  1. #21
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    Quote Originally Posted by niemiro View Post
    Hello there! I think we've met before

    I'm going to step in briefly to try out a few tools and techniques which may be applicable here. What I'm going to do is set up some loggers and audit policies to try to track down precisely what process or program is recreating these registry keys. In essence I'm going to try to monitor the system and watch what's fiddling with these registry keys. If we can find an explicit process or service name then at least we'll have something to go on/analyse.

    The first technique we shall try will be to use Windows's own built in registry auditor.

    Step 0: Restart your computer such that the Locky keys reappear (we need them to exist).

    Step 1: Press Windows Key + R, type in cmd, paste in
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable

    and press enter.

    Step 2: Open regedit in a similar way and navigate to each of the following four keys in turn (just these ones - I do not wish you to touch the .DEFAULT or S-1-5-18 etc. keys):

    Code:
    HKEY_CLASSES_ROOT\Software\F43o6aqLPEF6
    HKEY_CLASSES_ROOT\Software\Locky
    
    HKEY_CURRENT_USER\Software\Classes\Software\F43o6aqLPEF6
    HKEY_CURRENT_USER\Software\Classes\Software\Locky
    For each key separately, right click on it > Permissions > Advanced > Auditing > Add > Select a Principal > Advanced > Find Now > double click on Everyone > OK > and then:

    Type dropdown: All
    Applies to dropdown: This key and subkeys
    Put a tick in "Full Control"

    OK x2

    Step 3:

    Navigate to each of:

    Code:
    HKEY_CLASSES_ROOT\Software
    HKEY_CURRENT_USER\Software\Classes\Software
    in turn.

    Do exactly the same as above except this time, instead of putting a tick in Full Control, click "Show Advanced Permissions" and put a tick in Create Subkey, Create Link, Write DAC, Write Owner.

    Step 4: Restart your computer. Once again, do not delete or touch any Locky keys/run any other tools. You must leave them alone for the time being.

    Step 5: Search for "Event Viewer"/eventvwr.msc and press enter. Navigate through Windows > Security log and on the right, Save All Events As. Name it "Security.evtx" and press enter. Select "Display Information for these languages" in the next popup if it appears. Click OK.

    Step 6: Upload security.evtx to OneDrive/DropBox/similar and post a public link here.

    Step 7:

    Any questions or similar don't hesitate to let me know. Some of these instructions are based on Windows 10 although should be similar under Windows 7. If anything doesn't look quite right and you can't figure it out, more than happy to help out.

    Richard



    Thank you Richard. I must apologize again for not replying back right away. I was terribly busy with something equally important, but I'm now able to devote my full attention to this once again and I will now try your instructions and post back just as you requested with the public link once I'm finished. Thanks again...
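    As an added example (PowerShell, not code from the thread or from either participant), here are Steps 1 to 3 of the quoted instructions as a script instead of regedit clicks, followed by a reader for the Security.evtx the thread goes on to exchange: it filters the registry object-access events (4656 handle requested, 4657 value changed, 4663 object accessed) down to the Locky key names and reports the process that made each access, which is the piece of information the instructions are trying to surface. Assumptions: an elevated prompt (writing a SACL needs SeSecurityPrivilege) running PowerShell 3.0 or later; the key names are the ones quoted above; the .evtx path in the last line is a placeholder.

```powershell
# Added example, not code from the thread or from either participant.
# Steps 1-3 of the quoted post as a script, then a reader for the audit events.
# Assumed: elevated PowerShell 3.0+ (SACL writes need SeSecurityPrivilege);
# the key names are the ones quoted above; the .evtx path is a placeholder.

# Step 1: Registry object-access auditing, success and failure.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# so the keys the post reaches through HKCR live under one of those two roots.
# Paths that do not exist are skipped.
$leafKeys = @(
    'HKCU:\Software\Classes\Software\F43o6aqLPEF6',
    'HKCU:\Software\Classes\Software\Locky',
    'HKLM:\Software\Classes\Software\F43o6aqLPEF6',
    'HKLM:\Software\Classes\Software\Locky'
)
$parentKeys = @('HKCU:\Software\Classes\Software', 'HKLM:\Software\Classes\Software')

function Add-RegistryAudit {
    # Adds a Success+Failure audit ACE for Everyone that subkeys inherit
    # (regedit's "This key and subkeys"). Returns $true when the SACL now has entries.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.RegistryRights]$Rights
    )
    if (-not (Test-Path -Path $Path)) { Write-Verbose "absent, skipped: $Path"; return $false }
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone',
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure'
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Verify the SACL actually landed rather than trusting Set-Acl.
    $sacl = (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    return ($sacl.Count -gt 0)
}

# Step 2: Full Control audit on the Locky keys themselves.
foreach ($k in $leafKeys) { $null = Add-RegistryAudit -Path $k -Rights FullControl }

# Step 3: on the parents, only what a recreate needs: Create Subkey, Create Link,
# Write DAC (ChangePermissions) and Write Owner (TakeOwnership).
foreach ($p in $parentKeys) {
    $null = Add-RegistryAudit -Path $p -Rights 'CreateSubKey,CreateLink,ChangePermissions,TakeOwnership'
}

function Get-RegistryAuditHits {
    # Reads 4656 (handle requested), 4657 (value changed) and 4663 (object accessed)
    # from the live Security log or a saved .evtx and keeps those whose object name
    # matches the Locky keys or their audited parent. Process is the field the thread is after.
    param(
        [string]$EvtxPath,                                               # omit to read the live Security log
        [string]$Pattern = 'F43o6aqLPEF6|\\Locky|\\Classes\\Software$'   # regex over the audited object name
    )
    $filter = @{ Id = 4656, 4657, 4663 }
    if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'Security' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev   = $_
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -notmatch $Pattern) { return }   # skips this event only

        $outcome = 'Success'
        if ($ev.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
        # AccessMask is logged as hex (e.g. 0x4); casting it to RegistryRights names the bits.
        $access = $null
        if ($data['AccessMask']) { $access = [System.Security.AccessControl.RegistryRights][int]$data['AccessMask'] }
        $procId = $null
        if ($data['ProcessId']) { $procId = [int]$data['ProcessId'] }

        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Outcome = $outcome
            Process = $data['ProcessName']
            ProcId  = $procId
            Access  = $access
            Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Value   = $data['ObjectValueName']     # 4657 only
        }
    }
}

# After the Step 4 reboot, on the live log:
Get-RegistryAuditHits | Sort-Object Time | Format-Table Time, Id, Outcome, Process, Access, Object -AutoSize
# Or against the uploaded file (placeholder path):
# Get-RegistryAuditHits -EvtxPath "$env:USERPROFILE\Desktop\Security.evtx" | Format-Table -AutoSize
```

    Two caveats before reading the output. Object-access audits are produced by the access check when a handle is opened, and kernel-mode callers bypass access checks, so a key recreated by a driver produces no 4656/4663 at all; that is the "super low level" possibility raised later in the thread, and a clean log does not rule it out. Second, 4657 only fires for value writes; a bare recreate of an empty key shows up as a 4656/4663 with CreateSubKey in the access mask, attributed to the parent key, which is why the parent audit in Step 3 (and the parent path in the default pattern) matters. The same functions take any Registry:: path, so they can be pointed at the HKEY_USERS hives as well.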


  2. #22
    YOnGodsGreenEarth

    Thank you again Richard. I followed your instructions. Here is the link for the "Security.evtx" file...


    Dropbox - Security.evtx

  3. #23
    niemiro

    Okay, so I've analysed the logfile and you've done a good job putting in place the auditing policies. I can watch you playing around in regedit, restarting the computer and then six minutes later uploading the event logs. The success was mixed though as the auditing didn't capture a recreate attempt during those six minutes. There are a number of possibilities here and I'm not yet sure which it is. One is that the recreate isn't tied strictly into a startup process and is instead triggered by something else. I prepared myself for this possibility by setting up the auditing on the parent subkeys also. Let's give it a try.

    What I want you to do is as follows - leave all security event logs alone for now. I want it to capture during all normal computer usage too, not just over reboots etc. so don't clean them up and don't run CCleaner or any other tools like that which might clean them up for you.

    I then want you to use your computer normally for a couple of hours. If you've already used it normally for a couple of hours between your last post and this one, consider this step complete. I then want you to go in and delete HKEY_CLASSES_ROOT\Software\F43o6aqLPEF6 and HKEY_CLASSES_ROOT\Software\Locky using regedit (no specialist tools - regedit please).

    Finally, I want you to restart your computer and give your computer a minute to stabilise. Then, please open regedit and check that they've been recreated. If they have, please upload another Security.evtx log. If they haven't, keep using the computer until they have.

    In essence, the six minutes of capture time didn't capture a recreate attempt. Why not? Well, it could be because a recreate attempt wasn't made during those six minutes. If so, we need to figure out when and where it is being recreated. Alternatively, it could be that a super low level rootkit is managing to change the security logs. This seems unlikely but we cannot rule out any possibility at this stage. Alternatively, it could be doing something really clever and quirky which the audit logs aren't designed to pick up. In those cases I need first to know that the audit logs definitely, definitely should have seen a recreation before switching strategy.
    YOnGodsGreenEarth says thanks for this.

  4. #24
    niemiro

    Also, I have an entirely separate strategy I've been thinking about I want to try. May as well go for it simultaneously I guess.

    The fact that these keys are Classes may be of help to us. I'm wondering if there are related CLSIDs or similar I may be able to track down and use those to help ID the location of whatever it is that is creating them. What I would like to do is to take your registry hives to analyse on my own system. I want to see if I can forensically dig out any other keys which may be related to these Locky ones but which we haven't yet identified.

    At a time when all of the relevant Locky keys you know about exist (I need them to exist so I have an entry point for comparative analysis with other keys), please download and run RegBak: Acelogix Software

    Make a backup of your registry somewhere, zip up the whole folder, put it on OneDrive/DropBox/similar, and send me a private message containing the link.


    I'll also investigate at the same time whether we can lock down the permissions on these Locky keys (without deleting them) in such a way as to generate a traceable failure that we can detect with a monitoring program. The trouble with these programs is that they generate absolutely vast amounts of data and we usually need some idea of what we're aiming them at before we turn them on else we can only collect data for a few seconds and usually miss what we're trying to record.
    YOnGodsGreenEarth says thanks for this.

  5. #25
    YOnGodsGreenEarth

    I'm now midway through the latest steps you've provided. I will post back once I've created the new security.evtx log. I've already downloaded RegBak and will install and run it after my next reboot. I will post back once I have everything else you requested.

    This also brings me to wonder about what to do with the other three drives I pulled from my system prior to installing my new drive Windows is on now (the drive we are currently trouble-shooting)?

    I'm happy with crossing that bridge when we get to it, but I just want to re-iterate this point too, since now Windows is no longer installed on the original drives I pulled from my system. Correct me if I'm wrong, but maybe that means if I wanted to make sure those drives no longer had remnants of Locky too, other forensic methods may be necessary to root out any Locky files attached to them as well. My original thought on this was possibly using the built-in WinXP console on Hiren's BCD, maybe to follow steps similar to what we're doing now with my current drive?

    Anyway, I'm just surmising at this point, but if we're successful in removing Locky from my new drive, I'd at least like to attempt to see if the same can be done for the original drives I pulled before installing the current one.

    Thanks again for the time you're putting into helping me with this issue. The last thing I want to do is throw away any hard drives if it can be helped...

  6. #26
    niemiro

    I think our best chance of success is to analyse Locky on this one drive in isolation to begin with, and if we are able to find all parts of it here then look for it in the same places on the other HDDs and take it off those too. In regards to what tools and methods we would use - I honestly could not yet tell you. We haven't yet found enough to fully understand the Locky we have here and so cannot pass meaningful comment yet.

    I'll definitely keep in mind these other drives and we can look at them later/I'll tell you if I want to perform any analysis on them, but trying to find Locky on inactive drives is going to be like trying to find a needle in a haystack. My belief is that our best chance of success comes from finding it on the live drive whilst it's still actively recreating itself and we can attempt to watch it do so.

  7. #27
    YOnGodsGreenEarth

    I'm about to run RegBak to generate the specified folder, but I wanted to mention that I've now been on my computer for about 4 hrs and after simply checking RegEdit for the entries you asked me to look for after deleting the keys and restarting, they have not yet appeared in those two locations. But that brings me to another question about the auditing policy you had me implement - will this policy continue to log after every reboot or do I need to recreate it with Command Prompt again before I can generate another security.evtx file?

    In the meantime, I'm going to reboot again and still run RegBak. As soon as I've completed your instructions with it, I will send you the message as you requested...

  8. #28
    niemiro

    The auditing policies are permanent until such time as we unset them - you don't need to keep recreating them. The nature of the audit policies is such that they only work if we can actively capture a recreate occurring.

    Give it a couple of days if necessary. We'll still be here whenever you are (we don't time out or expire threads - you can post back as and when and we'll reply when we get a chance).

    So I'd suggest that you give it a couple of days and see if they get recreated. We'll work from there either way.

  9. #29
    YOnGodsGreenEarth

    Thanks. After another reboot, it looks like they in fact did recreate themselves. I've posted another security.evtx file from Dropbox which I included below. I also included the latest scan results after running regedit again. One thing I noticed differently in regedit this time was that some of the paired occurrences of these Locky keys are now actually displayed several folders apart from each other within each respective location - albeit still sequentially the same (the alphanumeric keys listed first).

    I actually took the liberty of creating a screen-capture which I uploaded to Dropbox as well. I've also included this link too so you can see what I mean...


    New RegEdit Scan:

    HKEY_CURRENT_USER\Software\F43o6aqLPEF6
    HKEY_CURRENT_USER\Software\Locky

    HKEY_USERS\.DEFAULT\Software\F43o6aqLPEF6
    HKEY_USERS\.DEFAULT\Software\Locky

    HKEY_USERS\S-1-5-18\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-18\Software\Locky

    HKEY_USERS\S-1-5-19\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-19\Software\Locky

    HKEY_USERS\S-1-5-20\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-20\Software\Locky

    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Locky



    New Security.evtx log:


    Dropbox - Security2.evtx



    Partial ScreenCap of Regedit Scan (In the form of a Bitmap image using Wordpad):

    Dropbox - Partial Screen-Cap of RegEdit Scan.rtf

  10. #30
    YOnGodsGreenEarth

    I've opened RegBak and now I just need to know - should I leave the option to "Use Volume Shadow Copy Service to backup the hives" ticked?

  11. #31
    niemiro

    Yes - leave it ticked :)

  12. #32
    niemiro

    Hello again.

    Thanks for all this data. The registry files I'm still analysing, whilst the results from the new trace were a bit mixed. It didn't work in the way I expected it to and I'm currently recreating/practising various possibilities on my own computer and seeing what they look like to the auditor to see if I can get a match. I'll get back to you tomorrow either way. I had hoped it would be an easy spot with the auditor but it has not proven to be so.

    Be back soon.

    Richard

  13. #33
    YOnGodsGreenEarth

    Okay. Sorry it didn't quite yield the exact results you were hoping for. I appreciate that you're even taking some time to do this over the holiday weekend. That is very kind of you. As I mentioned before, take all the time you need and if there are any further logs I can provide and/or additional scans to aid in your trouble-shooting - please don't hesitate to ask and I will gladly comply.

    Thanks again Richard. Hope you get to enjoy the rest of your weekend.

  14. #34
    YOnGodsGreenEarth

    I ran some new scans with FRST, RGSA, and ComboFix, as well as a scan with JRT from Malwarebytes and the latest version of AVZ Antiviral Toolkit from Kaspersky (which revealed some odd-looking rootkit detections once it completed its scan). I've posted the results below...




    New FRST Scan Results:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-05-2016
    Ran by TKRA7 (administrator) on TKRA7-PC (30-05-2016 20:44:38)
    Running from C:\Users\TKRA7\Desktop
    Loaded Profiles: TKRA7 (Available Profiles: TKRA7)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    (AMD) C:\Windows\System32\atiesrxx.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
    () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr64.exe
    (ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    BootExecute: autocheck autochk * sdnclean64.exe
    GroupPolicyScripts: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    ProxyEnable: [S-1-5-21-2205198338-1926017667-846148581-1000] => Proxy is enabled.
    ProxyServer: [S-1-5-21-2205198338-1926017667-846148581-1000] => localhost:21320
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    Tcpip\..\Interfaces\{C9558C5F-54E7-41D5-A78D-1AC2DCD6718F}: [DhcpNameServer] 75.75.75.75 75.75.76.76
    ManualProxies: 1localhost:21320

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://duckduckgo.com/

    FireFox:
    ========
    FF ProfilePath: C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default
    FF Homepage: hxxps://duckduckgo.com/
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-20] ()
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-20] ()
    FF Extension: HTTPS-Everywhere - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\https-everywhere@eff.org [2016-05-20]
    FF Extension: NoScript - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-05-20]
    FF Extension: Bitdefender QuickScan - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-05-21]
    FF Extension: YouTube Auto Replay - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\YouTubeAutoReplay@arikv.com.xpi [2016-05-22]
    FF Extension: WOT - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-05-27]
    FF Extension: Privacy Badger - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-05-20]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
    R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [922240 2011-06-13] ()
    R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [915584 2010-12-01] ()
    R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
    R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2519904 2016-04-13] (ESET)
    R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4397896 2016-05-30] (SurfRight B.V.)
    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
    S3 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [232192 2016-03-09] (NETGEAR)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R0 AiChargerPlus; C:\Windows\System32\DRIVERS\AiChargerPlus.sys [14464 2010-11-08] (ASUSTek Computer Inc.)
    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
    R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
    R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
    R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [264552 2016-05-12] (ESET)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [199680 2016-05-12] (ESET)
    S3 efavdrv; C:\Windows\SysWOW64\drivers\efavdrv.sys [115008 2016-05-29] (ESET)
    R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [186784 2016-05-12] (ESET)
    R2 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [170792 2016-05-12] (ESET)
    S3 ERmvrDrv; C:\Windows\system32\drivers\ERKRmvrDrv.sys [43608 2016-05-29] (ESET spol. s r.o.)
    R3 hmpalert; C:\Windows\system32\drivers\hmpalert.sys [175472 2016-05-30] (SurfRight B.V.)
    R3 hmpnet; C:\Windows\system32\drivers\hmpnet.sys [84520 2016-05-30] (SurfRight B.V.)
    S3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [143904 2015-11-05] (Zemana Ltd.)
    R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-30] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
    R2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2016-05-26] (CACE Technologies, Inc.)
    R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-30 20:44 - 2016-05-30 20:44 - 00010235 _____ C:\Users\TKRA7\Desktop\FRST.txt
    2016-05-30 20:37 - 2016-05-30 20:37 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
    2016-05-30 20:26 - 2016-05-30 20:27 - 07119782 _____ C:\Users\TKRA7\Desktop\eav_logs.zip
    2016-05-30 19:41 - 2016-05-30 19:41 - 00913608 _____ (ESET) C:\Users\TKRA7\Downloads\ESETLogCollector_enu.exe
    2016-05-30 19:15 - 2016-05-30 19:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
    2016-05-30 19:15 - 2016-05-30 19:15 - 00000000 ____D C:\Program Files\ESET
    2016-05-30 19:00 - 2016-05-30 19:15 - 00000000 ____D C:\ProgramData\ESET
    2016-05-30 15:21 - 2016-05-30 15:21 - 00016384 _____ C:\Windows\SysWOW64\p��
    2016-05-30 02:57 - 2016-05-30 02:57 - 00000000 ____D C:\Users\TKRA7\Documents\ProcAlyzer Dumps
    2016-05-30 02:34 - 2016-05-24 10:40 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts.20160530-023429.backup
    2016-05-30 02:19 - 2016-05-30 02:19 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-05-30 02:15 - 2016-05-30 02:30 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-05-30 02:15 - 2016-05-30 02:24 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-05-30 02:15 - 2016-05-30 02:15 - 00001391 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-05-30 02:15 - 2016-05-30 02:15 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
    2016-05-30 02:15 - 2016-05-30 02:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-05-30 02:15 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
    2016-05-30 02:04 - 2016-05-30 02:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MRU-Blaster
    2016-05-30 02:04 - 2016-05-30 02:04 - 00000000 ____D C:\Program Files (x86)\MRU-Blaster
    2016-05-30 00:23 - 2016-05-30 00:23 - 00003458 _____ C:\Users\TKRA7\Desktop\Forum Response RE_Google and Privacy_5-30-16.txt
    2016-05-29 12:48 - 2016-05-30 20:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-05-29 12:48 - 2016-05-29 12:48 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2016-05-29 12:21 - 2016-05-29 12:21 - 00043608 _____ (ESET spol. s r.o.) C:\Windows\system32\Drivers\ERKRmvrDrv.sys
    2016-05-29 12:06 - 2016-05-29 12:06 - 00115008 _____ (ESET) C:\Windows\SysWOW64\Drivers\efavdrv.sys
    2016-05-27 16:44 - 2016-05-29 13:38 - 44972877 _____ C:\Users\TKRA7\Desktop\RegBak.zip
    2016-05-27 16:38 - 2016-05-27 16:38 - 00000000 ____D C:\Windows\RegBak
    2016-05-27 16:36 - 2016-05-27 16:38 - 00000078 _____ C:\Windows\system32\TKRA7-PC.Windows 7 Ultimate, 64-bit Service Pack 1 (build 7601).txt
    2016-05-27 16:36 - 2016-05-27 16:36 - 00005348 _____ C:\Users\TKRA7\Desktop\REGRES.INI
    2016-05-27 16:36 - 2016-05-27 16:36 - 00004142 _____ C:\Users\TKRA7\Desktop\REGRES.CMD
    2016-05-27 16:36 - 2016-05-27 16:36 - 00000000 ____D C:\Users\TKRA7\Desktop\Windows
    2016-05-27 15:49 - 2016-05-27 15:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Backup and Restore
    2016-05-27 15:49 - 2016-05-27 15:49 - 00000000 ____D C:\Program Files\Acelogix
    2016-05-27 14:46 - 2016-05-27 14:47 - 01118208 _____ C:\Users\TKRA7\Documents\Security2.evtx
    2016-05-27 14:42 - 2016-05-27 14:42 - 00000554 _____ C:\Users\TKRA7\Desktop\New Scan of RegEdit_5-27-16.txt
    2016-05-27 03:02 - 2016-05-27 03:02 - 00000000 ____D C:\Users\TKRA7\AppData\LocalLow\Temp
    2016-05-27 02:59 - 2016-05-27 14:47 - 00000000 ____D C:\Users\TKRA7\Documents\LocaleMetaData
    2016-05-27 02:59 - 2016-05-27 02:59 - 01118208 _____ C:\Users\TKRA7\Documents\Security.evtx
    2016-05-26 17:29 - 2016-05-30 18:47 - 00000000 ____D C:\Users\TKRA7\AppData\Local\NETGEARGenie
    2016-05-26 17:28 - 2016-05-26 17:28 - 00369168 _____ (CACE Technologies, Inc.) C:\Windows\system32\wpcap.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00281104 _____ (CACE Technologies, Inc.) C:\Windows\SysWOW64\wpcap.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00106000 _____ (CACE Technologies, Inc.) C:\Windows\system32\packet.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00096784 _____ (CACE Technologies, Inc.) C:\Windows\SysWOW64\packet.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00035344 _____ (CACE Technologies, Inc.) C:\Windows\system32\Drivers\npf.sys
    2016-05-26 17:28 - 2016-05-26 17:28 - 00002062 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR Genie.lnk
    2016-05-26 17:28 - 2016-05-26 17:28 - 00002050 _____ C:\Users\Public\Desktop\NETGEAR Genie.lnk
    2016-05-26 17:28 - 2016-05-26 17:28 - 00000000 ____D C:\Program Files (x86)\NETGEAR Genie
    2016-05-26 13:48 - 2016-05-30 18:59 - 00000000 ____D C:\Users\TKRA7\Downloads\Word Docs
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Downloads\WorkPlaceSafety
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Text + Htm Files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Lentil Soup with Ground Beef and Brown Rice Recipe _ Yummly_files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\HTC
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\EmpMeal
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Backup Files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Amazon MP3
    2016-05-26 13:46 - 2016-05-26 13:46 - 00000000 ____D C:\Users\TKRA7\Downloads\Wallpapers
    2016-05-26 13:46 - 2016-05-26 13:46 - 00000000 ____D C:\Users\TKRA7\Downloads\Uninstallers
    2016-05-26 13:41 - 2016-05-30 02:12 - 00000000 ____D C:\Users\TKRA7\Downloads\SECURITY
    2016-05-26 13:41 - 2016-05-26 13:41 - 00000000 ____D C:\Users\TKRA7\Downloads\PRINTER
    2016-05-26 13:40 - 2016-05-26 13:41 - 00000000 ____D C:\Users\TKRA7\Downloads\Portable Flash Apps
    2016-05-26 13:40 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\PDF's
    2016-05-26 13:40 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\MP3
    2016-05-26 13:39 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\Linux
    2016-05-26 13:39 - 2016-05-26 13:39 - 00000000 ____D C:\Users\TKRA7\Downloads\JWL
    2016-05-26 13:34 - 2016-05-30 02:12 - 00000000 ____D C:\Users\TKRA7\Downloads\HTML & WEB DOCS
    2016-05-26 13:34 - 2016-05-26 13:38 - 00000000 ____D C:\Users\TKRA7\Downloads\ISO Files
    2016-05-26 13:34 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\INVOICES
    2016-05-26 13:34 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\HTC
    2016-05-26 13:33 - 2016-05-30 18:59 - 00000000 ____D C:\Users\TKRA7\Downloads\Games
    2016-05-26 13:33 - 2016-05-28 01:25 - 00000000 ____D C:\Users\TKRA7\Downloads\Consumer Issues
    2016-05-26 13:33 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\Hardware Tools
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\FLV Files
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Fix it portable
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Comcast
    2016-05-26 13:32 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\BOOT & RECOVERY
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BIBLE SCHEDULE_files
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Bible Downloads
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BCEC
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BACKUP
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Android
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Amazon
    2016-05-26 08:33 - 2016-05-26 08:33 - 00016384 _____ C:\Windows\SysWOW64\�p
    2016-05-25 20:28 - 2016-05-25 20:28 - 00001563 _____ C:\Users\TKRA7\Desktop\ComboFix.lnk
    2016-05-25 03:07 - 2016-05-25 03:07 - 00000000 ____D C:\ProgramData\MicroWorld
    2016-05-24 20:50 - 2016-05-24 20:50 - 02383360 _____ (Farbar) C:\Users\TKRA7\Desktop\FRST64.exe
    2016-05-24 20:25 - 2016-05-24 20:47 - 00000000 ____D C:\cce_linux
    2016-05-24 18:26 - 2016-05-30 19:10 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
    2016-05-24 18:26 - 2016-05-30 15:22 - 00825040 _____ (SurfRight B.V.) C:\Windows\system32\hmpalert.dll
    2016-05-24 18:26 - 2016-05-30 15:22 - 00753872 _____ (SurfRight B.V.) C:\Windows\SysWOW64\hmpalert.dll
    2016-05-24 18:26 - 2016-05-30 15:22 - 00175472 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpalert.sys
    2016-05-24 18:26 - 2016-05-30 15:22 - 00084520 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpnet.sys
    2016-05-24 18:26 - 2016-05-24 18:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
    2016-05-24 17:27 - 2016-05-24 17:27 - 00001021 _____ C:\Users\TKRA7\Documents\Response to GlarySoft Ltd_RE_Uninstall.txt
    2016-05-24 17:14 - 2016-05-24 17:54 - 00000000 ____D C:\Program Files (x86)\Glarysoft
    2016-05-24 17:14 - 2016-05-24 17:24 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\GlarySoft
    2016-05-24 17:14 - 2016-05-24 17:14 - 00000539 _____ C:\GUDownLoaddebug.txt
    2016-05-24 17:14 - 2016-05-24 17:14 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\DiskDefrag
    2016-05-24 17:11 - 2016-05-24 17:11 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
    2016-05-24 17:11 - 2016-05-24 17:11 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
    2016-05-24 16:29 - 2016-05-30 20:38 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2016-05-24 16:29 - 2016-05-24 16:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2016-05-24 16:29 - 2016-05-24 16:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
    2016-05-24 16:29 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2016-05-24 16:29 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
    2016-05-24 16:29 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
    2016-05-24 14:04 - 2016-05-24 14:04 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\SUPERAntiSpyware.com
    2016-05-24 14:04 - 2016-05-24 14:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    2016-05-24 14:03 - 2016-05-24 14:04 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2016-05-24 14:03 - 2016-05-24 14:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2016-05-24 13:29 - 2016-05-24 13:29 - 00016384 _____ C:\Windows\SysWOW64\X�Y
    2016-05-24 10:36 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
    2016-05-24 10:36 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
    2016-05-24 10:36 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
    2016-05-24 10:33 - 2016-05-25 23:33 - 00000000 ____D C:\Qoobox
    2016-05-24 10:33 - 2016-05-24 10:41 - 00000000 ____D C:\Windows\erdnt
    2016-05-24 10:26 - 2016-05-30 20:44 - 00000000 ____D C:\FRST
    2016-05-24 10:20 - 2016-05-24 10:20 - 00898560 _____ C:\Users\TKRA7\Desktop\RGSA.exe
    2016-05-23 02:38 - 2016-05-23 02:39 - 00000000 ____D C:\Users\TKRA7\Downloads\Pics
    2016-05-23 02:25 - 2016-05-23 02:25 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
    2016-05-23 02:00 - 2016-05-30 20:37 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
    2016-05-23 02:00 - 2016-05-27 12:28 - 00000000 ____D C:\Windows\CryptoGuard
    2016-05-23 02:00 - 2016-05-23 02:25 - 00000000 ____D C:\ProgramData\HitmanPro
    2016-05-23 01:50 - 2016-05-24 17:10 - 00000000 ____D C:\ProgramData\TEMP
    2016-05-23 01:50 - 2016-05-23 01:51 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
    2016-05-23 01:50 - 2016-05-23 01:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
    2016-05-23 01:50 - 2012-05-02 12:17 - 01070152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2016-05-23 01:50 - 2009-03-24 13:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL
    2016-05-22 23:12 - 2016-05-22 23:12 - 00000000 ____D C:\Users\TKRA7\AppData\Local\niemiro
    2016-05-22 22:57 - 2016-05-22 22:57 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Fortres Grand
    2016-05-22 20:28 - 2016-05-22 20:28 - 00000000 ____D C:\AdwCleaner
    2016-05-22 17:53 - 2016-05-23 02:27 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
    2016-05-22 17:53 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
    2016-05-22 17:53 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2016-05-22 17:53 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
    2016-05-22 17:53 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
    2016-05-22 17:53 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2016-05-22 17:52 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
    2016-05-22 17:52 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2016-05-22 17:52 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
    2016-05-22 17:52 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2016-05-22 17:45 - 2016-05-22 17:45 - 00000000 ____D C:\inetpub
    2016-05-22 16:58 - 2016-05-22 16:58 - 00000000 ____D C:\ProgramData\WinaeroTweaker
    2016-05-22 12:59 - 2016-05-22 13:01 - 00194292 _____ C:\TDSSKiller.3.1.0.9_22.05.2016_12.59.02_log.txt
    2016-05-22 12:52 - 2016-05-22 13:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2016-05-22 12:50 - 2016-05-24 16:29 - 00000000 ____D C:\ProgramData\Malwarebytes
    2016-05-22 12:50 - 2016-05-22 12:50 - 00000000 ____D C:\Program Files\Malwarebytes
    2016-05-22 05:51 - 2016-05-22 21:03 - 00000000 ____D C:\Windows\Microsoft Antimalware
    2016-05-22 00:21 - 2016-05-30 19:07 - 00001945 _____ C:\Windows\epplauncher.mif
    2016-05-21 21:10 - 2016-05-21 21:10 - 00000813 _____ C:\Users\TKRA7\Documents\Freedome driver Installation Error.txt
    2016-05-21 20:59 - 2016-05-21 20:59 - 00036320 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\fsfreedometap.sys
    2016-05-21 20:49 - 2016-05-21 20:49 - 00002790 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
    2016-05-21 20:49 - 2016-05-21 20:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    2016-05-21 20:49 - 2016-05-21 20:49 - 00000000 ____D C:\Program Files\CCleaner
    2016-05-21 20:48 - 2016-05-30 02:11 - 00000000 ____D C:\Users\TKRA7\Downloads\Software Tools
    2016-05-21 08:55 - 2016-05-24 14:55 - 00190632 _____ C:\Users\TKRA7\AppData\Local\census.cache
    2016-05-21 08:55 - 2016-05-24 14:55 - 00129256 _____ C:\Users\TKRA7\AppData\Local\ars.cache
    2016-05-21 08:31 - 2016-05-24 14:27 - 00000010 _____ C:\Users\TKRA7\AppData\Local\sponge.last.runtime.cache
    2016-05-21 08:29 - 2016-05-21 08:29 - 00000000 ____D C:\ProgramData\Trend Micro
    2016-05-21 08:28 - 2016-05-21 08:28 - 00000036 _____ C:\Users\TKRA7\AppData\Local\housecall.guid.cache
    2016-05-21 08:24 - 2016-05-24 14:23 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\QuickScan
    2016-05-21 08:24 - 2016-05-21 08:24 - 00000000 ____D C:\ProgramData\Bitdefender Agent
    2016-05-21 08:16 - 2016-05-21 21:29 - 00000000 ____D C:\ProgramData\F-Secure
    2016-05-21 08:16 - 2016-05-21 08:16 - 00000000 ____D C:\Users\TKRA7\AppData\Local\F-Secure
    2016-05-21 08:16 - 2016-05-21 08:16 - 00000000 ____D C:\Users\TKRA7\AppData\Local\FSDART
    2016-05-21 08:15 - 2016-05-22 17:47 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
    2016-05-21 08:15 - 2016-05-21 08:15 - 00000000 ____D C:\ProgramData\NortonInstaller
    2016-05-21 08:15 - 2016-05-21 08:15 - 00000000 ____D C:\ProgramData\Norton
    2016-05-21 02:03 - 2016-05-21 02:03 - 00001006 _____ C:\Users\TKRA7\Documents\New_Drive_New_Win_Install_SysInfo - Shortcut.lnk
    2016-05-21 01:47 - 2016-05-21 01:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GWX Control Panel
    2016-05-21 01:47 - 2016-05-21 01:47 - 00000000 ____D C:\Program Files (x86)\UltimateOutsider
    2016-05-21 01:34 - 2014-12-30 13:31 - 07039960 _____ (Zemana Ltd.) C:\Windows\SysWOW64\ZALSDKCore.dll
    2016-05-20 01:30 - 2016-05-23 06:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
    2016-05-20 00:55 - 2016-05-20 00:55 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Macromedia
    2016-05-20 00:54 - 2016-05-24 21:23 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-05-20 00:54 - 2016-05-24 21:23 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2016-05-20 00:54 - 2016-05-20 00:54 - 00000000 ____D C:\Windows\system32\Macromed
    2016-05-20 00:54 - 2016-05-20 00:54 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Adobe
    2016-05-20 00:42 - 2016-05-20 00:50 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Mozilla
    2016-05-20 00:42 - 2016-05-20 00:42 - 00001159 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2016-05-20 00:42 - 2016-05-20 00:42 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Mozilla
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2016-05-20 00:40 - 2016-05-26 08:19 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2016-05-20 00:40 - 2016-05-21 01:34 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Zemana
    2016-05-20 00:40 - 2016-05-20 00:40 - 00000000 ____D C:\Users\TKRA7\AppData\Local\AntiLogger Free
    2016-05-20 00:40 - 2015-11-05 15:00 - 00143904 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\KeyCrypt64.sys
    2016-05-20 00:26 - 2013-10-14 18:00 - 00028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
    2016-05-20 00:23 - 2016-05-20 00:23 - 24917504 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 19607040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 14404096 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 12829696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 06026240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2016-05-20 00:23 - 2016-05-20 00:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2016-05-20 00:23 - 2016-05-20 00:23 - 02426880 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02278912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
    2016-05-20 00:23 - 2016-05-20 00:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2016-05-20 00:23 - 2016-05-20 00:23 - 01950720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01309696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00942592 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00645120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsIntl.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00616104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
    2016-05-20 00:23 - 2016-05-20 00:23 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
    2016-05-20 00:23 - 2016-05-20 00:23 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
    2016-05-20 00:23 - 2016-05-20 00:23 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00342728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
    2016-05-20 00:23 - 2016-05-20 00:23 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00235008 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00233472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00194048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00182272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00167424 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00151552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00147968 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00139264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00127488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00101376 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00083456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
    2016-05-20 00:23 - 2016-05-20 00:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00069120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00056832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00012800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 05549504 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00376688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00288088 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
    2016-05-20 00:22 - 2016-05-20 00:22 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00068608 _____ (Microsoft Corporation) C:\Windows\system32\taskhost.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2016-05-20 00:21 - 2016-05-20 00:21 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02776576 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02284544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01988096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01887232 _____ (Microsoft Corporation) C:\Windows\system32\d3d11.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01682432 _____ (Microsoft Corporation) C:\Windows\system32\XpsPrint.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01643520 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01504768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01238528 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01175552 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01158144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01080832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00648192 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00604160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00522752 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00363008 _____ (Microsoft Corporation) C:\Windows\system32\dxgi.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00333312 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00293376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00249856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00245248 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecsExt.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\UIAnimation.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00207872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00194560 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00187392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00161792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00010752 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00010752 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00009728 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00009728 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BDAntiRansomware
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\Program Files\Bitdefender
    2016-05-19 23:30 - 2016-05-30 02:11 - 00000000 ____D C:\Users\TKRA7\Downloads\Windows
    2016-05-19 23:30 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Browsers
    2016-05-19 23:30 - 2016-05-26 08:16 - 00000000 ____D C:\Users\TKRA7\Downloads\Security Tools
    2016-05-19 23:23 - 2016-05-19 23:23 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Macromedia
    2016-05-19 23:09 - 2016-05-19 23:09 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Adobe
    2016-05-19 22:58 - 2016-05-19 22:58 - 00000000 ____D C:\ProgramData\ASUS OC Profiles
    2016-05-19 22:56 - 2016-05-19 22:56 - 00000000 _____ C:\Windows\ativpsrm.bin
    2016-05-19 22:55 - 2016-05-19 22:55 - 00000000 ____D C:\ProgramData\GridinSoft
    2016-05-19 22:51 - 2011-05-24 11:08 - 00166624 _____ C:\Windows\system32\atiapfxx.blb
    2016-05-19 22:51 - 2011-05-24 11:04 - 00462848 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
    2016-05-19 22:51 - 2011-05-24 10:19 - 00058880 _____ (AMD) C:\Windows\system32\coinst.dll
    2016-05-19 22:51 - 2011-05-18 16:13 - 00032635 _____ C:\Windows\atiogl.xml
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\SysWOW64\atipblag.dat
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\system32\atipblag.dat
    2016-05-19 22:49 - 2016-05-19 22:49 - 00001266 _____ C:\Users\TKRA7\Desktop\Windows Update.lnk
    2016-05-19 22:43 - 2016-05-19 22:43 - 00000000 ____D C:\Program Files\ASUS
    2016-05-19 22:42 - 2016-05-19 22:42 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2016-05-19 22:38 - 2016-05-19 22:43 - 00000000 ____D C:\Windows\System32\Tasks\ASUS
    2016-05-19 22:38 - 2016-05-19 22:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS
    2016-05-19 22:38 - 2010-11-08 14:57 - 00014464 _____ (ASUSTek Computer Inc.) C:\Windows\system32\Drivers\AiChargerPlus.sys
    2016-05-19 22:38 - 2008-12-02 20:05 - 00184320 _____ (ASUSTeK) C:\Windows\SysWOW64\Drivers\UpdateHelper.dll
    2016-05-19 22:37 - 2016-05-19 22:38 - 00000000 ____D C:\Program Files (x86)\ASUS
    2016-05-19 22:37 - 2016-05-19 22:37 - 00000000 ____D C:\ProgramData\ASUS
    2016-05-19 22:37 - 2010-08-24 03:16 - 00013440 ____R C:\Windows\SysWOW64\Drivers\AsIO.sys
    2016-05-19 22:37 - 2010-06-29 03:41 - 00028672 ____R (ASUSTek Computer Inc.) C:\Windows\SysWOW64\AsIO.dll
    2016-05-19 22:37 - 2008-01-04 01:34 - 00011832 ____N C:\Windows\SysWOW64\Drivers\AsInsHelp64.sys
    2016-05-19 22:36 - 2016-05-19 22:36 - 00000000 ____D C:\Windows\RaidTool
    2016-05-19 22:36 - 2010-11-24 23:27 - 00120408 _____ (JMicron Technology Corp.) C:\Windows\system32\Drivers\jraid.sys
    2016-05-19 22:36 - 2009-07-13 21:15 - 00315904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Difxd825.rra
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files\ATI
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2016-05-19 22:35 - 2011-03-04 14:46 - 00078976 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_sata.sys
    2016-05-19 22:35 - 2011-03-04 14:46 - 00038528 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_xata.sys
    2016-05-19 22:35 - 2010-12-15 23:06 - 00047232 ____R (Advanced Micro Devices) C:\Windows\system32\Drivers\usbfilter.sys
    2016-05-19 22:34 - 2016-05-19 22:34 - 00016896 _____ (ASUS) C:\Windows\AsTaskSched.dll
    2016-05-19 22:34 - 2016-05-19 22:34 - 00000000 ____D C:\Program Files\ATI Technologies
    2016-05-19 22:33 - 2011-02-25 02:25 - 00296320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
    2016-05-19 22:32 - 2016-05-19 22:32 - 00000000 ____D C:\Program Files (x86)\ASM104xUSB3
    2016-05-19 22:31 - 2016-05-19 22:43 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2016-05-19 22:31 - 2016-05-19 22:31 - 00000000 ____D C:\Program Files (x86)\Realtek
    2016-05-19 22:31 - 2011-08-23 09:57 - 00565352 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
    2016-05-19 22:31 - 2011-08-23 09:57 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
    2016-05-19 22:31 - 2011-08-23 09:57 - 00074272 _____ C:\Windows\system32\RtNicProp64.dll
    2016-05-19 22:30 - 2016-05-19 22:30 - 00001769 _____ C:\Windows\Language_trs.ini
    2016-05-19 22:29 - 2016-05-19 22:30 - 00028901 _____ C:\Windows\Ascd_tmp.ini
    2016-05-19 22:27 - 2016-05-20 00:28 - 00001413 _____ C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2016-05-19 22:27 - 2016-05-19 22:27 - 00000000 ____D C:\Users\TKRA7\AppData\Local\VirtualStore
    2016-05-19 22:25 - 2016-05-22 17:49 - 00000000 ____D C:\Users\TKRA7
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000020 ___SH C:\Users\TKRA7\ntuser.ini
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\My Documents
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Videos
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Pictures
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Music
    2016-05-19 22:25 - 2011-04-12 04:28 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Media Center Programs
    2016-05-12 10:48 - 2016-05-12 10:48 - 00264552 _____ (ESET) C:\Windows\system32\Drivers\eamonm.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00199680 _____ (ESET) C:\Windows\system32\Drivers\edevmon.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00186784 _____ (ESET) C:\Windows\system32\Drivers\ehdrv.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00170792 _____ (ESET) C:\Windows\system32\Drivers\epfwwfpr.sys

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-30 20:44 - 2009-07-14 01:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-05-30 20:37 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-05-30 19:30 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-05-30 19:30 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-05-30 19:30 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
    2016-05-25 23:32 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
    2016-05-24 02:56 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
    2016-05-22 17:48 - 2011-04-12 04:28 - 00000000 ___RD C:\Users\Public\Recorded TV
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Sidebar
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
    2016-05-22 17:48 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
    2016-05-22 17:47 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Microsoft Games
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
    2016-05-21 20:52 - 2008-01-01 04:19 - 00000000 ____D C:\Windows\Panther
    2016-05-20 01:38 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
    2016-05-19 22:35 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

    ==================== Files in the root of some directories =======

    2016-05-21 08:55 - 2016-05-24 14:55 - 0129256 _____ () C:\Users\TKRA7\AppData\Local\ars.cache
    2016-05-21 08:55 - 2016-05-24 14:55 - 0190632 _____ () C:\Users\TKRA7\AppData\Local\census.cache
    2016-05-21 08:28 - 2016-05-21 08:28 - 0000036 _____ () C:\Users\TKRA7\AppData\Local\housecall.guid.cache
    2016-05-21 08:31 - 2016-05-24 14:27 - 0000010 _____ () C:\Users\TKRA7\AppData\Local\sponge.last.runtime.cache

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-05-28 14:59

    ==================== End of FRST.txt ============================




    Addition Log:

    Additional scan result of Farbar Recovery Scan Tool (x64) Version:23-05-2016
    Ran by TKRA7 (2016-05-30 20:45:26)
    Running from C:\Users\TKRA7\Desktop
    Windows 7 Ultimate Service Pack 1 (X64) (2016-05-20 02:25:08)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-2205198338-1926017667-846148581-500 - Administrator - Disabled)
    Guest (S-1-5-21-2205198338-1926017667-846148581-501 - Limited - Disabled)
    TKRA7 (S-1-5-21-2205198338-1926017667-846148581-1000 - Administrator - Enabled) => C:\Users\TKRA7

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
    AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    AS: ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    AI Suite II (HKLM-x32\...\{34D3688E-A737-44C5-9E2A-FF73618728E1}) (Version: 1.02.03 - ASUSTeK Computer Inc.)
    Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.14.1.0 - Asmedia Technology)
    ATI Catalyst Install Manager (HKLM\...\{A39D1D51-E8DE-4B07-016D-73C232E1E1D8}) (Version: 3.0.825.0 - ATI Technologies, Inc.)
    BDAntiRansomware (HKLM\...\{BE40AB1F-558F-4434-B72F-461EF97E7796}_is1) (Version: 1.0.12.1 - Bitdefender)
    CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
    ESET NOD32 Antivirus (HKLM\...\{381258D4-0766-4E1B-BE3B-186E47CE4397}) (Version: 9.0.381.0 - ESET, spol. s r.o.)
    GWX Control Panel (HKLM-x32\...\UltimateOutsider_GwxControlPanel) (Version: - UltimateOutsider)
    HitmanPro.Alert 3 (HKLM\...\HitmanPro.Alert) (Version: 3.1.10.373 - SurfRight B.V.)
    JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.62.0 - JMicron Technology Corp.)
    Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
    Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
    MRU-Blaster v1.5 (Database 3.28.04) (HKLM-x32\...\MRU-Blaster_is1) (Version: 1.5 - BrightFort LLC)
    NETGEAR Genie (HKLM-x32\...\NETGEAR Genie) (Version: 2.4.15.07 - NETGEAR Inc.)
    Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
    Registry Backup and Restore (HKLM\...\Registry Backup and Restore_is1) (Version: - Acelogix)
    Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
    SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
    SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1218 - SUPERAntiSpyware.com)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {1409C08E-E440-4805-8EB0-E7F2B6E13332} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-24] (Adobe Systems Incorporated)
    Task: {2923ABB0-0A82-4325-95F0-9BC7D18B4D82} - System32\Tasks\ASUS\ASUS AI Suite II Execute => C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe [2010-11-26] (ASUSTeK Computer Inc.)
    Task: {2C446118-C822-4B8B-8455-4A24BF988573} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {4AC999A8-229B-40AD-81A1-E36BA02D258C} - System32\Tasks\ASUS\USB 3.0 Boost Service => C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr.exe [2011-09-09] ()
    Task: {B659F42C-3DE0-4D82-B01F-92E7E3A40E15} - System32\Tasks\ASUS\ASUS DigiVRM Help => C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe [2011-04-13] (ASUSTeK Computer Inc.)
    Task: {E1FC1A50-7798-44D3-B70F-AC0862BF9FA3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
    Task: {F840F41A-8D66-46F2-977D-A27E7FDC17D3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-05-13] (Piriform Ltd)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2011-06-13 04:36 - 2011-06-13 04:36 - 00922240 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    2010-12-01 22:15 - 2010-12-01 22:15 - 00915584 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    2016-05-19 22:38 - 2010-10-21 05:52 - 00586880 ____R () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    2016-05-19 22:37 - 2016-05-30 20:37 - 00033280 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.14\PEbiosinterface32.dll
    2016-05-19 22:37 - 2010-06-28 22:58 - 00104448 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\ATKEX.dll
    2016-05-19 22:42 - 2011-03-04 04:33 - 00053248 ____N () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\HookKey32.dll
    2016-05-19 22:42 - 2009-05-21 10:14 - 00253952 _____ () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\pngio.dll
    2016-05-30 02:15 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2016-05-30 02:15 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
    2016-05-30 02:15 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2016-05-30 02:15 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
    2016-05-30 02:15 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
    2016-05-19 22:38 - 2011-02-24 10:19 - 00143360 _____ () C:\Program Files (x86)\ASUS\AI Suite II\AssistFunc.dll
    2016-05-19 22:38 - 2010-06-21 15:21 - 00208896 _____ () C:\Program Files (x86)\ASUS\AI Suite II\ImageHelper.dll
    2016-05-19 22:38 - 2009-08-12 20:15 - 00253952 _____ () C:\Program Files (x86)\ASUS\AI Suite II\pngio.dll
    2016-05-19 22:38 - 2011-02-09 09:02 - 00873472 _____ () C:\Program Files (x86)\ASUS\AI Suite II\AI Charger+\AIChargerPlus.dll
    2016-05-19 22:39 - 2011-03-09 14:55 - 01036800 _____ () C:\Program Files (x86)\ASUS\AI Suite II\ASUS Update\Update.dll
    2016-05-19 22:38 - 2011-05-16 17:35 - 00965632 _____ () C:\Program Files (x86)\ASUS\AI Suite II\BarGadget\BarGadget.dll
    2016-05-19 22:41 - 2011-01-06 10:38 - 01027072 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Probe_II\ProbeII.dll
    2016-05-19 22:38 - 2011-05-20 09:12 - 00881152 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor\Sensor.dll
    2016-05-19 22:38 - 2011-04-07 17:33 - 01607168 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor Graph\SensorGraph.dll
    2016-05-19 22:38 - 2011-01-07 16:39 - 01246208 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Settings\Settings.dll
    2016-05-19 22:38 - 2010-08-06 18:11 - 00850944 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Splitter\Splitter.dll
    2016-05-19 22:38 - 2010-08-06 18:13 - 00886272 _____ () C:\Program Files (x86)\ASUS\AI Suite II\TabGadget\TabGadget.dll
    2016-05-19 22:37 - 2010-08-22 22:17 - 00662016 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMLib.dll
    2016-05-19 22:38 - 2010-06-21 15:21 - 00208896 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\ImageHelper.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
    IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
    IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
    IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
    IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
    IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
    IE restricted site: HKU\.DEFAULT\...\0scan.com -> scan.com
    IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
    IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
    IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
    IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
    IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
    IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
    IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
    IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
    IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
    IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
    IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
    IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
    IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

    There are 7902 more sites.

    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\007guard.com -> install.007guard.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\008i.com -> 008i.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\008k.com -> www.008k.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\00hq.com -> www.00hq.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\010402.com -> 010402.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0190-dialers.com -> 0190-dialers.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\01i.info -> 01i.info
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0411dd.com -> 0411dd.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0511zfhl.com -> 0511zfhl.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\05p.com -> 05p.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0632qyw.com -> 0632qyw.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0calories.net -> 0calories.net
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0cj.net -> 0cj.net
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0scan.com -> scan.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\1-2005-search.com -> www.1-2005-search.com

    There are 12719 more sites.


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 22:34 - 2016-05-30 02:34 - 00451815 ____R C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 scan.com
    127.0.0.1 0scan.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    127.0.0.1 10sek.com
    127.0.0.1 www.10sek.com
    127.0.0.1 www.1-2005-search.com
    127.0.0.1 1-2005-search.com
    127.0.0.1 123fporn.info
    127.0.0.1 www.123fporn.info
    127.0.0.1 www.123haustiereundmehr.com
    127.0.0.1 123haustiereundmehr.com
    127.0.0.1 123moviedownload.com
    127.0.0.1 www.123moviedownload.com

    There are 15530 more lines.


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 75.75.75.75 - 75.75.76.76
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\Services: BDESVC => 3
    MSCONFIG\Services: EFS => 3
    MSCONFIG\Services: ehRecvr => 3
    MSCONFIG\Services: ehSched => 3
    MSCONFIG\Services: IEEtwCollectorService => 3
    MSCONFIG\Services: pla => 3
    MSCONFIG\Services: RemoteRegistry => 3
    MSCONFIG\Services: SensrSvc => 3
    MSCONFIG\Services: SSDPSRV => 3
    MSCONFIG\Services: TabletInputService => 3
    MSCONFIG\Services: TapiSrv => 3
    MSCONFIG\Services: TBS => 3
    MSCONFIG\Services: TrkWks => 2
    MSCONFIG\Services: WbioSrvc => 3
    MSCONFIG\Services: WcsPlugInService => 3
    MSCONFIG\Services: Wecsvc => 3
    MSCONFIG\Services: WerSvc => 3
    MSCONFIG\Services: WMPNetworkSvc => 3
    MSCONFIG\Services: WPCSvc => 3
    MSCONFIG\startupreg: ASUS AiChargerPlus Execute => C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
    MSCONFIG\startupreg: NETGEARGenie => "C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" -mini -redirect

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{C6A1FA50-FDAD-4EAF-813C-E28A2CEF4524}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{FE7836D1-7D7B-41D8-96BC-6843DB27449F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [TCP Query User{3E26A3C8-1E39-459A-828F-80D3C4922A36}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
    FirewallRules: [UDP Query User{FC09A63A-C1E0-4C20-A4A4-0CD7771D0791}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    19-05-2016 22:30:59 Installed Realtek Ethernet Controller Driver
    19-05-2016 22:32:26 Installed Asmedia ASM104x USB 3.0 Host Controller Driver.
    19-05-2016 22:33:35 Windows Update
    19-05-2016 22:36:18 Installed JMicron JMB36X Driver
    19-05-2016 22:38:10 Installed AI Suite II
    19-05-2016 22:38:39 Installed Ai Charger+
    19-05-2016 22:39:07 Installed ASUS Update
    19-05-2016 22:39:47 Installed DIGI+ VRM
    19-05-2016 22:40:21 Installed EPU
    19-05-2016 22:40:55 Installed FAN Xpert
    19-05-2016 22:41:15 Installed Probe II
    19-05-2016 22:41:40 Installed System Information
    19-05-2016 22:42:25 Installed TurboV EVO
    19-05-2016 22:43:01 Installed USB 3.0 Boost
    20-05-2016 00:20:42 Windows Modules Installer
    21-05-2016 20:59:20 Device Driver Package Install: F-Secure Corporation Network adapters
    21-05-2016 21:14:06 Installed Microsoft Solution - 93689bb7-63fe-4fe7-8eec-97e93e07121f
    21-05-2016 21:22:45 Installed Microsoft Solution - 9c197371-07a7-43f6-9bff-a08e6f6be4e9
    22-05-2016 00:31:28 Windows Update
    22-05-2016 17:16:36 Installed Microsoft Solution - b1fd3df2-4787-461b-8de9-a16614dede1c
    22-05-2016 17:18:25 Windows Update
    22-05-2016 17:39:07 Windows Modules Installer
    22-05-2016 17:45:06 Restore Operation
    22-05-2016 17:52:43 Windows Update
    22-05-2016 23:53:52 Windows Update
    23-05-2016 02:25:11 Checkpoint by HitmanPro
    24-05-2016 17:15:21 Revo Uninstaller's restore point - Glary Utilities 5.51
    24-05-2016 20:53:31 Restore Point Created by FRST
    27-05-2016 02:00:41 Windows Modules Installer
    30-05-2016 02:07:39 Revo Uninstaller's restore point - GridinSoft Anti-Malware

    ==================== Faulty Device Manager Devices =============

    Name: ASUS DRW-24B1ST c SATA CdRom Device
    Description: CD-ROM Drive
    Class Guid: {4d36e965-e325-11ce-bfc1-08002be10318}
    Manufacturer: (Standard CD-ROM drives)
    Service: cdrom
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (05/30/2016 08:38:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 07:23:40 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 07:10:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 03:21:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/29/2016 11:58:20 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 46.0.1.5966, time stamp: 0x572818c9
    Faulting module name: mozglue.dll, version: 46.0.1.5966, time stamp: 0x572808c3
    Exception code: 0x80000003
    Fault offset: 0x0000efdc
    Faulting process id: 0x8b4
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (05/29/2016 10:32:51 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 46.0.1.5966, time stamp: 0x572818c9
    Faulting module name: mozglue.dll, version: 46.0.1.5966, time stamp: 0x572808c3
    Exception code: 0x80000003
    Fault offset: 0x0000efdc
    Faulting process id: 0xcdc
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (05/29/2016 08:28:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/29/2016 12:06:24 PM) (Source: SideBySide) (EventID: 80) (User: )
    Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
    A component version required by the application conflicts with another component version already active.
    Conflicting components are:.
    Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
    Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

    Error: (05/29/2016 12:05:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/28/2016 02:33:15 PM) (Source: ESENT) (EventID: 474) (User: )
    Description: wuaueng.dll (1076) SUS20ClientDataStore: The database page read from the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 358219776 (0x00000000155a0000) (database page wuaueng.dll0) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The expected checksum was [15e8ea17df66aca9:69979668e04a2adb:a6d6a6d6fa232abd:538a538a7fa72aa2] and the actual checksum was [15e8ea17d966aaa9:69979668e04a2adb:a0d6a0d6fa232abd:538a538a7fa72aa2]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.


    System errors:
    =============
    Error: (05/30/2016 08:38:08 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
    %%1068

    Error: (05/30/2016 08:38:01 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    %%1058

    Error: (05/30/2016 08:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 08:35:32 PM) (Source: DCOM) (EventID: 10010) (User: )
    Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

    Error: (05/30/2016 07:23:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
    %%1068

    Error: (05/30/2016 07:23:25 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    %%1058

    Error: (05/30/2016 07:23:17 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 07:20:53 PM) (Source: DCOM) (EventID: 10010) (User: )
    Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

    Error: (05/30/2016 07:20:01 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 07:16:32 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.


    CodeIntegrity:
    ===================================
    Date: 2016-05-24 10:40:25.445
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-24 10:40:25.429
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:10.013
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:09.998
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.120
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.104
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.349
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.333
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


    ==================== Memory info ===========================

    Processor: AMD FX(tm)-4100 Quad-Core Processor
    Percentage of memory in use: 49%
    Total physical RAM: 8137.36 MB
    Available physical RAM: 4099.2 MB
    Total Virtual: 16272.89 MB
    Available Virtual: 12484.52 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:931.29 GB) (Free:845.39 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

    Partition: GPT.

    ==================== End of Addition.txt ============================



    SALog:

    Result of Security Analysis by Rocket Grannie (x86) Updated: 24th May 2016
    Running from:C:\Users\TKRA7\Desktop (20:58:22 - 05/30/2016)
    ***---------------------------------------------------------***
    Microsoft Windows 7 Ultimate X64 Service Pack 1
    UAC is Enabled!
    Internet Explorer 11
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    ***-----------------Anti-Virus - Firewall-------------------***
    ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to Date)
    Windows Firewall is Enabled!
    Searching for any other Firewall
    *No other Firewall Installed*
    ***----------------AntiSpyware - Miscellaneous---------------***
    Adobe Flash Player Plugin (version 21.0.0.242)
    Java is not installed
    Adobe Flash Player ActiveX (version 21.0.0.242)
    CCleaner (version 5.17)
    HitmanPro (version 3)
    Malwarebytes Anti-Malware (version 2.2.1.1043)
    Mozilla Firefox (version 46)
    Spybot - Search & Destroy (version 2.4)
    SpywareBlaster (version 5.5)
    SUPERAntiSpyware (version 6)

    ***----------------Analysis Complete-------------------------***

    New ComboFix Log:

    ComboFix 16-05-31.01 - TKRA7 05/30/2016 21:03:11.6.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.4104 [GMT -4:00]
    Running from: c:\users\TKRA7\Downloads\Security Tools\Special Tools\ComboFix.exe
    AV: ESET NOD32 Antivirus 9.0.381.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
    SP: ESET NOD32 Antivirus 9.0.381.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\Packet.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-28 to 2016-05-31 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-31 01:07 . 2016-05-31 01:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-05-30 23:15 . 2016-05-30 23:15 -------- d-----w- c:\program files\ESET
    2016-05-30 06:19 . 2016-05-30 06:19 -------- d-----w- c:\program files\Common Files\AV
    2016-05-30 06:15 . 2013-09-20 14:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe
    2016-05-30 06:15 . 2016-05-30 06:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2016-05-30 06:15 . 2016-05-30 06:30 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2016-05-30 06:04 . 2016-05-30 06:04 -------- d-----w- c:\program files (x86)\MRU-Blaster
    2016-05-29 16:21 . 2016-05-29 16:21 43608 ----a-w- c:\windows\system32\drivers\ERKRmvrDrv.sys
    2016-05-29 16:06 . 2016-05-29 16:06 115008 ----a-w- c:\windows\SysWow64\drivers\efavdrv.sys
    2016-05-27 20:38 . 2016-05-27 20:38 -------- d-----w- c:\windows\RegBak
    2016-05-27 19:49 . 2016-05-27 19:49 -------- d-----w- c:\program files\Acelogix
    2016-05-26 21:28 . 2016-05-26 21:28 369168 ----a-w- c:\windows\system32\wpcap.dll
    2016-05-26 21:28 . 2016-05-26 21:28 35344 ----a-w- c:\windows\system32\drivers\npf.sys
    2016-05-26 21:28 . 2016-05-26 21:28 106000 ----a-w- c:\windows\system32\packet.dll
    2016-05-26 21:28 . 2016-05-26 21:28 -------- d-----w- c:\program files (x86)\NETGEAR Genie
    2016-05-25 07:07 . 2016-05-25 07:07 -------- d-----w- c:\programdata\MicroWorld
    2016-05-25 00:25 . 2016-05-25 00:47 -------- d---a-w- C:\cce_linux
    2016-05-24 22:26 . 2016-05-30 23:10 -------- d-----w- c:\program files (x86)\HitmanPro.Alert
    2016-05-24 22:26 . 2016-05-30 19:22 825040 ----a-w- c:\windows\system32\hmpalert.dll
    2016-05-24 22:26 . 2016-05-30 19:22 753872 ----a-w- c:\windows\SysWow64\hmpalert.dll
    2016-05-24 22:26 . 2016-05-30 19:22 84520 ----a-w- c:\windows\system32\drivers\hmpnet.sys
    2016-05-24 22:26 . 2016-05-30 19:22 175472 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2016-05-24 21:14 . 2016-05-24 21:54 -------- d-----w- c:\program files (x86)\Glarysoft
    2016-05-24 21:11 . 2016-05-24 21:11 -------- d-----w- c:\program files (x86)\VS Revo Group
    2016-05-24 20:29 . 2016-05-31 01:10 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-05-24 20:29 . 2016-05-24 20:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2016-05-24 20:29 . 2016-03-10 18:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
    2016-05-24 20:29 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2016-05-24 20:29 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
    2016-05-24 18:03 . 2016-05-24 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2016-05-24 18:03 . 2016-05-24 18:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2016-05-24 14:26 . 2016-05-31 00:47 -------- d-----w- C:\FRST
    2016-05-23 06:25 . 2016-05-23 06:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2016-05-23 06:00 . 2016-05-27 16:28 -------- d-----w- c:\windows\CryptoGuard
    2016-05-23 06:00 . 2016-05-23 06:25 -------- d-----w- c:\programdata\HitmanPro
    2016-05-23 05:50 . 2016-05-23 05:50 -------- d-----w- c:\programdata\Licenses
    2016-05-23 05:50 . 2012-05-02 16:17 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2016-05-23 05:50 . 2009-03-24 17:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
    2016-05-23 05:50 . 2016-05-23 05:51 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2016-05-23 00:28 . 2016-05-23 00:28 -------- d-----w- C:\AdwCleaner
    2016-05-22 21:53 . 2016-05-23 06:27 -------- d-----w- c:\program files (x86)\Trojan Remover
    2016-05-22 21:53 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
    2016-05-22 21:53 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
    2016-05-22 21:53 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
    2016-05-22 21:53 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
    2016-05-22 21:53 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
    2016-05-22 21:53 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
    2016-05-22 21:52 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
    2016-05-22 21:52 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2016-05-22 21:45 . 2016-05-22 21:45 -------- d-----w- C:\inetpub
    2016-05-22 20:58 . 2016-05-22 20:58 -------- d-----w- c:\programdata\WinaeroTweaker
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\windows\Migration
    2016-05-22 16:52 . 2016-05-22 17:00 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2016-05-22 16:50 . 2016-05-24 20:29 -------- d-----w- c:\programdata\Malwarebytes
    2016-05-22 16:50 . 2016-05-22 16:50 -------- d-----w- c:\program files\Malwarebytes
    2016-05-22 09:51 . 2016-05-23 01:03 -------- d-----w- c:\windows\Microsoft Antimalware
    2016-05-22 00:59 . 2016-05-22 00:59 36320 ----a-w- c:\windows\system32\drivers\fsfreedometap.sys
    2016-05-22 00:49 . 2016-05-22 00:49 -------- d-----w- c:\program files\CCleaner
    2016-05-21 12:29 . 2016-05-21 12:29 -------- d-----w- c:\programdata\Trend Micro
    2016-05-21 12:24 . 2016-05-21 12:24 -------- d-----w- c:\programdata\Bitdefender Agent
    2016-05-21 12:16 . 2016-05-22 01:29 -------- d-----w- c:\programdata\F-Secure
    2016-05-21 12:15 . 2016-05-21 12:15 -------- d-----w- c:\programdata\Norton
    2016-05-21 12:15 . 2016-05-22 21:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-05-21 05:47 . 2016-05-21 05:47 -------- d-----w- c:\program files (x86)\UltimateOutsider
    2016-05-21 05:34 . 2014-12-30 17:31 7039960 ----a-w- c:\windows\SysWow64\ZALSDKCore.dll
    2016-05-20 05:30 . 2016-05-23 10:07 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
    2016-05-20 04:54 . 2016-05-25 01:23 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-05-20 04:54 . 2016-05-25 01:23 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-05-20 04:54 . 2016-05-20 04:54 -------- d-----w- c:\windows\system32\Macromed
    2016-05-20 04:42 . 2016-05-20 04:42 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2016-05-20 04:40 . 2015-11-05 19:00 143904 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
    2016-05-20 04:40 . 2016-05-26 12:19 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
    2016-05-20 04:26 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
    2016-05-20 04:22 . 2016-05-20 04:22 878080 ----a-w- c:\windows\system32\advapi32.dll
    2016-05-20 04:21 . 2016-05-20 04:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 03:32 . 2016-05-20 03:32 -------- d-----w- c:\program files\Bitdefender
    2016-05-20 02:58 . 2016-05-20 02:58 -------- d-----w- c:\programdata\ASUS OC Profiles
    2016-05-20 02:56 . 2016-05-20 02:56 0 ----a-w- c:\windows\ativpsrm.bin
    2016-05-20 02:55 . 2016-05-20 02:55 -------- d-----w- c:\programdata\GridinSoft
    2016-05-20 02:51 . 2011-05-24 15:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2016-05-20 02:51 . 2011-05-24 14:19 58880 ----a-w- c:\windows\system32\coinst.dll
    2016-05-20 02:43 . 2016-05-20 02:43 -------- d-----w- c:\program files\ASUS
    2016-05-20 02:42 . 2016-05-20 02:42 -------- d-----w- c:\windows\SysWow64\Macromed
    2016-05-20 02:38 . 2010-11-08 18:57 14464 ----a-w- c:\windows\system32\drivers\AiChargerPlus.sys
    2016-05-20 02:38 . 2008-12-03 00:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
    2016-05-20 02:37 . 2016-05-20 02:37 -------- d-----w- c:\programdata\ASUS
    2016-05-20 02:37 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\ASUS
    2016-05-20 02:37 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
    2016-05-20 02:37 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
    2016-05-20 02:37 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
    2016-05-20 02:36 . 2009-07-14 01:15 315904 ----a-w- c:\windows\SysWow64\Difxd825.rra
    2016-05-20 02:36 . 2010-11-25 03:27 120408 ----a-w- c:\windows\system32\drivers\jraid.sys
    2016-05-20 02:36 . 2016-05-20 02:36 -------- d-----w- c:\windows\RaidTool
    2016-05-20 02:36 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files (x86)\AMD APP
    2016-05-20 02:35 . 2016-05-20 02:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-05-20 02:35 . 2010-12-16 03:06 47232 ----a-r- c:\windows\system32\drivers\usbfilter.sys
    2016-05-20 02:35 . 2011-03-04 18:46 78976 ----a-w- c:\windows\system32\drivers\amd_sata.sys
    2016-05-20 02:35 . 2011-03-04 18:46 38528 ----a-w- c:\windows\system32\drivers\amd_xata.sys
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files\ATI
    2016-05-20 02:34 . 2016-05-20 02:34 -------- d-----w- c:\program files\ATI Technologies
    2016-05-20 02:34 . 2016-05-20 02:34 16896 ----a-w- c:\windows\AsTaskSched.dll
    2016-05-20 02:33 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2016-05-20 02:32 . 2016-05-20 02:32 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2016-05-20 02:32 . 2016-05-30 23:16 -------- d-sh--w- c:\windows\Installer
    2016-05-20 02:31 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
    2016-05-20 02:31 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2016-05-20 02:31 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2016-05-20 02:31 . 2016-05-20 02:31 -------- d-----w- c:\program files (x86)\Realtek
    2016-05-20 02:31 . 2016-05-20 02:43 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-12 14:48 . 2016-05-12 14:48 264552 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2016-05-12 14:48 . 2016-05-12 14:48 199680 ----a-w- c:\windows\system32\drivers\edevmon.sys
    2016-05-12 14:48 . 2016-05-12 14:48 186784 ----a-w- c:\windows\system32\drivers\ehdrv.sys
    2016-05-12 14:48 . 2016-05-12 14:48 170792 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys;c:\windows\SYSNATIVE\drivers\efavdrv.sys [x]
    R3 ERmvrDrv;ESET standalone malware removal tool kernel-mode driver;c:\windows\system32\drivers\ERKRmvrDrv.sys;c:\windows\SYSNATIVE\drivers\ERKRmvrDrv.sys [x]
    R3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R4 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S0 edevmon;edevmon;c:\windows\system32\DRIVERS\edevmon.sys;c:\windows\SYSNATIVE\DRIVERS\edevmon.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 hmpnet;HitmanPro.Alert Network Driver;c:\windows\system32\drivers\hmpnet.sys;c:\windows\SYSNATIVE\drivers\hmpnet.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2016-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-20 01:23]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = https://duckduckgo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = localhost:21320
    Trusted Zone: eset.com\help
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\.Default\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.21"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
    c:\program files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
    c:\program files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
    c:\program files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
    c:\program files (x86)\Malwarebytes Anti-Malware\mbam.exe
    c:\program files (x86)\ASUS\AI Suite II\AI Suite II.exe
    c:\program files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
    .
    **************************************************************************
    .
    Completion time: 2016-05-30 21:13:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2016-05-31 01:13
    ComboFix2.txt 2016-05-26 00:47
    ComboFix3.txt 2016-05-25 02:27
    ComboFix4.txt 2016-05-24 20:47
    ComboFix5.txt 2016-05-26 03:28
    .
    Pre-Run: 909,864,939,520 bytes free
    Post-Run: 909,607,804,928 bytes free
    .
    - - End Of File - - 2820F903117C1028AB0719B395BFC2DA
    A36C5E4F47E84449FF07ED3517B43A31

    JRT Log:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.6 (04.25.2016)
    Operating System: Windows 7 Ultimate x64
    Ran by TKRA7 (Administrator) on Tue 05/31/2016 at 0:52:00.01
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 9

    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2620QEGF (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B0GJMXH (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EVFNJWM2 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3YURF3L (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\prefetch\ANTILOGGER FREE.EXE-DB9C5B5E.pf (File)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2620QEGF (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B0GJMXH (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EVFNJWM2 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3YURF3L (Temporary Internet Files Folder)



    Registry: 0

    AVZ AntiViral Toolkit Scan Log:

    AVZ Antiviral Toolkit log; AVZ version is 4.46
    Scanning started at 31.05.2016 01:44:30
    Database loaded: signatures - 297569, NN profile(s) - 2, malware removal microprograms - 56, signature database released 31.05.2016 04:00
    Heuristic microprograms loaded: 408
    PVS microprograms loaded: 10
    Digital signatures of system files loaded: 802091
    Heuristic analyzer mode: Maximum heuristics mode
    Malware removal mode: enabled
    Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate", install date 19.05.2016 21:25:08 ; AVZ is run with administrator rights (+)
    System Restore: enabled
    1. Searching for Rootkits and other software intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Function kernel32.dll:CreateProcessInternalW (170) intercepted, method - APICodeHijack.JmpTo[749FC836]
    >>> Rootkit code in function CreateProcessInternalW blocked
    Analysis: ntdll.dll, export table found in section .text
    Function ntdll.dll:KiUserExceptionDispatcher (112) intercepted, method - APICodeHijack.JmpTo[74A430B6]
    >>> Rootkit code in function KiUserExceptionDispatcher blocked
    Function ntdll.dll:LdrLoadDll (137) intercepted, method - APICodeHijack.JmpTo[749FC416]
    >>> Rootkit code in function LdrLoadDll blocked
    Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[749FB316]
    >>> Rootkit code in function NtAllocateVirtualMemory blocked
    Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[749FB6B6]
    >>> Rootkit code in function NtFreeVirtualMemory blocked
    Function ntdll.dll:NtMapViewOfSection (349) intercepted, method - APICodeHijack.JmpTo[749FBF26]
    >>> Rootkit code in function NtMapViewOfSection blocked
    Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[749FB7C6]
    >>> Rootkit code in function NtProtectVirtualMemory blocked
    Function ntdll.dll:NtUnmapViewOfSection (566) intercepted, method - APICodeHijack.JmpTo[749FC326]
    >>> Rootkit code in function NtUnmapViewOfSection blocked
    Analysis: user32.dll, export table found in section .text
    Function user32.dll:GetMessageA (1854) intercepted, method - APICodeHijack.JmpTo[74A0DBC6]
    >>> Rootkit code in function GetMessageA blocked
    Function user32.dll:GetMessageW (1858) intercepted, method - APICodeHijack.JmpTo[74A0DC56]
    >>> Rootkit code in function GetMessageW blocked
    Function user32.dll:PeekMessageA (2075) intercepted, method - APICodeHijack.JmpTo[74A0DAA6]
    >>> Rootkit code in function PeekMessageA blocked
    Function user32.dll:PeekMessageW (2076) intercepted, method - APICodeHijack.JmpTo[74A0DB36]
    >>> Rootkit code in function PeekMessageW blocked
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    2. Scanning RAM
    Number of processes found: 13
    Number of modules loaded: 170
    Scanning RAM - complete
    3. Scanning disks
    Direct reading: C:\Qoobox\BackEnv\SetPath.bat
    Direct reading: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
    C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill.com - PE file with modified extension that still lets run it (it is often typical for viruses)(dangerousness level is 35%)
    File quarantined succesfully (C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill.com)
    C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill64.com - PE file with modified extension that still lets run it (it is often typical for viruses)(dangerousness level is 35%)
    File quarantined succesfully (C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill64.com)
    4. Checking Winsock Layered Service Provider (SPI/LSP)
    LSP settings checked. No errors detected
    5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
    C:\Windows\SysWOW64\hmpalert.dll --> Suspicion for Keylogger or Trojan DLL
    C:\Windows\SysWOW64\hmpalert.dll>>> Behaviour analysis
    Behaviour typical for keyloggers was not detected
    File quarantined succesfully (C:\Windows\SysWOW64\hmpalert.dll)
    Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    6. Searching for opened TCP/UDP ports used by malicious software
    In the database 317 port descriptions
    Opened at this PC: 12 TCP ports and 6 UDP ports
    Checking - complete; no suspicious ports detected
    7. Heuristic system check
    Checking - complete
    8. Searching for vulnerabilities
    >> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    >> Security: disk drives' autorun is enabled
    >> Security: administrative shares (C$, D$ ...) are enabled
    >> Security: anonymous user access is enabled
    >> Windows Explorer - show extensions of known file types
    Checking - complete
    9. Troubleshooting wizard
    >> Abnormal SCR files association
    >> HDD autorun is allowed
    >> Network drives autorun is allowed
    >> Removable media autorun is allowed
    Checking - complete
    Files scanned: 45401, extracted from archives: 24006, malicious software found 0, suspicions - 0
    Scanning finished at 31.05.2016 01:47:59
    Time of scanning: 00:03:31
    If you have a suspicion on presence of viruses or questions on the suspected objects,
    you can address http://forum.kaspersky.com/index.php?showforum=19
    For automatic scanning of files from the AVZ quarantine you can use the service http://virusdetector.ru/
  15. #35
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    I ran some new scans of FRST, RGSA, and ComboFix, as well as a scan with JRT from Malwarebytes and the latest version of AVZ Antiviral Toolkit from Kaspersky (which revealed some odd-looking rootkit detections once it completed its scan). I've posted the results of the FRST & RGSA scans below first and will include the ComboFix, JRT and AVZ results in subsequent posts...

    New FRST Scan Results:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-05-2016
    Ran by TKRA7 (administrator) on TKRA7-PC (30-05-2016 20:44:38)
    Running from C:\Users\TKRA7\Desktop
    Loaded Profiles: TKRA7 (Available Profiles: TKRA7)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    (AMD) C:\Windows\System32\atiesrxx.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
    () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr64.exe
    (ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    BootExecute: autocheck autochk * sdnclean64.exe
    GroupPolicyScripts: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    ProxyEnable: [S-1-5-21-2205198338-1926017667-846148581-1000] => Proxy is enabled.
    ProxyServer: [S-1-5-21-2205198338-1926017667-846148581-1000] => localhost:21320
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    Tcpip\..\Interfaces\{C9558C5F-54E7-41D5-A78D-1AC2DCD6718F}: [DhcpNameServer] 75.75.75.75 75.75.76.76
    ManualProxies: 1localhost:21320

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://duckduckgo.com/

    FireFox:
    ========
    FF ProfilePath: C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default
    FF Homepage: hxxps://duckduckgo.com/
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-20] ()
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-20] ()
    FF Extension: HTTPS-Everywhere - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\https-everywhere@eff.org [2016-05-20]
    FF Extension: NoScript - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-05-20]
    FF Extension: Bitdefender QuickScan - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-05-21]
    FF Extension: YouTube Auto Replay - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\YouTubeAutoReplay@arikv.com.xpi [2016-05-22]
    FF Extension: WOT - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-05-27]
    FF Extension: Privacy Badger - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-05-20]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
    R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [922240 2011-06-13] ()
    R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [915584 2010-12-01] ()
    R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
    R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2519904 2016-04-13] (ESET)
    R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4397896 2016-05-30] (SurfRight B.V.)
    R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
    R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
    S3 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [232192 2016-03-09] (NETGEAR)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R0 AiChargerPlus; C:\Windows\System32\DRIVERS\AiChargerPlus.sys [14464 2010-11-08] (ASUSTek Computer Inc.)
    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
    R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
    R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
    R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [264552 2016-05-12] (ESET)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [199680 2016-05-12] (ESET)
    S3 efavdrv; C:\Windows\SysWOW64\drivers\efavdrv.sys [115008 2016-05-29] (ESET)
    R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [186784 2016-05-12] (ESET)
    R2 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [170792 2016-05-12] (ESET)
    S3 ERmvrDrv; C:\Windows\system32\drivers\ERKRmvrDrv.sys [43608 2016-05-29] (ESET spol. s r.o.)
    R3 hmpalert; C:\Windows\system32\drivers\hmpalert.sys [175472 2016-05-30] (SurfRight B.V.)
    R3 hmpnet; C:\Windows\system32\drivers\hmpnet.sys [84520 2016-05-30] (SurfRight B.V.)
    S3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [143904 2015-11-05] (Zemana Ltd.)
    R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-30] (Malwarebytes)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
    R2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2016-05-26] (CACE Technologies, Inc.)
    R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-30 20:44 - 2016-05-30 20:44 - 00010235 _____ C:\Users\TKRA7\Desktop\FRST.txt
    2016-05-30 20:37 - 2016-05-30 20:37 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
    2016-05-30 20:26 - 2016-05-30 20:27 - 07119782 _____ C:\Users\TKRA7\Desktop\eav_logs.zip
    2016-05-30 19:41 - 2016-05-30 19:41 - 00913608 _____ (ESET) C:\Users\TKRA7\Downloads\ESETLogCollector_enu.exe
    2016-05-30 19:15 - 2016-05-30 19:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
    2016-05-30 19:15 - 2016-05-30 19:15 - 00000000 ____D C:\Program Files\ESET
    2016-05-30 19:00 - 2016-05-30 19:15 - 00000000 ____D C:\ProgramData\ESET
    2016-05-30 15:21 - 2016-05-30 15:21 - 00016384 _____ C:\Windows\SysWOW64\p��
    2016-05-30 02:57 - 2016-05-30 02:57 - 00000000 ____D C:\Users\TKRA7\Documents\ProcAlyzer Dumps
    2016-05-30 02:34 - 2016-05-24 10:40 - 00000027 _____ C:\Windows\system32\Drivers\etc\hosts.20160530-023429.backup
    2016-05-30 02:19 - 2016-05-30 02:19 - 00000000 ____D C:\Program Files\Common Files\AV
    2016-05-30 02:15 - 2016-05-30 02:30 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2016-05-30 02:15 - 2016-05-30 02:24 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2016-05-30 02:15 - 2016-05-30 02:15 - 00001391 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2016-05-30 02:15 - 2016-05-30 02:15 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
    2016-05-30 02:15 - 2016-05-30 02:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2016-05-30 02:15 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
    2016-05-30 02:04 - 2016-05-30 02:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MRU-Blaster
    2016-05-30 02:04 - 2016-05-30 02:04 - 00000000 ____D C:\Program Files (x86)\MRU-Blaster
    2016-05-30 00:23 - 2016-05-30 00:23 - 00003458 _____ C:\Users\TKRA7\Desktop\Forum Response RE_Google and Privacy_5-30-16.txt
    2016-05-29 12:48 - 2016-05-30 20:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
    2016-05-29 12:48 - 2016-05-29 12:48 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2016-05-29 12:21 - 2016-05-29 12:21 - 00043608 _____ (ESET spol. s r.o.) C:\Windows\system32\Drivers\ERKRmvrDrv.sys
    2016-05-29 12:06 - 2016-05-29 12:06 - 00115008 _____ (ESET) C:\Windows\SysWOW64\Drivers\efavdrv.sys
    2016-05-27 16:44 - 2016-05-29 13:38 - 44972877 _____ C:\Users\TKRA7\Desktop\RegBak.zip
    2016-05-27 16:38 - 2016-05-27 16:38 - 00000000 ____D C:\Windows\RegBak
    2016-05-27 16:36 - 2016-05-27 16:38 - 00000078 _____ C:\Windows\system32\TKRA7-PC.Windows 7 Ultimate, 64-bit Service Pack 1 (build 7601).txt
    2016-05-27 16:36 - 2016-05-27 16:36 - 00005348 _____ C:\Users\TKRA7\Desktop\REGRES.INI
    2016-05-27 16:36 - 2016-05-27 16:36 - 00004142 _____ C:\Users\TKRA7\Desktop\REGRES.CMD
    2016-05-27 16:36 - 2016-05-27 16:36 - 00000000 ____D C:\Users\TKRA7\Desktop\Windows
    2016-05-27 15:49 - 2016-05-27 15:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Backup and Restore
    2016-05-27 15:49 - 2016-05-27 15:49 - 00000000 ____D C:\Program Files\Acelogix
    2016-05-27 14:46 - 2016-05-27 14:47 - 01118208 _____ C:\Users\TKRA7\Documents\Security2.evtx
    2016-05-27 14:42 - 2016-05-27 14:42 - 00000554 _____ C:\Users\TKRA7\Desktop\New Scan of RegEdit_5-27-16.txt
    2016-05-27 03:02 - 2016-05-27 03:02 - 00000000 ____D C:\Users\TKRA7\AppData\LocalLow\Temp
    2016-05-27 02:59 - 2016-05-27 14:47 - 00000000 ____D C:\Users\TKRA7\Documents\LocaleMetaData
    2016-05-27 02:59 - 2016-05-27 02:59 - 01118208 _____ C:\Users\TKRA7\Documents\Security.evtx
    2016-05-26 17:29 - 2016-05-30 18:47 - 00000000 ____D C:\Users\TKRA7\AppData\Local\NETGEARGenie
    2016-05-26 17:28 - 2016-05-26 17:28 - 00369168 _____ (CACE Technologies, Inc.) C:\Windows\system32\wpcap.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00281104 _____ (CACE Technologies, Inc.) C:\Windows\SysWOW64\wpcap.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00106000 _____ (CACE Technologies, Inc.) C:\Windows\system32\packet.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00096784 _____ (CACE Technologies, Inc.) C:\Windows\SysWOW64\packet.dll
    2016-05-26 17:28 - 2016-05-26 17:28 - 00035344 _____ (CACE Technologies, Inc.) C:\Windows\system32\Drivers\npf.sys
    2016-05-26 17:28 - 2016-05-26 17:28 - 00002062 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR Genie.lnk
    2016-05-26 17:28 - 2016-05-26 17:28 - 00002050 _____ C:\Users\Public\Desktop\NETGEAR Genie.lnk
    2016-05-26 17:28 - 2016-05-26 17:28 - 00000000 ____D C:\Program Files (x86)\NETGEAR Genie
    2016-05-26 13:48 - 2016-05-30 18:59 - 00000000 ____D C:\Users\TKRA7\Downloads\Word Docs
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Downloads\WorkPlaceSafety
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Text + Htm Files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Lentil Soup with Ground Beef and Brown Rice Recipe _ Yummly_files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\HTC
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\EmpMeal
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Backup Files
    2016-05-26 13:48 - 2016-05-26 13:48 - 00000000 ____D C:\Users\TKRA7\Documents\Amazon MP3
    2016-05-26 13:46 - 2016-05-26 13:46 - 00000000 ____D C:\Users\TKRA7\Downloads\Wallpapers
    2016-05-26 13:46 - 2016-05-26 13:46 - 00000000 ____D C:\Users\TKRA7\Downloads\Uninstallers
    2016-05-26 13:41 - 2016-05-30 02:12 - 00000000 ____D C:\Users\TKRA7\Downloads\SECURITY
    2016-05-26 13:41 - 2016-05-26 13:41 - 00000000 ____D C:\Users\TKRA7\Downloads\PRINTER
    2016-05-26 13:40 - 2016-05-26 13:41 - 00000000 ____D C:\Users\TKRA7\Downloads\Portable Flash Apps
    2016-05-26 13:40 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\PDF's
    2016-05-26 13:40 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\MP3
    2016-05-26 13:39 - 2016-05-26 13:40 - 00000000 ____D C:\Users\TKRA7\Downloads\Linux
    2016-05-26 13:39 - 2016-05-26 13:39 - 00000000 ____D C:\Users\TKRA7\Downloads\JWL
    2016-05-26 13:34 - 2016-05-30 02:12 - 00000000 ____D C:\Users\TKRA7\Downloads\HTML & WEB DOCS
    2016-05-26 13:34 - 2016-05-26 13:38 - 00000000 ____D C:\Users\TKRA7\Downloads\ISO Files
    2016-05-26 13:34 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\INVOICES
    2016-05-26 13:34 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\HTC
    2016-05-26 13:33 - 2016-05-30 18:59 - 00000000 ____D C:\Users\TKRA7\Downloads\Games
    2016-05-26 13:33 - 2016-05-28 01:25 - 00000000 ____D C:\Users\TKRA7\Downloads\Consumer Issues
    2016-05-26 13:33 - 2016-05-26 13:34 - 00000000 ____D C:\Users\TKRA7\Downloads\Hardware Tools
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\FLV Files
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Fix it portable
    2016-05-26 13:33 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Comcast
    2016-05-26 13:32 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\BOOT & RECOVERY
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BIBLE SCHEDULE_files
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Bible Downloads
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BCEC
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\BACKUP
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Android
    2016-05-26 13:32 - 2016-05-26 13:32 - 00000000 ____D C:\Users\TKRA7\Downloads\Amazon
    2016-05-26 08:33 - 2016-05-26 08:33 - 00016384 _____ C:\Windows\SysWOW64\�p
    2016-05-25 20:28 - 2016-05-25 20:28 - 00001563 _____ C:\Users\TKRA7\Desktop\ComboFix.lnk
    2016-05-25 03:07 - 2016-05-25 03:07 - 00000000 ____D C:\ProgramData\MicroWorld
    2016-05-24 20:50 - 2016-05-24 20:50 - 02383360 _____ (Farbar) C:\Users\TKRA7\Desktop\FRST64.exe
    2016-05-24 20:25 - 2016-05-24 20:47 - 00000000 ____D C:\cce_linux
    2016-05-24 18:26 - 2016-05-30 19:10 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
    2016-05-24 18:26 - 2016-05-30 15:22 - 00825040 _____ (SurfRight B.V.) C:\Windows\system32\hmpalert.dll
    2016-05-24 18:26 - 2016-05-30 15:22 - 00753872 _____ (SurfRight B.V.) C:\Windows\SysWOW64\hmpalert.dll
    2016-05-24 18:26 - 2016-05-30 15:22 - 00175472 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpalert.sys
    2016-05-24 18:26 - 2016-05-30 15:22 - 00084520 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpnet.sys
    2016-05-24 18:26 - 2016-05-24 18:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
    2016-05-24 17:27 - 2016-05-24 17:27 - 00001021 _____ C:\Users\TKRA7\Documents\Response to GlarySoft Ltd_RE_Uninstall.txt
    2016-05-24 17:14 - 2016-05-24 17:54 - 00000000 ____D C:\Program Files (x86)\Glarysoft
    2016-05-24 17:14 - 2016-05-24 17:24 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\GlarySoft
    2016-05-24 17:14 - 2016-05-24 17:14 - 00000539 _____ C:\GUDownLoaddebug.txt
    2016-05-24 17:14 - 2016-05-24 17:14 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\DiskDefrag
    2016-05-24 17:11 - 2016-05-24 17:11 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
    2016-05-24 17:11 - 2016-05-24 17:11 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
    2016-05-24 16:29 - 2016-05-30 20:38 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2016-05-24 16:29 - 2016-05-24 16:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2016-05-24 16:29 - 2016-05-24 16:29 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
    2016-05-24 16:29 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2016-05-24 16:29 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
    2016-05-24 16:29 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
    2016-05-24 14:04 - 2016-05-24 14:04 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\SUPERAntiSpyware.com
    2016-05-24 14:04 - 2016-05-24 14:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    2016-05-24 14:03 - 2016-05-24 14:04 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
    2016-05-24 14:03 - 2016-05-24 14:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
    2016-05-24 13:29 - 2016-05-24 13:29 - 00016384 _____ C:\Windows\SysWOW64\X�Y
    2016-05-24 10:36 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
    2016-05-24 10:36 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
    2016-05-24 10:36 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
    2016-05-24 10:33 - 2016-05-25 23:33 - 00000000 ____D C:\Qoobox
    2016-05-24 10:33 - 2016-05-24 10:41 - 00000000 ____D C:\Windows\erdnt
    2016-05-24 10:26 - 2016-05-30 20:44 - 00000000 ____D C:\FRST
    2016-05-24 10:20 - 2016-05-24 10:20 - 00898560 _____ C:\Users\TKRA7\Desktop\RGSA.exe
    2016-05-23 02:38 - 2016-05-23 02:39 - 00000000 ____D C:\Users\TKRA7\Downloads\Pics
    2016-05-23 02:25 - 2016-05-23 02:25 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
    2016-05-23 02:00 - 2016-05-30 20:37 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
    2016-05-23 02:00 - 2016-05-27 12:28 - 00000000 ____D C:\Windows\CryptoGuard
    2016-05-23 02:00 - 2016-05-23 02:25 - 00000000 ____D C:\ProgramData\HitmanPro
    2016-05-23 01:50 - 2016-05-24 17:10 - 00000000 ____D C:\ProgramData\TEMP
    2016-05-23 01:50 - 2016-05-23 01:51 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
    2016-05-23 01:50 - 2016-05-23 01:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
    2016-05-23 01:50 - 2012-05-02 12:17 - 01070152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2016-05-23 01:50 - 2009-03-24 13:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL
    2016-05-22 23:12 - 2016-05-22 23:12 - 00000000 ____D C:\Users\TKRA7\AppData\Local\niemiro
    2016-05-22 22:57 - 2016-05-22 22:57 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Fortres Grand
    2016-05-22 20:28 - 2016-05-22 20:28 - 00000000 ____D C:\AdwCleaner
    2016-05-22 17:53 - 2016-05-23 02:27 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BDAntiRansomware
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\Program Files\Bitdefender
    2016-05-19 23:30 - 2016-05-30 02:11 - 00000000 ____D C:\Users\TKRA7\Downloads\Windows
    2016-05-19 23:30 - 2016-05-26 13:33 - 00000000 ____D C:\Users\TKRA7\Downloads\Browsers
    2016-05-19 23:30 - 2016-05-26 08:16 - 00000000 ____D C:\Users\TKRA7\Downloads\Security Tools
    2016-05-19 23:23 - 2016-05-19 23:23 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Macromedia
    2016-05-19 23:09 - 2016-05-19 23:09 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Adobe
    2016-05-19 22:58 - 2016-05-19 22:58 - 00000000 ____D C:\ProgramData\ASUS OC Profiles
    2016-05-19 22:56 - 2016-05-19 22:56 - 00000000 _____ C:\Windows\ativpsrm.bin
    2016-05-19 22:55 - 2016-05-19 22:55 - 00000000 ____D C:\ProgramData\GridinSoft
    2016-05-19 22:51 - 2011-05-24 11:08 - 00166624 _____ C:\Windows\system32\atiapfxx.blb
    2016-05-19 22:51 - 2011-05-24 11:04 - 00462848 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
    2016-05-19 22:51 - 2011-05-24 10:19 - 00058880 _____ (AMD) C:\Windows\system32\coinst.dll
    2016-05-19 22:51 - 2011-05-18 16:13 - 00032635 _____ C:\Windows\atiogl.xml
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\SysWOW64\atipblag.dat
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\system32\atipblag.dat
    2016-05-19 22:49 - 2016-05-19 22:49 - 00001266 _____ C:\Users\TKRA7\Desktop\Windows Update.lnk
    2016-05-19 22:43 - 2016-05-19 22:43 - 00000000 ____D C:\Program Files\ASUS
    2016-05-19 22:42 - 2016-05-19 22:42 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2016-05-19 22:38 - 2016-05-19 22:43 - 00000000 ____D C:\Windows\System32\Tasks\ASUS
    2016-05-19 22:38 - 2016-05-19 22:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS
    2016-05-19 22:38 - 2010-11-08 14:57 - 00014464 _____ (ASUSTek Computer Inc.) C:\Windows\system32\Drivers\AiChargerPlus.sys
    2016-05-19 22:38 - 2008-12-02 20:05 - 00184320 _____ (ASUSTeK) C:\Windows\SysWOW64\Drivers\UpdateHelper.dll
    2016-05-19 22:37 - 2016-05-19 22:38 - 00000000 ____D C:\Program Files (x86)\ASUS
    2016-05-19 22:37 - 2016-05-19 22:37 - 00000000 ____D C:\ProgramData\ASUS
    2016-05-19 22:37 - 2010-08-24 03:16 - 00013440 ____R C:\Windows\SysWOW64\Drivers\AsIO.sys
    2016-05-19 22:37 - 2010-06-29 03:41 - 00028672 ____R (ASUSTek Computer Inc.) C:\Windows\SysWOW64\AsIO.dll
    2016-05-19 22:37 - 2008-01-04 01:34 - 00011832 ____N C:\Windows\SysWOW64\Drivers\AsInsHelp64.sys
    2016-05-19 22:36 - 2016-05-19 22:36 - 00000000 ____D C:\Windows\RaidTool
    2016-05-19 22:36 - 2010-11-24 23:27 - 00120408 _____ (JMicron Technology Corp.) C:\Windows\system32\Drivers\jraid.sys
    2016-05-19 22:36 - 2009-07-13 21:15 - 00315904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Difxd825.rra
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files\ATI
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2016-05-19 22:35 - 2011-03-04 14:46 - 00078976 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_sata.sys
    2016-05-19 22:35 - 2011-03-04 14:46 - 00038528 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_xata.sys
    2016-05-19 22:35 - 2010-12-15 23:06 - 00047232 ____R (Advanced Micro Devices) C:\Windows\system32\Drivers\usbfilter.sys
    2016-05-19 22:34 - 2016-05-19 22:34 - 00016896 _____ (ASUS) C:\Windows\AsTaskSched.dll
    2016-05-19 22:34 - 2016-05-19 22:34 - 00000000 ____D C:\Program Files\ATI Technologies
    2016-05-19 22:33 - 2011-02-25 02:25 - 00296320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
    2016-05-19 22:32 - 2016-05-19 22:32 - 00000000 ____D C:\Program Files (x86)\ASM104xUSB3
    2016-05-19 22:31 - 2016-05-19 22:43 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2016-05-19 22:31 - 2016-05-19 22:31 - 00000000 ____D C:\Program Files (x86)\Realtek
    2016-05-19 22:31 - 2011-08-23 09:57 - 00565352 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
    2016-05-19 22:31 - 2011-08-23 09:57 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
    2016-05-19 22:31 - 2011-08-23 09:57 - 00074272 _____ C:\Windows\system32\RtNicProp64.dll
    2016-05-19 22:30 - 2016-05-19 22:30 - 00001769 _____ C:\Windows\Language_trs.ini
    2016-05-19 22:29 - 2016-05-19 22:30 - 00028901 _____ C:\Windows\Ascd_tmp.ini
    2016-05-19 22:27 - 2016-05-20 00:28 - 00001413 _____ C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2016-05-19 22:27 - 2016-05-19 22:27 - 00000000 ____D C:\Users\TKRA7\AppData\Local\VirtualStore
    2016-05-19 22:25 - 2016-05-22 17:49 - 00000000 ____D C:\Users\TKRA7
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000020 ___SH C:\Users\TKRA7\ntuser.ini
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\My Documents
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Videos
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Pictures
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Music
    2016-05-19 22:25 - 2011-04-12 04:28 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Media Center Programs
    2016-05-12 10:48 - 2016-05-12 10:48 - 00264552 _____ (ESET) C:\Windows\system32\Drivers\eamonm.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00199680 _____ (ESET) C:\Windows\system32\Drivers\edevmon.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00186784 _____ (ESET) C:\Windows\system32\Drivers\ehdrv.sys
    2016-05-12 10:48 - 2016-05-12 10:48 - 00170792 _____ (ESET) C:\Windows\system32\Drivers\epfwwfpr.sys

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-30 20:44 - 2009-07-14 01:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-05-30 20:37 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-05-30 19:30 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-05-30 19:30 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-05-30 19:30 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
    2016-05-25 23:32 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
    2016-05-24 02:56 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
    2016-05-22 17:48 - 2011-04-12 04:28 - 00000000 ___RD C:\Users\Public\Recorded TV
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Sidebar
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
    2016-05-22 17:48 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
    2016-05-22 17:47 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Microsoft Games
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
    2016-05-21 20:52 - 2008-01-01 04:19 - 00000000 ____D C:\Windows\Panther
    2016-05-20 01:38 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
    2016-05-19 22:35 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

    ==================== Files in the root of some directories =======

    2016-05-21 08:55 - 2016-05-24 14:55 - 0129256 _____ () C:\Users\TKRA7\AppData\Local\ars.cache
    2016-05-21 08:55 - 2016-05-24 14:55 - 0190632 _____ () C:\Users\TKRA7\AppData\Local\census.cache
    2016-05-21 08:28 - 2016-05-21 08:28 - 0000036 _____ () C:\Users\TKRA7\AppData\Local\housecall.guid.cache
    2016-05-21 08:31 - 2016-05-24 14:27 - 0000010 _____ () C:\Users\TKRA7\AppData\Local\sponge.last.runtime.cache

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-05-28 14:59

    ==================== End of FRST.txt ============================




    Addition Log:

    Additional scan result of Farbar Recovery Scan Tool (x64) Version:23-05-2016
    Ran by TKRA7 (2016-05-30 20:45:26)
    Running from C:\Users\TKRA7\Desktop
    Windows 7 Ultimate Service Pack 1 (X64) (2016-05-20 02:25:08)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-2205198338-1926017667-846148581-500 - Administrator - Disabled)
    Guest (S-1-5-21-2205198338-1926017667-846148581-501 - Limited - Disabled)
    TKRA7 (S-1-5-21-2205198338-1926017667-846148581-1000 - Administrator - Enabled) => C:\Users\TKRA7

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
    AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    AS: ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    AI Suite II (HKLM-x32\...\{34D3688E-A737-44C5-9E2A-FF73618728E1}) (Version: 1.02.03 - ASUSTeK Computer Inc.)
    Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.14.1.0 - Asmedia Technology)
    ATI Catalyst Install Manager (HKLM\...\{A39D1D51-E8DE-4B07-016D-73C232E1E1D8}) (Version: 3.0.825.0 - ATI Technologies, Inc.)
    BDAntiRansomware (HKLM\...\{BE40AB1F-558F-4434-B72F-461EF97E7796}_is1) (Version: 1.0.12.1 - Bitdefender)
    CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
    ESET NOD32 Antivirus (HKLM\...\{381258D4-0766-4E1B-BE3B-186E47CE4397}) (Version: 9.0.381.0 - ESET, spol. s r.o.)
    GWX Control Panel (HKLM-x32\...\UltimateOutsider_GwxControlPanel) (Version: - UltimateOutsider)
    HitmanPro.Alert 3 (HKLM\...\HitmanPro.Alert) (Version: 3.1.10.373 - SurfRight B.V.)
    JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.62.0 - JMicron Technology Corp.)
    Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
    Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
    MRU-Blaster v1.5 (Database 3.28.04) (HKLM-x32\...\MRU-Blaster_is1) (Version: 1.5 - BrightFort LLC)
    NETGEAR Genie (HKLM-x32\...\NETGEAR Genie) (Version: 2.4.15.07 - NETGEAR Inc.)
    Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
    Registry Backup and Restore (HKLM\...\Registry Backup and Restore_is1) (Version: - Acelogix)
    Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
    SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
    SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1218 - SUPERAntiSpyware.com)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {1409C08E-E440-4805-8EB0-E7F2B6E13332} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-24] (Adobe Systems Incorporated)
    Task: {2923ABB0-0A82-4325-95F0-9BC7D18B4D82} - System32\Tasks\ASUS\ASUS AI Suite II Execute => C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe [2010-11-26] (ASUSTeK Computer Inc.)
    Task: {2C446118-C822-4B8B-8455-4A24BF988573} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {4AC999A8-229B-40AD-81A1-E36BA02D258C} - System32\Tasks\ASUS\USB 3.0 Boost Service => C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr.exe [2011-09-09] ()
    Task: {B659F42C-3DE0-4D82-B01F-92E7E3A40E15} - System32\Tasks\ASUS\ASUS DigiVRM Help => C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe [2011-04-13] (ASUSTeK Computer Inc.)
    Task: {E1FC1A50-7798-44D3-B70F-AC0862BF9FA3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
    Task: {F840F41A-8D66-46F2-977D-A27E7FDC17D3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-05-13] (Piriform Ltd)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2011-06-13 04:36 - 2011-06-13 04:36 - 00922240 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    2010-12-01 22:15 - 2010-12-01 22:15 - 00915584 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    2016-05-19 22:38 - 2010-10-21 05:52 - 00586880 ____R () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    2016-05-19 22:37 - 2016-05-30 20:37 - 00033280 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.14\PEbiosinterface32.dll
    2016-05-19 22:37 - 2010-06-28 22:58 - 00104448 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\ATKEX.dll
    2016-05-19 22:42 - 2011-03-04 04:33 - 00053248 ____N () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\HookKey32.dll
    2016-05-19 22:42 - 2009-05-21 10:14 - 00253952 _____ () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\pngio.dll
    2016-05-30 02:15 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2016-05-30 02:15 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
    2016-05-30 02:15 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2016-05-30 02:15 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
    2016-05-30 02:15 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
    2016-05-19 22:38 - 2011-02-24 10:19 - 00143360 _____ () C:\Program Files (x86)\ASUS\AI Suite II\AssistFunc.dll
    2016-05-19 22:38 - 2010-06-21 15:21 - 00208896 _____ () C:\Program Files (x86)\ASUS\AI Suite II\ImageHelper.dll
    2016-05-19 22:38 - 2009-08-12 20:15 - 00253952 _____ () C:\Program Files (x86)\ASUS\AI Suite II\pngio.dll
    2016-05-19 22:38 - 2011-02-09 09:02 - 00873472 _____ () C:\Program Files (x86)\ASUS\AI Suite II\AI Charger+\AIChargerPlus.dll
    2016-05-19 22:39 - 2011-03-09 14:55 - 01036800 _____ () C:\Program Files (x86)\ASUS\AI Suite II\ASUS Update\Update.dll
    2016-05-19 22:38 - 2011-05-16 17:35 - 00965632 _____ () C:\Program Files (x86)\ASUS\AI Suite II\BarGadget\BarGadget.dll
    2016-05-19 22:41 - 2011-01-06 10:38 - 01027072 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Probe_II\ProbeII.dll
    2016-05-19 22:38 - 2011-05-20 09:12 - 00881152 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor\Sensor.dll
    2016-05-19 22:38 - 2011-04-07 17:33 - 01607168 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor Graph\SensorGraph.dll
    2016-05-19 22:38 - 2011-01-07 16:39 - 01246208 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Settings\Settings.dll
    2016-05-19 22:38 - 2010-08-06 18:11 - 00850944 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Splitter\Splitter.dll
    2016-05-19 22:38 - 2010-08-06 18:13 - 00886272 _____ () C:\Program Files (x86)\ASUS\AI Suite II\TabGadget\TabGadget.dll
    2016-05-19 22:37 - 2010-08-22 22:17 - 00662016 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMLib.dll
    2016-05-19 22:38 - 2010-06-21 15:21 - 00208896 _____ () C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\ImageHelper.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    There are 7902 more sites.


    There are 12719 more sites.


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 22:34 - 2016-05-30 02:34 - 00451815 ____R C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost
    127.0.0.1 www.007guard.com

    There are 15530 more lines.


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 75.75.75.75 - 75.75.76.76
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\Services: BDESVC => 3
    MSCONFIG\Services: EFS => 3
    MSCONFIG\Services: ehRecvr => 3
    MSCONFIG\Services: ehSched => 3
    MSCONFIG\Services: IEEtwCollectorService => 3
    MSCONFIG\Services: pla => 3
    MSCONFIG\Services: RemoteRegistry => 3
    MSCONFIG\Services: SensrSvc => 3
    MSCONFIG\Services: SSDPSRV => 3
    MSCONFIG\Services: TabletInputService => 3
    MSCONFIG\Services: TapiSrv => 3
    MSCONFIG\Services: TBS => 3
    MSCONFIG\Services: TrkWks => 2
    MSCONFIG\Services: WbioSrvc => 3
    MSCONFIG\Services: WcsPlugInService => 3
    MSCONFIG\Services: Wecsvc => 3
    MSCONFIG\Services: WerSvc => 3
    MSCONFIG\Services: WMPNetworkSvc => 3
    MSCONFIG\Services: WPCSvc => 3
    MSCONFIG\startupreg: ASUS AiChargerPlus Execute => C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe
    MSCONFIG\startupreg: NETGEARGenie => "C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" -mini -redirect

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{C6A1FA50-FDAD-4EAF-813C-E28A2CEF4524}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{FE7836D1-7D7B-41D8-96BC-6843DB27449F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [TCP Query User{3E26A3C8-1E39-459A-828F-80D3C4922A36}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
    FirewallRules: [UDP Query User{FC09A63A-C1E0-4C20-A4A4-0CD7771D0791}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    19-05-2016 22:30:59 Installed Realtek Ethernet Controller Driver
    19-05-2016 22:32:26 Installed Asmedia ASM104x USB 3.0 Host Controller Driver.
    19-05-2016 22:33:35 Windows Update
    19-05-2016 22:36:18 Installed JMicron JMB36X Driver
    19-05-2016 22:38:10 Installed AI Suite II
    19-05-2016 22:38:39 Installed Ai Charger+
    19-05-2016 22:39:07 Installed ASUS Update
    19-05-2016 22:39:47 Installed DIGI+ VRM
    19-05-2016 22:40:21 Installed EPU
    19-05-2016 22:40:55 Installed FAN Xpert
    19-05-2016 22:41:15 Installed Probe II
    19-05-2016 22:41:40 Installed System Information
    19-05-2016 22:42:25 Installed TurboV EVO
    19-05-2016 22:43:01 Installed USB 3.0 Boost
    20-05-2016 00:20:42 Windows Modules Installer
    21-05-2016 20:59:20 Device Driver Package Install: F-Secure Corporation Network adapters
    21-05-2016 21:14:06 Installed Microsoft Solution - 93689bb7-63fe-4fe7-8eec-97e93e07121f
    21-05-2016 21:22:45 Installed Microsoft Solution - 9c197371-07a7-43f6-9bff-a08e6f6be4e9
    22-05-2016 00:31:28 Windows Update
    22-05-2016 17:16:36 Installed Microsoft Solution - b1fd3df2-4787-461b-8de9-a16614dede1c
    22-05-2016 17:18:25 Windows Update
    22-05-2016 17:39:07 Windows Modules Installer
    22-05-2016 17:45:06 Restore Operation
    22-05-2016 17:52:43 Windows Update
    22-05-2016 23:53:52 Windows Update
    23-05-2016 02:25:11 Checkpoint by HitmanPro
    24-05-2016 17:15:21 Revo Uninstaller's restore point - Glary Utilities 5.51
    24-05-2016 20:53:31 Restore Point Created by FRST
    27-05-2016 02:00:41 Windows Modules Installer
    30-05-2016 02:07:39 Revo Uninstaller's restore point - GridinSoft Anti-Malware

    ==================== Faulty Device Manager Devices =============

    Name: ASUS DRW-24B1ST c SATA CdRom Device
    Description: CD-ROM Drive
    Class Guid: {4d36e965-e325-11ce-bfc1-08002be10318}
    Manufacturer: (Standard CD-ROM drives)
    Service: cdrom
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (05/30/2016 08:38:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 07:23:40 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 07:10:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/30/2016 03:21:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/29/2016 11:58:20 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 46.0.1.5966, time stamp: 0x572818c9
    Faulting module name: mozglue.dll, version: 46.0.1.5966, time stamp: 0x572808c3
    Exception code: 0x80000003
    Fault offset: 0x0000efdc
    Faulting process id: 0x8b4
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (05/29/2016 10:32:51 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 46.0.1.5966, time stamp: 0x572818c9
    Faulting module name: mozglue.dll, version: 46.0.1.5966, time stamp: 0x572808c3
    Exception code: 0x80000003
    Fault offset: 0x0000efdc
    Faulting process id: 0xcdc
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (05/29/2016 08:28:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/29/2016 12:06:24 PM) (Source: SideBySide) (EventID: 80) (User: )
    Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
    A component version required by the application conflicts with another component version already active.
    Conflicting components are:.
    Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
    Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

    Error: (05/29/2016 12:05:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (05/28/2016 02:33:15 PM) (Source: ESENT) (EventID: 474) (User: )
    Description: wuaueng.dll (1076) SUS20ClientDataStore: The database page read from the file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" at offset 358219776 (0x00000000155a0000) (database page wuaueng.dll0) for 32768 (0x00008000) bytes failed verification due to a page checksum mismatch. The expected checksum was [15e8ea17df66aca9:69979668e04a2adb:a6d6a6d6fa232abd:538a538a7fa72aa2] and the actual checksum was [15e8ea17d966aaa9:69979668e04a2adb:a0d6a0d6fa232abd:538a538a7fa72aa2]. The read operation will fail with error -1018 (0xfffffc06). If this condition persists then please restore the database from a previous backup. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.


    System errors:
    =============
    Error: (05/30/2016 08:38:08 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
    %%1068

    Error: (05/30/2016 08:38:01 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    %%1058

    Error: (05/30/2016 08:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 08:35:32 PM) (Source: DCOM) (EventID: 10010) (User: )
    Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

    Error: (05/30/2016 07:23:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
    %%1068

    Error: (05/30/2016 07:23:25 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    %%1058

    Error: (05/30/2016 07:23:17 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 07:20:53 PM) (Source: DCOM) (EventID: 10010) (User: )
    Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

    Error: (05/30/2016 07:20:01 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.

    Error: (05/30/2016 07:16:32 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
    Description: The following fatal alert was generated: 40. The internal error state is 252.


    CodeIntegrity:
    ===================================
    Date: 2016-05-24 10:40:25.445
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-24 10:40:25.429
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:10.013
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:09.998
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.120
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.104
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.349
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.333
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


    ==================== Memory info ===========================

    Processor: AMD FX(tm)-4100 Quad-Core Processor
    Percentage of memory in use: 49%
    Total physical RAM: 8137.36 MB
    Available physical RAM: 4099.2 MB
    Total Virtual: 16272.89 MB
    Available Virtual: 12484.52 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:931.29 GB) (Free:845.39 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

    Partition: GPT.

    ==================== End of Addition.txt ============================



    SALog:

    Result of Security Analysis by Rocket Grannie (x86) Updated: 24th May 2016
    Running from:C:\Users\TKRA7\Desktop (20:58:22 - 05/30/2016)
    ***---------------------------------------------------------***
    Microsoft Windows 7 Ultimate X64 Service Pack 1
    UAC is Enabled!
    Internet Explorer 11
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    ***-----------------Anti-Virus - Firewall-------------------***
    ESET NOD32 Antivirus 9.0.381.0 (Enabled - Up to Date)
    Windows Firewall is Enabled!
    Searching for any other Firewall
    *No other Firewall Installed*
    ***----------------AntiSpyware - Miscellaneous---------------***
    Adobe Flash Player Plugin (version 21.0.0.242)
    Java is not installed
    Adobe Flash Player ActiveX (version 21.0.0.242)
    CCleaner (version 5.17)
    HitmanPro (version 3)
    Malwarebytes Anti-Malware (version 2.2.1.1043)
    Mozilla Firefox (version 46)
    Spybot - Search & Destroy (version 2.4)
    SpywareBlaster (version 5.5)
    SUPERAntiSpyware (version 6)

    ***----------------Analysis Complete-------------------------***



  16. #36
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    Here is my latest ComboFix Scan:


    ComboFix 16-05-31.01 - TKRA7 05/30/2016 21:03:11.6.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.4104 [GMT -4:00]
    Running from: c:\users\TKRA7\Downloads\Security Tools\Special Tools\ComboFix.exe
    AV: ESET NOD32 Antivirus 9.0.381.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
    SP: ESET NOD32 Antivirus 9.0.381.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\Packet.dll
    c:\windows\SysWow64\wpcap.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-28 to 2016-05-31 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-31 01:07 . 2016-05-31 01:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-05-30 23:15 . 2016-05-30 23:15 -------- d-----w- c:\program files\ESET
    2016-05-30 06:19 . 2016-05-30 06:19 -------- d-----w- c:\program files\Common Files\AV
    2016-05-30 06:15 . 2013-09-20 14:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe
    2016-05-30 06:15 . 2016-05-30 06:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2016-05-30 06:15 . 2016-05-30 06:30 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2016-05-30 06:04 . 2016-05-30 06:04 -------- d-----w- c:\program files (x86)\MRU-Blaster
    2016-05-29 16:21 . 2016-05-29 16:21 43608 ----a-w- c:\windows\system32\drivers\ERKRmvrDrv.sys
    2016-05-29 16:06 . 2016-05-29 16:06 115008 ----a-w- c:\windows\SysWow64\drivers\efavdrv.sys
    2016-05-27 20:38 . 2016-05-27 20:38 -------- d-----w- c:\windows\RegBak
    2016-05-27 19:49 . 2016-05-27 19:49 -------- d-----w- c:\program files\Acelogix
    2016-05-26 21:28 . 2016-05-26 21:28 369168 ----a-w- c:\windows\system32\wpcap.dll
    2016-05-26 21:28 . 2016-05-26 21:28 35344 ----a-w- c:\windows\system32\drivers\npf.sys
    2016-05-26 21:28 . 2016-05-26 21:28 106000 ----a-w- c:\windows\system32\packet.dll
    2016-05-26 21:28 . 2016-05-26 21:28 -------- d-----w- c:\program files (x86)\NETGEAR Genie
    2016-05-25 07:07 . 2016-05-25 07:07 -------- d-----w- c:\programdata\MicroWorld
    2016-05-25 00:25 . 2016-05-25 00:47 -------- d---a-w- C:\cce_linux
    2016-05-24 22:26 . 2016-05-30 23:10 -------- d-----w- c:\program files (x86)\HitmanPro.Alert
    2016-05-24 22:26 . 2016-05-30 19:22 825040 ----a-w- c:\windows\system32\hmpalert.dll
    2016-05-24 22:26 . 2016-05-30 19:22 753872 ----a-w- c:\windows\SysWow64\hmpalert.dll
    2016-05-24 22:26 . 2016-05-30 19:22 84520 ----a-w- c:\windows\system32\drivers\hmpnet.sys
    2016-05-24 22:26 . 2016-05-30 19:22 175472 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2016-05-24 21:14 . 2016-05-24 21:54 -------- d-----w- c:\program files (x86)\Glarysoft
    2016-05-24 21:11 . 2016-05-24 21:11 -------- d-----w- c:\program files (x86)\VS Revo Group
    2016-05-24 20:29 . 2016-05-31 01:10 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-05-24 20:29 . 2016-05-24 20:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2016-05-24 20:29 . 2016-03-10 18:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
    2016-05-24 20:29 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2016-05-24 20:29 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
    2016-05-24 18:03 . 2016-05-24 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2016-05-24 18:03 . 2016-05-24 18:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2016-05-24 14:26 . 2016-05-31 00:47 -------- d-----w- C:\FRST
    2016-05-23 06:25 . 2016-05-23 06:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2016-05-23 06:00 . 2016-05-27 16:28 -------- d-----w- c:\windows\CryptoGuard
    2016-05-23 06:00 . 2016-05-23 06:25 -------- d-----w- c:\programdata\HitmanPro
    2016-05-23 05:50 . 2016-05-23 05:50 -------- d-----w- c:\programdata\Licenses
    2016-05-23 05:50 . 2012-05-02 16:17 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2016-05-23 05:50 . 2009-03-24 17:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
    2016-05-23 05:50 . 2016-05-23 05:51 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2016-05-23 00:28 . 2016-05-23 00:28 -------- d-----w- C:\AdwCleaner
    2016-05-22 21:53 . 2016-05-23 06:27 -------- d-----w- c:\program files (x86)\Trojan Remover
    2016-05-22 21:53 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
    2016-05-22 21:53 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
    2016-05-22 21:53 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
    2016-05-22 21:53 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
    2016-05-22 21:53 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
    2016-05-22 21:53 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
    2016-05-22 21:52 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
    2016-05-22 21:52 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2016-05-22 21:45 . 2016-05-22 21:45 -------- d-----w- C:\inetpub
    2016-05-22 20:58 . 2016-05-22 20:58 -------- d-----w- c:\programdata\WinaeroTweaker
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\windows\Migration
    2016-05-22 16:52 . 2016-05-22 17:00 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2016-05-22 16:50 . 2016-05-24 20:29 -------- d-----w- c:\programdata\Malwarebytes
    2016-05-22 16:50 . 2016-05-22 16:50 -------- d-----w- c:\program files\Malwarebytes
    2016-05-22 09:51 . 2016-05-23 01:03 -------- d-----w- c:\windows\Microsoft Antimalware
    2016-05-22 00:59 . 2016-05-22 00:59 36320 ----a-w- c:\windows\system32\drivers\fsfreedometap.sys
    2016-05-22 00:49 . 2016-05-22 00:49 -------- d-----w- c:\program files\CCleaner
    2016-05-21 12:29 . 2016-05-21 12:29 -------- d-----w- c:\programdata\Trend Micro
    2016-05-21 12:24 . 2016-05-21 12:24 -------- d-----w- c:\programdata\Bitdefender Agent
    2016-05-21 12:16 . 2016-05-22 01:29 -------- d-----w- c:\programdata\F-Secure
    2016-05-21 12:15 . 2016-05-21 12:15 -------- d-----w- c:\programdata\Norton
    2016-05-21 12:15 . 2016-05-22 21:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-05-21 05:47 . 2016-05-21 05:47 -------- d-----w- c:\program files (x86)\UltimateOutsider
    2016-05-21 05:34 . 2014-12-30 17:31 7039960 ----a-w- c:\windows\SysWow64\ZALSDKCore.dll
    2016-05-20 05:30 . 2016-05-23 10:07 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
    2016-05-20 04:54 . 2016-05-25 01:23 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-05-20 04:54 . 2016-05-25 01:23 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-05-20 04:54 . 2016-05-20 04:54 -------- d-----w- c:\windows\system32\Macromed
    2016-05-20 04:42 . 2016-05-20 04:42 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2016-05-20 04:40 . 2015-11-05 19:00 143904 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
    2016-05-20 04:40 . 2016-05-26 12:19 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
    2016-05-20 04:26 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
    2016-05-20 04:22 . 2016-05-20 04:22 878080 ----a-w- c:\windows\system32\advapi32.dll
    2016-05-20 04:21 . 2016-05-20 04:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 03:32 . 2016-05-20 03:32 -------- d-----w- c:\program files\Bitdefender
    2016-05-20 02:58 . 2016-05-20 02:58 -------- d-----w- c:\programdata\ASUS OC Profiles
    2016-05-20 02:56 . 2016-05-20 02:56 0 ----a-w- c:\windows\ativpsrm.bin
    2016-05-20 02:55 . 2016-05-20 02:55 -------- d-----w- c:\programdata\GridinSoft
    2016-05-20 02:51 . 2011-05-24 15:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2016-05-20 02:51 . 2011-05-24 14:19 58880 ----a-w- c:\windows\system32\coinst.dll
    2016-05-20 02:43 . 2016-05-20 02:43 -------- d-----w- c:\program files\ASUS
    2016-05-20 02:42 . 2016-05-20 02:42 -------- d-----w- c:\windows\SysWow64\Macromed
    2016-05-20 02:38 . 2010-11-08 18:57 14464 ----a-w- c:\windows\system32\drivers\AiChargerPlus.sys
    2016-05-20 02:38 . 2008-12-03 00:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
    2016-05-20 02:37 . 2016-05-20 02:37 -------- d-----w- c:\programdata\ASUS
    2016-05-20 02:37 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\ASUS
    2016-05-20 02:37 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
    2016-05-20 02:37 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
    2016-05-20 02:37 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
    2016-05-20 02:36 . 2009-07-14 01:15 315904 ----a-w- c:\windows\SysWow64\Difxd825.rra
    2016-05-20 02:36 . 2010-11-25 03:27 120408 ----a-w- c:\windows\system32\drivers\jraid.sys
    2016-05-20 02:36 . 2016-05-20 02:36 -------- d-----w- c:\windows\RaidTool
    2016-05-20 02:36 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files (x86)\AMD APP
    2016-05-20 02:35 . 2016-05-20 02:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-05-20 02:35 . 2010-12-16 03:06 47232 ----a-r- c:\windows\system32\drivers\usbfilter.sys
    2016-05-20 02:35 . 2011-03-04 18:46 78976 ----a-w- c:\windows\system32\drivers\amd_sata.sys
    2016-05-20 02:35 . 2011-03-04 18:46 38528 ----a-w- c:\windows\system32\drivers\amd_xata.sys
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files\ATI
    2016-05-20 02:34 . 2016-05-20 02:34 -------- d-----w- c:\program files\ATI Technologies
    2016-05-20 02:34 . 2016-05-20 02:34 16896 ----a-w- c:\windows\AsTaskSched.dll
    2016-05-20 02:33 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2016-05-20 02:32 . 2016-05-20 02:32 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2016-05-20 02:32 . 2016-05-30 23:16 -------- d-sh--w- c:\windows\Installer
    2016-05-20 02:31 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
    2016-05-20 02:31 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2016-05-20 02:31 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2016-05-20 02:31 . 2016-05-20 02:31 -------- d-----w- c:\program files (x86)\Realtek
    2016-05-20 02:31 . 2016-05-20 02:43 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-12 14:48 . 2016-05-12 14:48 264552 ----a-w- c:\windows\system32\drivers\eamonm.sys
    2016-05-12 14:48 . 2016-05-12 14:48 199680 ----a-w- c:\windows\system32\drivers\edevmon.sys
    2016-05-12 14:48 . 2016-05-12 14:48 186784 ----a-w- c:\windows\system32\drivers\ehdrv.sys
    2016-05-12 14:48 . 2016-05-12 14:48 170792 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys;c:\windows\SYSNATIVE\drivers\efavdrv.sys [x]
    R3 ERmvrDrv;ESET standalone malware removal tool kernel-mode driver;c:\windows\system32\drivers\ERKRmvrDrv.sys;c:\windows\SYSNATIVE\drivers\ERKRmvrDrv.sys [x]
    R3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R4 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S0 edevmon;edevmon;c:\windows\system32\DRIVERS\edevmon.sys;c:\windows\SYSNATIVE\DRIVERS\edevmon.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 hmpnet;HitmanPro.Alert Network Driver;c:\windows\system32\drivers\hmpnet.sys;c:\windows\SYSNATIVE\drivers\hmpnet.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2016-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-20 01:23]
    .
    .
    --------- X64 Entries -----------
    .
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = localhost:21320
    Trusted Zone: eset.com\help
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\.Default\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.21"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\ASUS\AI Suite II\AsRoutineController.exe
    c:\program files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
    c:\program files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
    c:\program files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
    c:\program files (x86)\Malwarebytes Anti-Malware\mbam.exe
    c:\program files (x86)\ASUS\AI Suite II\AI Suite II.exe
    c:\program files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
    .
    **************************************************************************
    .
    Completion time: 2016-05-30 21:13:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2016-05-31 01:13
    ComboFix2.txt 2016-05-26 00:47
    ComboFix3.txt 2016-05-25 02:27
    ComboFix4.txt 2016-05-24 20:47
    ComboFix5.txt 2016-05-26 03:28
    .
    Pre-Run: 909,864,939,520 bytes free
    Post-Run: 909,607,804,928 bytes free
    .
    - - End Of File - - 2820F903117C1028AB0719B395BFC2DA
    A36C5E4F47E84449FF07ED3517B43A31

  17. #37
    YOnGodsGreenEarth
    Re: Totally Perplexed by this Locky Ransomware...

    Here are the results from my scans with JRT and AVZ Antiviral Toolkit...

    JRT Log:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.6 (04.25.2016)
    Operating System: Windows 7 Ultimate x64
    Ran by TKRA7 (Administrator) on Tue 05/31/2016 at 0:52:00.01
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    File System: 9

    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2620QEGF (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B0GJMXH (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EVFNJWM2 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3YURF3L (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\prefetch\ANTILOGGER FREE.EXE-DB9C5B5E.pf (File)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2620QEGF (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8B0GJMXH (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EVFNJWM2 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3YURF3L (Temporary Internet Files Folder)

    Registry: 0

    AVZ Antiviral Toolkit Scan Results:


    AVZ Antiviral Toolkit log; AVZ version is 4.46
    Scanning started at 31.05.2016 01:44:30
    Database loaded: signatures - 297569, NN profile(s) - 2, malware removal microprograms - 56, signature database released 31.05.2016 04:00
    Heuristic microprograms loaded: 408
    PVS microprograms loaded: 10
    Digital signatures of system files loaded: 802091
    Heuristic analyzer mode: Maximum heuristics mode
    Malware removal mode: enabled
    Windows version is: 6.1.7601, Service Pack 1 "Windows 7 Ultimate", install date 19.05.2016 21:25:08 ; AVZ is run with administrator rights (+)
    System Restore: enabled
    1. Searching for Rootkits and other software intercepting API functions
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Function kernel32.dll:CreateProcessInternalW (170) intercepted, method - APICodeHijack.JmpTo[749FC836]
    >>> Rootkit code in function CreateProcessInternalW blocked
    Analysis: ntdll.dll, export table found in section .text
    Function ntdll.dll:KiUserExceptionDispatcher (112) intercepted, method - APICodeHijack.JmpTo[74A430B6]
    >>> Rootkit code in function KiUserExceptionDispatcher blocked
    Function ntdll.dll:LdrLoadDll (137) intercepted, method - APICodeHijack.JmpTo[749FC416]
    >>> Rootkit code in function LdrLoadDll blocked
    Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[749FB316]
    >>> Rootkit code in function NtAllocateVirtualMemory blocked
    Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[749FB6B6]
    >>> Rootkit code in function NtFreeVirtualMemory blocked
    Function ntdll.dll:NtMapViewOfSection (349) intercepted, method - APICodeHijack.JmpTo[749FBF26]
    >>> Rootkit code in function NtMapViewOfSection blocked
    Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[749FB7C6]
    >>> Rootkit code in function NtProtectVirtualMemory blocked
    Function ntdll.dll:NtUnmapViewOfSection (566) intercepted, method - APICodeHijack.JmpTo[749FC326]
    >>> Rootkit code in function NtUnmapViewOfSection blocked
    Analysis: user32.dll, export table found in section .text
    Function user32.dll:GetMessageA (1854) intercepted, method - APICodeHijack.JmpTo[74A0DBC6]
    >>> Rootkit code in function GetMessageA blocked
    Function user32.dll:GetMessageW (1858) intercepted, method - APICodeHijack.JmpTo[74A0DC56]
    >>> Rootkit code in function GetMessageW blocked
    Function user32.dll:PeekMessageA (2075) intercepted, method - APICodeHijack.JmpTo[74A0DAA6]
    >>> Rootkit code in function PeekMessageA blocked
    Function user32.dll:PeekMessageW (2076) intercepted, method - APICodeHijack.JmpTo[74A0DB36]
    >>> Rootkit code in function PeekMessageW blocked
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    2. Scanning RAM
    Number of processes found: 13
    Number of modules loaded: 170
    Scanning RAM - complete
    3. Scanning disks
    Direct reading: C:\Qoobox\BackEnv\SetPath.bat
    Direct reading: C:\Users\TKRA7\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.tmp
    C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill.com - PE file with modified extension that still lets run it (it is often typical for viruses)(dangerousness level is 35%)
    File quarantined succesfully (C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill.com)
    C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill64.com - PE file with modified extension that still lets run it (it is often typical for viruses)(dangerousness level is 35%)
    File quarantined succesfully (C:\Users\TKRA7\Downloads\Security Tools\SECURITY\Power Tools\rkill\rkill64.com)
    4. Checking Winsock Layered Service Provider (SPI/LSP)
    LSP settings checked. No errors detected
    5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
    C:\Windows\SysWOW64\hmpalert.dll --> Suspicion for Keylogger or Trojan DLL
    C:\Windows\SysWOW64\hmpalert.dll>>> Behaviour analysis
    Behaviour typical for keyloggers was not detected
    File quarantined succesfully (C:\Windows\SysWOW64\hmpalert.dll)
    Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
    6. Searching for opened TCP/UDP ports used by malicious software
    In the database 317 port descriptions
    Opened at this PC: 12 TCP ports and 6 UDP ports
    Checking - complete; no suspicious ports detected
    7. Heuristic system check
    Checking - complete
    8. Searching for vulnerabilities
    >> Services: potentially dangerous service allowed: TermService (Remote Desktop Services)
    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    >> Security: disk drives' autorun is enabled
    >> Security: administrative shares (C$, D$ ...) are enabled
    >> Security: anonymous user access is enabled
    >> Windows Explorer - show extensions of known file types
    Checking - complete
    9. Troubleshooting wizard
    >> Abnormal SCR files association
    >> HDD autorun is allowed
    >> Network drives autorun is allowed
    >> Removable media autorun is allowed
    Checking - complete
    Files scanned: 45401, extracted from archives: 24006, malicious software found 0, suspicions - 0
    Scanning finished at 31.05.2016 01:47:59
    Time of scanning: 00:03:31
    If you have a suspicion on presence of viruses or questions on the suspected objects,
    you can address Kaspersky Lab Forum -> Virus-related issues
    For automatic scanning of files from the AVZ quarantine you can use the service VirusInfo - VirusDetector - ?????????? ??????-?????? ???????????? ???????? ?????????? (beta)

  18. #38
    Corrine

    Re: Totally Perplexed by this Locky Ransomware...

    Guess what? It isn't "Locky" that you are seeing. Rather those files are from C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe! Thanks to DonnaB for tracking down the information: Combination Crypto-Ransomware Vaccine Released | Bitdefender Labs

    So, with that bit of news, now you can breathe easier!

    As long as everything else is working correctly, we can take care of removing the tools used:

    Please download Delfix from here.

    Ensure the following boxes are checked:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Click Run

    The program will run for a few moments and then notepad will open with a log. It isn't necessary to post the log.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  19. #39
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    Quote Originally Posted by Corrine View Post
    Guess what? It isn't "Locky" that you are seeing. Rather those files are from C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe! Thanks to DonnaB for tracking down the information: Combination Crypto-Ransomware Vaccine Released | Bitdefender Labs

    I actually checked out this link and after reading through it, I didn't find anything stating that Bitdefender creates these Locky registry entries. I noticed some commenters asking about Locky but that was all I found in the Bitdefender link you provided.

    So I thought I would uninstall Bitdefender to see if that would do the trick. I first uninstalled it, then rebooted. I then ran a CCleaner reg scan-------and no more Locky entries showed up. However, when I ran a RegEdit scan, the Locky entries did appear again. So this time I simply deleted them, (and all of them deleted this time without telling me I didn't have permission or something to that effect). After that I rebooted my system and checked RegEdit again and after the scan was complete-------no Locky entries were found.

    For good measure I actually called Bitdefender Tech Support and explained the scenario to them just like I explained it here on this forum and I asked the Bitdefender Technician if this was how Bitdefender AntiRansomware behaves by creating these Locky registry key entries which appear with restricted permissions and subsequently showed up in my ComboFix log as locked keys-------to which he told me no, Bitdefender does not do that.

    While I'm not doubting the work of your team Corrine, it does concern me that the Bitdefender technician I spoke to told me that it doesn't create those registry keys and he sounded pretty sure of himself.

    Another thing that still worries me a bit is the Rootkit detections which appeared after I scanned my system using Kaspersky's AVZ AntiViral Toolkit (as shown in my previous post above). And after thinking about it, I also remembered Richard mentioning at one point to me that it could be possible that a low-level rootkit might be at work here. If that were true, maybe that could explain why AVZ just recently found these detections. If the Bitdefender technician is telling me he doesn't recognize this behavior in the registry as a part of its applications operation, then maybe my system is infected but in a way which is throwing us off the trail with a fake scent, so to speak.

    Like I said, I'm very grateful that you and your team have been working hard on this one and seem to have figured it out-------but maybe it would help me understand better if you could explain exactly how DonnaB confirmed these Locky entries as associated with Bitdefender, especially since I didn't find any indication of this on the Bitdefender page when I visited that link.

    I suppose it's possible that the Bitdefender tech I spoke with wasn't aware of some of the inner-workings of its AntiRansomware application, however, as I previously mentioned, this technician sounded pretty confident about his assertion that Bitdefender AntiRansomware doesn't behave in this manner.

    Even though the Locky entries have not re-appeared in my registry since I uninstalled BDAR and rebooted a couple of times, I can't help that I still feel a little concerned over the fact that Bitdefender asserts that BDAR doesn't act in this way.

    If you could just explain the details or even have DonnaB elaborate on how she made this determination, that might put my mind at ease, especially since I couldn't find any definitive confirmation regarding this conclusion of hers at that link from Bitdefender Labs.

    One last thing I wanted to mention which also concerns me a little bit, is that my Firefox browser has been crashing a lot lately, which I know, depending on the circumstance, can sometimes indicate an infection of some kind. I also know that browsers can be tricky because there are a lot of variables at play generally speaking, however, I did as you mentioned in one of your previous posts about making sure my IE extensions and Flash Player were up to date, as I also did with my Firefox (which is currently the latest version).

    Thanks again for your help. I know you've all been working hard on this...

  20. #40
    DonnaB

    Re: Totally Perplexed by this Locky Ransomware...

    Hello YOnGodsGreenEarth,

    I would be more than happy to share how I came to the conclusion that these registry keys are associated with BDAR.

    You confirmed my thoughts when you pointed out that you uninstalled BDAR, deleted the reg keys, rebooted and they never came back. That alone proves that the technician you spoke with at BD was in the dark about the newest updates to BDAR. I am not only surprised but very disappointed that the technician had no knowledge of BDAR creating these registry keys.

    Please read the articles in SecurityWeek and SpiceWorks. Both articles discuss the following:

    As disclosed in SecurityWeek;

    However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.

    As disclosed in SpiceWorks;

    At present, however, it works by taking advantage of a slew of built-in tests shared by Locky, TeslaCrypt, and CTB-Locker, which scan their host computer to see if it is already infected. "The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker," Computerworld writes.

    You said that you read the Bitdefender article I shared with my associates. If you read it thoroughly then I am sure you came across the following comment by David:

    62. David says:
    April 4, 2016 at 12:35 pm

    I’ve read article
    Free Bitdefender tool protects against ransomware infections | PCWorld
    but still want to know how does it actually do?
    “The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

    What does it “vaccines”? What part of Windows tells ransomware it is already infected by it?

    I am almost certain that he also started the topic found at Simoch on the same day just hours later. Davidenko just shortened his name to David. If you have a look at his second post, he went out on a limb and installed BDAR to find out for himself since he wasn't getting the answers he needed to confirm his suspicions, just as you did by uninstalling BDAR.

    The security gurus that be won't necessarily put this information out there in the internet for just anyone to find. As pointed out in the first paragraph of the SpiceWorks article:

    "The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections." That tool was later made obsolete and ineffective after CryptoWall's creators updated their ransomware. Something similar is expected to happen to Bitdefender's tool.

    The sooner that the bad guys find out that the good guys created a vaccine they will alter the code and the good guys will have to start all over again trying to find out how the bad guys altered the code so the good guys can update their tools and release an update. Honestly, it is a never ending battle between the good and the bad.

    Think about the BDAR vaccine from a medical point of view. Researchers create vaccines using the virus itself then inoculate the human population with that vaccine. Since a potential victim already has the antibodies of any particular virus, such as the flu, diphtheria, measles, mumps, etc., the virus can detect this and the potential victim will not get the full blown virus, if at all.

    Truly, I would not be worried that you are infected, BDAR creates those registry keys to prevent you from becoming infected. As pointed out in the SecurityWeek article, if the registry keys already exist on the computer the malware will terminate itself and the creation process fails.

    If you really are that worried about becoming infected, protect yourself by creating backups of personal data that you just couldn't bear to live without. You could even go as far as cloning your drive. Never a bad idea to have more than one back up.
    Last edited by DonnaB; 06-04-2016 at 01:13 AM.
    “What we do for ourselves dies with us. What we do for others and the world remains and is immortal.” - Albert Pine
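    The explanation above turns on one detail of the ComboFix log posted earlier in the thread: the locked keys are named Locky, and the quoted SecurityWeek text says HKCU\Software\Locky is the key the ransomware itself checks for. As an added example (not code from the thread, from ComboFix or from Bitdefender), here is a small Python parser for the LOCKED REGISTRY KEYS section of such a log that pulls out each key's @Denied flags and principal and separates the Locky marker from the other locked keys that still deserve a look. The sample log is constructed in the same layout; the only name it treats as a vaccine marker is "Locky", because that is the only one the quoted articles name, and the flag tokens such as (B 2 3) are passed through unparsed since ComboFix does not document them here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of ComboFix's "LOCKED REGISTRY KEYS" section;
# it mirrors the log posted in the thread but is not a copy of it.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\F43o6aqLPEF6]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s*\(([^)]*)\)\s*\(([^)]*)\)\s*$")
VALUE_RE = re.compile(r'^(@|"[^"]+")=(.*)$')

@dataclass
class RegistryBlock:
    path: str
    denied_flags: tuple = ()   # ComboFix's flag tokens, e.g. ('B', '2', '3') or ('Full',)
    denied_to: str = ""        # principal from the @Denied line; empty for plain subkey listings
    values: dict = field(default_factory=dict)

def parse_locked_keys(text: str) -> list:
    """Return every [key] block of the LOCKED REGISTRY KEYS section, in log order."""
    blocks, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()             # forum pastes are indented
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):     # the next ComboFix section header ends ours
            break
        if line == "." or not line:    # ComboFix separates blocks with a lone dot
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegistryBlock(path=m.group(1))
            blocks.append(current)
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            current.denied_flags = tuple(m.group(1).split())
            current.denied_to = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m:
            name = "default" if m.group(1) == "@" else m.group(1).strip('"')
            current.values[name] = m.group(2)
    return blocks

# The one key name the quoted SecurityWeek text ties to Locky's own "already infected" check.
VACCINE_MARKER_NAMES = {"locky"}

def triage(blocks: list) -> dict:
    """Split blocks into the vaccine marker, other locked keys to review, and bare subkey listings."""
    report = {"vaccine_marker": [], "other_locked": [], "subkeys_only": []}
    for b in blocks:
        leaf = b.path.rsplit("\\", 1)[-1].lower()
        if not b.denied_to:            # no @Denied line: a subkey printed under a locked parent
            report["subkeys_only"].append(b.path)
        elif leaf in VACCINE_MARKER_NAMES and "\\software\\" in b.path.lower():
            report["vaccine_marker"].append(b.path)
        else:
            report["other_locked"].append(b.path)
    return report
```

    The parser only extracts the markers; as the post above shows, what actually settled the question was uninstalling BDAR, deleting the keys and confirming they did not return.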
