sys
[2015/11/11 11:43:10 | 000,364,472 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\aswBoot.exe
[2015/11/11 11:43:10 | 000,093,528 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2015/11/11 11:43:10 | 000,089,944 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2015/11/11 11:43:10 | 000,065,736 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2015/11/11 11:43:10 | 000,029,168 | ---- | M] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2015/11/11 11:43:08 | 000,043,112 | ---- | M] (Avast Software s.r.o.) -- C:\Windows\avastSS.scr
 
========== Files Created - No Company Name ==========
 
[2015/11/28 18:34:18 | 000,035,064 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/11/28 18:34:05 | 019,746,888 | ---- | C] () -- C:\Users\Administrator\Desktop\RogueKiller.exe
[2015/11/27 12:20:48 | 000,033,194 | ---- | C] () -- C:\Users\Administrator\Desktop\avast.PNG
[2015/11/16 11:10:44 | 000,132,597 | ---- | C] () -- C:\Users\Administrator\Desktop\Flash_Disinfector.exe
[2015/11/11 11:43:33 | 000,001,977 | ---- | C] () -- C:\Users\Public\Desktop\Avast Business Security.lnk
[2015/11/11 11:43:13 | 000,272,248 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2015/11/11 11:43:13 | 000,065,736 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2015/11/11 11:43:13 | 000,029,168 | ---- | C] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2013/12/16 10:35:29 | 000,000,043 | ---- | C] () -- C:\Users\Administrator\mercurial.ini
[2012/06/26 10:27:51 | 000,000,436 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
[2012/06/19 09:02:46 | 000,007,676 | ---- | C] () -- C:\Users\Administrator\AppData\Local\resmon.resmoncfg
[2012/04/13 16:50:21 | 000,041,256 | RHS- | C] () -- C:\ProgramData\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/14 12:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2015/08/07 02:04:07 | 014,176,768 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2015/08/07 01:44:51 | 012,875,776 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 09:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 11:24:24 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 09:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >
 
Extra.txt
 
OTL Extras logfile created on: 30/11/2015 11:30:31 AM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Administrator\Desktop
64bit- Server Enterprise Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.11.9600.18097)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy
 
7.99 Gb Total Physical Memory | 0.79 Gb Available Physical Memory | 9.85% Memory free
15.98 Gb Paging File | 6.80 Gb Available in Paging File | 42.57% Paging File free
Paging file location(s): b:\pagefile.sys 0 0e:\pagefile.sys 0 0 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 39.90 Gb Total Space | 4.95 Gb Free Space | 12.40% Space Free | Partition Type: NTFS
Drive E: | 100.00 Gb Total Space | 43.76 Gb Free Space | 43.76% Space Free | Partition Type: NTFS
 
Computer Name: WINDOWS-MI1I12B | User Name: tklassociate | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{059C7CD2-8349-4BF1-88E9-6C6063645E18}" = lport=3308 | protocol=6 | dir=in | name=mysql57x64 |
"{15C8A6FC-AF17-4837-BEBF-A70596029DAE}" = lport=3307 | protocol=6 | dir=in | name=mysqltkla |
"{184A8360-938B-4C56-A822-ED9627020F6E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{316F2391-5190-4A8B-8D6C-0F49BF0252E1}" = lport=3308 | protocol=6 | dir=in | name=mysql57x64 |
"{3F8F5D91-28F9-47ED-A38B-784D6A7DDB5C}" = lport=3307 | protocol=6 | dir=in | name=mysql56x64 |
"{5244958D-2228-4821-8F66-CE8896399E3F}" = lport=1433 | protocol=6 | dir=in | name=ms sql server |
"{56BCA104-8B72-440E-A646-96E118F43A15}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{58F69F0D-2FAC-40C7-AC1A-5E05E9209811}" = lport=3307 | protocol=6 | dir=in | name=mysql56x64 |
"{82BA7B76-1230-44D4-813C-30B4D75B75C1}" = lport=5353 | protocol=17 | dir=in | app=c:\users\administrator\appdata\local\google\chrome\application\chrome.exe |
"{8F008EC2-082C-40EF-8C32-F94C53B8DAD4}" = lport=445 | protocol=6 | dir=in | app=system |
"{90C850DD-19BA-4375-AD3A-48505C994173}" = lport=3306 | protocol=6 | dir=in | name=mysql server |
"{A6BBE136-E7C3-4F3A-B6E2-BCE3975B72BD}" = lport=137 | protocol=17 | dir=in | app=system |
"{A713A0F5-4268-4543-80D2-C1988A2B35B6}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{A8FA59BD-A14D-4708-B338-D7E8615003EC}" = rport=139 | protocol=6 | dir=out | app=system |
"{BD55694E-E438-4D98-ACA3-5B6D19707533}" = rport=137 | protocol=17 | dir=out | app=system |
"{C42917DE-C86D-4924-BD61-263434F58B7A}" = lport=139 | protocol=6 | dir=in | app=system |
"{C76C2F0B-9896-4949-8799-940D12604AE0}" = rport=445 | protocol=6 | dir=out | app=system |
"{D4EC33C4-2F14-41CB-A3D3-1F96FB802145}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E9FE286C-8061-437B-8BB1-007D8F3B47E2}" = lport=138 | protocol=17 | dir=in | app=system |
"{F08D53AA-C4B7-4BE6-A5CA-909CBDC690BE}" = rport=138 | protocol=17 | dir=out | app=system |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01C27FE2-94F5-4CB8-87C8-91BF2811EB32}" = dir=in | app=c:\program files (x86)\softland\fbackup 5\brestore.exe |
"{08DBBE9C-D997-427B-ACAB-5F86348C6A25}" = dir=in | app=c:\program files (x86)\softland\fbackup 5\fbackup.exe |
"{13E1D96B-07CB-4B77-A179-56C3342756D0}" = protocol=58 | dir=out | name=core networking - parameter problem (icmpv6-out) |
"{180F5590-D19E-4DD3-A359-F7C70376EDA5}" = protocol=58 | dir=out | name=core networking - time exceeded (icmpv6-out) |
"{2151ADD6-4C51-4A3A-A22C-424E23A70FDC}" = protocol=58 | dir=out | name=@firewallapi.dll,-25111 |
"{29DEB98F-5073-40AC-B9D4-5C9EFD185C35}" = protocol=1 | dir=in | name=all icmp v4 |
"{33D9FE21-3FEC-4A37-9EF3-7E07C1927EEB}" = protocol=6 | dir=in | name=website panel |
"{34321485-E74B-4D24-9F6D-551043BB37EC}" = protocol=1 | dir=out | name=@firewallapi.dll,-26009 |
"{3DB839BE-7AFA-4312-B806-2059F82E09DC}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{3FED70C2-17C8-485B-AA34-6ADBD79AC5FE}" = protocol=1 | dir=in | name=@firewallapi.dll,-26043 |
"{41DAB38C-7982-406D-A609-CA94AF0AD01A}" = protocol=1 | dir=out | name=@firewallapi.dll,-26016 |
"{468B2814-B105-49B9-BB48-6C9D5C385FDF}" = protocol=6 | dir=in | app=c:\program files (x86)\visualsvn server\bin\visualsvnserver.exe |
"{689130D1-5D8E-4A0C-8934-21EEAA6B8631}" = protocol=1 | dir=in | name=@firewallapi.dll,-26134 |
"{6892E8E4-2BDF-488E-9E7E-316C448E5E6B}" = protocol=1 | dir=out | name=@firewallapi.dll,-26023 |
"{70A279A0-D055-44B0-AC46-F4E23E689FD0}" = dir=in | app=c:\program files (x86)\softland\fbackup 5\btest.exe |
"{7FFEE038-459B-4929-85C3-A7AFBDC7F8C9}" = protocol=58 | dir=in | name=@firewallapi.dll,-26078 |
"{894D2F12-1D2E-4036-987D-2B09AB1AA8BC}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{8AA0E368-8E54-4E3B-A872-8312F5CC2D28}" = protocol=1 | dir=in | name=@firewallapi.dll,-26043 |
"{A12B9117-4936-4D1D-BEB7-F5AD46921411}" = protocol=1 | dir=in | app=system |
"{AE5F493E-0D19-496F-8D6D-ACAE04CD9378}" = protocol=1 | dir=in | name=@firewallapi.dll,-26022 |
"{C831FF2D-2A64-4DD5-8AD5-15243C21D01B}" = protocol=1 | dir=in | name=@firewallapi.dll,-26137 |
"{CBB514A7-793B-46E5-B55A-069F59A03AD9}" = protocol=1 | dir=out | name=@firewallapi.dll,-26058 |
"{E054B35C-0E04-4D09-AA60-583D1BFC4F19}" = protocol=1 | dir=out | name=@firewallapi.dll,-26037 |
"{EA8F30B1-4C87-438B-B233-6EFDFE27F7F3}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{F5A142C6-7B1F-4779-ABF5-4B90AFB22435}" = dir=in | app=c:\program files (x86)\softland\fbackup 5\bbackup.exe |
"{FD1615BF-8FB0-4935-A662-DF133A93DDB9}" = protocol=58 | dir=out | name=@firewallapi.dll,-26079 |
"{FD45BB76-73D2-4161-A393-8B336B4C8481}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"TCP Query User{7ED501B8-F316-4324-B236-B80CC34272D9}C:\program files (x86)\iometer.org\iometer 2006.07.27\dynamo.exe" = protocol=6 | dir=in | app=c:\program files (x86)\iometer.org\iometer 2006.07.27\dynamo.exe |
"TCP Query User{81693372-25CA-464E-94E4-1E160BCDEBF6}C:\program files (x86)\iometer.org\iometer 2006.07.27\iometer.exe" = protocol=6 | dir=in | app=c:\program files (x86)\iometer.org\iometer 2006.07.27\iometer.exe |
"UDP Query User{6AF9C999-761C-4E38-B2EC-A94D135CCA5B}C:\program files (x86)\iometer.org\iometer 2006.07.27\dynamo.exe" = protocol=17 | dir=in | app=c:\program files (x86)\iometer.org\iometer 2006.07.27\dynamo.exe |
"UDP Query User{B5DE5F99-4EB1-43D3-9684-FE27DD003970}C:\program files (x86)\iometer.org\iometer 2006.07.27\iometer.exe" = protocol=17 | dir=in | app=c:\program files (x86)\iometer.org\iometer 2006.07.27\iometer.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01078B88-2981-4F75-96B0-8B22E2D2DE03}" = Microsoft SQL Server 2008 R2 Setup (English)
"{02887779-BAEA-4C28-B883-DD533B292BFE}" = VisualSVN Server 3.3.1
"{02DA0248-DB55-44A7-8DC6-DBA573AEEA94}" = Application Initialization 1.0 for IIS 7.5
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{234F6B0D-10AE-4BB7-B2F3-E48D4861952D}" = SQL Server 2008 R2 SP1 Common Files
"{288D79EE-A2D1-42AF-9597-B0ADCC23A8ED}" = Microsoft SQL Server VSS Writer
"{36F70DEE-1EBF-4707-AFA2-E035EEAEBAA1}" = SQL Server 2008 R2 SP1 Common Files
"{37BB8A81-DAF8-4DC4-84E9-2668FE8C6959}" = MySQL Server 5.6
"{39ABC5D4-D5FE-4AF9-A965-B15660480A7B}" = TortoiseHg 3.1.1 (x64)
"{40AFAA5A-72EE-45A7-B8D2-CC7E08C9370B}" = MySQL Workbench 6.3 CE
"{41D4D03E-5809-4CE0-9FCF-37CF9AD18F4C}" = HSTS IIS Module
"{45E8CF12-C061-492B-A11F-F72D3658A7A5}" = MySQL Server 5.7
"{45FB6CF5-9AD5-426D-88F3-131A8471DA87}" = Mercurial 3.1.1 (x64)
"{471AAD2C-9078-4DAC-BD43-FA10FB7C3FCE}" = Microsoft SQL Server 2008 R2 Native Client
"{49D665A2-4C2A-476E-9AB8-FCC425F526FC}" = Microsoft SQL Server 2012 Native Client
"{4D84C195-86F0-4B34-8FDE-4A17EB41306A}" = Microsoft Web Platform Installer 5.0
"{5134B35A-B559-4762-94A4-FD4918977953}" = Microsoft Web Deploy 2.0
"{51E5BC99-A087-4CFF-8D93-462903EA7E12}" = SQL Server 2008 R2 SP1 Management Studio
"{72AB7E6F-BC24-481E-8C45-1AB5B3DD795D}" = SQL Server 2008 R2 SP1 Management Studio
"{7A7126F2-8806-4D0A-8FA6-CF881D5D05A0}" = GPL PV Drivers for Windows 1.1.3.18
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{80EE5F65-5553-47A1-B6A9-8BF3211D21A3}" = MySQL Connector C++ 1.1.6
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}" = Microsoft Sync Framework 2.0 Core Components (x64) ENU
"{90140000-00D1-0409-1000-0000000FF1CE}" = Microsoft Access database engine 2010 (English)
"{929FBD26-9020-399B-9A7A-751D61F0B942}" = Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1991404-2634-47E1-BC45-8F3B5014B1D1}" = MySQL Connector/ODBC 5.3
"{A2122A9C-A699-4365-ADF8-68FEAC125D61}" = SQL Server 2008 R2 SP1 Database Engine Shared
"{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}" = Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005
"{ABC3A516-54E3-414B-B501-762E7FB2F9D5}" = MySQL Connector/C 6.1
"{B40EE88B-400A-4266-A17B-E3DE64E94431}" = Microsoft SQL Server 2008 Setup Support Files
"{C3CC4DF5-39A5-4027-B136-2B3E1F5AB6E3}" = Python 2.7.6 (64-bit)
"{C942A025-A840-4BF2-8987-849C0DD44574}" = SQL Server 2008 R2 SP1 Database Engine Shared
"{C9F697B9-FAC8-4B76-9D3D-40FA3BFA4F9E}" = Microsoft SQL Server System CLR Types (x64)
"{D8C23BDE-4748-44D9-A9DD-8AB64EB18BE3}" = Microsoft SQL Server 2008 R2 RsFx Driver
"{D9FCBAAE-DB72-488B-96D0-0AA3C892C0D6}" = Microsoft Security Client
"{E016AA48-A21B-4728-9BD0-E3AAE23BEE5F}" = Microsoft SQL Server 2008 R2 Management Objects (x64)
"{E851486F-1FE2-44F0-85ED-F969088A68EE}" = PHP Manager 1.2 for IIS 7
"{EB675D0A-2C95-405B-BEE8-B42A65D23E11}" = IIS URL Rewrite Module 2
"{F31183CF-E10F-4DE1-BB59-6C0FF38E481E}" = Sql Server Customer Experience Improvement Program
"{FA7394B8-CE65-4F9E-AC99-F372AD365424}" = SQL Server 2008 R2 SP1 Database Engine Services
"{FBD367D1-642F-47CF-B79B-9BE48FB34007}" = SQL Server 2008 R2 SP1 Database Engine Services
"CCleaner" = CCleaner
"mercurial-py2.6" = Python 2.6 mercurial-2.2.2
"mercurial-py2.7" = Python 2.7 mercurial-3.1.1
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft SQL Server 10" = Microsoft SQL Server 2008 R2 (64-bit)
"Microsoft SQL Server 2008 R2" = Microsoft SQL Server 2008 R2 (64-bit)
"PerformanceTest 8_is1" = PerformanceTest v8.0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01D76D8E-A496-4870-8357-87C6D2B5E807}" = MySQL Server 5.1
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
"{3A9FC03D-C685-4831-94CF-4EDFD3749497}" = Microsoft SQL Server Compact 3.5 SP2 ENU
"{3BA103F3-9F80-468F-A4D0-52ED5709B871}" = MySQL Installer for Windows - Community
"{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}" = Microsoft ASP.NET MVC 4 Runtime
"{4ECF4BDC-8387-329A-ABE9-CF5798F84BB2}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
"{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}" = Microsoft ASP.NET Web Pages
"{71458704-E552-4A3E-8BFA-4F61C1F70724}" = MySQL Connector Net 6.9.6
"{7f51bdb9-ee21-49ee-94d6-90afc321780e}" = Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005
"{8A9B23F6-9C1D-4DB2-8254-EAB70EF4325B}" = MySQL Connector J
"{90120000-00D1-0409-0000-0000000FF1CE}" = Microsoft Office Access database engine 2007 (English)
"{90AC1D94-916C-48C0-B557-E927749D3F72}" = FBackup 5
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A22F374C-4AFC-4B5D-A509-7456A6107588}" = WebsitePanel Installer
"{BF9BF038-FE03-429D-9B26-2FA0FD756052}" = Microsoft SQL Server Browser
"{CCE07B0A-3DD1-4177-9743-F5A95A57CFEF}" = MySQL Tools for 5.0
"{D21BC5B2-CBAC-48FA-A701-B5A63C1CA7B8}" = Microsoft SQL Server 2008 R2 Policies
"{D32EF103-4016-4C15-BCB0-700C0A7A2309}" = Microsoft ASP.NET MVC 3
"{D9B81630-6CC2-4CA1-929E-D3D91DE5723A}" = WebsitePanel Installer
"{DDFD8348-058C-4F4B-85E5-6D740D4AB3FE}" = Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
"{FBC90CFE-370B-413E-8865-E0385719B6CE}" = TopazSetup
"{fde86e74-7231-4a9e-bfec-c5e340e0ff2b}" = FBackup 5.5
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.20
"Avast" = Avast Business Security
"ESET Online Scanner" = ESET Online Scanner v3
"FileZilla Client" = FileZilla Client 3.8.0
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.2.0.1024
"Microsoft Report Viewer Redistributable 2008 (KB971119)" = Microsoft Report Viewer Redistributable 2008 SP1
"Notepad++" = Notepad++
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-366400160-141739491-217090673-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"WinDirStat" = WinDirStat 1.1.2
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 29/11/2015 11:34:52 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:35:07 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:35:22 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:35:37 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:35:52 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:36:07 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:36:22 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:36:37 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:36:52 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
Error - 29/11/2015 11:37:07 PM | Computer Name = WINDOWS-MI1I12B | Source = MySQL | ID = 100
Description = Event Scheduler: [root@%][sharearide.updatequeue] Subquery returns
 more than 1 row    For more information, see Help and Support Center at http://www.mysql.com.
 
[ System Events ]
Error - 29/11/2015 5:01:38 PM | Computer Name = WINDOWS-MI1I12B | Source = Schannel | ID = 36874
Description = An TLS 1.2 connection request was received from a remote client application,
 but none of the cipher suites supported by the client application are supported
 by the server. The SSL connection request has failed.
 
Error - 29/11/2015 5:01:38 PM | Computer Name = WINDOWS-MI1I12B | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 40. The internal error state
 is 1205.
 
Error - 29/11/2015 5:01:43 PM | Computer Name = WINDOWS-MI1I12B | Source = Schannel | ID = 36874
Description = An TLS 1.2 connection request was received from a remote client application,
 but none of the cipher suites supported by the client application are supported
 by the server. The SSL connection request has failed.
 
Error - 29/11/2015 5:01:43 PM | Computer Name = WINDOWS-MI1I12B | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 40. The internal error state
 is 1205.
 
Error - 29/11/2015 10:14:53 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver ES7470 MFP(PS) required for printer ES7470 MFP(PS) is unknown.
 Contact the administrator to install the driver before you log in again.
 
Error - 29/11/2015 10:14:54 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver PDFCreator required for printer PDFCreator is unknown. Contact
 the administrator to install the driver before you log in again.
 
Error - 29/11/2015 10:14:58 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver ES7470 MFP(PS) required for printer OKI ES7470 MFP-773FE8 is
 unknown. Contact the administrator to install the driver before you log in again.
 
Error - 29/11/2015 11:20:04 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver ES7470 MFP(PS) required for printer ES7470 MFP(PS) is unknown.
 Contact the administrator to install the driver before you log in again.
 
Error - 29/11/2015 11:20:06 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver ES7470 MFP(PS) required for printer OKI ES7470 MFP-773FE8 is
 unknown. Contact the administrator to install the driver before you log in again.
 
Error - 29/11/2015 11:20:06 PM | Computer Name = WINDOWS-MI1I12B | Source = UmrdpService | ID = 1111
Description = Driver PDFCreator required for printer PDFCreator is unknown. Contact
 the administrator to install the driver before you log in again.
 
[ VisualSVNServer Events ]
Error - 25/11/2015 5:31:29 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Provider encountered an error while streaming a REPORT response.  
[400, #0]  [client 118.200.140.29]
 
Error - 26/11/2015 6:51:03 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Provider encountered an error while streaming a REPORT response.  
[500, #0]  [client 103.242.97.30]
 
Error - 26/11/2015 6:51:03 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = A failure occurred while driving the update report editor  [500, #106]
[client
 103.242.97.30]
 
Error - 26/11/2015 6:51:03 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Error writing base64 data: Unknown error  [500, #106]  [client 103.242.97.30]
 
Error - 27/11/2015 12:48:09 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Provider encountered an error while streaming a REPORT response.  
[500, #0]  [client 111.84.195.30]
 
Error - 27/11/2015 12:48:09 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = A failure occurred while driving the update report editor  [500, #106]
[client
 111.84.195.30]
 
Error - 27/11/2015 12:48:09 AM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Error writing base64 data: Unknown error  [500, #106]  [client 111.84.195.30]
 
Error - 27/11/2015 10:04:34 PM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Provider encountered an error while streaming a REPORT response.  
[500, #0]  [client 118.200.140.29]
 
Error - 27/11/2015 10:04:34 PM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = A failure occurred while driving the update report editor  [500, #106]
[client
 118.200.140.29]
 
Error - 27/11/2015 10:04:34 PM | Computer Name = WINDOWS-MI1I12B | Source = VisualSVN Server 3.3 | ID = 1001
Description = Error writing base64 data: Unknown error  [500, #106]  [client 118.200.140.29]
 
 
< End of report >

  • Update on computer performance

Because it is a server accessed remotely, I wouldn't be able to tell the performance differences in the usual way. However, I do notice a more consistent CPU idle process.