Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Performed system restore to remove rootkit. Is this machine clean now?


  • This topic is locked This topic is locked
15 replies to this topic

#1 anova13

anova13

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 16 January 2017 - 12:54 PM

Hello and thanks in advance for your help.

 

About more than a month ago I was browsing a generic web forum and making google queries about relevant subjects of interest, until google popped for me the "prove that you are not a robot" screen.

I read about it and saw that this may happen if your machine is infected with malware, so I launched Gmer (with which I scan the machine about once a month).

Gmer found rootkit entries after the initial launch scan (unfortunately I didn't save those results). Since it was late, I asked Avast for a boot time full scan and went to sleep.

The next day the desktop screen was all black, so I hit the reset button - windows would not boot at all and I was getting a black screen each time I hit the reset button. So, unfortunately I don't know what exactly happened during that boot time Avast scan either...

I then booted with a recovery disk and performed a system restore @2 days before the incident.

 

The PC did boot into windows after that system restore and is working fine since then, although for a few days I was getting a few random blue screens here and there.

Of course I rerun Gmer right away and although the launch scan did not mark any rootkit activity, I noticed a lot of SSDT entries, which were never there before the incident.

 

 

I am afraid I have succumbed to "paranoia" since then and have run every single scanner I could find online - all clean. Other than that the only oddity are a few "The system could not find the file specified" by SysInternals' Autoruns, run with admin privileges. Another weird incident was that my laptop, connected to the same router, also showed a single rootkit entry with Gmer after the desktop incident - I don't know if it could have been a false positive (I never got rootkit hits for as long as I can remember, 15 years+). I disabled that entry through Gmer, rebooted, and never saw anything else on the laptop either, since.

I still have this strange feeling that something rogue is hiding in there - probably over-reacting, but still, could you please take a look into my logs? 

 

Gmer/FRST64 logs for my desktop attached.

 

Thank you kindly.

Attached Files


Edited by anova13, 16 January 2017 - 05:48 PM.


BC AdBot (Login to Remove)

 


#2 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 17 January 2017 - 04:04 PM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • print or copy & save instructions.
  • back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only that tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic til you get the all clean post.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(it takes a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:



createsrpoint;
filesrcm; 
uninstall-list;
iedefaults;
ffdefaults;
chrdefaults;
emptyclsid;
emptyalltemp;
autoclean;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Copy and paste the log to your next reply please.
 

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 17 January 2017 - 05:39 PM

Hello Jo,

thanks, I appreciate your help.

 

Here are the logs you asked for:

--------------------------------------

 

checkup.txt

 

notcheckup31.txt 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
--------------------------------------
 
zoek-results.txt
 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Jim on ’¨  17/01/2017 at 23:32:57,17.
Microsoft Windows 10 Pro 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Jim\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
17/1/2017 11:34:46 μμ Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Epson Software deleted successfully
C:\PROGRA~2\Freemake deleted successfully
C:\PROGRA~2\Malwarebytes' Anti-Malware deleted successfully
C:\PROGRA~2\Sony Ericsson deleted successfully
C:\PROGRA~2\WAV to MP3 Encoder deleted successfully
C:\PROGRA~2\COMMON~1\EPSON deleted successfully
C:\PROGRA~3\APN deleted successfully
C:\PROGRA~3\clone.AD deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\Freemake deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\PROGRA~3\Sony Ericsson deleted successfully
C:\Users\DefaultAppPool\AppData\LocalLow deleted successfully
C:\Users\Jim\AppData\Local\._Revolution_ deleted successfully
C:\Users\Jim\AppData\Local\ActiveSync deleted successfully
C:\Users\Jim\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Jim\AppData\Local\EmieSiteList deleted successfully
C:\Users\Jim\AppData\Local\EmieUserList deleted successfully
C:\Users\Jim\AppData\Local\PeerDistRepub deleted successfully
C:\Users\Jim\AppData\Local\Skype deleted successfully
C:\Users\Jim\AppData\Local\Unity deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\jucvs2aq.default-1432054248572\prefs.js:
user_pref("browser.startup.homepage", "http://www.in.gr/");
 
Added to C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\jucvs2aq.default-1432054248572\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Batch Command(s) Run By Tool======================
 
C:\WINDOWS\system32\appdata deleted
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\Epson Software not found
C:\PROGRA~2\Freemake not found
C:\PROGRA~2\Sony Ericsson not found
C:\PROGRA~2\WAV to MP3 Encoder not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\PROGRA~2\Sorian AI Mod deleted
C:\WINDOWS\syswow64\appdata deleted
C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Jim\AppData\Local\Pokki deleted
C:\Users\Jim\AppData\LocalLow\Unity deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\WINDOWS\SysWow64\AI_RecycleBin deleted
C:\Users\Jim\Documents\Updater deleted
"C:\Users\Jim\AppData\Roaming\gnuplot_history" deleted
"C:\PROGRA~2\Bonjour\mdnsNSP.dll" deleted
"C:\PROGRA~2\Bonjour" not deleted
 
==== Files Recently Created / Modified ======================
 
====== C:\WINDOWS ====
====== C:\Users\Jim\AppData\Local\Temp ====
====== Java Cache =====
====== C:\WINDOWS\SysWOW64 =====
====== C:\WINDOWS\SysWOW64\drivers =====
====== C:\WINDOWS\Sysnative =====
====== C:\WINDOWS\Sysnative\drivers =====
====== C:\WINDOWS\Tasks ======
====== C:\WINDOWS\Temp ======
======= C:\Program Files =====
======= C:\PROGRA~2 =====
======= C: =====
====== C:\Users\Jim\AppData\Roaming ======
====== C:\Users\Jim ======
 
====== C: exe-files ==
=== C: other files ==
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\jucvs2aq.default-1432054248572
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\Alwil Software\Avast5\SafePrice\FF" [17/12/2016 12:43 ££]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\Alwil Software\Avast5\SafePrice\FF" [17/12/2016 12:43 ££]
 
==== Firefox Extensions ======================
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Skype Click to Call - %AppDir%\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\jucvs2aq.default-1432054248572
8CE35D76726DFC8C3848BB26B3C79A54 - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll - Shockwave for Director / Shockwave for Director
9E602A9634AC3EFA8CD5BC4CD943416B - C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll - Shockwave Flash
 
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.86
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
daanglpcpkjjlkhcbladppjphglbigam - No path found[]
efaidnbmnnnibpcajpcglclefindmkaj - No path found[]
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx[]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx[]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx[31/01/2013 09:40 §£]
 
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bbjllphbppobebmjpjcijfbakobcheof - No path found[]
hknpjpodmmapnfjhnblgmalmaanpajhc - C:\ProgramData\VideoDownloaderUltimate\Chrome\VideoDownloaderUltimate.crx[]
 
Rapport - Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof
Avast Online Security - Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Skype - Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Chrome Media Router - Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_adserver.adtechus.com_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_adserver.adtechus.com_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d10lpsik1i8c69.cloudfront.net_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d10lpsik1i8c69.cloudfront.net_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage-journal deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gomekmidlodglbbmalcneegieacbdmki_0.localstorage deleted successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gomekmidlodglbbmalcneegieacbdmki_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.in.gr/"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.in.gr/"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{D6C60F4B-2951-44E2-80B2-0C687D41F7E6}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
HKCU\SearchScopes\{D6C60F4B-2951-44E2-80B2-0C687D41F7E6} - http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
 
==== Reset Google Chrome ======================
 
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Preferences_before_uninstall was reset successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Uninstall List x64 ======================
 
3DMark 11 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{46EDCFA5-7EDB-46A9-B093-1C6237470CEC}]
3DMark06  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}]
7-Zip 9.20 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip]
?Torrent  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\uTorrent]
ABBYY FineReader 9.0 Sprint [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ABBYY FineReader 9.0 Sprint]
ABBYY FineReader 9.0 Sprint [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F9000000-0018-0000-0000-074957833700}]
AMD APP SDK Runtime [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{503F672D-6C84-448A-8F8F-4BC35AC83441}]
AMD Accelerated Video Transcoding [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A47E1D0E-FBAC-369C-DCC2-DC21E3D48E2F}]
AMD Catalyst Control Center [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WUCCCApp]
AMD Catalyst Control Center [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3C7B5C75-FD82-BC1F-F148-89A3189EF385}]
AMD Catalyst Install Manager [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{7E5DC2C5-115A-322B-976C-219237FAED66}]
AMD Drag and Drop Transcoding [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{08347912-0AA5-C85E-BC02-416568E741B4}]
AMD Fuel [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{36FAF585-3D08-3D84-8330-4D048F4B6CE6}]
AMD Media Foundation Decoders [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0249EDBC-2C22-7C9D-A3B0-20906826064C}]
AMD Wireless Display v3.0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{630E5EF7-72F8-9E5D-BEF5-ED85B698E160}]
AMD Wireless Display v3.0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D7C275A6-3266-0FBC-2D84-17A6AC226F01}]
ATI Catalyst Registration [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11083C7A-D0D6-4DA4-8C3A-74B8389EC07B}]
Adobe Acrobat Reader DC [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}]
Adobe Anchor Service CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90176341-0A8B-4CCC-A78D-F862228A6B95}]
Adobe Asset Services CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}]
Adobe Bridge 1.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B74D4E10-1033-0000-0000-000000000001}]
Adobe Bridge CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9C9824D9-9000-4373-A6A5-D0E5D4831394}]
Adobe Bridge Start Meeting [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{08B32819-6EEF-4057-AEDA-5AB681A36A23}]
Adobe CMaps [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}]
Adobe Camera Raw 4.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}]
Adobe Color Common Settings [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}]
Adobe Color EU Extra Settings [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{51846830-E7B2-4218-8968-B77F0FF475B8}]
Adobe Color JA Extra Settings [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}]
Adobe Color NA Recommended Settings [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{95655ED4-7CA5-46DF-907F-7144877A32E5}]
Adobe Common File Installer [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8EDBA74D-0686-4C99-BFDD-F894678E5B39}]
Adobe Device Central CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}]
Adobe ExtendScript Toolkit 2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}]
Adobe Flash CS3 Professional [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe_c3c7fe8b09d497ab2b3fd91c9353390]
Adobe Flash CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6B52140A-F189-4945-BFFC-DB3F00B8C589}]
Adobe Flash Player 24 NPAPI [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI]
Adobe Flash Video Encoder [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}]
Adobe Help Center 1.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E9787678-1033-0000-8E67-000000000001}]
Adobe Help Viewer CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{04AF207D-9A77-465A-8B76-991F6AB66245}]
Adobe Linguistics CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{54793AA1-5001-42F4-ABB6-C364617C6078}]
Adobe PDF Library Files [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}]
Adobe Photoshop CS2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}]
Adobe Photoshop CS2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{236BB7C4-4419-42FD-0409-1E257A25E34D}]
Adobe Refresh Manager [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-0804-1033-1959-001824211354}]
Adobe Setup [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FFC1ADE3-944B-4231-894E-3903C37271D2}]
Adobe Shockwave Player 12.2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Shockwave Player]
Adobe Stock Photos 1.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{786C5747-1033-0000-B58E-000000000001}]
Adobe Type Support [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}]
Adobe Update Manager CS3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E69AE897-9E0B-485C-8552-7841F48D42D8}]
Adobe Version Cue CS3 Client [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D0DFF92A-492E-4C40-B862-A74A173C25C5}]
Adobe WinSoft Linguistics Plugin [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}]
Amazon MP3 Downloader 1.0.9 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Amazon MP3 Downloader]
AppServ 2.5.10 (remove only) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AppServ]
Ashampoo Burning Studio Elements 10.0.9 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Ashampoo Burning Studio Elements_is1]
Autorun Eater v2.5 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Autorun Eater_is1]
Avast Free Antivirus [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\avast]
AviSynth 2.5 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AviSynth]
BB FlashBack Express 5 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BB FlashBack Express 5]
BB FlashBack Pro 5 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BB FlashBack Pro 5]
Baldur's Gate II: Enhanced Edition [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 257350]
Battle.net  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Battle.net]
CCC Help Chinese Standard [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6D7A146A-BD56-8EE1-FCC7-BE02013ACE36}]
CCC Help Chinese Standard [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{703F229F-573E-10E7-3B44-341DB59AD86B}]
CCC Help Chinese Traditional [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{489E5436-B101-CAD9-5571-14746675ECE3}]
CCC Help Chinese Traditional [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AFDFBED8-CC9A-8E00-015D-845F0BF9D1E1}]
CCC Help Czech [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7E0B1563-7607-00D7-21CE-7DAFA6FF009C}]
CCC Help Czech [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BBA1614E-6470-7841-8A42-ABD5BA7B3FFE}]
CCC Help Danish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1E93452B-BA3E-7375-958C-EBC5E8672A5E}]
CCC Help Danish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AA0E1433-8F16-AA01-E8E9-E6408579D0D8}]
CCC Help Dutch [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{504819D1-3C0A-2695-0007-BBDFA5936D68}]
CCC Help Dutch [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3EAC1D2-A492-7B08-A9D5-15EDD5EA1A89}]
CCC Help English [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6C495748-5F03-0B97-568B-76D0368FB460}]
CCC Help English [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7D94356D-48E0-DE1A-423C-67A363C13771}]
CCC Help Finnish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D9CBA021-DB41-9736-923F-52E3E426912D}]
CCC Help Finnish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F6860530-9733-0BB2-9C09-F25101076E78}]
CCC Help French [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AAAE97DA-1E8B-C0E9-F0E3-5481A09F97C8}]
CCC Help French [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B03A580A-5D67-DAC5-59A1-7AD7C513381C}]
CCC Help German [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3310DD5A-3695-3390-6F38-2B93D862FE02}]
CCC Help German [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{69DF4822-9B16-CE04-7587-22E09FB5FD1D}]
CCC Help Greek [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4D72F94C-95A5-AA85-E75B-A1A1CB8FCE7A}]
CCC Help Greek [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{968C0E92-6DA9-5784-9A0B-1061D0CB2C14}]
CCC Help Hungarian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11BC8F83-7260-65EB-3E0A-FA7AC894B42D}]
CCC Help Hungarian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A3168DE0-479A-D5EC-59C4-0278C7DEC11C}]
CCC Help Italian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{71971AE8-C8F3-3C62-FB89-AC41A96761AB}]
CCC Help Italian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FE4DC915-D724-E72C-EF86-DC5B89961ACF}]
CCC Help Japanese [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6953ECF8-0B1B-FBD7-0DDB-84C82FBBC2F4}]
CCC Help Japanese [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C9353DBC-A47C-2C9B-AF32-5E2C8B4E3D3A}]
CCC Help Korean [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{37DBC990-C514-3821-D6FB-12E0745AA990}]
CCC Help Korean [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5DA870C0-BC5C-BE96-5045-BD429959C0D3}]
CCC Help Norwegian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{79E3071B-8A0C-C105-6442-CF611732601E}]
CCC Help Norwegian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{87006B27-A5A6-9EF1-BA04-CD7284462419}]
CCC Help Polish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A12E8E1A-A77D-94E5-72F8-E83D6256AF11}]
CCC Help Polish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BF44ADDF-E927-4B66-E829-4AF27BF6A58B}]
CCC Help Portuguese [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5F3182EE-2532-3B96-2BBB-03B87F574E76}]
CCC Help Portuguese [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AD5E3969-F0C0-ECBF-45E5-C36B84904281}]
CCC Help Russian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{947E1256-258E-60A2-7331-44D09E61CF99}]
CCC Help Russian [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CFA2067C-AE90-3BF9-06AF-E7E65E679B3D}]
CCC Help Spanish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{110E4EE7-85A9-B76B-B943-C0C1CF0C2F74}]
CCC Help Spanish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7F8B68A2-0CD0-7DAF-8955-1419C60886D3}]
CCC Help Swedish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2B642F70-BA82-5E78-41CE-BDFFD5C37530}]
CCC Help Swedish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{42A97797-A255-49F9-4250-D58A9CEA2904}]
CCC Help Thai [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{31BC0B51-0676-A531-3940-1818B609EEA7}]
CCC Help Thai [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7DE27D8A-1D73-61EB-86F1-079AF7E55C3A}]
CCC Help Turkish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2EA40F3D-0D93-A391-F383-6F1C708B80BF}]
CCC Help Turkish [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9DB45EC2-90E7-642D-7CF9-5AC2FBDC14F7}]
COSMOTE Internet On The Go [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A899DA1F-D626-401C-8651-F2921E3B4CB3}]
COSMOTE MF Series driver version 1.2059.0.8 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZTE_1.2059.0.8]
CPUID HWMonitor 1.21 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPUID HWMonitor_is1]
Catalyst Control Center - Branding [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11087D24-567D-7D88-69C6-D7A08B5F4C47}]
Catalyst Control Center Graphics Previews Common [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9114BDDB-A6A6-152D-060A-E99307057AD1}]
Catalyst Control Center InstallProxy [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{257C7A78-535E-1450-C720-AE353876C816}]
Catalyst Control Center InstallProxy [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D7D20EB4-BD89-05C0-05C6-33E5B762989E}]
Catalyst Control Center Localization All [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{315D9E6B-98B1-1E2B-9E93-B36A0B104224}]
Catalyst Control Center Localization All [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5644668B-04A5-68F6-0AA9-03255877C58F}]
ControlCenter  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{009E5DF2-3F97-480B-89DA-F2D5E672E14A}_is1]
CutePDF Writer 3.0 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutePDF Writer Installation]
D3DX10  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E09C4DB7-630C-4F06-A631-8EA7239923AF}]
DVD Shrink 3.2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DVD Shrink_is1]
Diablo III [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Diablo III]
Dino D-Day [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 70000]
DivX Setup [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DivX Setup]
FLV Player 2.0 (build 25) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FLV Player]
FileZilla Client 3.7.3 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FileZilla Client]
Football Manager 2014 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 231670]
Forged Alliance Forever [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{EF37C7C0-1281-4452-8A3F-D71215478D63}]
Free YouTube Downloader 4.1.400 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1]
Futuremark SystemInfo [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}]
GPGNet  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C194D333-B84A-4BB7-B35E-060732D98DC4}]
Google Chrome [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome]
Google Earth Plug-in [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}]
Google Update Helper [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}]
Google Update Helper [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}]
Gordian Knot Rip Pack 0.35.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gordian Knot]
HP Customer Experience Enhancements [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{64228DFB-7450-49B7-935C-B97342CB6659}]
HP DeskJet 4670 series Basic Device Software [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4C7E368E-C145-47DC-98F2-D858E5E448EA}]
HP DeskJet 4670 series Help [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E8AECAA9-A451-4D79-A2A8-D3BEDA917B7D}]
HP Dropbox Plugin [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{23617173-F935-4C17-A323-EB1207F3ED49}]
HP Google Drive Plugin [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AFF80405-E56A-48E7-98FC-8E46E261949F}]
HP Photo Creations [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\HP Photo Creations]
HP Support Assistant [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{56D27851-B9A6-430F-875A-E2D7A3802C7B}]
HP Support Solutions Framework [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1CF12646-4DC2-4CDD-B073-4907562A3B96}]
HP Update [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}]
Homeworld2  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Homeworld2]
I.R.I.S. OCR [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C60E2D8F-0FC0-497D-A149-90F3B361937C}]
ImgBurn  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ImgBurn]
Java 8 Update 111 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180111F0}]
Java SE Development Kit 7 Update 45 (64-bit) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170450}]
Java SE Development Kit 8 Update 45 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{32A3A4F4-B792-11D6-A78A-00B0D0180450}]
Junk Mail filter update [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}]
Kaspersky Security Scan [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallWIX_{D1282694-0693-41A8-ABC1-6D1FFC1F65C5}]
Kaspersky Security Scan [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D1282694-0693-41A8-ABC1-6D1FFC1F65C5}]
Kaspersky Software Updater Beta [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallWIX_{94C8D443-1D07-4E6D-A9EB-FDBA45A839D8}]
Kaspersky Software Updater Beta [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{94C8D443-1D07-4E6D-A9EB-FDBA45A839D8}]
MSI Live Update 6 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4F46CF54-47D2-41F4-B230-B0954C544420}}_is1]
MSVCRT  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}]
MSVCRT_amd64  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D0B44725-3666-492D-BEF6-587A14BD9BD9}]
MSXML 4.0 SP3 Parser (KB2721691) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}]
MSXML 4.0 SP3 Parser (KB2758694) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}]
MSXML 4.0 SP3 Parser (KB973685) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}]
MSXML 4.0 SP3 Parser [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{196467F1-C11F-4F76-858B-5812ADC83B94}]
Malwarebytes Anti-Malware version 2.2.1.1043 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Malware_is1]
Media Go [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5C318BD3-BA72-43E4-9D16-A18210B4A5A5}]
Memeo Instant Backup [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8E666407-AC41-46a2-9692-6C7BFCBFDD37}]
Mesh Runtime [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}]
Messenger Companion [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{50816F92-1652-4A7C-B9BC-48F682742C4B}]
Microsoft .NET Framework 4.6.1 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BD6F5371-DAC1-30F0-9DDE-CAC6791E28C3}]
Microsoft DVD App Installation for Microsoft.WindowsDVDPlayer_2019.6.13291.0_neutral_~_8wekyb3d8bbwe (x64) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{25E80DAA-FD87-DCE5-202C-CC02F6673002}]
Microsoft IntelliPoint 8.2 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft IntelliPoint 8.2]
Microsoft IntelliPoint 8.2 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{624C7F0A-89B2-4C49-9CAB-9D69613EC95A}]
Microsoft Office Professional Edition 2003 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90110408-6000-11D3-8CFE-0150048383C9}]
Microsoft SQL Server 2005 Compact Edition [ENU] [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}]
Microsoft Search Enhancement Pack [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}]
Microsoft Silverlight [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}]
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{770657D0-A123-3C07-8E44-1C83EC895118}]
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}]
Microsoft Visual C++ 2005 Redistributable (x64) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{071c9b48-7c32-4621-a0ac-3f809523288f}]
Microsoft Visual C++ 2005 Redistributable (x64) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}]
Microsoft Visual C++ 2005 Redistributable [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}]
Microsoft Visual C++ 2005 Redistributable [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7299052b-02a4-4627-81f2-1818da5d550d}]
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}]
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}]
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{8220EEFE-38CD-377E-8595-13398D740ACE}]
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}]
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}]
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}]
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{15134cb0-b767-4960-a911-f2d16ae54797}]
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}]
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{22154f09-719a-4619-bb71-5b3356999fbf}]
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}]
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AC53FC8B-EE18-3F9C-9B59-60937D0B182C}]
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}]
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A2CB1ACB-94A2-32BA-A15E-7D80319F7589}]
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}]
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FDB30193-FDA0-3DAA-ACCA-A75EEFE53607}]
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9}]
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2F73A7B2-E50E-39A6-9ABC-EF89E4C62E36}]
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}]
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f65db027-aff3-4070-886a-0d87064aabb1}]
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}]
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}]
Might & Magic: Heroes VI [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 48220]
Mozilla Firefox 50.1.0 (x86 en-US) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 50.1.0 (x86 en-US)]
Mozilla Maintenance Service [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService]
Mp3tag v2.49a [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mp3tag]
NEC Electronics USB 3.0 Host Controller Driver [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}]
NEC Electronics USB 3.0 Host Controller Driver [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D7BF9739-8A68-4335-BBEE-37752AD9E86B}]
NetBeans IDE 7.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\nbi-nb-base-7.0.0.0.0]
NetBeans IDE 7.4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nbi-nb-base-7.4.0.0.201310111528]
NetBeans IDE 8.0.2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\nbi-nb-base-8.0.2.0.201411181905]
OpenAL  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OpenAL]
Overwatch  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Overwatch]
PDF Settings [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}]
PDFBinder  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8BA03AC2-579F-41CD-A250-740137D86F7A}]
PS3 Video 9 6 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PS3 Video 9]
Path of Exile [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90A4562F-D4A1-4B65-906D-41F236CF6902}]
Pdf995  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Pdf995]
PlayStation®Network Downloader [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B6659DD8-00A7-4A24-BBFB-C1F6982E5D66}]
PlayStation®Store  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}]
Popcorn Time [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Popcorn Time]
QuickTime 7 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}]
R for Windows 2.12.2 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\R for Windows 2.12.2_is1]
Rampant Logic Postscript Viewer 1.1 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{39C4C6DE-641B-483F-B875-2AEDF0FB85CA}_is1]
Rapport  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}]
Rapport  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}]
Realtek Ethernet Controller Driver [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}]
Realtek High Definition Audio Driver [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}]
Rtools 2.12 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Rtools_is1]
SafeZone Stable 1.51.2220.62 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SafeZone 1.51.2220.62]
Samsung_MonSetup  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8EA79DBF-D637-448A-89D6-410A087A4493}]
Seagate Dashboard [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C3A11907-930D-41AC-A135-CC3B12F92011}]
Security Update for CAPICOM (KB931906) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}]
Skype Click to Call [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B6CF2967-C81E-40C0-9815-C05774FEF120}]
Skype? 7.31 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FC965A47-4839-40CA-B618-18F486F042C6}]
Sophos Virus Removal Tool [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B829E117-D072-41EA-9606-9826A38D34C1}]
Sorian AI Mod 2.1.2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sorian AI Mod_is1]
SpeedFan (remove only) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SpeedFan]
Spybot - Search & Destroy [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1]
Star Wars: The Old Republic [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3B11D799-48E0-48ED-BFD7-EA655676D8BB}]
StarCraft II [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StarCraft II]
Steam  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{048298C9-A4D3-490B-9FF9-AB023A9238F3}]
Strike Suit Infinity [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 234160]
Strike Suit Zero [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 209540]
Subtitle Edit 3.3.5 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SubtitleEdit_is1]
Supreme Commander - Forged Alliance [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{31D95937-B237-405D-920C-A3EF4E482395}]
Supreme Commander [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{25A1E6A4-2DBD-4AC0-8650-8EA9A45B183D}]
SysTools Outlook Express Restore [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SysTools Outlook Express Restore - Demo Version_is1]
Tag&Rename 3.5.7 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Tag&Rename_is1]
TeamSpeak 3 Client [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TeamSpeak 3 Client]
TeamViewer 11 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer]
TechPowerUp GPU-Z [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TechPowerUp GPU-Z]
Text-To-Speech-Runtime  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}]
The Lord of the Rings FREE Trial  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{8ACC73AA-6511-7C55-B1A9-8E5D1DEAFAA3}]
The Ur-Quan Masters 0.7.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\The Ur-Quan Masters]
Tom Clancy's H.A.W.X [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6E36A172-06FB-4BC8-B7FC-D30D219E6776}]
Trusteer Endpoint Protection [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Rapport_msi]
Ubisoft Game Launcher [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{888F1505-C2B3-4FDE-835D-36353EBD4754}]
VC80CRTRedist - 8.0.50727.6195 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{933B4015-4618-4716-A828-5289FC03165F}]
VLC media player 2.1.1 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player]
VobSub v2.23 (Remove Only) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\VobSub]
WinDirStat 1.1.2 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinDirStat]
WinRAR 4.20 (64-bit) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver]
Windows 10 Upgrade Assistant [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}]
Windows Live Communications Platform [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D45240D3-B6B3-4FF9-B243-54ECE3E10066}]
Windows Live Essentials [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WinLiveSuite]
Windows Live Essentials [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}]
Windows Live Family Safety [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{02A5BD31-16AC-45DF-BE9F-A3167BC4AFB2}]
Windows Live Family Safety [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0D87AE67-14EB-4C10-88A5-DA6C3181EB18}]
Windows Live ID Sign-in Assistant [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}]
Windows Live Installer [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0B0F231F-CE6A-483D-AA23-77B364F75917}]
Windows Live Language Selector [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{027E5FAB-1476-4C59-AAB4-32EF28520399}]
Windows Live MIME IFilter [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{DA54F80E-261C-41A2-A855-549A144F2F59}]
Windows Live Mail [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9D56775A-93F3-44A3-8092-840E3826DE30}]
Windows Live Mail [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C66824E4-CBB3-4851-BB3F-E8CFD6350923}]
Windows Live Mesh ActiveX Control for Remote Connections [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}]
Windows Live Mesh [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A0C91188-C88F-4E86-93E6-CD7C9A266649}]
Windows Live Mesh [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DECDCB7C-58CC-4865-91AF-627F9798FE48}]
Windows Live Messenger Companion Core [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}]
Windows Live Messenger [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}]
Windows Live Messenger [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E5B21F11-6933-4E0B-A25C-7963E3C07D11}]
Windows Live Movie Maker [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{19BA08F7-C728-469C-8A35-BFBD3633BE08}]
Windows Live Movie Maker [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92EA4134-10D1-418A-91E1-5A0453131A38}]
Windows Live PIMT Platform [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{83C292B7-38A5-440B-A731-07070E81A64F}]
Windows Live Photo Common [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}]
Windows Live Photo Common [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D436F577-1695-4D2F-8B44-AC76C99E0002}]
Windows Live Photo Gallery [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3336F667-9049-4D46-98B6-4C743EEBC5B1}]
Windows Live Photo Gallery [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{34F4D9A4-42C2-4348-BEF4-E553C84549E7}]
Windows Live Remote Client Resources [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}]
Windows Live Remote Client [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{DF6D988A-EEA0-4277-AAB8-158E086E439B}]
Windows Live Remote Service Resources [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}]
Windows Live Remote Service [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}]
Windows Live SOXE Definitions [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{200FEC62-3C34-4D60-9CE8-EC372E01C08F}]
Windows Live SOXE [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{682B3E4F-696A-42DE-A41C-4C07EA1678B4}]
Windows Live Sync [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}]
Windows Live UX Platform Language Pack [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}]
Windows Live UX Platform [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}]
Windows Live Writer Resources [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}]
Windows Live Writer [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A726AE06-AAA3-43D1-87E3-70F510314F04}]
Windows Live Writer [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}]
Windows Live Writer [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AAF454FC-82CA-4F29-AB31-6A109485E76E}]
Windows Media Player Firefox Plugin [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}]
Windows XP Mode [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}]
World of Warcraft [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\World of Warcraft]
XSplit Gamecaster [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CD5D1B7C-E018-4F6A-92BD-6BB998CCC82D}]
Xperia Companion Service [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{7D8E3C78-DA8C-4BBC-86BC-6A42068EE7C2}]
Xperia Companion [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{34D872B2-47FB-40A4-8C3F-915EA14F2586}]
Xperia Companion [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f494d3ac-4796-4bbd-b7a0-1873600d110d}]
XviD MPEG4 Video Codec (remove only) [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\XviD MPEG4 Video Codec]
YouTube Downloader App 3.00 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\YouTube Downloader App]
ccc-utility64  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9C2E250-17A1-0D68-CB41-83232EC31C2C}]
foobar2000 v1.2.2 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\foobar2000]
iCare Data Recovery Free 5.0 [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\iCare Data Recovery Free_is1]
mkv2vob  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}]
swMSM  [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{612C34C7-5E90-47D8-9B5C-0F717DD82726}]
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki deleted successfully
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\hknpjpodmmapnfjhnblgmalmaanpajhc deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dropbox Update deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON PX720WD Series deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Live Update 5 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Companion deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vdultimate_chrome deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Jim\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Jim\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Jim\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Jim\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\Jim\AppData\Local\Mozilla\Firefox\Profiles\jucvs2aq.default-1432054248572\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
No Flash Cache Found
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=220 folders=117 98512160 bytes)
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Jim\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\PROGRA~2\Bonjour"  not found
 
==== EOF on ’« 18/01/2017 at  0:33:46,21 ======================
 
 
--------------------------------
 


#4 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 17 January 2017 - 05:51 PM

Hello,
 

***


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt

 
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [NWEReboot] => [X]
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1768868742-2019341739-1117648865-1001\...\MountPoints2: {a35156bf-b31f-11e6-a931-4061862cb36a} - "E:\Startme.exe" 
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1768868742-2019341739-1117648865-1001 -> DefaultScope {D6C60F4B-2951-44E2-80B2-0C687D41F7E6} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
SearchScopes: HKU\S-1-5-21-1768868742-2019341739-1117648865-1001 -> {D6C60F4B-2951-44E2-80B2-0C687D41F7E6} URL = hxxp://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (DivX Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 7 U21) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll => No File
CHR HKU\S-1-5-21-1768868742-2019341739-1117648865-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hknpjpodmmapnfjhnblgmalmaanpajhc] - C:\ProgramData\VideoDownloaderUltimate\Chrome\VideoDownloaderUltimate.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx <not found>
File: C:\Users\Jim\AppData\Local\Temp\mfe_rr.sys
U3 idsvc; no ImagePath
2017-01-06 00:53 - 2017-01-06 00:53 - 00010022 _____ C:\Users\Jim\AppData\Local\Temp77.html
2017-01-06 00:40 - 2017-01-06 00:40 - 00008232 _____ C:\Users\Jim\AppData\Local\Temp50.html
2017-01-06 00:36 - 2017-01-06 00:36 - 00008986 _____ C:\Users\Jim\AppData\Local\Temp27.html
2017-01-06 00:33 - 2017-01-06 00:33 - 00001293 _____ C:\Users\Jim\AppData\Local\Temp1.html
Folder: C:\Program Files\WindowsApps
2017-01-06 00:33 - 2017-01-06 00:33 - 0001293 _____ () C:\Users\Jim\AppData\Local\Temp1.html
2017-01-06 00:36 - 2017-01-06 00:36 - 0008986 _____ () C:\Users\Jim\AppData\Local\Temp27.html
2017-01-06 00:40 - 2017-01-06 00:40 - 0008232 _____ () C:\Users\Jim\AppData\Local\Temp50.html
2017-01-06 00:53 - 2017-01-06 00:53 - 0010022 _____ () C:\Users\Jim\AppData\Local\Temp77.html
Popcorn Time (HKU\S-1-5-21-1768868742-2019341739-1117648865-1001\...\Popcorn Time) (Version:  - Popcorn Official) <==== ATTENTION
Task: {00DA5B7D-470D-4C70-94B5-F398C39BAE33} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {00E96671-97CF-4A42-9C44-1ADDA6777497} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {16948153-4634-4157-A595-59590FA9844D} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {17C1CFCD-012C-49D0-8DDD-E8B980C82B41} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {337C7631-9F12-4E20-8922-6A8A05E73A5A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {56018778-52A2-47CA-A8DF-65D80FC98CB2} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {59386B4B-D971-4354-B196-B95400D1D374} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {5E0B4E25-9891-4B47-BD9A-FF5E347C4AC7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6F5C8FE6-45BA-4EB1-BD21-DADD23E99DCE} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {729633E1-A1A5-4B9C-9A08-29D62BF2C12A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {97021DD1-2C6B-4C00-8518-A62659C3A92B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A374F5A1-D412-4999-B176-FDD654C45B75} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B3236E98-E302-43D0-9279-D96F5BA1E9F5} - System32\Tasks\{1348A3B3-5B2E-4EED-8996-271651633BAE} => Firefox.exe hxxp://ui.skype.com/ui/0/5.10.0.116/en/abandoninstall?source=lightinstaller&amp;page=tsMain
Task: {CB346EC3-A632-4AFE-9794-CF1805968898} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {df79be18-78cf-4ccc-9842-45a75b5e87ce} - no filepath
Task: {F62B0BF1-12D9-41EF-9DB7-2EF3FFD36542} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {FC6BBB5D-B938-40CB-8741-033E9C995CDB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:2A81F9CE [196]
MSCONFIG\startupreg: EPSON PX720WD Series => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGYE.EXE /FU "C:\Windows\TEMP\E_S5F08.tmp" /EF "HKCU"
FirewallRules: [TCP Query User{A3112AE9-EF63-456F-895F-934980C3F8DF}C:\users\jim\appdata\local\popcorn time\nw.exe] => C:\users\jim\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{9147037B-652B-4214-9BEF-C8DDEAFE1522}C:\users\jim\appdata\local\popcorn time\nw.exe] => C:\users\jim\appdata\local\popcorn time\nw.exe
FirewallRules: [{1DFC3F2D-ACF3-479A-99B7-C66F077C421F}] => C:\Users\Jim\AppData\Local\Temp\7zS1254\HP.EasyStart.exe
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FSRT64 again as Administrator like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

---

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 17 January 2017 - 06:24 PM

I am having trouble pasting the Fixlog.txt contents. Chrome becomes unresponsive upon pasting, FF shows the text but when I press "Post", it tries to save message for a few seconds then stops.

Any advice?



#6 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 17 January 2017 - 06:37 PM

try to attach the file as you did it in your post #1

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 17 January 2017 - 06:45 PM

Ah, didn't see the "more reply options" button ! Thx

Attached Files


Edited by anova13, 17 January 2017 - 06:46 PM.


#8 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 17 January 2017 - 06:56 PM

Hello,

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them.Do not reboot your computer after running rkill as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.4.5.2467.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3: Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

---


:step4: How the computer is running now?


---


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 17 January 2017 - 07:57 PM

Here are the logs requested.

I am afraid I need to go to sleep now as I work in a few hours. Will read you response asap tomorrow.

Thank you for your time so far !

 

-----------------------------------

Run RKill64.exe that I had already downloaded from a trusted source a few days ago.

Nothing special to report.

 

-----------------------------------

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/1/2017
Scan Time: 2:02 πμ
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.01.17.10
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Jim

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 384302
Time Elapsed: 52 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

-------------------------------------------

 

Farbar Service Scanner Version: 27-01-2016
Ran by Jim (administrator) on 18-01-2017 at 02:56:34
Running from "C:\Users\Jim\Desktop"
Microsoft Windows 10 Pro  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

 

--------------------------------------

 

The machine seems to be running normally.


Edited by anova13, 17 January 2017 - 07:59 PM.


#10 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 18 January 2017 - 03:45 AM

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


How the computer is running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 18 January 2017 - 04:19 PM

Malwarebytes Anti-Rootkit BETA 1.9.3.1001

www.malwarebytes.org

 

Database version:

  main:    v2017.01.18.07

  rootkit: v2016.11.20.01

 

Windows 10 x64 NTFS

Internet Explorer 11.576.14393.0

Jim :: SILEO-55 [administrator]

 

18/1/2017 6:19:19 μμ

mbar-log-2017-01-18 (18-19-19).txt

 

Scan type: Quick scan

Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: 

Objects scanned: 382465

Time elapsed: 52 minute(s), 8 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

Physical Sectors Detected: 0

(No malicious items detected)

 

(end)

 
----------------------------------------------
 
ESET Online Scanner
 
C:\Users\Jim\AppData\Roaming\uTorrent\updates\3.4.2_37754.exe a variant of Win32/OpenCandy.A potentially unsafe application cleaned by deleting
C:\Users\Jim\Downloads\ccsetup510.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Jim\Downloads\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application cleaned by deleting
 
----------------------------------------------
 
The computer seems to be running fine.
Should I reboot yet? Still on the same windows session that RKill64.exe was run.

Edited by anova13, 18 January 2017 - 04:38 PM.


#12 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 18 January 2017 - 05:31 PM

***


It Appears That Your Pc Is Clean!


***


Clean up:


***


Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

***


Clean up with delfix:
  • please download delfix to your desktop.
  • Close all other programms and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

***


Delete the log files our tools created; they are located at your desktop or at the
"c:\users\{.......}\Downloads" folder.
Highlight them, and press the del or delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.

===================================

Here are some Preventive tips to reduce the potential for spyware infection in the future

:step1: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane).
:step2: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P filesharing as an important chanel to spread their wares.
:step3: Use only one anti-virus software and keep it up-to-date.

:step4: Firewall
Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

:step5: Backup regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

:step6: Use Strong passwords!

:step7: Email attachments
Do not open any unknown email attachments, which you received without asking for it!


Extra note:
Keep your Browser, Java, pdf Reader and Adobe Flash Up to Date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date - because older versions may contain Security Leaks.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 18 January 2017 - 06:04 PM

Great news ! Thank you very much for your time, indeed.

If I can keep you for just a little bit longer, I would like to ask you:

 

1) I see there were a lot of things deleted during the FRST fix. Did you spot and remove an active malware infection or traces of past infection? I am asking regarding the safety of passwords used since the system restore that I performed after the Gmer detected a rootkit and the follow-up Avast boot-time scan that somehow rendered windows unbootable.

 

2) If that month-old Gmer detection wasn't a false positive and there has actually been a rootkit infection initially (which is corroborated by the fact that windows couldn't boot after the follow-up Avast boot-time scan), is it really possible that the infection was simply removed by a ...system restore?

 

Thanks again, what you and the other security researchers are doing here is very much appreciated.



#14 Jo*

Jo*

  • Malware Response Team
  • 3,293 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:09 AM

Posted 19 January 2017 - 02:50 AM

Anti-Rootkit scans can cause false positive detections.

Some - but not all - rootkits can be removed with a System restore.

We have found - and removed - only temp files, adware and orphaned registry keys.

Edited by Jo*, 19 January 2017 - 02:50 AM.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 anova13

anova13
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:09 AM

Posted 19 January 2017 - 12:29 PM

Ok I see - cheers !

I guess we are done from my side so you can close this thread if you wish.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users