  1. #1
    YOnGodsGreenEarth
    Join Date
    May 2016
    Location
    Somewhere in the Land of the Free
    Posts
    27
    • specs System Specs
      • Motherboard:
        ASUS M5A99X EVO
      • CPU:
        AMD FX 4100
      • Memory:
        8GB
      • Graphics:
        ASUS EAH6570 Series
      • Sound Card:
        High Definition Audio Device
      • Hard Drives:
        WD Black 1TB SATA 64MB Cache
      • Case:
        Thermaltake V3 Black Edition
      • Cooling:
        Multiple Fan Configuration
      • Operating System:
        Win7 Ultimate 64-bit SP1

    Totally Perplexed by this Locky Ransomware...

    My experience with Locky has been daunting to say the least.

    From the very first time I noticed it in my registry (which, to be honest, if I didn't have CCleaner installed I probably wouldn't have caught this thing in time), I have been on a long and frustrating road to attempt to remove this unrelenting infection. It never got the chance to hold my system ransom, presumably because I perform CCleaner scans often and also because I had a couple of anti-ransomware applications installed; however, I'm still perplexed by how this thing got on my system and how it continues to cling to it regardless of my attempts to remove it...

    I had VeraCrypt installed too and it was set to fully encrypt my entire HDD; however, I don't know if Locky appeared on my system before or after I chose to encrypt my drive with VeraCrypt. Needless to say, when I found this infection (with CCleaner of all things), I then attempted to remove it with several methods, including rebooting into Safe Mode and using Malwarebytes RegAssassin in order to reset the Locky reg key permissions and then delete them.

    I did this several times and each time I rebooted, the Locky entries re-appeared in my registry. I even rebooted to my copy of Kaspersky Rescue Disk 10 so that I could use its special "WindowsUnlocker" function, then deleted the keys again, yet when I booted back into Normal Mode the Locky keys were still there; some of these Locky keys had changed their folder names to different values upon reboot and continued to persist after subsequent reboots and attempts to delete the Locky reg key entries...

    I should point out a couple of things here:

    • I had ESET NOD32, Malwarebytes AntiMalware and HitmanPro.Alert installed on my system at the time I noticed the Locky infection.
    • I ran scans with the aforementioned security apps while in Safe Mode, yet none of them found Locky.
    • It's also possible Locky latched onto my system before I installed these security apps and I just didn't find out until later on.
    • I also located and deleted the temp directories.
    • I located the Winlogon folder as well to see if it was set to its original default, and it was.
    • I ran subsequent scans with Kaspersky's Rescue Disk as well as BlitzBlank from Emsisoft.
    • Of course, I did all of this only after I ran these important tools first: Rkill, RogueKiller, SFC.
    • RogueKiller didn't find Locky in either Normal Mode or Safe Mode.

    I eventually installed my copy of GridinSoft's Anti-Malware (formerly Trojan Killer) and after its initial scan, it found Locky right away and identified it as [ Ransom.RPL.Filecoder.ad ]. I chose to quarantine and remove it. However, Locky still re-appeared after subsequent reboots. Since none of my files were held ransom and I had backups anyway, I decided to decrypt my drive that was encrypted with VeraCrypt and I attempted to delete the reg keys in Safe Mode again, but Locky still persisted. I then re-installed Windows after reformatting the drive to see if that would do the trick, using DISKPART to clean the MBR, yet Locky returned with this new install of Windows...

    What's even more frustrating is that I had two other empty HDDs installed on this same system with the originally infected drive, and when I attempted to re-install Windows onto one of them, Locky appeared in the Windows Registry on that drive as well. Fed up over this insidious Filecoder, I then decided to wipe all three drives hooked up to my system with Hiren's Boot CD and then I used one of the MBR cleaning tools from Hiren's. After re-installing Windows again, Locky returned to the registry...

    While I'm sure there are additional methods I can try, I was getting so frustrated with the time I had already invested into attempting to remove this relentless infection that I decided to get a new hard drive (I was planning to get one anyway and this just gave me the impetus to finally do it). But now, this is where it gets scary...

    After pulling the old drives, clearing the CMOS RTC RAM data on my MOBO, installing the new drive and subsequently performing a clean install of Windows on this new HDD, I was completely blown away to see that Locky re-appeared again in my registry on the new drive I installed...

    Since my drives were securely wiped with Hiren's, I now have no way to recover the Windows Event Logs from the originally infected drive; however, the fact that this infection made it onto the brand-new hard drive I installed leads me to suspect one of the following:

    • Locky somehow has the ability to infect other hardware besides the HDD and possibly even other areas of the MOBO, or
    • maybe it corrupted my Windows installation CD-ROM, thus causing any subsequent re-install to automatically load the infection, or
    • Locky somehow infected my NetGear cable modem, which in turn re-infected my machine after every new install of Windows, or
    • Locky is terminating all of my security settings in a very stealthy way, thus preventing me from discovering its actions...

    I know the 2nd one may sound like a long shot to some, especially since I would expect Microsoft to incorporate some protection on the installation disk itself, but I also read somewhere that Locky has the ability to infect any storage media that is attached to the system. I suppose it's possible if this infection were sophisticated enough, but that being said, I feel like I'm now out an entire computer system because I just can't shake this thing nor determine how it got onto my system. And for all of you who may ask, before I re-installed Windows the 2nd time, I enabled the Clear Page File function on shutdown; however, this did not seem to matter...

    Just to clarify, I'm not looking to recover lost files since Locky never got the chance to hold my system ransom, but I am hoping there's a way to remove this infection without damaging the drive if possible. Either way, if anyone has had success in completely removing Locky from their system, please feel free to provide your insight. I'll take all the resources I can get at this point...
    Last edited by niemiro; 05-23-2016 at 09:43 AM. Reason: Edited on original poster's request

  2. #2
    Corrine
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    Hi,

    Please post the requested logs in the Malware Removal Posting Instructions.

    Thank you.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  3. #3
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    Thank you for pointing that out for me, Corrine. Per your request I will post the requested logs...

  4. #4
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    Quote Originally Posted by YOnGodsGreenEarth View Post
    Thank you for pointing that out for me, Corrine. Per your request I will post the requested logs...

    FRST Scan Log:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-05-2016
    Ran by TKRA7 (administrator) on TKRA7-PC (24-05-2016 11:23:44)
    Running from C:\Users\TKRA7\Desktop
    Loaded Profiles: TKRA7 (Available Profiles: TKRA7)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    (AMD) C:\Windows\System32\atiesrxx.exe
    () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    (SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe
    () C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
    HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe
    HKLM-x32\...\Run: [ASUS AiChargerPlus Execute] => C:\Program Files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe [465536 2010-11-08] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [ZALFree] => C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe [8980016 2015-11-05] (Zemana Ltd.)
    AppInit_DLLs: C:\PROGRA~2\KEYCRY~1\KeyCrypt64(6).dll => C:\Program Files (x86)\KeyCryptSDK\KeyCrypt64(6).dll [95712 2015-11-05] (Zemana Ltd.)
    AppInit_DLLs-x32: C:\PROGRA~2\KEYCRY~1\KeyCrypt32(6).dll => C:\Program Files (x86)\KeyCryptSDK\KeyCrypt32(6).dll [86936 2015-11-05] (Zemana Ltd.)
    GroupPolicyScripts: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    Tcpip\..\Interfaces\{C9558C5F-54E7-41D5-A78D-1AC2DCD6718F}: [DhcpNameServer] 75.75.75.75 75.75.76.76

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://duckduckgo.com/

    FireFox:
    ========
    FF ProfilePath: C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default
    FF Homepage: hxxps://duckduckgo.com/
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-20] ()
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-20] ()
    FF Extension: HTTPS-Everywhere - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\https-everywhere@eff.org [2016-05-20]
    FF Extension: NoScript - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-05-20]
    FF Extension: Bitdefender QuickScan - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2016-05-21]
    FF Extension: YouTube Auto Replay - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\extensions\YouTubeAutoReplay@arikv.com.xpi [2016-05-22]
    FF Extension: Privacy Badger - C:\Users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-05-20]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [922240 2011-06-13] ()
    R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [915584 2010-12-01] ()
    R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
    R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4383952 2016-05-22] (SurfRight B.V.)
    R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
    S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R0 AiChargerPlus; C:\Windows\System32\DRIVERS\AiChargerPlus.sys [14464 2010-11-08] (ASUSTek Computer Inc.)
    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
    R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
    R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    R3 hmpalert; C:\Windows\system32\drivers\hmpalert.sys [177040 2016-05-23] (SurfRight B.V.)
    R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [143904 2015-11-05] (Zemana Ltd.)
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
    S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
    S3 TrojanKillerDriver; C:\Windows\System32\DRIVERS\gtkdrv.sys [17568 2016-05-18] (Windows (R) Win 7 DDK provider)
    U3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
    S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-24 11:23 - 2016-05-24 11:23 - 02383360 _____ (Farbar) C:\Users\TKRA7\Desktop\FRST64.exe
    2016-05-24 11:23 - 2016-05-24 11:23 - 00007652 _____ C:\Users\TKRA7\Desktop\FRST.txt
    2016-05-24 10:45 - 2016-05-24 10:45 - 00021088 _____ C:\Users\TKRA7\Desktop\ComboFix Log.txt
    2016-05-24 10:42 - 2016-05-24 10:42 - 00021088 _____ C:\ComboFix.txt
    2016-05-24 10:36 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
    2016-05-24 10:36 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
    2016-05-24 10:36 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
    2016-05-24 10:36 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
    2016-05-24 10:33 - 2016-05-24 10:42 - 00000000 ____D C:\Qoobox
    2016-05-24 10:33 - 2016-05-24 10:41 - 00000000 ____D C:\Windows\erdnt
    2016-05-24 10:31 - 2016-05-24 10:31 - 00000930 _____ C:\Users\TKRA7\Desktop\SALog.txt
    2016-05-24 10:26 - 2016-05-24 11:23 - 00000000 ____D C:\FRST
    2016-05-24 10:20 - 2016-05-24 10:20 - 00898560 _____ C:\Users\TKRA7\Desktop\RGSA.exe
    2016-05-24 10:19 - 2016-05-24 10:19 - 05659526 ____R (Swearware) C:\Users\TKRA7\Desktop\ComboFix.exe
    2016-05-23 20:29 - 2016-05-23 20:29 - 00016384 _____ C:\Windows\SysWOW64\�bQ
    2016-05-23 06:07 - 2016-05-23 06:07 - 00016384 _____ C:\Windows\SysWOW64\hbK
    2016-05-23 02:38 - 2016-05-23 02:39 - 00000000 ____D C:\Users\TKRA7\Downloads\Pics
    2016-05-23 02:25 - 2016-05-23 02:25 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
    2016-05-23 02:00 - 2016-05-23 20:29 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
    2016-05-23 02:00 - 2016-05-23 02:39 - 00000000 ____D C:\Windows\CryptoGuard
    2016-05-23 02:00 - 2016-05-23 02:25 - 00000000 ____D C:\ProgramData\HitmanPro
    2016-05-23 02:00 - 2016-05-23 02:00 - 00177040 _____ (SurfRight B.V.) C:\Windows\system32\Drivers\hmpalert.sys
    2016-05-23 02:00 - 2016-05-23 02:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
    2016-05-23 02:00 - 2016-05-23 02:00 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
    2016-05-23 01:50 - 2016-05-23 01:53 - 00000000 ____D C:\ProgramData\TEMP
    2016-05-23 01:50 - 2016-05-23 01:51 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
    2016-05-23 01:50 - 2016-05-23 01:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
    2016-05-23 01:50 - 2012-05-02 12:17 - 01070152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2016-05-23 01:50 - 2009-03-24 13:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSSTDFMT.DLL
    2016-05-22 23:12 - 2016-05-22 23:12 - 00000000 ____D C:\Users\TKRA7\AppData\Local\niemiro
    2016-05-22 22:57 - 2016-05-22 22:57 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Fortres Grand
    2016-05-22 20:28 - 2016-05-22 20:28 - 00000000 ____D C:\AdwCleaner
    2016-05-22 17:53 - 2016-05-23 02:27 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
    2016-05-22 17:53 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
    2016-05-22 17:53 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
    2016-05-22 17:53 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2016-05-22 17:53 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
    2016-05-22 17:53 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
    2016-05-22 17:53 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2016-05-22 17:52 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
    2016-05-22 17:52 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2016-05-22 17:52 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
    2016-05-22 17:52 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2016-05-22 17:45 - 2016-05-22 17:45 - 00000000 ____D C:\inetpub
    2016-05-22 16:58 - 2016-05-22 16:58 - 00000000 ____D C:\ProgramData\WinaeroTweaker
    2016-05-22 12:59 - 2016-05-22 13:01 - 00194292 _____ C:\TDSSKiller.3.1.0.9_22.05.2016_12.59.02_log.txt
    2016-05-22 12:52 - 2016-05-22 13:00 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2016-05-22 12:50 - 2016-05-22 12:53 - 00000000 ____D C:\ProgramData\Malwarebytes
    2016-05-22 12:50 - 2016-05-22 12:50 - 00000000 ____D C:\Program Files\Malwarebytes
    2016-05-22 05:51 - 2016-05-22 21:03 - 00000000 ____D C:\Windows\Microsoft Antimalware
    2016-05-22 00:21 - 2016-05-22 00:21 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
    2016-05-22 00:21 - 2016-05-22 00:21 - 00001945 _____ C:\Windows\epplauncher.mif
    2016-05-22 00:21 - 2016-05-22 00:21 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2016-05-22 00:21 - 2016-05-22 00:21 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2016-05-22 00:14 - 2016-05-22 00:18 - 00005728 _____ C:\Users\TKRA7\Documents\Forum response for removing infection.txt
    2016-05-21 21:31 - 2016-05-21 21:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiLogger Free
    2016-05-21 21:10 - 2016-05-21 21:10 - 00000813 _____ C:\Users\TKRA7\Documents\Freedome driver Installation Error.txt
    2016-05-21 20:59 - 2016-05-21 20:59 - 00036320 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\fsfreedometap.sys
    2016-05-21 20:49 - 2016-05-21 20:49 - 00002790 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
    2016-05-21 20:49 - 2016-05-21 20:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    2016-05-21 20:49 - 2016-05-21 20:49 - 00000000 ____D C:\Program Files\CCleaner
    2016-05-21 20:48 - 2016-05-24 11:11 - 00000000 ____D C:\Users\TKRA7\Downloads\Software Tools
    2016-05-21 08:55 - 2016-05-21 08:55 - 00176751 _____ C:\Users\TKRA7\AppData\Local\census.cache
    2016-05-21 08:55 - 2016-05-21 08:55 - 00129256 _____ C:\Users\TKRA7\AppData\Local\ars.cache
    2016-05-21 08:31 - 2016-05-21 08:31 - 00000010 _____ C:\Users\TKRA7\AppData\Local\sponge.last.runtime.cache
    2016-05-21 08:29 - 2016-05-21 08:29 - 00000000 ____D C:\ProgramData\Trend Micro
    2016-05-21 08:28 - 2016-05-21 08:28 - 00000036 _____ C:\Users\TKRA7\AppData\Local\housecall.guid.cache
    2016-05-21 08:24 - 2016-05-21 08:26 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\QuickScan
    2016-05-21 08:24 - 2016-05-21 08:24 - 00000000 ____D C:\ProgramData\Bitdefender Agent
    2016-05-21 08:16 - 2016-05-21 21:29 - 00000000 ____D C:\ProgramData\F-Secure
    2016-05-21 08:16 - 2016-05-21 08:16 - 00000000 ____D C:\Users\TKRA7\AppData\Local\F-Secure
    2016-05-21 08:16 - 2016-05-21 08:16 - 00000000 ____D C:\Users\TKRA7\AppData\Local\FSDART
    2016-05-21 08:15 - 2016-05-22 17:47 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
    2016-05-21 08:15 - 2016-05-21 08:15 - 00000000 ____D C:\ProgramData\NortonInstaller
    2016-05-21 08:15 - 2016-05-21 08:15 - 00000000 ____D C:\ProgramData\Norton
    2016-05-21 02:03 - 2016-05-21 02:03 - 00001006 _____ C:\Users\TKRA7\Documents\New_Drive_New_Win_Install_SysInfo - Shortcut.lnk
    2016-05-21 01:47 - 2016-05-21 01:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GWX Control Panel
    2016-05-21 01:47 - 2016-05-21 01:47 - 00000000 ____D C:\Program Files (x86)\UltimateOutsider
    2016-05-21 01:34 - 2016-05-21 20:46 - 00000000 ____D C:\Windows\SysWOW64\ZALSDK_uninst
    2016-05-21 01:34 - 2014-12-30 13:31 - 07039960 _____ (Zemana Ltd.) C:\Windows\SysWOW64\ZALSDKCore.dll
    2016-05-20 01:30 - 2016-05-23 06:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
    2016-05-20 01:30 - 2016-05-23 02:27 - 00000737 _____ C:\Windows\ZAM_Guard.krnl.trace
    2016-05-20 01:30 - 2016-05-23 02:01 - 00031416 _____ C:\Windows\ZAM.krnl.trace
    2016-05-20 00:55 - 2016-05-20 00:55 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Macromedia
    2016-05-20 00:54 - 2016-05-20 00:54 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2016-05-20 00:54 - 2016-05-20 00:54 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2016-05-20 00:54 - 2016-05-20 00:54 - 00000000 ____D C:\Windows\system32\Macromed
    2016-05-20 00:54 - 2016-05-20 00:54 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Adobe
    2016-05-20 00:42 - 2016-05-20 00:50 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Mozilla
    2016-05-20 00:42 - 2016-05-20 00:42 - 00001159 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2016-05-20 00:42 - 2016-05-20 00:42 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Mozilla
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2016-05-20 00:42 - 2016-05-20 00:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2016-05-20 00:40 - 2016-05-21 23:06 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
    2016-05-20 00:40 - 2016-05-21 21:31 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2016-05-20 00:40 - 2016-05-21 01:34 - 00000000 ____D C:\Users\TKRA7\AppData\Local\Zemana
    2016-05-20 00:40 - 2016-05-20 00:40 - 00000000 ____D C:\Users\TKRA7\AppData\Local\AntiLogger Free
    2016-05-20 00:40 - 2015-11-05 15:00 - 00143904 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\KeyCrypt64.sys
    2016-05-20 00:26 - 2016-05-23 06:33 - 00003108 _____ C:\Windows\System32\Tasks\BDAntiCryptoWallTask
    2016-05-20 00:26 - 2013-10-14 18:00 - 00028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
    2016-05-20 00:23 - 2016-05-20 00:23 - 24917504 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 19607040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 14404096 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 12829696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 06026240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2016-05-20 00:23 - 2016-05-20 00:23 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2016-05-20 00:23 - 2016-05-20 00:23 - 02426880 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02278912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
    2016-05-20 00:23 - 2016-05-20 00:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2016-05-20 00:23 - 2016-05-20 00:23 - 01950720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01309696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00942592 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00645120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsIntl.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00616104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
    2016-05-20 00:23 - 2016-05-20 00:23 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
    2016-05-20 00:23 - 2016-05-20 00:23 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
    2016-05-20 00:23 - 2016-05-20 00:23 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00342728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
    2016-05-20 00:23 - 2016-05-20 00:23 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00235008 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00233472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00208384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00194048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00182272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00167424 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00151552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00147968 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00139264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00127488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00111616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00101376 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00083456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
    2016-05-20 00:23 - 2016-05-20 00:23 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00074240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00069120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00056832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00052224 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00024576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00012800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
    2016-05-20 00:23 - 2016-05-20 00:23 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 05549504 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 03969472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00376688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
    2016-05-20 00:22 - 2016-05-20 00:22 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00327168 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00288088 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
    2016-05-20 00:22 - 2016-05-20 00:22 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00231424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00068608 _____ (Microsoft Corporation) C:\Windows\system32\taskhost.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
    2016-05-20 00:22 - 2016-05-20 00:22 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
    2016-05-20 00:21 - 2016-05-20 00:21 - 03928064 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 03419136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02776576 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 02284544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01988096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01682432 _____ (Microsoft Corporation) C:\Windows\system32\XpsPrint.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01643520 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01238528 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01175552 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01158144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 01080832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00648192 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00604160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00522752 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00363008 _____ (Microsoft Corporation) C:\Windows\system32\dxgi.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00333312 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00293376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00249856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00245248 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecsExt.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\UIAnimation.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00207872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00194560 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00187392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00161792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00010752 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00010752 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00009728 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00009728 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00005632 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-20 00:21 - 2016-05-20 00:21 - 00002560 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2016-05-20 00:20 - 2016-05-20 00:20 - 01887232 _____ (Microsoft Corporation) C:\Windows\system32\d3d11.dll
    2016-05-20 00:20 - 2016-05-20 00:20 - 01505280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BDAntiRansomware
    2016-05-19 23:32 - 2016-05-19 23:32 - 00000000 ____D C:\Program Files\Bitdefender
    2016-05-19 23:30 - 2016-05-24 11:09 - 00000000 ____D C:\Users\TKRA7\Downloads\Windows
    2016-05-19 23:30 - 2016-05-23 02:38 - 00000000 ____D C:\Users\TKRA7\Downloads\Security Tools
    2016-05-19 23:30 - 2016-05-20 00:40 - 00000000 ____D C:\Users\TKRA7\Downloads\Browsers
    2016-05-19 23:23 - 2016-05-19 23:23 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Macromedia
    2016-05-19 23:09 - 2016-05-19 23:09 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Adobe
    2016-05-19 23:03 - 2016-05-24 11:23 - 00003228 _____ C:\Windows\System32\Tasks\GridinSoft Anti-Malware
    2016-05-19 22:58 - 2016-05-19 22:58 - 00000000 ____D C:\ProgramData\ASUS OC Profiles
    2016-05-19 22:56 - 2016-05-19 22:56 - 00000000 _____ C:\Windows\ativpsrm.bin
    2016-05-19 22:55 - 2016-05-20 00:27 - 00000000 ____D C:\Program Files\GridinSoft Anti-Malware
    2016-05-19 22:55 - 2016-05-19 23:04 - 00000893 _____ C:\Users\Public\Desktop\GridinSoft Anti-Malware.lnk
    2016-05-19 22:55 - 2016-05-19 22:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GridinSoft Anti-Malware
    2016-05-19 22:55 - 2016-05-19 22:55 - 00000000 ____D C:\ProgramData\GridinSoft
    2016-05-19 22:51 - 2011-05-24 11:08 - 00166624 _____ C:\Windows\system32\atiapfxx.blb
    2016-05-19 22:51 - 2011-05-24 11:04 - 00462848 _____ (Advanced Micro Devices, Inc.) C:\Windows\system32\ATIDEMGX.dll
    2016-05-19 22:51 - 2011-05-24 10:19 - 00058880 _____ (AMD) C:\Windows\system32\coinst.dll
    2016-05-19 22:51 - 2011-05-18 16:13 - 00032635 _____ C:\Windows\atiogl.xml
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\SysWOW64\atipblag.dat
    2016-05-19 22:51 - 2011-03-17 01:51 - 00003929 _____ C:\Windows\system32\atipblag.dat
    2016-05-19 22:49 - 2016-05-19 22:49 - 00001266 _____ C:\Users\TKRA7\Desktop\Windows Update.lnk
    2016-05-19 22:43 - 2016-05-19 22:43 - 00000000 ____D C:\Program Files\ASUS
    2016-05-19 22:42 - 2016-05-19 22:42 - 00000000 ____D C:\Windows\SysWOW64\Macromed
    2016-05-19 22:38 - 2016-05-19 22:43 - 00000000 ____D C:\Windows\System32\Tasks\ASUS
    2016-05-19 22:38 - 2016-05-19 22:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ASUS
    2016-05-19 22:38 - 2010-11-08 14:57 - 00014464 _____ (ASUSTek Computer Inc.) C:\Windows\system32\Drivers\AiChargerPlus.sys
    2016-05-19 22:38 - 2008-12-02 20:05 - 00184320 _____ (ASUSTeK) C:\Windows\SysWOW64\Drivers\UpdateHelper.dll
    2016-05-19 22:37 - 2016-05-19 22:38 - 00000000 ____D C:\Program Files (x86)\ASUS
    2016-05-19 22:37 - 2016-05-19 22:37 - 00000000 ____D C:\ProgramData\ASUS
    2016-05-19 22:37 - 2010-08-24 03:16 - 00013440 ____R C:\Windows\SysWOW64\Drivers\AsIO.sys
    2016-05-19 22:37 - 2010-06-29 03:41 - 00028672 ____R (ASUSTek Computer Inc.) C:\Windows\SysWOW64\AsIO.dll
    2016-05-19 22:37 - 2008-01-04 01:34 - 00011832 ____N C:\Windows\SysWOW64\Drivers\AsInsHelp64.sys
    2016-05-19 22:36 - 2016-05-19 22:36 - 00000000 ____D C:\Windows\RaidTool
    2016-05-19 22:36 - 2010-11-24 23:27 - 00120408 _____ (JMicron Technology Corp.) C:\Windows\system32\Drivers\jraid.sys
    2016-05-19 22:36 - 2009-07-13 21:15 - 00315904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Difxd825.rra
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files\ATI
    2016-05-19 22:35 - 2016-05-19 22:35 - 00000000 ____D C:\Program Files (x86)\AMD APP
    2016-05-19 22:35 - 2011-03-04 14:46 - 00078976 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_sata.sys
    2016-05-19 22:35 - 2011-03-04 14:46 - 00038528 _____ (Advanced Micro Devices) C:\Windows\system32\Drivers\amd_xata.sys
    2016-05-19 22:35 - 2010-12-15 23:06 - 00047232 ____R (Advanced Micro Devices) C:\Windows\system32\Drivers\usbfilter.sys
    2016-05-19 22:34 - 2016-05-19 22:34 - 00016896 _____ (ASUS) C:\Windows\AsTaskSched.dll
    2016-05-19 22:34 - 2016-05-19 22:34 - 00000000 ____D C:\Program Files\ATI Technologies
    2016-05-19 22:33 - 2011-02-25 02:25 - 00296320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
    2016-05-19 22:32 - 2016-05-19 22:32 - 00000000 ____D C:\Program Files (x86)\ASM104xUSB3
    2016-05-19 22:31 - 2016-05-19 22:43 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2016-05-19 22:31 - 2016-05-19 22:31 - 00000000 ____D C:\Program Files (x86)\Realtek
    2016-05-19 22:31 - 2011-08-23 09:57 - 00565352 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
    2016-05-19 22:31 - 2011-08-23 09:57 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
    2016-05-19 22:31 - 2011-08-23 09:57 - 00074272 _____ C:\Windows\system32\RtNicProp64.dll
    2016-05-19 22:30 - 2016-05-19 22:30 - 00001769 _____ C:\Windows\Language_trs.ini
    2016-05-19 22:29 - 2016-05-19 22:30 - 00028901 _____ C:\Windows\Ascd_tmp.ini
    2016-05-19 22:27 - 2016-05-20 00:28 - 00001413 _____ C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2016-05-19 22:27 - 2016-05-19 22:27 - 00000000 ____D C:\Users\TKRA7\AppData\Local\VirtualStore
    2016-05-19 22:25 - 2016-05-22 17:49 - 00000000 ____D C:\Users\TKRA7
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000020 ___SH C:\Users\TKRA7\ntuser.ini
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\My Documents
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Videos
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Pictures
    2016-05-19 22:25 - 2016-05-19 22:25 - 00000000 _SHDL C:\Users\TKRA7\Documents\My Music
    2016-05-19 22:25 - 2011-04-12 04:28 - 00000000 ____D C:\Users\TKRA7\AppData\Roaming\Media Center Programs
    2016-05-18 04:27 - 2016-05-18 04:27 - 00017568 _____ (Windows (R) Win 7 DDK provider) C:\Windows\system32\Drivers\gtkdrv.sys

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-05-24 10:40 - 2009-07-13 22:34 - 00000215 _____ C:\Windows\system.ini
    2016-05-24 02:56 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\rescache
    2016-05-23 20:36 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2016-05-23 20:36 - 2009-07-14 00:45 - 00020464 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2016-05-23 20:33 - 2009-07-14 01:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
    2016-05-23 20:33 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
    2016-05-23 20:29 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2016-05-22 17:48 - 2011-04-12 04:28 - 00000000 ___RD C:\Users\Public\Recorded TV
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Windows Sidebar
    2016-05-22 17:48 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
    2016-05-22 17:48 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\PolicyDefinitions
    2016-05-22 17:47 - 2009-07-14 01:32 - 00000000 ____D C:\Program Files\Microsoft Games
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\inetsrv
    2016-05-22 17:47 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\registration
    2016-05-21 20:52 - 2008-01-01 04:19 - 00000000 ____D C:\Windows\Panther
    2016-05-20 01:38 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
    2016-05-19 22:35 - 2009-07-13 23:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared

    ==================== Files in the root of some directories =======

    2016-05-21 08:55 - 2016-05-21 08:55 - 0129256 _____ () C:\Users\TKRA7\AppData\Local\ars.cache
    2016-05-21 08:55 - 2016-05-21 08:55 - 0176751 _____ () C:\Users\TKRA7\AppData\Local\census.cache
    2016-05-21 08:28 - 2016-05-21 08:28 - 0000036 _____ () C:\Users\TKRA7\AppData\Local\housecall.guid.cache
    2016-05-21 08:31 - 2016-05-21 08:31 - 0000010 _____ () C:\Users\TKRA7\AppData\Local\sponge.last.runtime.cache

    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-05-19 23:57

    ==================== End of FRST.txt ============================




    Addition Log:


    Additional scan result of Farbar Recovery Scan Tool (x64) Version:23-05-2016
    Ran by TKRA7 (2016-05-24 11:24:22)
    Running from C:\Users\TKRA7\Desktop
    Windows 7 Ultimate Service Pack 1 (X64) (2016-05-20 02:25:08)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-2205198338-1926017667-846148581-500 - Administrator - Disabled)
    Guest (S-1-5-21-2205198338-1926017667-846148581-501 - Limited - Disabled)
    TKRA7 (S-1-5-21-2205198338-1926017667-846148581-1000 - Administrator - Enabled) => C:\Users\TKRA7

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Microsoft Security Essentials (Enabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    AS: Microsoft Security Essentials (Enabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 10 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 10.0.42.34 - Adobe Systems Incorporated)
    Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    AI Suite II (HKLM-x32\...\{34D3688E-A737-44C5-9E2A-FF73618728E1}) (Version: 1.02.03 - ASUSTeK Computer Inc.)
    AntiLogger Free version 1.8.2.320 (HKLM-x32\...\{A80DB23D-0618-405B-89D9-28F99814E287}_is1) (Version: 1.8.2.320 - Zemana Ltd.)
    Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.14.1.0 - Asmedia Technology)
    ATI Catalyst Install Manager (HKLM\...\{A39D1D51-E8DE-4B07-016D-73C232E1E1D8}) (Version: 3.0.825.0 - ATI Technologies, Inc.)
    BDAntiRansomware (HKLM\...\{BE40AB1F-558F-4434-B72F-461EF97E7796}_is1) (Version: 1.0.12.1 - Bitdefender)
    CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
    GridinSoft Anti-Malware (HKLM-x32\...\GridinSoft Anti-Malware) (Version: 3.0.37 - GridinSoft LLC)
    GWX Control Panel (HKLM-x32\...\UltimateOutsider_GwxControlPanel) (Version: - UltimateOutsider)
    HitmanPro.Alert 3 (CryptoGuard) (HKLM\...\HitmanPro.Alert) (Version: 3.1.9.368 - SurfRight B.V.)
    JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.62.0 - JMicron Technology Corp.)
    KeyCrypt SDK version 1.8.1.199 (HKLM-x32\...\{5575EADE-4685-4E15-A9CD-6036BC2A3F75}_is1) (Version: 1.8.1.199 - Zemana Ltd.)
    Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
    Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
    Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
    SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {2923ABB0-0A82-4325-95F0-9BC7D18B4D82} - System32\Tasks\ASUS\ASUS AI Suite II Execute => C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe [2010-11-26] (ASUSTeK Computer Inc.)
    Task: {4AC999A8-229B-40AD-81A1-E36BA02D258C} - System32\Tasks\ASUS\USB 3.0 Boost Service => C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr.exe [2011-09-09] ()
    Task: {B659F42C-3DE0-4D82-B01F-92E7E3A40E15} - System32\Tasks\ASUS\ASUS DigiVRM Help => C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\VRMHelp.exe [2011-04-13] (ASUSTeK Computer Inc.)
    Task: {DB652C3D-48CA-4EFB-BF1E-34F4064D7F62} - System32\Tasks\BDAntiCryptoWallTask => C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe [2016-05-16] ()
    Task: {DFF34AA5-7E84-4E9E-BE22-C5166C36CC00} - System32\Tasks\GridinSoft Anti-Malware => C:\Program Files\GridinSoft Anti-Malware\gsam.exe [2016-05-18] (GridinSoft LLC)
    Task: {F840F41A-8D66-46F2-977D-A27E7FDC17D3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-05-13] (Piriform Ltd)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2011-06-13 04:36 - 2011-06-13 04:36 - 00922240 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe
    2010-12-01 22:15 - 2010-12-01 22:15 - 00915584 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
    2016-05-19 22:38 - 2010-10-21 05:52 - 00586880 ____R () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
    2016-05-19 23:32 - 2016-05-16 16:25 - 01318488 _____ () C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe
    2016-05-19 23:32 - 2015-08-14 14:49 - 00614400 _____ () C:\Program Files\Bitdefender\Tools\BDAntiRansomware\BDMetrics.dll
    2016-05-19 22:37 - 2016-05-23 20:29 - 00033280 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.14\PEbiosinterface32.dll
    2016-05-19 22:37 - 2010-06-28 22:58 - 00104448 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.14\ATKEX.dll
    2016-05-19 22:42 - 2011-03-04 04:33 - 00053248 ____N () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\HookKey32.dll
    2016-05-19 22:42 - 2009-05-21 10:14 - 00253952 _____ () C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\pngio.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)

    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\008i.com -> 008i.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\008k.com -> 008k.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\00hq.com -> 00hq.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0190-dialers.com -> 0190-dialers.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\01i.info -> 01i.info
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0411dd.com -> 0411dd.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0511zfhl.com -> 0511zfhl.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\05p.com -> 05p.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0632qyw.com -> 0632qyw.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0calories.net -> 0calories.net
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0cj.net -> 0cj.net
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\0scan.com -> 0scan.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\1-domains-registrations.com -> 1-domains-registrations.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\1-se.com -> 1-se.com
    IE restricted site: HKU\S-1-5-21-2205198338-1926017667-846148581-1000\...\1001movie.com -> 1001movie.com

    There are 6091 more sites.


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 22:34 - 2016-05-24 10:40 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\TKRA7\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 75.75.75.75 - 75.75.76.76
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\Services: BDESVC => 3
    MSCONFIG\Services: EFS => 3
    MSCONFIG\Services: pla => 3
    MSCONFIG\Services: RemoteRegistry => 3
    MSCONFIG\Services: SensrSvc => 3
    MSCONFIG\Services: TabletInputService => 3
    MSCONFIG\Services: TapiSrv => 3
    MSCONFIG\Services: TBS => 3
    MSCONFIG\Services: TrkWks => 2
    MSCONFIG\Services: WbioSrvc => 3
    MSCONFIG\Services: WMPNetworkSvc => 3

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{C6A1FA50-FDAD-4EAF-813C-E28A2CEF4524}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{FE7836D1-7D7B-41D8-96BC-6843DB27449F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

    ==================== Restore Points =========================

    19-05-2016 22:30:59 Installed Realtek Ethernet Controller Driver
    19-05-2016 22:32:26 Installed Asmedia ASM104x USB 3.0 Host Controller Driver.
    19-05-2016 22:33:35 Windows Update
    19-05-2016 22:36:18 Installed JMicron JMB36X Driver
    19-05-2016 22:38:10 Installed AI Suite II
    19-05-2016 22:38:39 Installed Ai Charger+
    19-05-2016 22:39:07 Installed ASUS Update
    19-05-2016 22:39:47 Installed DIGI+ VRM
    19-05-2016 22:40:21 Installed EPU
    19-05-2016 22:40:55 Installed FAN Xpert
    19-05-2016 22:41:15 Installed Probe II
    19-05-2016 22:41:40 Installed System Information
    19-05-2016 22:42:25 Installed TurboV EVO
    19-05-2016 22:43:01 Installed USB 3.0 Boost
    20-05-2016 00:20:42 Windows Modules Installer
    21-05-2016 20:59:20 Device Driver Package Install: F-Secure Corporation Network adapters
    21-05-2016 21:14:06 Installed Microsoft Solution - 93689bb7-63fe-4fe7-8eec-97e93e07121f
    21-05-2016 21:22:45 Installed Microsoft Solution - 9c197371-07a7-43f6-9bff-a08e6f6be4e9
    22-05-2016 00:31:28 Windows Update
    22-05-2016 17:16:36 Installed Microsoft Solution - b1fd3df2-4787-461b-8de9-a16614dede1c
    22-05-2016 17:18:25 Windows Update
    22-05-2016 17:39:07 Windows Modules Installer
    22-05-2016 17:45:06 Restore Operation
    22-05-2016 17:52:43 Windows Update
    22-05-2016 23:53:52 Windows Update
    23-05-2016 02:25:11 Checkpoint by HitmanPro

    ==================== Faulty Device Manager Devices =============

    Name: ZAM Helper Driver
    Description: ZAM Helper Driver
    Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Manufacturer:
    Service: ZAM
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears.Remove the device, and this error should be resolved.

    Name: ZAM Guard Driver
    Description: ZAM Guard Driver
    Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Manufacturer:
    Service: ZAM_Guard
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears.Remove the device, and this error should be resolved.


    ==================== Event log errors: =========================

    Application errors:
    ==================

    System errors:
    =============

    CodeIntegrity:
    ===================================
    Date: 2016-05-24 10:40:25.445
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-24 10:40:25.429
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:10.013
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:29:09.998
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.120
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 21:16:48.104
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.349
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2016-05-21 20:59:38.333
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\fsfreedometap.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


    ==================== Memory info ===========================

    Processor: AMD FX(tm)-4100 Quad-Core Processor
    Percentage of memory in use: 20%
    Total physical RAM: 8137.36 MB
    Available physical RAM: 6434.25 MB
    Total Virtual: 16272.89 MB
    Available Virtual: 14439.41 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:931.29 GB) (Free:887.69 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

    Partition: GPT.

    ==================== End of Addition.txt ============================




    RSGA Log:

    Result of Security Analysis by Rocket Grannie (x86) Updated: 24th May 2016
    Running from:C:\Users\TKRA7\Desktop (10:31:45 - 05/24/2016)
    ***---------------------------------------------------------***
    Microsoft Windows 7 Ultimate X64 Service Pack 1
    UAC is Enabled!
    Internet Explorer 11
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    ***-----------------Anti-Virus - Firewall-------------------***
    Microsoft Security Essentials (Enabled - Up to Date)
    Windows Firewall is Enabled!
    Searching for any other Firewall
    *No other Firewall Installed*
    ***----------------AntiSpyware - Miscellaneous---------------***
    Adobe Flash Player Plugin (version 21.0.0.242)
    Java is not installed
    CCleaner (version 5.17)
    HitmanPro (version 3)
    Microsoft Security Essentials (version 0)
    Mozilla Firefox (version 46)
    SpywareBlaster (version 5.5)

    ***----------------Analysis Complete-------------------------***





    As an extra measure, I also generated a ComboFix log, which I did not include with this post, but I can do so at anyone's request.

    One thing I noticed after the ComboFix scan was the existence of about 28 locked Registry Keys on this new drive, which strikes me as unusual considering the fact that a former ComboFix scan of my originally infected hard drive (which was already pulled from my system prior to installing my new current drive, as mentioned in my original post) showed only 2 locked Registry keys.

    If it would be permissible to do so in this forum, I will gladly post my current ComboFix log...

  5. #5
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    Let's take one step at a time, particularly as ComboFix hasn't been updated in quite a while. For that reason, I'll leave the CF files on the computer for now and not include in the instructions. I also wanted to mention that the only place that "Ransom.RPL.Filecoder.ad" showed up in search results in either Bing or Google is your post here. In addition, the file name does not match the names shown in the Locky materials I have reviewed.

    1. Please do the following to run FRST:

    Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

    NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
    • Open Notepad (Start =>All Programs => Accessories => Notepad).
    • Copy/Paste the entire contents of the code box below into Notepad.
    Code:
    start
    CreateRestorePoint:
    CloseProcesses:
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
    S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
    2016-05-23 20:29 - 2016-05-23 20:29 - 00016384 _____ C:\Windows\SysWOW64\�bQ
    2016-05-23 06:07 - 2016-05-23 06:07 - 00016384 _____ C:\Windows\SysWOW64\hbK
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
    C:\ProgramData\TEMP:5C321E34 [125] 
    EmptyTemp:
    end
    • Click Format and ensure Wordwrap is unchecked.
    • Important: Save the code to the same folder/directory that FRST.exe is located in, naming it as fixlist.txt
    • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
      • Press the Fix button once and wait.
      • FRST will process fixlist.txt
      • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
      • Please post the log in your next reply.


    2. Even though Firefox is your default browser, you still need to keep Flash Player updated for IE. The direct download link for the most recent version of the ActiveX version for IE is as follows:

    Flash Player For Internet Explorer, Windows 7 and earlier: http://download.macromedia.com/get/f...1_active_x.exe

    3. Please let me know how your computer is after running FRST and restarting. It also wouldn't hurt to see a fresh FRST log (The Addition.txt isn't necessary).


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  6. #6
    YOnGodsGreenEarth's Avatar
    Join Date
    May 2016
    Location
    Somewhere in the Land of the Free
    Posts
    27

    Re: Totally Perplexed by this Locky Ransomware...

    I followed your instructions with the script for FRST and I also updated the latest Flash Player for IE. Here are the results of the Fixlog:


    Fix result of Farbar Recovery Scan Tool (x64) Version:23-05-2016
    Ran by TKRA7 (2016-05-24 20:53:25) Run:1
    Running from C:\Users\TKRA7\Desktop
    Loaded Profiles: TKRA7 (Available Profiles: TKRA7)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
    S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
    2016-05-23 20:29 - 2016-05-23 20:29 - 00016384 _____ C:\Windows\SysWOW64\�bQ
    2016-05-23 06:07 - 2016-05-23 06:07 - 00016384 _____ C:\Windows\SysWOW64\hbK
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
    C:\ProgramData\TEMP:5C321E34 [125]
    EmptyTemp:
    end
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
    "HKU\S-1-5-21-2205198338-1926017667-846148581-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
    VGPU => service removed successfully
    ZAM => service removed successfully
    ZAM_Guard => service removed successfully
    C:\Windows\SysWOW64\�bQ => moved successfully
    C:\Windows\SysWOW64\hbK => moved successfully
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
    "C:\ProgramData\TEMP:5C321E34 [125]" => not found.
    EmptyTemp: => 24.5 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 20:53:47 ====





    After a reboot of my system the following keys continue to re-appear in my registry:



    • HKEY_CLASSES_ROOT\Software\F43o6aqLPEF6
    • HKEY_CLASSES_ROOT\Software\Locky


    • HKEY_USERS\.DEFAULT\Software\F43o6aqLPEF6
    • HKEY_USERS\.DEFAULT\Software\Locky


    • HKEY_USERS\S-1-5-19\Software\F43o6aqLPEF6
    • HKEY_USERS\S-1-5-19\Software\Locky


    • HKEY_USERS\S-1-5-20\Software\F43o6aqLPEF6
    • HKEY_USERS\S-1-5-20\Software\Locky



    After every reboot of my system, I have consistently deleted these keys as a matter of principle; however, they continue to persist. While my copy of GridinSoft's Anti-Malware continually prompts me to quarantine Locky after it performs its initial scan of my system upon startup, GSAM isn't the only application that finds these Locky keys. Subsequent reg scans with CCleaner also turn up Locky entries, although CCleaner only finds one or two of them at a time; when I run regedit and use the search term "Locky," that is when I find the rest of them. Locky and its associated Reg Key entries are always shown just like I've displayed them above (adjacent to each other in each instance of discovery in regedit).

    I should mention that I found Locky only after first performing a random scan of my system with CCleaner's Registry scanner several weeks ago. CCleaner indicates it as an obsolete reg key. This is when I first found any Locky entry on the old drive. Of course I initially deleted it with CCleaner and continued to do so. I also tried the other methods I mentioned in a continued attempt to remove them. It wasn't until sometime after this that I installed GSAM and it found one of these Locky keys and named it: [ Ransom.RPL.Filecoder.ad ]

    GSAM now continues to find this Locky Filecoder after every reboot, even after this latest reboot after running FRST with the script you just provided to me.

    I sincerely appreciate you conducting research to help me and I must admit, it sounds a bit strange that the only reference to that Filecoder name you could find was in reference to my post. I should think GridinSoft must have determined it from another source since it wasn't until I scanned my system with GSAM that Locky was found and subsequently labeled as such by GSAM. Either way I still find this very puzzling...
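
    The following is an added example for readers of this thread, not code from the poster or from any of the tools named above. It takes the two key names quoted in the post and, instead of searching the merged view regedit shows, walks the real locations: every hive loaded under HKEY_USERS (the per-user hive, .DEFAULT, S-1-5-19, S-1-5-20 and the *_Classes hives) plus HKLM\SOFTWARE\Classes, which together are what HKEY_CLASSES_ROOT is assembled from. For each hit it prints the account the hive belongs to, the key's owner (set from the token that created it, unless ownership was taken since), its values, and any explicit Deny ACEs, which is what a tool like RegAssassin is removing when it "unlocks" a key. The point of the hive column: .DEFAULT is what LocalSystem sees as HKCU, and S-1-5-19 and S-1-5-20 are LocalService and NetworkService, so an identical key appearing under all three was written by something running under those service accounts, not from the interactive desktop session, and the services and scheduled tasks in Addition.txt are where to look for the writer. Assumptions: an elevated PowerShell 3.0 or later prompt; the key names are the ones in the post and everything else is illustrative.

```powershell
# Added example, not code from the thread or from any of the tools named in it.
# Report where the two quoted key names exist across all loaded hives, who owns
# them, what they contain and whether any Deny ACEs are set on them.
# Assumes an elevated PowerShell 3.0+ prompt. Key names are from the post;
# nothing else here is taken from the logs.

$KeyNames = @('Locky', 'F43o6aqLPEF6')

# HKEY_USERS is not exposed as a drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Turn a HKEY_USERS subkey name into a readable label. The service accounts use
# fixed SIDs; .DEFAULT is the hive LocalSystem (S-1-5-18) sees as HKCU.
function Get-HiveLabel {
    param([string]$Name)
    switch ($Name) {
        '.DEFAULT' { return '.DEFAULT (HKCU for LocalSystem)' }
        'S-1-5-19' { return 'S-1-5-19 (LocalService)' }
        'S-1-5-20' { return 'S-1-5-20 (NetworkService)' }
    }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($Name -replace '_Classes$')
        return "$Name ($($sid.Translate([System.Security.Principal.NTAccount]).Value))"
    } catch { return $Name }   # not a SID, or the account cannot be resolved
}

# Roots to inspect. HKCR is a merged view of HKLM\SOFTWARE\Classes and each
# user's Software\Classes (the <SID>_Classes hives), so a regedit hit under
# HKCR\Software\... lives in one of these real locations.
$Roots = @(@{ Hive = 'HKLM (machine Classes)'; Path = 'HKLM:\SOFTWARE\Classes\Software' })
foreach ($hive in Get-ChildItem HKU:\) {
    $label = Get-HiveLabel $hive.PSChildName
    $Roots += @{ Hive = $label; Path = "HKU:\$($hive.PSChildName)\Software" }
    $Roots += @{ Hive = "$label (user Classes)"; Path = "HKU:\$($hive.PSChildName)\Software\Classes\Software" }
}

$Findings = foreach ($root in $Roots) {
    foreach ($name in $KeyNames) {
        $path = Join-Path $root.Path $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        try {
            $key = Get-Item -LiteralPath $path -ErrorAction Stop
            $acl = Get-Acl  -LiteralPath $path -ErrorAction Stop
        } catch {
            # A key that exists but cannot be opened even when elevated is what
            # the "locked registry key" tools are reporting.
            [pscustomobject]@{ Hive = $root.Hive; Path = $path
                               Owner = '(access denied: locked key?)'; Values = ''; DenyACEs = '' }
            continue
        }
        [pscustomobject]@{
            Hive     = $root.Hive
            Path     = $path
            Owner    = $acl.Owner
            Values   = ($key.GetValueNames() | ForEach-Object { "$_=$($key.GetValue($_))" }) -join '; '
            DenyACEs = ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                        ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join ', '
        }
    }
}

if ($Findings) { $Findings | Format-List } else { 'No matching keys in any loaded hive.' }
```

    Run it once right after a reboot and again after deleting the keys; if the same hives fill back in with the same owner, cross-check that owner against the account each service and scheduled task in Addition.txt runs under before assuming the writer is user-level malware.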

  7. #7
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    Ok, I need a clear head (it is close to my bed time) and want to think about this as well as consult with someone else. I'll be much of the day again tomorrow but will get back to you ASAP. In the meantime, why don't you go ahead and post a fresh ComboFix log in case that provides additional information.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.

  8. #8
    YOnGodsGreenEarth's Avatar
    Join Date
    May 2016
    Location
    Somewhere in the Land of the Free
    Posts
    27

    Re: Totally Perplexed by this Locky Ransomware...

    That's no problem Corrine. It's about time I call it a nite too.

    You'll have to forgive my lamenting about my issue so much. While I know that details are important, sometimes I can get a little carried away a little too fast but by no means am I trying to rush anyone. No need to worry.

    Anyway, I will post the ComboFix logs now that I have your go ahead. Please note them below at a time that is convenient for you...




    ComboFix Run In Normal Mode:

    ComboFix 16-05-18.01 - TKRA7 05/24/2016 10:37:14.1.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.6670 [GMT -4:00]
    Running from: c:\users\TKRA7\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\1463833487.bdinstall.bin
    c:\programdata\1463833495.bdinstall.bin
    c:\programdata\1463833497.bdinstall.bin
    c:\programdata\1463833500.bdinstall.bin
    c:\programdata\1463833519.bdinstall.bin
    c:\programdata\1463833561.bdinstall.bin
    c:\programdata\1463833563.bdinstall.bin
    c:\programdata\1463833565.bdinstall.bin
    c:\programdata\1463833567.bdinstall.bin
    c:\programdata\1463833569.bdinstall.bin
    c:\programdata\1463833575.bdinstall.bin
    c:\programdata\1463833589.bdinstall.bin
    c:\programdata\1463878422.bdinstall.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-24 to 2016-05-24 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
    "ZALFree"="c:\program files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" [2015-11-05 8980016]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(6).dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 ZAM;ZAM Helper Driver;c:\windows\System32\drivers\zam64.sys;c:\windows\SYSNATIVE\drivers\zam64.sys [x]
    R1 ZAM_Guard;ZAM Guard Driver;c:\windows\System32\drivers\zamguard64.sys;c:\windows\SYSNATIVE\drivers\zamguard64.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gtkdrv.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\.Default\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2016-05-24 10:42:28
    ComboFix-quarantined-files.txt 2016-05-24 14:42
    .
    Pre-Run: 953,388,605,440 bytes free
    Post-Run: 953,079,984,128 bytes free
    .
    - - End Of File - - CC19656FAEC9B36E560BFB8AC4024906
    A36C5E4F47E84449FF07ED3517B43A31





    ComboFix Run In Safe Mode:


    ComboFix 16-05-18.01 - TKRA7 05/24/2016 16:43:29.2.4 - x64 NETWORK
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.7115 [GMT -4:00]
    Running from: c:\users\TKRA7\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    SP: Microsoft Security Essentials *Enabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-24 to 2016-05-24 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-18 08:27 . 2016-05-18 08:27 17568 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
    "ZALFree"="c:\program files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" [2015-11-05 8980016]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(6).dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    R1 ZAM;ZAM Helper Driver;c:\windows\System32\drivers\zam64.sys;c:\windows\SYSNATIVE\drivers\zam64.sys [x]
    R1 ZAM_Guard;ZAM Guard Driver;c:\windows\System32\drivers\zamguard64.sys;c:\windows\SYSNATIVE\drivers\zamguard64.sys [x]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    R2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    R2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    R2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    R2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gtkdrv.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMCHAMELEON
    *NewlyCreated* - MBAMSWISSARMY
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-mbamchameleon
    SafeBoot-MBAMSwissArmy
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2016-05-24 16:47:33
    ComboFix-quarantined-files.txt 2016-05-24 20:47
    ComboFix2.txt 2016-05-24 14:42
    .
    Pre-Run: 952,757,608,448 bytes free
    Post-Run: 952,940,068,864 bytes free
    .
    - - End Of File - - A0CCC6F0CE4C5D5014E3F97368052D3A
    A36C5E4F47E84449FF07ED3517B43A31





  9. #9
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    After realizing the aforementioned ComboFix logs were generated before I ran FRST with the special script, I decided to run a new scan with ComboFix and have included the results below. Please consider at your leisure:


    New ComboFix Log (Normal Mode):

    ComboFix 16-05-18.01 - TKRA7 05/24/2016 22:21:20.3.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.4397 [GMT -4:00]
    Running from: c:\users\TKRA7\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-25 to 2016-05-25 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-25 02:25 . 2016-05-25 02:25 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-05-25 01:00 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BDA77E23-0B68-47ED-AA8C-ED556AB39550}\mpengine.dll
    2016-05-24 22:26 . 2016-05-24 22:26 848592 ----a-w- c:\windows\system32\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 84520 ----a-w- c:\windows\system32\drivers\hmpnet.sys
    2016-05-24 22:26 . 2016-05-24 22:26 767696 ----a-w- c:\windows\SysWow64\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 177040 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2016-05-24 22:26 . 2016-05-24 22:26 -------- d-----w- c:\program files (x86)\HitmanPro.Alert
    2016-05-24 21:14 . 2016-05-24 21:54 -------- d-----w- c:\program files (x86)\Glarysoft
    2016-05-24 21:11 . 2016-05-24 21:11 -------- d-----w- c:\program files (x86)\VS Revo Group
    2016-05-24 20:29 . 2016-05-25 00:56 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-05-24 20:29 . 2016-05-24 20:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2016-05-24 20:29 . 2016-03-10 18:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
    2016-05-24 20:29 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2016-05-24 20:29 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
    2016-05-24 18:03 . 2016-05-24 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2016-05-24 18:03 . 2016-05-24 18:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2016-05-24 14:59 . 2016-05-22 04:22 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2016-05-24 14:59 . 2016-05-09 16:10 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCBBBEB1-CFD8-487F-BED8-80E1E95CC6A8}\gapaengine.dll
    2016-05-24 14:48 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2016-05-24 14:26 . 2016-05-25 00:56 -------- d-----w- C:\FRST
    2016-05-23 06:25 . 2016-05-23 06:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2016-05-23 06:00 . 2016-05-25 00:13 -------- d-----w- c:\windows\CryptoGuard
    2016-05-23 06:00 . 2016-05-23 06:25 -------- d-----w- c:\programdata\HitmanPro
    2016-05-23 05:50 . 2016-05-23 05:50 -------- d-----w- c:\programdata\Licenses
    2016-05-23 05:50 . 2012-05-02 16:17 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2016-05-23 05:50 . 2009-03-24 17:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
    2016-05-23 05:50 . 2016-05-23 05:51 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2016-05-23 00:28 . 2016-05-23 00:28 -------- d-----w- C:\AdwCleaner
    2016-05-22 21:53 . 2016-05-23 06:27 -------- d-----w- c:\program files (x86)\Trojan Remover
    2016-05-22 21:53 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
    2016-05-22 21:53 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
    2016-05-22 21:53 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
    2016-05-22 21:53 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
    2016-05-22 21:53 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
    2016-05-22 21:53 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
    2016-05-22 21:52 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
    2016-05-22 21:52 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2016-05-22 21:45 . 2016-05-22 21:45 -------- d-----w- C:\inetpub
    2016-05-22 20:58 . 2016-05-22 20:58 -------- d-----w- c:\programdata\WinaeroTweaker
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\windows\Migration
    2016-05-22 16:52 . 2016-05-22 17:00 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2016-05-22 16:50 . 2016-05-24 20:29 -------- d-----w- c:\programdata\Malwarebytes
    2016-05-22 16:50 . 2016-05-22 16:50 -------- d-----w- c:\program files\Malwarebytes
    2016-05-22 09:51 . 2016-05-23 01:03 -------- d-----w- c:\windows\Microsoft Antimalware
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files\Microsoft Security Client
    2016-05-22 00:59 . 2016-05-22 00:59 36320 ----a-w- c:\windows\system32\drivers\fsfreedometap.sys
    2016-05-22 00:49 . 2016-05-22 00:49 -------- d-----w- c:\program files\CCleaner
    2016-05-21 12:29 . 2016-05-21 12:29 -------- d-----w- c:\programdata\Trend Micro
    2016-05-21 12:24 . 2016-05-21 12:24 -------- d-----w- c:\programdata\Bitdefender Agent
    2016-05-21 12:16 . 2016-05-22 01:29 -------- d-----w- c:\programdata\F-Secure
    2016-05-21 12:15 . 2016-05-21 12:15 -------- d-----w- c:\programdata\Norton
    2016-05-21 12:15 . 2016-05-22 21:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-05-21 05:47 . 2016-05-21 05:47 -------- d-----w- c:\program files (x86)\UltimateOutsider
    2016-05-21 05:34 . 2016-05-22 00:46 -------- d-----w- c:\windows\SysWow64\ZALSDK_uninst
    2016-05-21 05:34 . 2014-12-30 17:31 7039960 ----a-w- c:\windows\SysWow64\ZALSDKCore.dll
    2016-05-20 05:30 . 2016-05-23 10:07 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
    2016-05-20 04:54 . 2016-05-25 01:23 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-05-20 04:54 . 2016-05-25 01:23 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-05-20 04:54 . 2016-05-20 04:54 -------- d-----w- c:\windows\system32\Macromed
    2016-05-20 04:42 . 2016-05-20 04:42 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2016-05-20 04:40 . 2016-05-22 03:06 -------- d-----w- c:\program files (x86)\KeyCryptSDK
    2016-05-20 04:40 . 2015-11-05 19:00 143904 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
    2016-05-20 04:40 . 2016-05-22 01:31 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
    2016-05-20 04:26 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
    2016-05-20 04:22 . 2016-05-20 04:22 878080 ----a-w- c:\windows\system32\advapi32.dll
    2016-05-20 04:21 . 2016-05-20 04:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1887232 ----a-w- c:\windows\system32\d3d11.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
    2016-05-20 03:32 . 2016-05-20 03:32 -------- d-----w- c:\program files\Bitdefender
    2016-05-20 02:58 . 2016-05-20 02:58 -------- d-----w- c:\programdata\ASUS OC Profiles
    2016-05-20 02:56 . 2016-05-20 02:56 0 ----a-w- c:\windows\ativpsrm.bin
    2016-05-20 02:55 . 2016-05-20 02:55 -------- d-----w- c:\programdata\GridinSoft
    2016-05-20 02:55 . 2016-05-20 04:27 -------- d-----w- c:\program files\GridinSoft Anti-Malware
    2016-05-20 02:51 . 2011-05-24 15:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2016-05-20 02:51 . 2011-05-24 14:19 58880 ----a-w- c:\windows\system32\coinst.dll
    2016-05-20 02:43 . 2016-05-20 02:43 -------- d-----w- c:\program files\ASUS
    2016-05-20 02:42 . 2016-05-20 02:42 -------- d-----w- c:\windows\SysWow64\Macromed
    2016-05-20 02:38 . 2010-11-08 18:57 14464 ----a-w- c:\windows\system32\drivers\AiChargerPlus.sys
    2016-05-20 02:38 . 2008-12-03 00:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
    2016-05-20 02:37 . 2016-05-20 02:37 -------- d-----w- c:\programdata\ASUS
    2016-05-20 02:37 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\ASUS
    2016-05-20 02:37 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
    2016-05-20 02:37 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
    2016-05-20 02:37 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
    2016-05-20 02:36 . 2009-07-14 01:15 315904 ----a-w- c:\windows\SysWow64\Difxd825.rra
    2016-05-20 02:36 . 2010-11-25 03:27 120408 ----a-w- c:\windows\system32\drivers\jraid.sys
    2016-05-20 02:36 . 2016-05-20 02:36 -------- d-----w- c:\windows\RaidTool
    2016-05-20 02:36 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files (x86)\AMD APP
    2016-05-20 02:35 . 2016-05-20 02:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-05-20 02:35 . 2010-12-16 03:06 47232 ----a-r- c:\windows\system32\drivers\usbfilter.sys
    2016-05-20 02:35 . 2011-03-04 18:46 78976 ----a-w- c:\windows\system32\drivers\amd_sata.sys
    2016-05-20 02:35 . 2011-03-04 18:46 38528 ----a-w- c:\windows\system32\drivers\amd_xata.sys
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files\ATI
    2016-05-20 02:34 . 2016-05-20 02:34 -------- d-----w- c:\program files\ATI Technologies
    2016-05-20 02:34 . 2016-05-20 02:34 16896 ----a-w- c:\windows\AsTaskSched.dll
    2016-05-20 02:33 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2016-05-20 02:32 . 2016-05-20 02:32 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2016-05-20 02:32 . 2016-05-22 04:21 -------- d-sh--w- c:\windows\Installer
    2016-05-20 02:31 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
    2016-05-20 02:31 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2016-05-20 02:31 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2016-05-20 02:31 . 2016-05-20 02:31 -------- d-----w- c:\program files (x86)\Realtek
    2016-05-20 02:31 . 2016-05-20 02:43 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-18 08:27 . 2016-05-18 08:27 17568 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(6).dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gtkdrv.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 hmpnet;HitmanPro.Alert Network Driver;c:\windows\system32\drivers\hmpnet.sys;c:\windows\SYSNATIVE\drivers\hmpnet.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.21"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2016-05-24 22:27:36
    ComboFix-quarantined-files.txt 2016-05-25 02:27
    ComboFix2.txt 2016-05-24 20:47
    ComboFix3.txt 2016-05-24 14:42
    .
    Pre-Run: 947,220,377,600 bytes free
    Post-Run: 947,155,451,904 bytes free
    .
    - - End Of File - - EBECD2CA0E85A37150E3A15AC52973DF
    A36C5E4F47E84449FF07ED3517B43A31




  10. #10
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    After pulling the old drives, clearing the CMOS RTC RAM data on my MOBO, installing the new drive and subsequently performing a clean install of Windows on this new HDD-------I was completely blown away to see that Locky re-appeared again in my registry on the new drive I installed
    What did you use for the clean install on the new hard drive?

    First, you should also know that TrojanKiller/GridinSoft does not have the best reputation (see the WOT reputation scorecards for trojan-killer.net and anti-malware.gridinsoft.com). In addition, it doesn't make sense that GridinSoft continues to show those keys, although in the ComboFix scan prior to running FRST they appeared in the log but not in the last log.

    That said, let's just see what happens running a custom ComboFix script based on the first log.

    Custom CFScript

    Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
    Code:
    RegLockDel::
    [HKEY_USERS\.Default\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    [HKEY_USERS\.Default\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\F43o6aqLPEF6]
    @Denied: (B 2 3) (Everyone)
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\Locky]
    @Denied: (B 2 3) (Everyone)
    • Save this as CFScript.txt and place it on your desktop.
    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.



    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
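    One way to check what a RegLockDel script like the one above actually changed is to diff the LOCKED REGISTRY KEYS section of the ComboFix log taken before the script against the log produced afterwards. The following Python parser is an added example, not part of this thread or of ComboFix itself; the two sample logs are constructed from the key paths quoted in the script and the AppInit_DLLs entry shown in the logs, trimmed to a few lines, and the "after" outcome is assumed.

```python
import re

# A registry key header line in a ComboFix log, e.g. [HKEY_USERS\.Default\Software\Locky]
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# ComboFix's ACL marker under a key, e.g. "@Denied: (B 2 3) (Everyone)"
DENIED_RE = re.compile(r"^@Denied:\s*\(([^)]*)\)\s*\(([^)]*)\)$")


def parse_registry_blocks(log_text):
    """Collect every [HKEY_...] block in a ComboFix-style log.

    Returns {key_path: {"denied": "<rights> <principal>" or None,
                        "values": {value_name: raw_value_text}}}.
    Section banners and other free text end the current block, so
    lines such as "uLocal Page = ..." are not attributed to a key.
    """
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {"denied": None, "values": {}})
            continue
        if not line or line == ".":
            continue                      # spacer lines between blocks
        if current is None:
            continue
        d = DENIED_RE.match(line)
        if d:
            entries[current]["denied"] = f"{d.group(1)} {d.group(2)}"
        elif line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            entries[current]["values"][name.strip().strip('"')] = value.strip()
        else:
            current = None                # banner or free text: block is over
    return entries


def locked_keys(entries):
    """Keys ComboFix reported with an @Denied ACL entry.

    A denied ACL alone is not evidence of malware: legitimate keys such as
    Flash's FlashBroker CLSID and PCW\\Security appear in the same list.
    """
    return sorted(k for k, v in entries.items() if v["denied"] is not None)


def appinit_dlls(entries):
    """Report AppInit_DLLs values. Any DLL listed there is loaded into every
    process that loads user32.dll, so the owner of each entry should be known."""
    hits = []
    for key, v in entries.items():
        if key.lower().endswith(r"\windows nt\currentversion\windows"):
            dll = v["values"].get("AppInit_DLLs")
            if dll:
                hits.append((key, dll))
    return sorted(hits)


def diff_locked_keys(before_log, after_log):
    """What the script removed, what survived it, and what appeared since."""
    b = set(locked_keys(parse_registry_blocks(before_log)))
    a = set(locked_keys(parse_registry_blocks(after_log)))
    return {"removed": sorted(b - a), "persisting": sorted(b & a), "new": sorted(a - b)}


# Constructed sample logs (trimmed; key paths taken from the thread above).
BEFORE_LOG = r"""
((((( Reg Loading Points )))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_USERS\.Default\Software\F43o6aqLPEF6]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\F43o6aqLPEF6]
@Denied: (B 2 3) (Everyone)
.
"""

# Assumed outcome after the RegLockDel script: only the Flash key stays locked.
AFTER_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
"""

if __name__ == "__main__":
    for label, keys in diff_locked_keys(BEFORE_LOG, AFTER_LOG).items():
        print(f"{label}: {len(keys)}")
        for k in keys:
            print("   ", k)
    for _, dll in appinit_dlls(parse_registry_blocks(BEFORE_LOG)):
        print("AppInit_DLLs set to:", dll)
```

If a key lands in "persisting" or "new" after a reboot, that is the one to investigate; keys that reappear under fresh random names, as described earlier in the thread, will show up in "new".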

  11. #11
    YOnGodsGreenEarth's Avatar
    Join Date
    May 2016
    Location
    Somewhere in the Land of the Free
    Posts
    27

    Re: Totally Perplexed by this Locky Ransomware...

    Quote Originally Posted by Corrine View Post
    After pulling the old drives, clearing the CMOS RTC RAM data on my MOBO, installing the new drive and subsequently performing a clean install of Windows on this new HDD-------I was completely blown away to see that Locky re-appeared again in my registry on the new drive I installed
    What did you use for the clean install on the new hard drive?
    Thank you for getting back to me so soon Corrine. I actually used my Windows 7 Ultimate installation disk, which was a genuine package from Microsoft (it came with both disks, 32-bit & 64-bit). It was a special shipment from Microsoft that I received because when I originally installed an OEM Win 7 I purchased online several years ago, it turned out to be a non-genuine version. Naturally, now, after every clean install of Windows, I have to go through the activation process from scratch. This is the only media I have been using for each instance of a Windows install since my trouble with Locky began.

    As far as discovering Locky with GSAM goes, it found, and continues to find, only one of the Locky Reg Keys. As mentioned, I originally found several different Locky keys when I ran just RegEdit alone (as Administrator, of course). Since the first time I noticed Locky, I've always been able to find, and I continue to find, even presently, most of these same keys using RegEdit.

    At this point, I consider that what GSAM found simply corroborates what both RegEdit and CCleaner already showed----Locky keys in my registry. But I would still trust your judgement of GSAM more than I would take GridinSoft's word for it anyway. However, even without relying on GSAM, these keys still show up...

    I appreciate you providing me with a special script to use with ComboFix. I will definitely give it a go once I return home from work. Thanks again for the further instruction. I will post back with the results once I give it a try---possibly within the next couple of hours.

  12. #12
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    I guess we'll see what happens with the CF script. Then if it still shows up, I'll see if other team members have any suggestions.



  13. #13
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    BTW, if TrojanKiller/GridinSoft still show any of those files, please post the log from the scan showing those results.

    Thanks.



  14. #14
    YOnGodsGreenEarth's Avatar
    Join Date
    May 2016
    Location
    Somewhere in the Land of the Free
    Posts
    27

    Re: Totally Perplexed by this Locky Ransomware...

    Okay. Ran ComboFix with the script you gave me. I've posted it below. One thing I thought I'd mention: I noticed that ComboFix did not automatically reboot my system, which I have not done manually yet either, so I will post the log right now and then I'll reboot to see what happens...


    ComboFix Log:

    ComboFix 16-05-18.01 - TKRA7 05/25/2016 20:40:48.4.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.4288 [GMT -4:00]
    Running from: c:\users\TKRA7\Downloads\Security Tools\Special Tools\ComboFix.exe
    Command switches used :: c:\users\TKRA7\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-26 to 2016-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-26 00:45 . 2016-05-26 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-05-25 07:07 . 2016-05-25 07:07 -------- d-----w- c:\programdata\MicroWorld
    2016-05-25 02:38 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1066D84-A6B5-4C23-B7D7-01A6E845F3AB}\mpengine.dll
    2016-05-25 00:25 . 2016-05-25 00:47 -------- d---a-w- C:\cce_linux
    2016-05-24 22:26 . 2016-05-24 22:26 848592 ----a-w- c:\windows\system32\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 84520 ----a-w- c:\windows\system32\drivers\hmpnet.sys
    2016-05-24 22:26 . 2016-05-24 22:26 767696 ----a-w- c:\windows\SysWow64\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 177040 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2016-05-24 22:26 . 2016-05-24 22:26 -------- d-----w- c:\program files (x86)\HitmanPro.Alert
    2016-05-24 21:14 . 2016-05-24 21:54 -------- d-----w- c:\program files (x86)\Glarysoft
    2016-05-24 21:11 . 2016-05-24 21:11 -------- d-----w- c:\program files (x86)\VS Revo Group
    2016-05-24 20:29 . 2016-05-25 22:39 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-05-24 20:29 . 2016-05-24 20:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2016-05-24 20:29 . 2016-03-10 18:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
    2016-05-24 20:29 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2016-05-24 20:29 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
    2016-05-24 18:03 . 2016-05-24 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2016-05-24 18:03 . 2016-05-24 18:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2016-05-24 14:59 . 2016-05-22 04:22 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2016-05-24 14:59 . 2016-05-09 16:10 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCBBBEB1-CFD8-487F-BED8-80E1E95CC6A8}\gapaengine.dll
    2016-05-24 14:48 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2016-05-24 14:26 . 2016-05-25 00:56 -------- d-----w- C:\FRST
    2016-05-23 06:25 . 2016-05-23 06:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2016-05-23 06:00 . 2016-05-25 00:13 -------- d-----w- c:\windows\CryptoGuard
    2016-05-23 06:00 . 2016-05-23 06:25 -------- d-----w- c:\programdata\HitmanPro
    2016-05-23 05:50 . 2016-05-23 05:50 -------- d-----w- c:\programdata\Licenses
    2016-05-23 05:50 . 2012-05-02 16:17 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2016-05-23 05:50 . 2009-03-24 17:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
    2016-05-23 05:50 . 2016-05-23 05:51 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2016-05-23 00:28 . 2016-05-23 00:28 -------- d-----w- C:\AdwCleaner
    2016-05-22 21:53 . 2016-05-23 06:27 -------- d-----w- c:\program files (x86)\Trojan Remover
    2016-05-22 21:53 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
    2016-05-22 21:53 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
    2016-05-22 21:53 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
    2016-05-22 21:53 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
    2016-05-22 21:53 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
    2016-05-22 21:53 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
    2016-05-22 21:52 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
    2016-05-22 21:52 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2016-05-22 21:45 . 2016-05-22 21:45 -------- d-----w- C:\inetpub
    2016-05-22 20:58 . 2016-05-22 20:58 -------- d-----w- c:\programdata\WinaeroTweaker
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\windows\Migration
    2016-05-22 16:52 . 2016-05-22 17:00 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2016-05-22 16:50 . 2016-05-24 20:29 -------- d-----w- c:\programdata\Malwarebytes
    2016-05-22 16:50 . 2016-05-22 16:50 -------- d-----w- c:\program files\Malwarebytes
    2016-05-22 09:51 . 2016-05-23 01:03 -------- d-----w- c:\windows\Microsoft Antimalware
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files\Microsoft Security Client
    2016-05-22 00:59 . 2016-05-22 00:59 36320 ----a-w- c:\windows\system32\drivers\fsfreedometap.sys
    2016-05-22 00:49 . 2016-05-22 00:49 -------- d-----w- c:\program files\CCleaner
    2016-05-21 12:29 . 2016-05-21 12:29 -------- d-----w- c:\programdata\Trend Micro
    2016-05-21 12:24 . 2016-05-21 12:24 -------- d-----w- c:\programdata\Bitdefender Agent
    2016-05-21 12:16 . 2016-05-22 01:29 -------- d-----w- c:\programdata\F-Secure
    2016-05-21 12:15 . 2016-05-21 12:15 -------- d-----w- c:\programdata\Norton
    2016-05-21 12:15 . 2016-05-22 21:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-05-21 05:47 . 2016-05-21 05:47 -------- d-----w- c:\program files (x86)\UltimateOutsider
    2016-05-21 05:34 . 2016-05-22 00:46 -------- d-----w- c:\windows\SysWow64\ZALSDK_uninst
    2016-05-21 05:34 . 2014-12-30 17:31 7039960 ----a-w- c:\windows\SysWow64\ZALSDKCore.dll
    2016-05-20 05:30 . 2016-05-23 10:07 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
    2016-05-20 04:54 . 2016-05-25 01:23 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-05-20 04:54 . 2016-05-25 01:23 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-05-20 04:54 . 2016-05-20 04:54 -------- d-----w- c:\windows\system32\Macromed
    2016-05-20 04:42 . 2016-05-20 04:42 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2016-05-20 04:40 . 2016-05-22 03:06 -------- d-----w- c:\program files (x86)\KeyCryptSDK
    2016-05-20 04:40 . 2015-11-05 19:00 143904 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
    2016-05-20 04:40 . 2016-05-22 01:31 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
    2016-05-20 04:26 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
    2016-05-20 04:22 . 2016-05-20 04:22 878080 ----a-w- c:\windows\system32\advapi32.dll
    2016-05-20 04:21 . 2016-05-20 04:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1887232 ----a-w- c:\windows\system32\d3d11.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
    2016-05-20 03:32 . 2016-05-20 03:32 -------- d-----w- c:\program files\Bitdefender
    2016-05-20 02:58 . 2016-05-20 02:58 -------- d-----w- c:\programdata\ASUS OC Profiles
    2016-05-20 02:56 . 2016-05-20 02:56 0 ----a-w- c:\windows\ativpsrm.bin
    2016-05-20 02:55 . 2016-05-20 02:55 -------- d-----w- c:\programdata\GridinSoft
    2016-05-20 02:55 . 2016-05-20 04:27 -------- d-----w- c:\program files\GridinSoft Anti-Malware
    2016-05-20 02:51 . 2011-05-24 15:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2016-05-20 02:51 . 2011-05-24 14:19 58880 ----a-w- c:\windows\system32\coinst.dll
    2016-05-20 02:43 . 2016-05-20 02:43 -------- d-----w- c:\program files\ASUS
    2016-05-20 02:42 . 2016-05-20 02:42 -------- d-----w- c:\windows\SysWow64\Macromed
    2016-05-20 02:38 . 2010-11-08 18:57 14464 ----a-w- c:\windows\system32\drivers\AiChargerPlus.sys
    2016-05-20 02:38 . 2008-12-03 00:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
    2016-05-20 02:37 . 2016-05-20 02:37 -------- d-----w- c:\programdata\ASUS
    2016-05-20 02:37 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\ASUS
    2016-05-20 02:37 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
    2016-05-20 02:37 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
    2016-05-20 02:37 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
    2016-05-20 02:36 . 2009-07-14 01:15 315904 ----a-w- c:\windows\SysWow64\Difxd825.rra
    2016-05-20 02:36 . 2010-11-25 03:27 120408 ----a-w- c:\windows\system32\drivers\jraid.sys
    2016-05-20 02:36 . 2016-05-20 02:36 -------- d-----w- c:\windows\RaidTool
    2016-05-20 02:36 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files (x86)\AMD APP
    2016-05-20 02:35 . 2016-05-20 02:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-05-20 02:35 . 2010-12-16 03:06 47232 ----a-r- c:\windows\system32\drivers\usbfilter.sys
    2016-05-20 02:35 . 2011-03-04 18:46 78976 ----a-w- c:\windows\system32\drivers\amd_sata.sys
    2016-05-20 02:35 . 2011-03-04 18:46 38528 ----a-w- c:\windows\system32\drivers\amd_xata.sys
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files\ATI
    2016-05-20 02:34 . 2016-05-20 02:34 -------- d-----w- c:\program files\ATI Technologies
    2016-05-20 02:34 . 2016-05-20 02:34 16896 ----a-w- c:\windows\AsTaskSched.dll
    2016-05-20 02:33 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2016-05-20 02:32 . 2016-05-20 02:32 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2016-05-20 02:32 . 2016-05-22 04:21 -------- d-sh--w- c:\windows\Installer
    2016-05-20 02:31 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
    2016-05-20 02:31 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2016-05-20 02:31 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2016-05-20 02:31 . 2016-05-20 02:31 -------- d-----w- c:\program files (x86)\Realtek
    2016-05-20 02:31 . 2016-05-20 02:43 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-18 08:27 . 2016-05-18 08:27 17568 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(6).dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gtkdrv.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 hmpnet;HitmanPro.Alert Network Driver;c:\windows\system32\drivers\hmpnet.sys;c:\windows\SYSNATIVE\drivers\hmpnet.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.21"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2016-05-25 20:47:19
    ComboFix-quarantined-files.txt 2016-05-26 00:47
    ComboFix2.txt 2016-05-25 02:27
    ComboFix3.txt 2016-05-24 20:47
    ComboFix4.txt 2016-05-24 14:42
    .
    Pre-Run: 946,853,986,304 bytes free
    Post-Run: 946,788,552,704 bytes free
    .
    - - End Of File - - 194F54C9B11C211F1A52FCFBA650F143
    A36C5E4F47E84449FF07ED3517B43A31




  15. #15
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    I rebooted my machine after running ComboFix with that script. Sure enough, GSAM performed a startup scan and found Locky again.

    Just to confirm, I also ran a search for Locky in Regedit, and Locky was in fact there, and this time, it seems as though Locky made its way into a few more places within my registry than before. I will paste the GSAM logs for you to look at and also the results from my Regedit scan down below...

    RegEdit Scan (As Administrator):

    HKEY_CLASSES_ROOT\Software\F43o6aqLPEF6
    HKEY_CLASSES_ROOT\Software\Locky

    HKEY_CURRENT_USER\Software\Classes\Software\F43o6aqLPEF6
    HKEY_CURRENT_USER\Software\Classes\Software\Locky

    HKEY_USERS\.DEFAULT\Software\F43o6aqLPEF6
    HKEY_USERS\.DEFAULT\Software\Locky

    HKEY_USERS\S-1-5-18\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-18\Software\Locky

    HKEY_USERS\S-1-5-19\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-19\Software\Locky

    HKEY_USERS\S-1-5-20\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-20\Software\Locky

    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Classes\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\Classes\Software\Locky

    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\F43o6aqLPEF6
    HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000_Classes\Software\Locky

    GSAM's Startup Scan Results:

    GridinSoft Anti-Malware (64-bit) v.3.0.37
    Report file date: 5/25/2016 9:26:00 PM
    Last update: 5/25/2016 9:26:00 PM

    Scanning for 778936 virus strains and unwanted programs.

    Licensed for: xxx
    Windows version: Windows 7 Ultimate x64 (version 6.1)
    Username: TKRA7
    Computer name: TKRA7-PC

    Starting the file scan:

    System startup scan started
    Scanning process...
    ----- HKCU\Software\locky ---- Registry Threat
    Ransom.RPL.Filecoder.ad


    Scan completed

    Scan result: 1 detected items
    Scan completed in: Scan completed in 1 minute(s) 1 sec.
    Files were scanned: 556

    GSAM's_Sys_Info_Log:

    {"Application":{"Id":"gsam","FileName":"C:\\Program Files\\GridinSoft Anti-Malware\\gsam.exe","Hash":"7E65645FFF9256FCC65EF8AB2D9561A6","Size":"15782864","License":"1","Skin":"Default","Proactive":"0","UserId":"92ADFAEB-D22B-4E33-998B-8A6E1D7A70BA","ScanId":"513955D004053B840FA3D10E6DCDE8F4","LastUpdate":"25.05.2016 21:26:00","DBVersion":"26.05.2016 01:03:57[PL:26.05.2016 00:02:54,AMD:26.05.2016 01:03:57,ASMD:26.05.2016 01:03:21,RICO:25.05.2016 20:02:34,RI:30.12.1899 00:00:00,NACO:25.05.2016 17:14:54,FH:26.05.2016 01:02:42,SESI:25.05.2016 17:16:30,ID:25.05.2016 17:15:21,AVS:30.12.1899 00:00:00,WL:25.05.2016 17:15:46]","CollectDateTime":"25.05.2016 21:29:29"},"System":{"Processor":"AMD FX(tm)-4100 Quad-Core Processor","Memory":"8137 Mb","Version":"Windows 7 Ultimate x64 (version 6.1)","Build":"7601","Update":"Service Pack 1","Country":"United States","Language":"English","Location":"US","AntiVirus":{"Microsoft Security Essentials":"0"},"AntiSpyware":{"Microsoft Security Essentials":"0","Windows Defender":"0"}},"Processes":{"300":{"action":"%system%\\smss.exe","fileinfo":"WhiteList"},"420":{"action":"%system%\\csrss.exe","fileinfo":"WhiteList"},"500":{"action":"%system%\\wininit.exe","fileinfo":"WhiteList"},"520":{"action":"%system%\\csrss.exe","fileinfo":"WhiteList"},"564":{"action":"%system%\\services.exe","fileinfo":"WhiteList"},"592":{"action":"%system%\\winlogon.exe","fileinfo":"WhiteList"},"620":{"action":"%system%\\lsass.exe","fileinfo":"WhiteList"},"628":{"action":"%system%\\lsm.exe","fileinfo":"WhiteList"},"732":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"800":{"action":"%programfiles(x86)%\\hitmanpro.alert\\hmpalert.exe","fileinfo":{"sent":"-1","md5":{"hash":"CC8BFF0700193E8F22184FC77BF45EF2","size":"4383952"},"certificates":"SurfRight B.V.;","prodver":"3.1.9.368","filever":"3.1.9.368","name":"HitmanPro.Alert","company":"SurfRight 
B.V.","nac":{"hash":"1814E5D47926E4C01B7E0F28F99CA313","size":"29"},"ric":{"hash":"D7044A76FD994B76B352ECD58A343C15","size":"94104"},"rfh":{"size":"768","hash1":"ok%2Bkv95X67d53HwhwTS00p00Yo4507GJ07%2Ff07Ml00mHR000moC0600mlHVHiOHr","hash2":"w7dBswoK89UVV"},"subs":"Win32 GUI","pe":"x86","epsec":"0","eprva":"00205590","ibase":"00400000","ep":"E816060000E978FEFFFFFF25F0A764008B4DF464890D00000000595F5F5E5B8BE55D51F2C38B4DF033CDF2E88DF8FFFFF2E9DAFFFFFF8B4DEC33CDF2E87CF8FFFF","sec":[{"name":".text","hash":"710EAE65405B9A7563D14BC2FBD41128","size":"2394624","attr":"60000020"},{"name":".rdata","hash":"4DAC5E22B2917C08C0EC51B87A0076DE","size":"542720","attr":"40000040"},{"name":".data","hash":"A4FB101393D6DF2EADFDF49308A53C6E","size":"49152","attr":"C0000040"},{"name":".rsrc","hash":"8FCF930F82B8FDDCD34D92F0CFA5C240","size":"1201664","attr":"40000040"},{"name":".reloc","hash":"4C7E09FC05A348AFD88DF84E0DEF33A2","size":"119296","attr":"42000040"}]}},"916":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"124":{"action":"%programfiles%\\microsoft security client\\msmpeng.exe","fileinfo":"WhiteList"},"328":{"action":"%system%\\atiesrxx.exe","fileinfo":"WhiteList"},"388":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"680":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"940":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"1052":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"1236":{"action":"%system%\\atieclxx.exe","fileinfo":{"sent":"-1","md5":{"hash":"15AB7C82C9B5D276815CBD3BC25C5648","size":"485376"},"prodver":"6.14.11.1096","filever":"6.14.11.1096","name":"AMD External Events","company":"AMD","nac":{"hash":"2D9BBA196594EDB75656D7589BD20854","size":"22"},"subs":"Win32 
GUI","pe":"x64","epsec":"0","eprva":"0002DD74","ibase":"0000000140000000","ep":"4883EC28E8FF6000004883C428E986FDFFFFCCCCC20000CC488D055D630000488D0DE26F000048890567440400488D050463000048890D514404004889055A4404","sec":[{"name":".text","hash":"13E7F879488329555AEADB8420ACE0CD","size":"331264","attr":"60000020"},{"name":".rdata","hash":"75D9677A927BB9E4FF6781EED96D179B","size":"120832","attr":"40000040"},{"name":".data","hash":"227D18DF2F308DEA314C1F41219F4361","size":"13312","attr":"C0000040"},{"name":".pdata","hash":"A644505EC01CCD066EF8EB86C4BBA353","size":"17408","attr":"40000040"},{"name":".rsrc","hash":"30AD80A50FC7A19DEFEBABF0B38223E7","size":"1536","attr":"40000040"}]}},"1392":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"1500":{"action":"%system%\\spoolsv.exe","fileinfo":"WhiteList"},"1532":{"action":"%system%\\svchost.exe","fileinfo":"WhiteList"},"1608":{"action":"%programfiles%\\superantispyware\\sascore64.exe","fileinfo":"WhiteList"},"1652":{"action":"%programfiles(x86)%\\asus\\axsp\\1.00.14\\atkexcomsvc.exe","fileinfo":{"sent":"-1","md5":{"hash":"6E3F4538B33BC19259E99BE1826286A3","size":"922240"},"certificates":"ASUSTeK Computer Inc.;","ric":{"hash":"F4D31819D8658063F6F17DCE07AD6E9A","size":"8992"},"rfh":{"size":"192","hash1":"mOoHnZLxSkZf5Sv5qlXNihGsEc8OZEc59SC","hash2":"mOoHZLxSkPG5KXYhhEc8cjMC"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"0000147C","ibase":"00400000","ep":"EB1066623A432B2B484F4F4B90E99CF04A00A18FF04A00C1E002A393F04A00526A00E839CF0A008BD0E8965109005AE8744D0900E87F5609006A00E8A867090059","sec":[{"name":".text","hash":"59A5CD2D82BBE6F48F16B09D751BC8AF","size":"712192","attr":"60000020"},{"name":".data","hash":"500786AB1BDC15FFE4B9E189272058B4","size":"77824","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rdata","hash":"1A78F1F8473263B1B6DBF27D432B3A2A","size":"512","attr":"50000040"},{"name":".idata","hash":"A5E7C94ECA04433DB8C15239D6175351","size":"12800","attr":"40000040"},{"name":".edata","hash":"080C63F1D323578AE9FF96B29B1581A0","size":"512","attr":"40000040"},{"name":".rsrc","hash":"AAAFDEFA121B50BF4E9A01C0A8933E14","size":"63488","attr":"40000040"},{"name":".reloc","hash":"6E16725D04DF889C793BDCFFBE6CB2F5","size":"46080","attr":"50000040"}]}},"1788":{"action":"%programfiles(x86)%\\hitmanpro.alert\\hmpalert.exe","fileinfo":{"sent":"-1","md5":{"hash":"CC8BFF0700193E8F22184FC77BF45EF2","size":"4383952"},"certificates":"SurfRight B.V.;","prodver":"3.1.9.368","filever":"3.1.9.368","name":"HitmanPro.Alert","company":"SurfRight B.V.","nac":{"hash":"1814E5D47926E4C01B7E0F28F99CA313","size":"29"},"ric":{"hash":"D7044A76FD994B76B352ECD58A343C15","size":"94104"},"rfh":{"size":"768","hash1":"ok%2Bkv95X67d53HwhwTS00p00Yo4507GJ07%2Ff07Ml00mHR000moC0600mlHVHiOHr","hash2":"w7dBswoK89UVV"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"00205590","ibase":"00400000","ep":"E816060000E978FEFFFFFF25F0A764008B4DF464890D00000000595F5F5E5B8BE55D51F2C38B4DF033CDF2E88DF8FFFFF2E9DAFFFFFF8B4DEC33CDF2E87CF8FFFF","sec":[{"name":".text","hash":"710EAE65405B9A7563D14BC2FBD41128","size":"2394624","attr":"60000020"},{"name":".rdata","hash":"4DAC5E22B2917C08C0EC51B87A0076DE","size":"542720","attr":"40000040"},{"name":".data","hash":"A4FB101393D6DF2EADFDF49308A53C6E","size":"49152","attr":"C0000040"},{"name":".rsrc","hash":"8FCF930F82B8FDDCD34D92F0CFA5C240","size":"1201664","attr":"40000040"},{"name":".reloc","hash":"4C7E09FC05A348AFD88DF84E0DEF33A2","size":"119296","attr":"42000040"}]}},"1796":{"action":"%programfiles(x86)%\\asus\\aahm\\1.00.14\\aahmsvc.exe","fileinfo":{"sent":"-1","md5":{"hash":"A63173897EA1A73A75D0E65036DE5B15","size":"915584"},"certificates":"ASUSTeK Computer Inc.;","ric":{"hash":"F4D31819D8658063F6F17DCE07AD6E9A","size":"8992"},"rfh":{"size":"192","hash1":"mOoHnZLxSkZf5Sv5qlXNihGsEc8OZEc59SC","hash2":"mOoHZLxSkPG5KXYhhEc8cjMC"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"00001494","ibase":"00400000","ep":"EB1066623A432B2B484F4F4B90E99CE04A00A18FE04A00C1E002A393E04A00526A00E8A7BB0A008BD0E8C23409005AE8A0300900E8AB3909006A00E89C4A090059","sec":[{"name":".text","hash":"A519C7CBCCF80F91BAF71A039E134E8E","size":"707584","attr":"60000020"},{"name":".data","hash":"B2DFCCDE32AFD22292B1DA9AB046D87B","size":"75264","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rdata","hash":"DCD207A2E8F355379EA40EA1EF21AE1F","size":"512","attr":"50000040"},{"name":".idata","hash":"CB02E2511D5FA27CAF02C6DECA1B0D0A","size":"13312","attr":"40000040"},{"name":".edata","hash":"153A3664D82CD3802ED63EA83965BE43","size":"1024","attr":"40000040"},{"name":".rsrc","hash":"B3DF7DE3285E8F994E25CB5B24D83456","size":"62464","attr":"40000040"},{"name":".reloc","hash":"AFF1E6F8A7AFFE1E28BC8D0787EFE739","size":"46592","attr":"50000040"}]}},"1880":{"action":"%system%\\dwm.exe","fileinfo":"WhiteList"},"1888":{"action":"%system%\\taskhost.exe","fileinfo":"WhiteList"},"1956":{"action":"%programfiles(x86)%\\asus\\assysctrlservice\\1.00.11\\assysctrlservice.exe","fileinfo":{"sent":"-1","md5":{"hash":"5C31DFB196CB3A488A041881634D86D2","size":"586880"},"certificates":"ASUSTeK Computer Inc.;","subs":"Win32 
GUI","pe":"x86","epsec":"1","eprva":"00038BD5","ibase":"00400000","ep":"E966690100E9D1F80100E91C220100E9E77B0000E9E27E0200E95DA20000E9A80F0600E9938A0500E97EE90400E989E70300E9F4AF0200E9CF0D0600E94AA70100","sec":[{"name":".textbss","hash":"00000000000000000000000000000000","size":"0","attr":"E00000A0"},{"name":".text","hash":"3F3557AE784EBCA7DB8A2BBF4EDA5A05","size":"471040","attr":"60000020"},{"name":".rdata","hash":"8BFF960E81A4C865DA6C988A1D17F177","size":"92672","attr":"40000040"},{"name":".data","hash":"1A44B4A96430D094AD066895821DDD02","size":"6144","attr":"C0000040"},{"name":".idata","hash":"BE4C9CA9CED6EAABEDA860D9C5A5ABB9","size":"5632","attr":"C0000040"},{"name":".rsrc","hash":"149A82D785A94248C9A60CDDECE1AA6D","size":"3584","attr":"40000040"}]}},"2028":{"action":"%programfiles(x86)%\\malwarebytes anti-malware\\mbamscheduler.exe","fileinfo":{"sent":"-1","md5":{"hash":"9611577752E293259C7DCE19E9026362","size":"1514464"},"certificates":"Malwarebytes Corporation;","prodver":"3.1.7.0","filever":"3.1.7.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Win32 
Console","pe":"x86","epsec":"0","eprva":"000CC688","ibase":"00400000","ep":"E8F6060000E9B3FDFFFFFF258C255000FF25F8255000FF25F4255000FF25F0255000CCCCCCCCCCCC8B4424088B4C24100BC88B4C240C75098B442404F7E1C21000","sec":[{"name":".text","hash":"09C6CABF6564C9D761BEFB6A8283BBFB","size":"1051648","attr":"60000020"},{"name":".rdata","hash":"78571205DDFA5BE7BD3D7DA10B3F6E2F","size":"275968","attr":"40000040"},{"name":".data","hash":"BD77A98FA01CAA7D19A62F7254E57233","size":"52736","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rsrc","hash":"25610B965FDEB9EDD04AFBE4C77FF9F7","size":"1536","attr":"40000040"},{"name":".reloc","hash":"0B94A16F7C833ABF4DB244EC2B71CA2F","size":"123392","attr":"42000040"}]}},"280":{"action":"%windir%\\explorer.exe","fileinfo":"WhiteList"},"2076":{"action":"%programfiles(x86)%\\malwarebytes anti-malware\\mbamservice.exe","fileinfo":{"sent":"-1","md5":{"hash":"F1A89A34388B5626F1548D393B23ECB1","size":"1136608"},"certificates":"Malwarebytes Corporation;","prodver":"3.2.21.0","filever":"3.2.21.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Win32 
Console","pe":"x86","epsec":"0","eprva":"000A788E","ibase":"00400000","ep":"E8AEC90000E995FEFFFF8BFF558BECE8B9BC00008B4D088948145DC3E8ACBC00008BC88B411469C0FD43030005C39E2600894114C1E81025FF7F0000C38BFF558B","sec":[{"name":".text","hash":"3C3587DADD678328EFFD079514DF4ADA","size":"870400","attr":"60000020"},{"name":".rdata","hash":"693D666A65532AAFF9F9566893C248BF","size":"174080","attr":"40000040"},{"name":".data","hash":"1811E1CAE59A780EB44884802E2CF912","size":"25088","attr":"C0000040"},{"name":".rsrc","hash":"774A1FBDF946C89C4582390737963B14","size":"1536","attr":"40000040"},{"name":".reloc","hash":"4746F405732B92D62997A251EC124AD6","size":"56832","attr":"42000040"}]}},"2152":{"action":"%system%\\taskeng.exe","fileinfo":"WhiteList"},"2180":{"action":"%programfiles%\\microsoft security client\\msseces.exe","fileinfo":"WhiteList"},"2720":{"action":"%programfiles(x86)%\\malwarebytes anti-malware\\mbam.exe","fileinfo":{"sent":"-1","md5":{"hash":"8E98E3EC16D2641005B4748CD330FB45","size":"9926112"},"certificates":"Malwarebytes Corporation;","prodver":"2.3.173.0","filever":"2.3.173.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"ric":{"hash":"B40076DD57A3C48CDB8430535B6A8118","size":"118488"},"rfh":{"size":"3072","hash1":"ZrU5P92Bzlr5q1dWN%2FRN6hBepDvuXclxo%2BcPqfvJ5H","hash2":"EPQl3eyEI"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"0033A498","ibase":"00400000","ep":"E876090000E963FDFFFFCCCCCCCCCCCCCCCCCCCCCCCCCCCC518D4C24042BC81BC0F7D023C88BC42500F0FFFF3BC8720A8BC159948B00890424C32D001000008500","sec":[{"name":".text","hash":"6B4022B61DDC7E4F2AE6D043A6F6040F","size":"4226048","attr":"60000020"},{"name":".rdata","hash":"9EF5532F699053703EBD0536E5ABEB06","size":"4907008","attr":"40000040"},{"name":".data","hash":"6E82C6040E5016316C52DB7F78771771","size":"166400","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rsrc","hash":"ED15C6F697CFD766E12E083D8324C5ED","size":"120832","attr":"40000040"},{"name":".reloc","hash":"A1F17FD14176DC188245710C8901125C","size":"496640","attr":"42000040"}]}},"2972":{"action":"%programfiles(x86)%\\asus\\ai suite ii\\asroutinecontroller.exe","fileinfo":{"sent":"-1","md5":{"hash":"576C72830E3FD6ACE2910545B6130803","size":"2931328"},"certificates":"ASUSTeK Computer Inc.;","prodver":"1.0.0.1","filever":"1.0.0.1","name":"ASUS Routine Controller","company":"ASUSTeK Computer Inc.","nac":{"hash":"4770350B96E2858867D8328B2ECB1093","size":"44"},"ric":{"hash":"F0C23848525B6BF7B1C4E19BEC00AC56","size":"21480"},"rfh":{"size":"384","hash1":"SMc6QM504AAAkzmEXeu3vQBK4V7wmdUmgS6oaIPAAAs","hash2":"W6Qy0siFCvJ4V7wmdUm1a8kT"},"subs":"Win32 
GUI","pe":"x86","epsec":"1","eprva":"000DE83A","ibase":"00400000","ep":"E971AD1300E99CB20900E967E90500E942791A00E9AD381300E978520A00E9B39C0400E9EE1C0400E9392E0300E9B4771B00E93FFF0B00E9BA1C0600E915D60400","sec":[{"name":".textbss","hash":"00000000000000000000000000000000","size":"0","attr":"E00000A0"},{"name":".text","hash":"AB3FEF054DA253EE024A6727D512476F","size":"1884160","attr":"60000020"},{"name":".rdata","hash":"0983B636ED04FA14B68246757DCB5113","size":"933888","attr":"40000040"},{"name":".data","hash":"51FA95445A98B624D85CA11C568904B2","size":"24576","attr":"C0000040"},{"name":".idata","hash":"859A250705A89CD501C39F9070D28462","size":"24576","attr":"C0000040"},{"name":".didat","hash":"F7E676CAFB8FC22255A15F030A638FC0","size":"4096","attr":"C0000040"},{"name":".rsrc","hash":"693D8D769229980410CFCA83DC86117F","size":"49152","attr":"40000040"}]}},"3004":{"action":"%programfiles%\\gridinsoft anti-malware\\gsam.exe","fileinfo":"WhiteList"},"3012":{"action":"%programfiles%\\bitdefender\\tools\\bdantiransomware\\bdantiransomware.exe","fileinfo":{"sent":"-1","md5":{"hash":"6B8366AA47F166C89848A7FB1103BB24","size":"1318488"},"certificates":"Bitdefender SRL;","prodver":"1,0,12,1","filever":"1,0,12,1","name":"Bitdefender Anti-Ransomware","company":"Bitdefender LLC","nac":{"hash":"309D8BCCD03A3517D5CFB22B59B6FF88","size":"42"},"ric":{"hash":"4A00A441F34FEDC53C90B23C00F298FB","size":"199530"},"rfh":{"size":"384","hash1":"n2BnGyJOLXAiJorDhX2TiJvuu7ufPutuw9AktGICOSUVJjcraQN3Xxy","hash2":"n2Bn%2FALwme14%2BSgVAkDjS2yaQNHx"},"subs":"Win32 
GUI","pe":"x64","epsec":"0","eprva":"000090A4","ibase":"0000000140000000","ep":"4883EC28E8DB7500004883C428E902000000CCCC48895C24104889742418574883EC30E8E43700000FB7F0B902000000E867750000B84D5A0000488D3D1B6FFFFF","sec":[{"name":".text","hash":"7F3CCD6397D48D014CC51E88EBB3A611","size":"224768","attr":"60000020"},{"name":".rdata","hash":"A283FFD076BA355D1346829EF622AACC","size":"102400","attr":"40000040"},{"name":".data","hash":"694AFB941E03AB6C56A4E02CE90D4CFD","size":"8704","attr":"C0000040"},{"name":".pdata","hash":"E496112198BCDF09BF24BD9A7640E267","size":"12288","attr":"40000040"},{"name":".rsrc","hash":"FFC698847D714DDB20C0C5D1805856AA","size":"928768","attr":"40000040"},{"name":".reloc","hash":"843D5D38F1835016301D200B0515EEBB","size":"3072","attr":"42000040"}]}},"3040":{"action":"%programfiles(x86)%\\asus\\ai suite ii\\digi\u002B vrm\\vrmhelp.exe","fileinfo":{"sent":"-1","md5":{"hash":"5394E45877580696BBEE7C923EB08663","size":"1116800"},"certificates":"ASUSTeK Computer Inc.;","prodver":"1.0.0.8","filever":"1.0.0.8","company":"ASUSTeK Computer Inc.","nac":{"hash":"951AD119D7FF3B2717DDDBD1BCCF8BA9","size":"21"},"ric":{"hash":"14DAFCB5D7F4815DDF8B921953C8E204","size":"429664"},"rfh":{"size":"6144","hash1":"q45JY6hJ1dlw5YuXarGyHrpOmpMV5WZCgXqAGpmiOMNbrF","hash2":"55pIvr"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"00001428","ibase":"00400000","ep":"EB1066623A432B2B484F4F4B90E99C704800A18F704800C1E002A393704800526A00E8914C08008BD0E8D67407005AE8B4700700E8BF7907006A00E8E88A070059","sec":[{"name":".text","hash":"377473F13B05FEE9E12601F0DBDFCA80","size":"547328","attr":"60000020"},{"name":".data","hash":"CAB7452190E3333EF52AE77AB2930D78","size":"35328","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rdata","hash":"F26DB6C4C0084FB1677DB2A86BEB7528","size":"512","attr":"50000040"},{"name":".idata","hash":"DF26B880F144FC22A29AAEB63B675312","size":"10240","attr":"40000040"},{"name":".edata","hash":"BBE4E7FAA5E2CB00A700A0C7B9A5B00E","size":"512","attr":"40000040"},{"name":".rsrc","hash":"91E22E3D0C4CC29004F4D163192CE964","size":"478720","attr":"40000040"},{"name":".reloc","hash":"CF134650E55E30522E825A9B91179F9D","size":"35328","attr":"50000040"}]}},"1860":{"action":"%system%\\wudfhost.exe","fileinfo":"WhiteList"},"1828":{"action":"%programfiles(x86)%\\installshield installation information\\{e6931688-da2b-4e16-8539-3d323d69c677}\\aichargerplus.exe","fileinfo":{"sent":"-1","md5":{"hash":"6BA433E1E4C815CFB819DD99447F847A","size":"465536"},"certificates":"ASUSTeK Computer Inc.;","prodver":"1, 0, 0, 0","filever":"1, 0, 0, 0","name":"AiChargerPlus Application","company":"ASUSTek Computer Inc.","nac":{"hash":"CC41A9879C49E235FB8C505589896A18","size":"46"},"ric":{"hash":"00E412B4C3EC56C97E3ECFEAFE2AFE90","size":"353032"},"rfh":{"size":"6144","hash1":"uMrryxBnrK6%2ByIKspEm00x7lPXXQgLvMtbqBb","hash2":"u%2FtbE"},"subs":"Win32 
Software;","subs":"Native","pe":"x64","epsec":"5","eprva":"00021064","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E986FFFDFFCCCCD810020000000000000000002814020018900100C01002000000000000000000C2","sec":[{"name":".text","hash":"839050620E35016D03BB390074B672D6","size":"95744","attr":"68000020"},{"name":".rdata","hash":"092C023C5BB711AFB401113F4395552E","size":"8704","attr":"48000040"},{"name":".data","hash":"0E43950E80804CBA86DCF48DF0BBE388","size":"1024","attr":"C8000040"},{"name":".pdata","hash":"D8651A5E8545D6E9240B4332EC2CAB64","size":"5120","attr":"48000040"},{"name":"PAGE","hash":"47058360951CFD99952BF20762BBCFD0","size":"7168","attr":"60000020"},{"name":"INIT","hash":"2D3A9EC92BBB3FCA09E25DE3D77FD00A","size":"3584","attr":"E2000020"},{"name":".rsrc","hash":"0FA6B6100F0C6F6EC5FB1DCE36F5E902","size":"1024","attr":"42000040"},{"name":".reloc","hash":"E190CFD012DF74291BFB09DBAEA0CD5C","size":"1024","attr":"42000040"}]}},"asmtxhci":{"action":"system32\\DRIVERS\\asmtxhci.sys","fileinfo":{"sent":"-1","md5":{"hash":"ECAD22F15D8F17CC04F24E9A6FB00F2F","size":"394216"},"certificates":"MCCI Internal Testing 
Software;","subs":"Native","pe":"x64","epsec":"5","eprva":"00061064","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E986FFF9FFCCCCE010060000000000000000009814060020500500C01006000000000000000000C2","sec":[{"name":".text","hash":"8D135E4AA1F818D75A05EDFE0973DF26","size":"342528","attr":"68000020"},{"name":".rdata","hash":"224E2302B0F49511EB84F8967B35312B","size":"16896","attr":"48000040"},{"name":".data","hash":"9C6C0BF4D2AD97CCD264AA009ECC554D","size":"1024","attr":"C8000040"},{"name":".pdata","hash":"DC1CF2061B7451EB8B23731BFE87C563","size":"13824","attr":"48000040"},{"name":"PAGE","hash":"0BD93D416845B5A652F1D2228BED8113","size":"7168","attr":"60000020"},{"name":"INIT","hash":"B363015AC895BA7A095CEAE196649EA0","size":"4096","attr":"E2000020"},{"name":".rsrc","hash":"514AE04E4748B8C82E8CBBDA7C1E57C7","size":"1024","attr":"42000040"},{"name":".reloc","hash":"98F4FFB188A71AEE14895A2193EDF83D","size":"2048","attr":"42000040"}]}},"assysctrlservice":{"action":"%programfiles(x86)%\\ASUS\\AsSysCtrlService\\1.00.11\\AsSysCtrlService.exe","fileinfo":{"sent":"-1","md5":{"hash":"5C31DFB196CB3A488A041881634D86D2","size":"586880"},"certificates":"ASUSTeK Computer Inc.;","subs":"Win32 
GUI","pe":"x86","epsec":"1","eprva":"00038BD5","ibase":"00400000","ep":"E966690100E9D1F80100E91C220100E9E77B0000E9E27E0200E95DA20000E9A80F0600E9938A0500E97EE90400E989E70300E9F4AF0200E9CF0D0600E94AA70100","sec":[{"name":".textbss","hash":"00000000000000000000000000000000","size":"0","attr":"E00000A0"},{"name":".text","hash":"3F3557AE784EBCA7DB8A2BBF4EDA5A05","size":"471040","attr":"60000020"},{"name":".rdata","hash":"8BFF960E81A4C865DA6C988A1D17F177","size":"92672","attr":"40000040"},{"name":".data","hash":"1A44B4A96430D094AD066895821DDD02","size":"6144","attr":"C0000040"},{"name":".idata","hash":"BE4C9CA9CED6EAABEDA860D9C5A5ABB9","size":"5632","attr":"C0000040"},{"name":".rsrc","hash":"149A82D785A94248C9A60CDDECE1AA6D","size":"3584","attr":"40000040"}]}},"asupio":{"action":"SysWow64\\drivers\\AsUpIO.sys","fileinfo":{"sent":"-1","md5":{"hash":"1392B92179B07B672720763D9B1028A5","size":"14464"},"certificates":"ASUSTeK Computer Inc.;","subs":"Native","pe":"x64","epsec":"0","eprva":"00001FF0","ibase":"0000000000010000","ep":"534883EC70488BD9488D0571FCFFFF4889437048898380000000488983E0000000488D0598F9FFFF48894368488D15AD000000488D4C2448FF15FA0F0000488D44","sec":[{"name":".text","hash":"46E7B6808C927DC91A4C904975EC2CA3","size":"4608","attr":"68000020"},{"name":".rdata","hash":"7AC4945A84F0C2BF02C20DFA9248893B","size":"512","attr":"48000040"},{"name":".data","hash":"00000000000000000000000000000000","size":"0","attr":"C8000040"},{"name":".pdata","hash":"3FE88F94FCB2F86DE4024005A5EF625B","size":"512","attr":"48000040"},{"name":"INIT","hash":"9095BE895313DA06546D159E61AA976E","size":"1024","attr":"E2000020"}]}},"asusfilter":{"action":"SysWow64\\drivers\\ASUSFILTER.sys","fileinfo":{"sent":"-1","md5":{"hash":"A5E4CDB420540095D1293C874B5F89AA","size":"46152"},"certificates":"MCCI Corporation;","prodver":"V5.28","filever":"V5.28 built by: WinDDK","name":"ASUS USB Hub filter driver","company":"MCCI 
Corporation","nac":{"hash":"A0D1B341FCDE05C450ADE4C270E94FBE","size":"42"},"subs":"Native","pe":"x64","epsec":"5","eprva":"0000B064","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E9865FFFFFCCCCB0B00000000000000000000000B300000050000000000000000000000000000000","sec":[{"name":".text","hash":"18C90C77AE2ECADE522F6E1341323E74","size":"16384","attr":"68000020"},{"name":".rdata","hash":"00F18DE3595AD11F1DE40CC2BDB5CA84","size":"4096","attr":"48000040"},{"name":".data","hash":"BBEF61147182F3E6CCE3713D7B4B5FFE","size":"1024","attr":"C8000040"},{"name":".pdata","hash":"83BF6F8DC6169EFEFC8AD6BAB007B438","size":"1536","attr":"48000040"},{"name":"PAGE","hash":"6D573630C776C05EEBDD8277EBDE14E1","size":"11264","attr":"60000020"},{"name":"INIT","hash":"BD53C5D47DB3315518894BE2B3932B21","size":"2560","attr":"E2000020"},{"name":".rsrc","hash":"BBBEDC7A4B77B92ABC590145B6090CA3","size":"1024","attr":"42000040"},{"name":".reloc","hash":"28F0C95E682805E80DACC4ED2DD2FAF8","size":"512","attr":"42000040"}]}},"asyncmac":{"action":"system32\\DRIVERS\\asyncmac.sys","fileinfo":"WhiteList"},"atapi":{"action":"system32\\drivers\\atapi.sys","fileinfo":"WhiteList"},"audioendpointbuilder":{"action":"%SystemRoot%\\System32\\Audiosrv.dll","fileinfo":"WhiteList"},"audiosrv":{"action":"%SystemRoot%\\System32\\Audiosrv.dll","fileinfo":"WhiteList"},"axinstsv":{"action":"%SystemRoot%\\System32\\AxInstSV.dll","fileinfo":"WhiteList"},"b06bdrv":{"action":"%system%\\drivers\\bxvbda.sys","fileinfo":"WhiteList"},"b57nd60a":{"action":"system32\\DRIVERS\\b57nd60a.sys","fileinfo":"WhiteList"},"bdesvc":{"action":"%SystemRoot%\\System32\\bdesvc.dll","fileinfo":"WhiteList"},"bfe":{"action":"%SystemRoot%\\System32\\bfe.dll","fileinfo":"WhiteList"},"bits":{"action":"%systemroot%\\system32\\qmgr.dll","fileinfo":"WhiteList"},"blbdrive":{"action":"system32\\DRIVERS\\blbdrive.sys","fileinfo":"WhiteList"},"bowser":{"action":"system32\\DRIVERS\\bowser.sys","fileinfo":"WhiteList"},"brfilt
lo":{"action":"%system%\\drivers\\BrFiltLo.sys","fileinfo":"WhiteList"},"brfiltup":{"action":"%system%\\drivers\\BrFiltUp.sys","fileinfo":"WhiteList"},"bridgemp":{"action":"system32\\DRIVERS\\bridge.sys","fileinfo":"WhiteList"},"browser":{"action":"%SystemRoot%\\System32\\browser.dll","fileinfo":"WhiteList"},"brserid":{"action":"%system%\\Drivers\\Brserid.sys","fileinfo":"WhiteList"},"brserwdm":{"action":"%system%\\Drivers\\BrSerWdm.sys","fileinfo":"WhiteList"},"brusbmdm":{"action":"%system%\\Drivers\\BrUsbMdm.sys","fileinfo":"WhiteList"},"brusbser":{"action":"%system%\\Drivers\\BrUsbSer.sys","fileinfo":"WhiteList"},"bthmodem":{"action":"%system%\\drivers\\bthmodem.sys","fileinfo":"WhiteList"},"bthserv":{"action":"%SystemRoot%\\system32\\bthserv.dll","fileinfo":"WhiteList"},"cdfs":{"action":"system32\\DRIVERS\\cdfs.sys","fileinfo":"WhiteList"},"cdrom":{"action":"system32\\DRIVERS\\cdrom.sys","fileinfo":"WhiteList"},"certpropsvc":{"action":"%SystemRoot%\\System32\\certprop.dll","fileinfo":"WhiteList"},"circlass":{"action":"%system%\\drivers\\circlass.sys","fileinfo":"WhiteList"},"clfs":{"action":"System32\\CLFS.sys","fileinfo":"WhiteList"},"clr_optimization_v2.0.50727_32":{"action":"%systemroot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","fileinfo":"WhiteList"},"clr_optimization_v2.0.50727_64":{"action":"%systemroot%\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorsvw.exe","fileinfo":"WhiteList"},"cmbatt":{"action":"%system%\\drivers\\CmBatt.sys","fileinfo":"WhiteList"},"cmdide":{"action":"%system%\\drivers\\cmdide.sys","fileinfo":"WhiteList"},"cng":{"action":"System32\\Drivers\\cng.sys","fileinfo":"WhiteList"},"compbatt":{"action":"%system%\\drivers\\compbatt.sys","fileinfo":"WhiteList"},"compositebus":{"action":"system32\\DRIVERS\\CompositeBus.sys","fileinfo":"WhiteList"},"comsysapp":{"action":"%SystemRoot%\\system32\\dllhost.exe 
\/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}","fileinfo":"WhiteList"},"crcdisk":{"action":"%system%\\drivers\\crcdisk.sys","fileinfo":"WhiteList"},"cryptsvc":{"action":"%SystemRoot%\\system32\\cryptsvc.dll","fileinfo":"WhiteList"},"csc":{"action":"system32\\drivers\\csc.sys","fileinfo":"WhiteList"},"cscservice":{"action":"%SystemRoot%\\System32\\cscsvc.dll","fileinfo":"WhiteList"},"dcomlaunch":{"action":"%SystemRoot%\\system32\\rpcss.dll","fileinfo":"WhiteList"},"defragsvc":{"action":"%Systemroot%\\System32\\defragsvc.dll","fileinfo":"WhiteList"},"dfsc":{"action":"System32\\Drivers\\dfsc.sys","fileinfo":"WhiteList"},"dhcp":{"action":"%SystemRoot%\\system32\\dhcpcore.dll","fileinfo":"WhiteList"},"discache":{"action":"System32\\drivers\\discache.sys","fileinfo":"WhiteList"},"disk":{"action":"system32\\drivers\\disk.sys","fileinfo":"WhiteList"},"dmvsc":{"action":"%system%\\drivers\\dmvsc.sys","fileinfo":"WhiteList"},"dnscache":{"action":"%SystemRoot%\\System32\\dnsrslvr.dll","fileinfo":"WhiteList"},"dot3svc":{"action":"%SystemRoot%\\System32\\dot3svc.dll","fileinfo":"WhiteList"},"dps":{"action":"%SystemRoot%\\system32\\dps.dll","fileinfo":"WhiteList"},"drmkaud":{"action":"system32\\drivers\\drmkaud.sys","fileinfo":"WhiteList"},"dxgkrnl":{"action":"%system%\\drivers\\dxgkrnl.sys","fileinfo":"WhiteList"},"eaphost":{"action":"%SystemRoot%\\System32\\eapsvc.dll","fileinfo":"WhiteList"},"ebdrv":{"action":"%system%\\drivers\\evbda.sys","fileinfo":"WhiteList"},"efs":{"action":"%SystemRoot%\\System32\\lsass.exe","fileinfo":"WhiteList"},"ehrecvr":{"action":"%systemroot%\\ehome\\ehRecvr.exe","fileinfo":"WhiteList"},"ehsched":{"action":"%systemroot%\\ehome\\ehsched.exe","fileinfo":"WhiteList"},"elxstor":{"action":"%system%\\drivers\\elxstor.sys","fileinfo":"WhiteList"},"errdev":{"action":"%system%\\drivers\\errdev.sys","fileinfo":"WhiteList"},"eventlog":{"action":"%SystemRoot%\\System32\\wevtsvc.dll","fileinfo":"WhiteList"},"eventsystem":{"action":"%systemroot%\\system32\\e
s.dll","fileinfo":"WhiteList"},"fax":{"action":"%systemroot%\\system32\\fxssvc.exe","fileinfo":"WhiteList"},"fdc":{"action":"%system%\\drivers\\fdc.sys","fileinfo":"WhiteList"},"fdphost":{"action":"%SystemRoot%\\system32\\fdPHost.dll","fileinfo":"WhiteList"},"fdrespub":{"action":"%SystemRoot%\\system32\\fdrespub.dll","fileinfo":"WhiteList"},"fileinfo":{"action":"system32\\drivers\\fileinfo.sys","fileinfo":"WhiteList"},"filetrace":{"action":"system32\\drivers\\filetrace.sys","fileinfo":"WhiteList"},"flpydisk":{"action":"%system%\\drivers\\flpydisk.sys","fileinfo":"WhiteList"},"fltmgr":{"action":"system32\\drivers\\fltmgr.sys","fileinfo":"WhiteList"},"fontcache":{"action":"%SystemRoot%\\system32\\FntCache.dll","fileinfo":"WhiteList"},"fontcache3.0.0.0":{"action":"%systemroot%\\Microsoft.Net\\Framework64\\v3.0\\WPF\\PresentationFontCache.exe","fileinfo":"WhiteList"},"fsdepends":{"action":"System32\\drivers\\FsDepends.sys","fileinfo":"WhiteList"},"fvevol":{"action":"System32\\DRIVERS\\fvevol.sys","fileinfo":"WhiteList"},"gagp30kx":{"action":"%system%\\drivers\\gagp30kx.sys","fileinfo":"WhiteList"},"gpsvc":{"action":"%SystemRoot%\\System32\\gpsvc.dll","fileinfo":"WhiteList"},"hcw85cir":{"action":"%system%\\drivers\\hcw85cir.sys","fileinfo":"WhiteList"},"hdaudaddservice":{"action":"system32\\drivers\\HdAudio.sys","fileinfo":"WhiteList"},"hdaudbus":{"action":"system32\\DRIVERS\\HDAudBus.sys","fileinfo":"WhiteList"},"hidbatt":{"action":"%system%\\drivers\\HidBatt.sys","fileinfo":"WhiteList"},"hidbth":{"action":"%system%\\drivers\\hidbth.sys","fileinfo":"WhiteList"},"hidir":{"action":"%system%\\drivers\\hidir.sys","fileinfo":"WhiteList"},"hidserv":{"action":"%SystemRoot%\\System32\\hidserv.dll","fileinfo":"WhiteList"},"hidusb":{"action":"system32\\DRIVERS\\hidusb.sys","fileinfo":"WhiteList"},"hkmsvc":{"action":"%SystemRoot%\\system32\\kmsvc.dll","fileinfo":"WhiteList"},"hmpalert":{"action":"%system%\\drivers\\hmpalert.sys","fileinfo":{"sent":"-1","md5":{"hash":"45EF9126652AF
7C6892F9E2E750DD171","size":"177040"},"certificates":"SurfRight B.V.;","prodver":"3.1.9.368","filever":"3.1.9.368","name":"HitmanPro.Alert","company":"SurfRight B.V.","nac":{"hash":"1814E5D47926E4C01B7E0F28F99CA313","size":"29"},"subs":"Native","pe":"x64","epsec":"0","eprva":"0000CC10","ibase":"0000000080000000","ep":"4053564883EC68488BF2488BD9E8CEBF000085C00F88EE020000488D159F1A0100488D4C2450FF15C4D80000488D4C2450FF1589D80000488905CA8A01004885C0","sec":[{"name":".text","hash":"6233877EA9CA332D82EF206FEB38245F","size":"98816","attr":"68000020"},{"name":".rdata","hash":"C552432BE20E224A2DE2A8E3D434874F","size":"29184","attr":"48000040"},{"name":".data","hash":"8CF962EF8BC6C05B8B8CFE9B54BE9525","size":"13312","attr":"C8000040"},{"name":".pdata","hash":"0264C46DC829BF87A6FE85BA52CD1F1D","size":"7680","attr":"48000040"},{"name":"INIT","hash":"A4338C98348F5EEDCAFBD73C934CF9AC","size":"5632","attr":"CA000040"},{"name":".rsrc","hash":"6AD55ABC0E38F518F31B8ADD4BC48EC7","size":"1024","attr":"42000040"},{"name":".reloc","hash":"FB7FB2426F9F8AF66EF354746249280C","size":"512","attr":"42000040"}]}},"hmpalertsvc":{"action":""%programfiles(x86)%\\HitmanPro.Alert\\hmpalert.exe" \/service","fileinfo":{"sent":"-1","md5":{"hash":"CC8BFF0700193E8F22184FC77BF45EF2","size":"4383952"},"certificates":"SurfRight B.V.;","prodver":"3.1.9.368","filever":"3.1.9.368","name":"HitmanPro.Alert","company":"SurfRight B.V.","nac":{"hash":"1814E5D47926E4C01B7E0F28F99CA313","size":"29"},"ric":{"hash":"D7044A76FD994B76B352ECD58A343C15","size":"94104"},"rfh":{"size":"768","hash1":"ok%2Bkv95X67d53HwhwTS00p00Yo4507GJ07%2Ff07Ml00mHR000moC0600mlHVHiOHr","hash2":"w7dBswoK89UVV"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"00205590","ibase":"00400000","ep":"E816060000E978FEFFFFFF25F0A764008B4DF464890D00000000595F5F5E5B8BE55D51F2C38B4DF033CDF2E88DF8FFFFF2E9DAFFFFFF8B4DEC33CDF2E87CF8FFFF","sec":[{"name":".text","hash":"710EAE65405B9A7563D14BC2FBD41128","size":"2394624","attr":"60000020"},{"name":".rdata","hash":"4DAC5E22B2917C08C0EC51B87A0076DE","size":"542720","attr":"40000040"},{"name":".data","hash":"A4FB101393D6DF2EADFDF49308A53C6E","size":"49152","attr":"C0000040"},{"name":".rsrc","hash":"8FCF930F82B8FDDCD34D92F0CFA5C240","size":"1201664","attr":"40000040"},{"name":".reloc","hash":"4C7E09FC05A348AFD88DF84E0DEF33A2","size":"119296","attr":"42000040"}]}},"hmpnet":{"action":"%system%\\drivers\\hmpnet.sys","fileinfo":{"sent":"-1","md5":{"hash":"D50F107322185557F556ACD19408DE41","size":"84520"},"certificates":"SurfRight B.V.;","prodver":"1.4.8.6","filever":"1.4.8.4 built by: WinDDK","name":"HitmanPro.Alert TDI Driver","company":"SurfRight B.V.","nac":{"hash":"686DAC609BFAECB633992ACDD52D52BC","size":"40"},"subs":"Native","pe":"x64","epsec":"5","eprva":"00013064","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E9CE8BFFFFCCCCD03001000000000000000000C436010010D00000C03001000000000000000000E6","sec":[{"name":".text","hash":"775D5826376F79E37D43BAF970F393CD","size":"47104","attr":"68000020"},{"name":".rdata","hash":"21BB0FF1B40A3737BC1A45BC0316EEBA","size":"3584","attr":"48000040"},{"name":".data","hash":"44A8678AA56EE554C22068C3791832EF","size":"1024","attr":"C8000040"},{"name":".pdata","hash":"7B2BF87E9B70C669E3F7FE84E9EED0D0","size":"2048","attr":"48000040"},{"name":"PAGE","hash":"B40D7B752AFAC952BD89A94F0A929B9D","size":"7168","attr":"60000020"},{"name":"INIT","hash":"EDC20E08A4AC83DBF2918661E077DDA1","size":"2560","attr":"E2000020"},{"name":".rsrc","hash":"7DD4E7826C1968480143526449C239AB","size":"1024","attr":"42000040"},{"name":".reloc","hash":"781E6346BD183CE6E40C073B5462082D","size":"512","attr":"42000040"}]}},"
homegrouplistener":{"action":"%SystemRoot%\\system32\\ListSvc.dll","fileinfo":"WhiteList"},"homegroupprovider":{"action":"%SystemRoot%\\system32\\provsvc.dll","fileinfo":"WhiteList"},"hpsamd":{"action":"%system%\\drivers\\HpSAMD.sys","fileinfo":"WhiteList"},"http":{"action":"system32\\drivers\\HTTP.sys","fileinfo":"WhiteList"},"hwpolicy":{"action":"System32\\drivers\\hwpolicy.sys","fileinfo":"WhiteList"},"i8042prt":{"action":"system32\\DRIVERS\\i8042prt.sys","fileinfo":"WhiteList"},"iastorv":{"action":"%system%\\drivers\\iaStorV.sys","fileinfo":"WhiteList"},"idsvc":{"action":""%systemroot%\\Microsoft.NET\\Framework64\\v3.0\\Windows Communication Foundation\\infocard.exe"","fileinfo":"WhiteList"},"ieetwcollectorservice":{"action":"%SystemRoot%\\system32\\IEEtwCollector.exe \/V","fileinfo":"WhiteList"},"iirsp":{"action":"%system%\\drivers\\iirsp.sys","fileinfo":"WhiteList"},"ikeext":{"action":"%SystemRoot%\\System32\\ikeext.dll","fileinfo":"WhiteList"},"intelide":{"action":"%system%\\drivers\\intelide.sys","fileinfo":"WhiteList"},"intelppm":{"action":"%system%\\drivers\\intelppm.sys","fileinfo":"WhiteList"},"ipbusenum":{"action":"%SystemRoot%\\system32\\ipbusenum.dll","fileinfo":"WhiteList"},"ipfilterdriver":{"action":"system32\\DRIVERS\\ipfltdrv.sys","fileinfo":"WhiteList"},"iphlpsvc":{"action":"%SystemRoot%\\System32\\iphlpsvc.dll","fileinfo":"WhiteList"},"ipmidrv":{"action":"%system%\\drivers\\IPMIDrv.sys","fileinfo":"WhiteList"},"ipnat":{"action":"System32\\drivers\\ipnat.sys","fileinfo":"WhiteList"},"irenum":{"action":"system32\\drivers\\irenum.sys","fileinfo":"WhiteList"},"isapnp":{"action":"%system%\\drivers\\isapnp.sys","fileinfo":"WhiteList"},"iscsiprt":{"action":"%system%\\drivers\\msiscsi.sys","fileinfo":"WhiteList"},"jraid":{"action":"system32\\DRIVERS\\jraid.sys","fileinfo":"WhiteList"},"kbdclass":{"action":"system32\\DRIVERS\\kbdclass.sys","fileinfo":"WhiteList"},"kbdhid":{"action":"system32\\DRIVERS\\kbdhid.sys","fileinfo":"WhiteList"},"keycrypt":{"acti
on":"system32\\DRIVERS\\KeyCrypt64.sys","fileinfo":{"sent":"-1","md5":{"hash":"3E5A98FE53578111377B315760BC72D4","size":"143904"},"certificates":"Zemana Ltd.;","prodver":"1.8.2.320","filever":"1.8.2.320","name":"AntiLogger Free","company":"Zemana Ltd.","nac":{"hash":"CBCDF85DCFDDF75BDE9FE2240979C603","size":"26"},"subs":"Native","pe":"x64","epsec":"5","eprva":"00034070","ibase":"0000000140000000","ep":"48895C2408574883EC20488BDA488BF9E883FFFFFF488BD3488BCF488B5C24304883C4205FE92210FDFFCCCCC840030000000000000000001E4703000010010000","sec":[{"name":".text","hash":"9C21FEB3C7B1B6B37D41D7BCA40256A7","size":"65024","attr":"68000020"},{"name":".rdata","hash":"49C508A4440DFE96504CF58F1220A725","size":"47616","attr":"48000040"},{"name":".data","hash":"7F87FE276F35B26A39856E8221FB1427","size":"7680","attr":"C8000040"},{"name":".pdata","hash":"D4E77821D9F57AEF59A93C0467CC789F","size":"1536","attr":"48000040"},{"name":"PAGE","hash":"79D6D2F7A1AAB1ADD9DC9CE5E845E67F","size":"6656","attr":"60000020"},{"name":"INIT","hash":"AA74AC094913EBE50EC3CACBF3366B4D","size":"2560","attr":"E2000020"},{"name":".rsrc","hash":"9AA696E2D05981C34F135FD82825162C","size":"1024","attr":"42000040"},{"name":".reloc","hash":"CCD2BC4156ACAB028D10E6049184C168","size":"2048","attr":"42000040"}]}},"keyiso":{"action":"%SystemRoot%\\system32\\lsass.exe","fileinfo":"WhiteList"},"ksecdd":{"action":"System32\\Drivers\\ksecdd.sys","fileinfo":"WhiteList"},"ksecpkg":{"action":"System32\\Drivers\\ksecpkg.sys","fileinfo":"WhiteList"},"ksthunk":{"action":"%system%\\drivers\\ksthunk.sys","fileinfo":"WhiteList"},"ktmrm":{"action":"%systemroot%\\system32\\msdtckrm.dll","fileinfo":"WhiteList"},"lanmanserver":{"action":"%SystemRoot%\\System32\\srvsvc.dll","fileinfo":"WhiteList"},"lanmanworkstation":{"action":"%SystemRoot%\\System32\\wkssvc.dll","fileinfo":"WhiteList"},"lltdio":{"action":"system32\\DRIVERS\\lltdio.sys","fileinfo":"WhiteList"},"lltdsvc":{"action":"%SystemRoot%\\System32\\lltdsvc.dll","fileinfo":"WhiteList"
},"lmhosts":{"action":"%SystemRoot%\\System32\\lmhsvc.dll","fileinfo":"WhiteList"},"lsi_fc":{"action":"%system%\\drivers\\lsi_fc.sys","fileinfo":"WhiteList"},"lsi_sas":{"action":"%system%\\drivers\\lsi_sas.sys","fileinfo":"WhiteList"},"lsi_sas2":{"action":"%system%\\drivers\\lsi_sas2.sys","fileinfo":"WhiteList"},"lsi_scsi":{"action":"%system%\\drivers\\lsi_scsi.sys","fileinfo":"WhiteList"},"luafv":{"action":"%system%\\drivers\\luafv.sys","fileinfo":"WhiteList"},"mbamchameleon":{"action":"%system%\\drivers\\mbamchameleon.sys","fileinfo":{"sent":"-1","md5":{"hash":"1239597BAB7EED2BB16D035AF87E65D9","size":"140672"},"certificates":"Malwarebytes Corporation;","prodver":"1.1.22.0","filever":"1.1.22.0","name":"Malwarebytes Chameleon","company":"Malwarebytes","nac":{"hash":"E4431DF5A1A5E7388BEDCE799FA5E4F6","size":"34"},"subs":"Native","pe":"x64","epsec":"6","eprva":"00022508","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E9E2FAFFFFCCCCCCCCCCCCCCCCCCCC5C004400650076006900630065005C006400650076006D0062","sec":[{"name":".text","hash":"5E44067F4E2F12EDCEBDA8D044C112E3","size":"110080","attr":"68000020"},{"name":"NONPAGE","hash":"ACEDCA23777AD644713729C27E033888","size":"512","attr":"68000020"},{"name":".rdata","hash":"7FF8D88287983F2E8A29B67345320D7C","size":"5120","attr":"48000040"},{"name":".data","hash":"0DEDD9437EDAB87519A1C99E1CBB230C","size":"2048","attr":"C8000040"},{"name":".pdata","hash":"1AF7FEB1507CC2E8BD475170A680ADC8","size":"2048","attr":"48000040"},{"name":"PAGE","hash":"9E48BD9A1BC6F4102C617C1DABD6F54E","size":"1536","attr":"60000020"},{"name":"INIT","hash":"8E88CA29A554207B122CA87E432CBDCA","size":"5632","attr":"E2000020"},{"name":".rsrc","hash":"2E46CF2D0359EC368F7FDEC9934170F8","size":"3072","attr":"42000040"},{"name":".reloc","hash":"0A317A9D9ACC8C6DE72154D88C51C517","size":"512","attr":"42000040"}]}},"mbamprotector":{"action":"%system%\\drivers\\mbam.sys","fileinfo":{"sent":"-1","md5":{"hash":"78BFF5425E044086E74E78650
A359FBB","size":"27008"},"certificates":"Malwarebytes Corporation;","prodver":"0.1.16.0","filever":"0.1.16.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Native","pe":"x64","epsec":"4","eprva":"00007064","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E9869FFFFFCCCCA0710000000000000000000026750000C840000090710000000000000000000050","sec":[{"name":".text","hash":"5D1E56DE23734FCC0B56072D974561AF","size":"10240","attr":"68000020"},{"name":".rdata","hash":"904CF9FE0C4F647328B6F139E165EF20","size":"1536","attr":"48000040"},{"name":".data","hash":"56D25D512706066C30BE3B6FD5FEDBEE","size":"1024","attr":"C8000040"},{"name":".pdata","hash":"CEE19C37C7FE62EDB90E7ADB3A59BF3F","size":"512","attr":"48000040"},{"name":"INIT","hash":"C61D26BAA2C5D6ED33DE5E7E545DD3FF","size":"2048","attr":"E2000020"},{"name":".rsrc","hash":"B1D98109BD69E15F4BFD7D487EBCCB61","size":"1024","attr":"42000040"},{"name":".reloc","hash":"4DE2735E6CAD44BB4C51DE674879B3B3","size":"512","attr":"42000040"}]}},"mbamscheduler":{"action":""%programfiles(x86)%\\Malwarebytes Anti-Malware\\mbamscheduler.exe"","fileinfo":{"sent":"-1","md5":{"hash":"9611577752E293259C7DCE19E9026362","size":"1514464"},"certificates":"Malwarebytes Corporation;","prodver":"3.1.7.0","filever":"3.1.7.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Win32 
Console","pe":"x86","epsec":"0","eprva":"000CC688","ibase":"00400000","ep":"E8F6060000E9B3FDFFFFFF258C255000FF25F8255000FF25F4255000FF25F0255000CCCCCCCCCCCC8B4424088B4C24100BC88B4C240C75098B442404F7E1C21000","sec":[{"name":".text","hash":"09C6CABF6564C9D761BEFB6A8283BBFB","size":"1051648","attr":"60000020"},{"name":".rdata","hash":"78571205DDFA5BE7BD3D7DA10B3F6E2F","size":"275968","attr":"40000040"},{"name":".data","hash":"BD77A98FA01CAA7D19A62F7254E57233","size":"52736","attr":"C0000040"},{"name":".tls","hash":"BF619EAC0CDF3F68D496EA9344137E8B","size":"512","attr":"C0000040"},{"name":".rsrc","hash":"25610B965FDEB9EDD04AFBE4C77FF9F7","size":"1536","attr":"40000040"},{"name":".reloc","hash":"0B94A16F7C833ABF4DB244EC2B71CA2F","size":"123392","attr":"42000040"}]}},"mbamservice":{"action":""%programfiles(x86)%\\Malwarebytes Anti-Malware\\mbamservice.exe"","fileinfo":{"sent":"-1","md5":{"hash":"F1A89A34388B5626F1548D393B23ECB1","size":"1136608"},"certificates":"Malwarebytes Corporation;","prodver":"3.2.21.0","filever":"3.2.21.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Win32 
Console","pe":"x86","epsec":"0","eprva":"000A788E","ibase":"00400000","ep":"E8AEC90000E995FEFFFF8BFF558BECE8B9BC00008B4D088948145DC3E8ACBC00008BC88B411469C0FD43030005C39E2600894114C1E81025FF7F0000C38BFF558B","sec":[{"name":".text","hash":"3C3587DADD678328EFFD079514DF4ADA","size":"870400","attr":"60000020"},{"name":".rdata","hash":"693D666A65532AAFF9F9566893C248BF","size":"174080","attr":"40000040"},{"name":".data","hash":"1811E1CAE59A780EB44884802E2CF912","size":"25088","attr":"C0000040"},{"name":".rsrc","hash":"774A1FBDF946C89C4582390737963B14","size":"1536","attr":"40000040"},{"name":".reloc","hash":"4746F405732B92D62997A251EC124AD6","size":"56832","attr":"42000040"}]}},"mbamswissarmy":{"action":"%system%\\drivers\\MBAMSwissArmy.sys","fileinfo":{"sent":"-1","md5":{"hash":"78488AF2AB2111D67B3C4044707A519B","size":"192216"},"certificates":"Malwarebytes Corporation;","prodver":"0.3.0.0","filever":"0.3.0.0","name":"Malwarebytes Anti-Malware","company":"Malwarebytes","nac":{"hash":"775E982D3F6A96593903565A833EA228","size":"37"},"subs":"Native","pe":"x64","epsec":"5","eprva":"0002F2AC","ibase":"0000000000010000","ep":"4883EC284C8BC24C8BC9E895FFFFFF498BD0498BC94883C428E93EFDFFFFCCCCCCCCCCCC4400720069007600650072002000760065007200730069006F006E003A","sec":[{"name":".text","hash":"087EC8187DE21CC575527217AEA5069D","size":"147456","attr":"68000020"},{"name":".rdata","hash":"8CA4767B7723EE698BA4723A493E7AA3","size":"6656","attr":"48000040"},{"name":".data","hash":"2B9629B1E499C85C10074D049DDF2603","size":"16384","attr":"C8000040"},{"name":".pdata","hash":"9DFAD85951DEAB862BF487050D4A57E2","size":"3072","attr":"48000040"},{"name":"PAGE","hash":"8018764BFEF136DE193F3FBB3230ACA7","size":"2560","attr":"60000020"},{"name":"INIT","hash":"24517BA6098CF60DE273ACD6C7B73798","size":"5632","attr":"E2000020"},{"name":".rsrc","hash":"48B321E6969C04889BFEEF91CA1CA668","size":"1024","attr":"42000040"},{"name":".reloc","hash":"EC50709277D5B6D6FC822866D9FB6F45","size":"512","attr":"42000040"
}]}},"mbamwebaccesscontrol":{"action":"%system%\\drivers\\mwac.sys","fileinfo":{"sent":"-1","md5":{"hash":"452ACB7A9914398D9E18CCCFFCF92208","size":"64896"},"certificates":"Malwarebytes Corporation;","prodver":"1.0.6.0","filever":"1.0.6.0","name":"Malwarebytes Web Access Control","company":"Malwarebytes Corporation","nac":{"hash":"5DC12C647302E02B7A25B966635CF695","size":"55"},"subs":"Native","pe":"x64","epsec":"4","eprva":"0000F070","ibase":"0000000140000000","ep":"48895C2408574883EC20488BDA488BF9E883FFFFFF488BD3488BCF488B5C24304883C4205FE93E95FFFFCCCC40F200000000000000000000E6F8000050B10000F0","sec":[{"name":".text","hash":"6DA10BF41D1F0693FA4A366C53216F52","size":"40960","attr":"68000020"},{"name":".rdata","hash":"06E92DC10F5D477CEA14CDF5C2718476","size":"5632","attr":"48000040"},{"name":".data","hash":"0B9D549E7F0ED53AFE800058AEE14FF6","size":"512","attr":"C8000040"},{"name":".pdata","hash":"AC235A07CB290B369042FFC4271C1CB5","size":"2560","attr":"48000040"},{"name":"INIT","hash":"E5D04005D4764AF8BC433B9ECFA49820","size":"3584","attr":"E2000020"},{"name":".rsrc","hash":"20DFCD2CBD9858B6E2A1AA2CC9DEB2E3","size":"1024","attr":"42000040"},{"name":".reloc","hash":"5A0636D047584B1C69A492659D55DAE5","size":"512","attr":"42000040"}]}},"mcx2svc":{"action":"%SystemRoot%\\system32\\Mcx2Svc.dll","fileinfo":"WhiteList"},"megasas":{"action":"%system%\\drivers\\megasas.sys","fileinfo":"WhiteList"},"megasr":{"action":"%system%\\drivers\\MegaSR.sys","fileinfo":"WhiteList"},"mmcss":{"action":"%SystemRoot%\\system32\\mmcss.dll","fileinfo":"WhiteList"},"modem":{"action":"system32\\drivers\\modem.sys","fileinfo":"WhiteList"},"monitor":{"action":"system32\\DRIVERS\\monitor.sys","fileinfo":"WhiteList"},"mouclass":{"action":"system32\\DRIVERS\\mouclass.sys","fileinfo":"WhiteList"},"mouhid":{"action":"system32\\DRIVERS\\mouhid.sys","fileinfo":"WhiteList"},"mountmgr":{"action":"System32\\drivers\\mountmgr.sys","fileinfo":"WhiteList"},"mozillamaintenance":{"action":""%programfiles(x86)%\\
Mozilla Maintenance Service\\maintenanceservice.exe"","fileinfo":"WhiteList"},"mpfilter":{"action":"system32\\DRIVERS\\MpFilter.sys","fileinfo":"WhiteList"},"mpio":{"action":"%system%\\drivers\\mpio.sys","fileinfo":"WhiteList"},"mpsdrv":{"action":"System32\\drivers\\mpsdrv.sys","fileinfo":"WhiteList"},"mpssvc":{"action":"%SystemRoot%\\system32\\mpssvc.dll","fileinfo":"WhiteList"},"mrxdav":{"action":"%system%\\drivers\\mrxdav.sys","fileinfo":"WhiteList"},"mrxsmb":{"action":"system32\\DRIVERS\\mrxsmb.sys","fileinfo":"WhiteList"},"mrxsmb10":{"action":"system32\\DRIVERS\\mrxsmb10.sys","fileinfo":"WhiteList"},"mrxsmb20":{"action":"system32\\DRIVERS\\mrxsmb20.sys","fileinfo":"WhiteList"},"msahci":{"action":"system32\\drivers\\msahci.sys","fileinfo":"WhiteList"},"msdsm":{"action":"%system%\\drivers\\msdsm.sys","fileinfo":"WhiteList"},"msdtc":{"action":"%SystemRoot%\\System32\\msdtc.exe","fileinfo":"WhiteList"},"mshidkmdf":{"action":"%system%\\drivers\\mshidkmdf.sys","fileinfo":"WhiteList"},"msisadrv":{"action":"system32\\drivers\\msisadrv.sys","fileinfo":"WhiteList"},"msiscsi":{"action":"%systemroot%\\system32\\iscsiexe.dll","fileinfo":"WhiteList"},"msiserver":{"action":"%systemroot%\\system32\\msiexec.exe \/V","fileinfo":"WhiteList"},"mskssrv":{"action":"system32\\drivers\\MSKSSRV.sys","fileinfo":"WhiteList"},"msmpsvc":{"action":""%programfiles%\\Microsoft Security 
Client\\MsMpEng.exe"","fileinfo":"WhiteList"},"mspclock":{"action":"system32\\drivers\\MSPCLOCK.sys","fileinfo":"WhiteList"},"mspqm":{"action":"system32\\drivers\\MSPQM.sys","fileinfo":"WhiteList"},"mssmbios":{"action":"system32\\DRIVERS\\mssmbios.sys","fileinfo":"WhiteList"},"mstee":{"action":"system32\\drivers\\MSTEE.sys","fileinfo":"WhiteList"},"mtconfig":{"action":"%system%\\drivers\\MTConfig.sys","fileinfo":"WhiteList"},"mup":{"action":"System32\\Drivers\\mup.sys","fileinfo":"WhiteList"},"napagent":{"action":"%SystemRoot%\\system32\\qagentRT.dll","fileinfo":"WhiteList"},"nativewifip":{"action":"system32\\DRIVERS\\nwifi.sys","fileinfo":"WhiteList"},"ndis":{"action":"system32\\drivers\\ndis.sys","fileinfo":"WhiteList"},"ndiscap":{"action":"system32\\DRIVERS\\ndiscap.sys","fileinfo":"WhiteList"},"ndistapi":{"action":"system32\\DRIVERS\\ndistapi.sys","fileinfo":"WhiteList"},"ndisuio":{"action":"system32\\DRIVERS\\ndisuio.sys","fileinfo":"WhiteList"},"ndiswan":{"action":"system32\\DRIVERS\\ndiswan.sys","fileinfo":"WhiteList"},"netbios":{"action":"system32\\DRIVERS\\netbios.sys","fileinfo":"WhiteList"},"netbt":{"action":"System32\\DRIVERS\\netbt.sys","fileinfo":"WhiteList"},"netlogon":{"action":"%SystemRoot%\\system32\\lsass.exe","fileinfo":"WhiteList"},"netman":{"action":"%SystemRoot%\\System32\\netman.dll","fileinfo":"WhiteList"},"netprofm":{"action":"%SystemRoot%\\System32\\netprofm.dll","fileinfo":"WhiteList"},"nettcpportsharing":{"action":""%systemroot%\\Microsoft.NET\\Framework64\\v3.0\\Windows Communication Foundation\\SMSvcHost.exe"","fileinfo":"WhiteList"},"nfrd960":{"action":"%system%\\drivers\\nfrd960.sys","fileinfo":"WhiteList"},"nisdrv":{"action":"system32\\DRIVERS\\NisDrvWFP.sys","fileinfo":"WhiteList"},"nissrv":{"action":""%programfiles%\\Microsoft Security 
Client\\NisSrv.exe"","fileinfo":"WhiteList"},"nlasvc":{"action":"%SystemRoot%\\System32\\nlasvc.dll","fileinfo":"WhiteList"},"nsi":{"action":"%systemroot%\\system32\\nsisvc.dll","fileinfo":"WhiteList"},"nsiproxy":{"action":"system32\\drivers\\nsiproxy.sys","fileinfo":"WhiteList"},"nvraid":{"action":"%system%\\drivers\\nvraid.sys","fileinfo":"WhiteList"},"nvstor":{"action":"%system%\\drivers\\nvstor.sys","fileinfo":"WhiteList"},"nv_agp":{"action":"%system%\\drivers\\nv_agp.sys","fileinfo":"WhiteList"},"ohci1394":{"action":"%system%\\drivers\\ohci1394.sys","fileinfo":"WhiteList"},"p2pimsvc":{"action":"%SystemRoot%\\system32\\pnrpsvc.dll","fileinfo":"WhiteList"},"p2psvc":{"action":"%SystemRoot%\\system32\\p2psvc.dll","fileinfo":"WhiteList"},"parport":{"action":"%system%\\drivers\\parport.sys","fileinfo":"WhiteList"},"partmgr":{"action":"System32\\drivers\\partmgr.sys","fileinfo":"WhiteList"},"pcasvc":{"action":"%SystemRoot%\\System32\\pcasvc.dll","fileinfo":"WhiteList"},"pci":{"action":"system32\\drivers\\pci.sys","fileinfo":"WhiteList"},"pciide":{"action":"system32\\drivers\\pciide.sys","fileinfo":"WhiteList"},"pcmcia":{"action":"%system%\\drivers\\pcmcia.sys","fileinfo":"WhiteList"},"pcw":{"action":"System32\\drivers\\pcw.sys","fileinfo":"WhiteList"},"peauth":{"action":"system32\\drivers\\peauth.sys","fileinfo":"WhiteList"},"peerdistsvc":{"action":"%SystemRoot%\\system32\\peerdistsvc.dll","fileinfo":"WhiteList"},"perfhost":{"action":"%SystemRoot%\\SysWow64\\perfhost.exe","fileinfo":"WhiteList"},"pla":{"action":"%systemroot%\\system32\\pla.dll","fileinfo":"WhiteList"},"plugplay":{"action":"%SystemRoot%\\system32\\umpnpmgr.dll","fileinfo":"WhiteList"},"pnrpautoreg":{"action":"%SystemRoot%\\system32\\pnrpauto.dll","fileinfo":"WhiteList"},"pnrpsvc":{"action":"%SystemRoot%\\system32\\pnrpsvc.dll","fileinfo":"WhiteList"},"policyagent":{"action":"%SystemRoot%\\System32\\ipsecsvc.dll","fileinfo":"WhiteList"},"power":{"action":"%SystemRoot%\\system32\\umpo.dll","fileinfo":"Wh
iteList"},"pptpminiport":{"action":"system32\\DRIVERS\\raspptp.sys","fileinfo":"WhiteList"},"processor":{"action":"%system%\\drivers\\processr.sys","fileinfo":"WhiteList"},"profsvc":{"action":"%systemroot%\\system32\\profsvc.dll","fileinfo":"WhiteList"},"protectedstorage":{"action":"%SystemRoot%\\system32\\lsass.exe","fileinfo":"WhiteList"},"psched":{"action":"system32\\DRIVERS\\pacer.sys","fileinfo":"WhiteList"},"ql2300":{"action":"%system%\\drivers\\ql2300.sys","fileinfo":"WhiteList"},"ql40xx":{"action":"%system%\\drivers\\ql40xx.sys","fileinfo":"WhiteList"},"qwave":{"action":"%windir%\\system32\\qwave.dll","fileinfo":"WhiteList"},"qwavedrv":{"action":"%system%\\drivers\\qwavedrv.sys","fileinfo":"WhiteList"},"rasacd":{"action":"System32\\DRIVERS\\rasacd.sys","fileinfo":"WhiteList"},"rasagilevpn":{"action":"system32\\DRIVERS\\AgileVpn.sys","fileinfo":"WhiteList"},"rasauto":{"action":"%SystemRoot%\\System32\\rasauto.dll","fileinfo":"WhiteList"},"rasl2tp":{"action":"system32\\DRIVERS\\rasl2tp.sys","fileinfo":"WhiteList"},"rasman":{"action":"%SystemRoot%\\System32\\rasmans.dll","fileinfo":"WhiteList"},"raspppoe":{"action":"system32\\DRIVERS\\raspppoe.sys","fileinfo":"WhiteList"},"rassstp":{"action":"system32\\DRIVERS\\rassstp.sys","fileinfo":"WhiteList"},"rdbss":{"action":"system32\\DRIVERS\\rdbss.sys","fileinfo":"WhiteList"},"rdpbus":{"action":"system32\\DRIVERS\\rdpbus.sys","fileinfo":"WhiteList"},"rdpcdd":{"action":"System32\\DRIVERS\\RDPCDD.sys","fileinfo":"WhiteList"},"rdpdr":{"action":"System32\\drivers\\rdpdr.sys","fileinfo":"WhiteList"},"rdpencdd":{"action":"system32\\drivers\\rdpencdd.sys","fileinfo":"WhiteList"},"rdprefmp":{"action":"system32\\drivers\\rdprefmp.sys","fileinfo":"WhiteList"},"rdpvideominiport":{"action":"System32\\drivers\\rdpvideominiport.sys","fileinfo":"WhiteList"},"rdyboost":{"action":"System32\\drivers\\rdyboost.sys","fileinfo":"WhiteList"},"remoteaccess":{"action":"%SystemRoot%\\System32\\mprdim.dll","fileinfo":"WhiteList"},"remoteregist
ry":{"action":"%SystemRoot%\\system32\\regsvc.dll","fileinfo":"WhiteList"},"rpceptmapper":{"action":"%SystemRoot%\\System32\\RpcEpMap.dll","fileinfo":"WhiteList"},"rpclocator":{"action":"%SystemRoot%\\system32\\locator.exe","fileinfo":"WhiteList"},"rpcss":{"action":"%SystemRoot%\\system32\\rpcss.dll","fileinfo":"WhiteList"},"rspndr":{"action":"system32\\DRIVERS\\rspndr.sys","fileinfo":"WhiteList"},"rtl8167":{"action":"system32\\DRIVERS\\Rt64win7.sys","fileinfo":"WhiteList"},"s3cap":{"action":"%system%\\drivers\\vms3cap.sys","fileinfo":"WhiteList"},"samss":{"action":"%SystemRoot%\\system32\\lsass.exe","fileinfo":"WhiteList"},"sasdifsv":{"action":"%programfiles%\\SUPERAntiSpyware\\SASDIFSV64.SYS","fileinfo":{"sent":"-1","md5":{"hash":"3289766038DB2CB14D07DC84392138D5","size":"14928"},"certificates":"Support.com, Inc.;","prodver":"1, 0, 0, 1016","filever":"1, 0, 0, 1016","name":"SUPERAntiSpyware","company":"SUPERAdBlocker.com and SUPERAntiSpyware.com","nac":{"hash":"E41D52CF15329049929E3B234ECC4591","size":"59"},"subs":"Native","pe":"x64","epsec":"4","eprva":"00008008","ibase":"0000000000010000","ep":"488B05F1B0FFFF49B932A2DF2D992B00004885C07405493BC1752F4C8D05D6B0FFFF48B82003000080F7FFFF488B004933C049B8FFFFFFFFFFFF00004923C0490F","sec":[{"name":".text","hash":"9A40CB47BF773B97D9CF439796634A3C","size":"3584","attr":"68000020"},{"name":".rdata","hash":"D873CD9E0D53FFDEE14D3ED2BCEC75C8","size":"512","attr":"48000040"},{"name":".data","hash":"043C46095689123E1F5BE96C109C2F46","size":"512","attr":"C8000040"},{"name":".pdata","hash":"2777A4ED35D7B8AFC389C821BDF4AE07","size":"512","attr":"48000040"},{"name":"INIT","hash":"CDA754051D13918E381186753CC8BC92","size":"1024","attr":"E2000020"},{"name":".rsrc","hash":"6AD1A83410F583927480CBEE344C95B7","size":"1024","attr":"42000040"}]}},"saskutil":{"action":"%programfiles%\\SUPERAntiSpyware\\SASKUTIL64.SYS","fileinfo":{"sent":"-1","md5":{"hash":"58A38E75F3316A83C23DF6173D41F2B5","size":"12368"},"certificates":"Support.com, 
Inc.;","prodver":"1, 0, 0, 1016","filever":"1, 0, 0, 1016","name":"SUPERAntiSpyware","company":"SUPERAdBlocker.com and SUPERAntiSpyware.com","nac":{"hash":"E41D52CF15329049929E3B234ECC4591","size":"59"},"subs":"Native","pe":"x64","epsec":"4","eprva":"00008008","ibase":"0000000000010000","ep":"488B05F1B0FFFF49B932A2DF2D992B00004885C07405493BC1752F4C8D05D6B0FFFF48B82003000080F7FFFF488B004933C049B8FFFFFFFFFFFF00004923C0490F","sec":[{"name":".text","hash":"86FD3CF6825B874D104FADD4E044E40F","size":"1024","attr":"68000020"},{"name":".rdata","hash":"D3B947F74ED8658CB8D47B83D1D79B6E","size":"512","attr":"48000040"},{"name":".data","hash":"043C46095689123E1F5BE96C109C2F46","size":"512","attr":"C8000040"},{"name":".pdata","hash":"DA733255BBF83CA93DBEAAAED5C70E54","size":"512","attr":"48000040"},{"name":"INIT","hash":"72A4E25CE85C8628BB2B523A5DC9006E","size":"1024","attr":"E2000020"},{"name":".rsrc","hash":"7D4524EA609B98D68785A21959427D08","size":"1024","attr":"42000040"}]}},"sbp2port":{"action":"%system%\\drivers\\sbp2port.sys","fileinfo":"WhiteList"},"scardsvr":{"action":"%SystemRoot%\\System32\\SCardSvr.dll","fileinfo":"WhiteList"},"scfilter":{"action":"System32\\DRIVERS\\scfilter.sys","fileinfo":"WhiteList"},"schedule":{"action":"%systemroot%\\system32\\schedsvc.dll","fileinfo":"WhiteList"},"scpolicysvc":{"action":"%SystemRoot%\\System32\\certprop.dll","fileinfo":"WhiteList"},"sdrsvc":{"action":"%Systemroot%\\System32\\SDRSVC.dll","fileinfo":"WhiteList"},"seclogon":{"action":"%windir%\\system32\\seclogon.dll","fileinfo":"WhiteList"},"sens":{"action":"%SystemRoot%\\system32\\sens.dll","fileinfo":"WhiteList"},"sensrsvc":{"action":"%SystemRoot%\\system32\\sensrsvc.dll","fileinfo":"WhiteList"},"serenum":{"action":"system32\\DRIVERS\\serenum.sys","fileinfo":"WhiteList"},"serial":{"action":"system32\\DRIVERS\\serial.sys","fileinfo":"WhiteList"},"sermouse":{"action":"%system%\\drivers\\sermouse.sys","fileinfo":"WhiteList"},"sessionenv":{"action":"%SystemRoot%\\system32\\sessenv.
dll","fileinfo":"WhiteList"},"sffdisk":{"action":"%system%\\drivers\\sffdisk.sys","fileinfo":"WhiteList"},"sffp_mmc":{"action":"%system%\\drivers\\sffp_mmc.sys","fileinfo":"WhiteList"},"sffp_sd":{"action":"%system%\\drivers\\sffp_sd.sys","fileinfo":"WhiteList"},"sfloppy":{"action":"%system%\\drivers\\sfloppy.sys","fileinfo":"WhiteList"},"sharedaccess":{"action":"%SystemRoot%\\System32\\ipnathlp.dll","fileinfo":"WhiteList"},"shellhwdetection":{"action":"%SystemRoot%\\System32\\shsvcs.dll","fileinfo":"WhiteList"},"sisraid2":{"action":"%system%\\drivers\\SiSRaid2.sys","fileinfo":"WhiteList"},"sisraid4":{"action":"%system%\\drivers\\sisraid4.sys","fileinfo":"WhiteList"},"smb":{"action":"system32\\DRIVERS\\smb.sys","fileinfo":"WhiteList"},"snmptrap":{"action":"%SystemRoot%\\System32\\snmptrap.exe","fileinfo":"WhiteList"},"spooler":{"action":"%SystemRoot%\\System32\\spoolsv.exe","fileinfo":"WhiteList"},"sppsvc":{"action":"%SystemRoot%\\system32\\sppsvc.exe","fileinfo":"WhiteList"},"sppuinotify":{"action":"%SystemRoot%\\system32\\sppuinotify.dll","fileinfo":"WhiteList"},"srv":{"action":"System32\\DRIVERS\\srv.sys","fileinfo":"WhiteList"},"srv2":{"action":"System32\\DRIVERS\\srv2.sys","fileinfo":"WhiteList"},"srvnet":{"action":"System32\\DRIVERS\\srvnet.sys","fileinfo":"WhiteList"},"ssdpsrv":{"action":"%SystemRoot%\\System32\\ssdpsrv.dll","fileinfo":"WhiteList"},"sstpsvc":{"action":"%SystemRoot%\\system32\\sstpsvc.dll","fileinfo":"WhiteList"},"stexstor":{"action":"%system%\\drivers\\stexstor.sys","fileinfo":"WhiteList"},"stisvc":{"action":"%SystemRoot%\\System32\\wiaservc.dll","fileinfo":"WhiteList"},"storflt":{"action":"system32\\drivers\\vmstorfl.sys","fileinfo":"WhiteList"},"storvsc":{"action":"%system%\\drivers\\storvsc.sys","fileinfo":"WhiteList"},"swenum":{"action":"system32\\DRIVERS\\swenum.sys","fileinfo":"WhiteList"},"swprv":{"action":"%Systemroot%\\System32\\swprv.dll","fileinfo":"WhiteList"},"synth3dvsc":{"action":"System32\\drivers\\synth3dvsc.sys","fileinfo":"W
hiteList"},"sysmain":{"action":"%systemroot%\\system32\\sysmain.dll","fileinfo":"WhiteList"},"tabletinputservice":{"action":"%SystemRoot%\\System32\\TabSvc.dll","fileinfo":"WhiteList"},"tapisrv":{"action":"%SystemRoot%\\System32\\tapisrv.dll","fileinfo":"WhiteList"},"tbs":{"action":"%SystemRoot%\\System32\\tbssvc.dll","fileinfo":"WhiteList"},"tcpip":{"action":"System32\\drivers\\tcpip.sys","fileinfo":"WhiteList"},"tcpip6":{"action":"system32\\DRIVERS\\tcpip.sys","fileinfo":"WhiteList"},"tcpipreg":{"action":"System32\\drivers\\tcpipreg.sys","fileinfo":"WhiteList"},"tdpipe":{"action":"system32\\drivers\\tdpipe.sys","fileinfo":"WhiteList"},"tdtcp":{"action":"system32\\drivers\\tdtcp.sys","fileinfo":"WhiteList"},"tdx":{"action":"system32\\DRIVERS\\tdx.sys","fileinfo":"WhiteList"},"termdd":{"action":"system32\\DRIVERS\\termdd.sys","fileinfo":"WhiteList"},"terminpt":{"action":"%system%\\drivers\\terminpt.sys","fileinfo":"WhiteList"},"termservice":{"action":"%SystemRoot%\\System32\\termsrv.dll","fileinfo":"WhiteList"},"themes":{"action":"%SystemRoot%\\system32\\themeservice.dll","fileinfo":"WhiteList"},"threadorder":{"action":"%SystemRoot%\\system32\\mmcss.dll","fileinfo":"WhiteList"},"trkwks":{"action":"%SystemRoot%\\System32\\trkwks.dll","fileinfo":"WhiteList"},"trojankillerdriver":{"action":"system32\\DRIVERS\\gtkdrv.sys","fileinfo":"WhiteList"},"trustedinstaller":{"action":"%SystemRoot%\\servicing\\TrustedInstaller.exe","fileinfo":"WhiteList"},"tssecsrv":{"action":"System32\\DRIVERS\\tssecsrv.sys","fileinfo":"WhiteList"},"tsusbflt":{"action":"system32\\drivers\\tsusbflt.sys","fileinfo":"WhiteList"},"tsusbgd":{"action":"%system%\\drivers\\TsUsbGD.sys","fileinfo":"WhiteList"},"tsusbhub":{"action":"system32\\drivers\\tsusbhub.sys","fileinfo":"WhiteList"},"tunnel":{"action":"system32\\DRIVERS\\tunnel.sys","fileinfo":"WhiteList"},"uagp35":{"action":"%system%\\drivers\\uagp35.sys","fileinfo":"WhiteList"},"udfs":{"action":"system32\\DRIVERS\\udfs.sys","fileinfo":"WhiteList"},
"ui0detect":{"action":"%SystemRoot%\\system32\\UI0Detect.exe","fileinfo":"WhiteList"},"uliagpkx":{"action":"%system%\\drivers\\uliagpkx.sys","fileinfo":"WhiteList"},"umbus":{"action":"system32\\DRIVERS\\umbus.sys","fileinfo":"WhiteList"},"umpass":{"action":"%system%\\drivers\\umpass.sys","fileinfo":"WhiteList"},"umrdpservice":{"action":"%SystemRoot%\\System32\\umrdp.dll","fileinfo":"WhiteList"},"upnphost":{"action":"%SystemRoot%\\System32\\upnphost.dll","fileinfo":"WhiteList"},"usbaudio":{"action":"system32\\drivers\\usbaudio.sys","fileinfo":"WhiteList"},"usbccgp":{"action":"system32\\DRIVERS\\usbccgp.sys","fileinfo":"WhiteList"},"usbcir":{"action":"%system%\\drivers\\usbcir.sys","fileinfo":"WhiteList"},"usbehci":{"action":"system32\\DRIVERS\\usbehci.sys","fileinfo":"WhiteList"},"usbfilter":{"action":"system32\\DRIVERS\\usbfilter.sys","fileinfo":{"sent":"-1","md5":{"hash":"573D192E268F0C5B486B7E96F661E538","size":"47232"},"certificates":"Advanced Micro Devices, Inc.;","prodver":"1.0.20.122","filever":"1.0.20.122 built by: WinDDK","name":"AMD USB Filter Driver","company":"Advanced Micro 
Devices","nac":{"hash":"64F0254CFA84A4C75BF31884F4546E84","size":"43"},"subs":"Native","pe":"x64","epsec":"5","eprva":"0000C67C","ibase":"0000000000010000","ep":"488B057DCAFFFF49B932A2DF2D992B00004885C07405493BC1752F4C8D0562CAFFFF48B82003000080F7FFFF488B004933C049B8FFFFFFFFFFFF00004923C0490F","sec":[{"name":".text","hash":"80440FF8420475C7D345DABE3E4EDD4B","size":"26112","attr":"68000020"},{"name":".rdata","hash":"50C9161B187EABB3CE24594351CD6CC0","size":"3072","attr":"48000040"},{"name":".data","hash":"CEB61F137638E898677820D6D7826F75","size":"2560","attr":"C8000040"},{"name":".pdata","hash":"4D2F7B7CFADC7317438C625A0777DD64","size":"1536","attr":"48000040"},{"name":"PAGE","hash":"1DE32118D36F79BEABDD20F128486432","size":"512","attr":"60000020"},{"name":"INIT","hash":"142389A1FA987144A3FB0955D728DB81","size":"3584","attr":"E2000020"},{"name":".rsrc","hash":"A783B6CD546ED1FF75A54E3AD2DAED30","size":"1024","attr":"42000040"},{"name":".reloc","hash":"3575C8FD600664CC6D5EA6B1B839338D","size":"1024","attr":"42000040"}]}},"usbhub":{"action":"system32\\DRIVERS\\usbhub.sys","fileinfo":"WhiteList"},"usbohci":{"action":"system32\\DRIVERS\\usbohci.sys","fileinfo":"WhiteList"},"usbprint":{"action":"%system%\\drivers\\usbprint.sys","fileinfo":"WhiteList"},"usbstor":{"action":"system32\\DRIVERS\\USBSTOR.SYS","fileinfo":"WhiteList"},"usbuhci":{"action":"%system%\\drivers\\usbuhci.sys","fileinfo":"WhiteList"},"usbvideo":{"action":"System32\\Drivers\\usbvideo.sys","fileinfo":"WhiteList"},"uxsms":{"action":"%SystemRoot%\\System32\\uxsms.dll","fileinfo":"WhiteList"},"vaultsvc":{"action":"%SystemRoot%\\system32\\lsass.exe","fileinfo":"WhiteList"},"vdrvroot":{"action":"system32\\drivers\\vdrvroot.sys","fileinfo":"WhiteList"},"vds":{"action":"%SystemRoot%\\System32\\vds.exe","fileinfo":"WhiteList"},"vga":{"action":"system32\\DRIVERS\\vgapnp.sys","fileinfo":"WhiteList"},"vgasave":{"action":"%system%\\drivers\\vga.sys","fileinfo":"WhiteList"},"vhdmp":{"action":"%system%\\drivers\\vhdmp.sy
s","fileinfo":"WhiteList"},"viaide":{"action":"%system%\\drivers\\viaide.sys","fileinfo":"WhiteList"},"vmbus":{"action":"%system%\\drivers\\vmbus.sys","fileinfo":"WhiteList"},"vmbushid":{"action":"%system%\\drivers\\VMBusHID.sys","fileinfo":"WhiteList"},"volmgr":{"action":"system32\\drivers\\volmgr.sys","fileinfo":"WhiteList"},"volmgrx":{"action":"System32\\drivers\\volmgrx.sys","fileinfo":"WhiteList"},"volsnap":{"action":"system32\\drivers\\volsnap.sys","fileinfo":"WhiteList"},"vsmraid":{"action":"%system%\\drivers\\vsmraid.sys","fileinfo":"WhiteList"},"vss":{"action":"%systemroot%\\system32\\vssvc.exe","fileinfo":"WhiteList"},"vwifibus":{"action":"%system%\\drivers\\vwifibus.sys","fileinfo":"WhiteList"},"w32time":{"action":"%systemroot%\\system32\\w32time.dll","fileinfo":"WhiteList"},"wacompen":{"action":"%system%\\drivers\\wacompen.sys","fileinfo":"WhiteList"},"wanarp":{"action":"system32\\DRIVERS\\wanarp.sys","fileinfo":"WhiteList"},"wanarpv6":{"action":"system32\\DRIVERS\\wanarp.sys","fileinfo":"WhiteList"},"wbengine":{"action":""%systemroot%\\system32\\wbengine.exe"","fileinfo":"WhiteList"},"wbiosrvc":{"action":"%SystemRoot%\\System32\\wbiosrvc.dll","fileinfo":"WhiteList"},"wcncsvc":{"action":"%SystemRoot%\\System32\\wcncsvc.dll","fileinfo":"WhiteList"},"wcspluginservice":{"action":"%SystemRoot%\\System32\\WcsPlugInService.dll","fileinfo":"WhiteList"},"wd":{"action":"%system%\\drivers\\wd.sys","fileinfo":"WhiteList"},"wdf01000":{"action":"system32\\drivers\\Wdf01000.sys","fileinfo":"WhiteList"},"wdiservicehost":{"action":"%SystemRoot%\\system32\\wdi.dll","fileinfo":"WhiteList"},"wdisystemhost":{"action":"%SystemRoot%\\system32\\wdi.dll","fileinfo":"WhiteList"},"webclient":{"action":"%SystemRoot%\\System32\\webclnt.dll","fileinfo":"WhiteList"},"wecsvc":{"action":"%SystemRoot%\\system32\\wecsvc.dll","fileinfo":"WhiteList"},"wercplsupport":{"action":"%SystemRoot%\\System32\\wercplsupport.dll","fileinfo":"WhiteList"},"wersvc":{"action":"%SystemRoot%\\System32\\Wer
Svc.dll","fileinfo":"WhiteList"},"wfplwf":{"action":"system32\\DRIVERS\\wfplwf.sys","fileinfo":"WhiteList"},"wimmount":{"action":"system32\\drivers\\wimmount.sys","fileinfo":"WhiteList"},"windefend":{"action":"%ProgramFiles%\\Windows Defender\\mpsvc.dll","fileinfo":"WhiteList"},"winhttpautoproxysvc":{"action":"winhttp.dll","fileinfo":"WhiteList"},"winmgmt":{"action":"%SystemRoot%\\system32\\wbem\\WMIsvc.dll","fileinfo":"WhiteList"},"winrm":{"action":"%SystemRoot%\\system32\\WsmSvc.dll","fileinfo":"WhiteList"},"wlansvc":{"action":"%SystemRoot%\\System32\\wlansvc.dll","fileinfo":"WhiteList"},"wmiacpi":{"action":"system32\\DRIVERS\\wmiacpi.sys","fileinfo":"WhiteList"},"wmiapsrv":{"action":"%systemroot%\\system32\\wbem\\WmiApSrv.exe","fileinfo":"WhiteList"},"wmpnetworksvc":{"action":""%PROGRAMFILES%\\Windows Media Player\\wmpnetwk.exe"","fileinfo":"WhiteList"},"wpcsvc":{"action":"%SystemRoot%\\System32\\wpcsvc.dll","fileinfo":"WhiteList"},"wpdbusenum":{"action":"%SystemRoot%\\system32\\wpdbusenum.dll","fileinfo":"WhiteList"},"ws2ifsl":{"action":"%system%\\drivers\\ws2ifsl.sys","fileinfo":"WhiteList"},"wscsvc":{"action":"%SYSTEMROOT%\\system32\\wscsvc.dll","fileinfo":"WhiteList"},"wsearch":{"action":"%systemroot%\\system32\\SearchIndexer.exe \/Embedding","fileinfo":"WhiteList"},"wuauserv":{"action":"%systemroot%\\system32\\wuaueng.dll","fileinfo":"WhiteList"},"wudfpf":{"action":"system32\\drivers\\WudfPf.sys","fileinfo":"WhiteList"},"wudfrd":{"action":"system32\\DRIVERS\\WUDFRd.sys","fileinfo":"WhiteList"},"wudfsvc":{"action":"%SystemRoot%\\System32\\WUDFSvc.dll","fileinfo":"WhiteList"},"wwansvc":{"action":"%SystemRoot%\\System32\\wwansvc.dll","fileinfo":"WhiteList"}},"BHO":{},"LSP":{"MSAFD Tcpip [TCP/IP]":{"guid":"{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"MSAFD Tcpip [UDP/IP]":{"guid":"{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"MSAFD Tcpip 
[RAW/IP]":{"guid":"{E70F1AA0-AB8B-11CF-8CA3-00805F48A192}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"MSAFD Tcpip [TCP/IPv6]":{"guid":"{F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"MSAFD Tcpip [UDP/IPv6]":{"guid":"{F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"MSAFD Tcpip [RAW/IPv6]":{"guid":"{F9EAB0C0-26D4-11D0-BBBF-00AA006C34E4}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"RSVP TCPv6 Service Provider":{"guid":"{9D60A9E0-337A-11D0-BD88-0000C082E69A}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"RSVP TCP Service Provider":{"guid":"{9D60A9E0-337A-11D0-BD88-0000C082E69A}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"RSVP UDPv6 Service Provider":{"guid":"{9D60A9E0-337A-11D0-BD88-0000C082E69A}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"},"RSVP UDP Service Provider":{"guid":"{9D60A9E0-337A-11D0-BD88-0000C082E69A}","action":"%system%\\mswsock.dll","fileinfo":"WhiteList"}},"Browsers":{"Internet Explorer":{"%programfiles(x86)%/Internet Explorer/D3DCompiler_47.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/DiagnosticsTap.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/ExtExport.exe":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/F12Tools.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/iedvtool.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/ieinstal.exe":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/ielowutil.exe":{"Type":"File","LastWriteTime":"20.05.2016 
00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/ieproxy.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/IEShims.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/iexplore.exe":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/jsdbgui.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/jsdebuggeride.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/JSProfilerCore.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/jsprofilerui.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/msdbg2.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/networkinspection.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/pdm.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/pdmproxy100.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"},"%programfiles(x86)%/Internet Explorer/sqmapi.dll":{"Type":"File","LastWriteTime":"20.05.2016 00:23","fileinfo":"WhiteList"}},"Firefox":{"%programfiles(x86)%/Mozilla Firefox/AccessibleMarshal.dll":{"Type":"File","LastWriteTime":"02.05.2016 23:30","fileinfo":{"sent":"-1","md5":{"hash":"09BF897FED0D825D7BCAC10E04FAA138","size":"19912"},"certificates":"Mozilla Corporation;","prodver":"46.0.1","filever":"46.0.1","name":"Firefox","company":"Mozilla Foundation","nac":{"hash":"BD86ABC464D4B35C26B1BFDB72400F1C","size":"25"},"subs":"Win32 
GUI","pe":"x86","epsec":"0","eprva":"0000137C","ibase":"10000000","ep":"558BEC837D0C017505E8D1040000FF7510FF750CFF7508E80700000083C40C5DC20C006A1068D83B0010E8A505000033C0408BF08975E433DB895DFC8B7D0C893D","sec":[{"name":".text","hash":"ABC5F5FBD39D27C003E3B93A95D63200","size":"3072","attr":"60000020"},{"name":".orpc","hash":"4677740376D67BB91B99FA6388C224B5","size":"512","attr":"60000020"},{"name":".rdata","hash":"90A51DF08994C28C1C7FC4AB31E5BD67","size":"5120","attr":"40000040"},{"name":".data","hash":"985DB7E52192A9A6B772AF95E51CC056","size":"512","attr":"C0000040"},{"name":".rsrc","hash":"B03AB83A679E83ECE299BB639F4D05E7","size":"1024","attr":"40000040"},{"name":".reloc","hash":"5193FE5C63C7DEB117349411075F5CAC","size":"1024","attr":"42000040"}]}},"%programfiles(x86)%/Mozilla Firefox/breakpadinjector.dll":{"Type":"File","LastWriteTime":"02.05.2016 23:30","fileinfo":{"sent":"-1","md5":{"hash":"A5AB617B91242B0E2BA02D593B514EE1","size":"109000"},"certificates":"Mozilla Corporation;","prodver":"46.0.1","filever":"46.0.1","name":"Firefox","company":"Mozilla Foundation","nac":{"hash":"BD86ABC464D4B35C26B1BFDB72400F1C","size":"25"},"subs":"Win32 GUI","pe":"x86","epsec":"0","eprva":"00001196","ibase":"10000000","ep":"CC33C0C20C00558BEC83EC20A18882011033C58945FC53568B75085733FF576A018BDF57895DE0E8D21F0000686693011068C8000000E812230000595985C07425","sec":[{"name":".text","hash":"CF35F239DC29D4B8B5064AB6C1C6C0BD","size":"62464","attr":"60000020"},{"name":".rdata","hash":"4670CE1A68AFC75DB740928CAE7543E1","size":"26624","attr":"40000040"},{"name":".data","hash":"F67B44AAF97A0B17737A987EC043244C","size":"5120","attr":"C0000040"},{"name":".rsrc","hash":"BC2081B41BAA264E19107F86482E3C35","size":"1024","attr":"40000040"},{"name":".reloc","hash":"857379B5EDC8E7AFB371F48144DC15F3","size":"5120","attr":"42000040"}]}},"%programfiles(x86)%/Mozilla Firefox/crashreporter.exe":{"Type":"File","LastWriteTime":"02.05.2016 
23:30","fileinfo":{"sent":"-1","md5":{"hash":"5F453B4C274F97B9A358CAE2800D0F8E","size":"282568"},"certificates":"Mozilla Corporation;","prodver":"46.0.1","filever":"46.0.1","name":"Firefox","company":"Mozilla Foundation","nac":{"hash":"BD86ABC464D4B35C26B1BFDB72400F1C","size":"25"},"ric":{"hash":"76839ED5EE2D972516FAFFC4962DD68F","size":"25064"},"rfh":{"size":"384","hash1":"GjDnwCSy4eRW%2FfB65wsF5AzRT4NnASi9eQQA%2By","hash2":"GjDtSh7hE7F5W6Nn4%2B"},"subs":"Win32 GUI","pe":"x86","epsec":"0","eprva":"00013CF8","ibase":"00400000","ep":"E807DA0000E97FFEFFFFE85B8300008BD08B426C3B051C99430074108B0DE0994300854A707505E83E8100008B4004C3E8358300008BD08B426C3B051C99430074","sec":[{"name":".text","hash":"ECB016C62142DC2104474A2294EA5A99","size":"185344","attr":"60000020"},{"name":".rdata","hash":"32EC4D15BC8D8A7A898A6565C70588FB","size":"39424","attr":"40000040"},{"name":".data","hash":"F38B294692851B3E2F5985E24E5DBAB9","size":"6656","attr":"C0000040"},{"name":".rsrc","hash":"02FD76C5C0C71FEE2E4273C794535757","size":"33280","attr":"40000040"},{"name":".reloc","hash":"43E4BCB563A287C3E0DD1F67505CD99A","size":"9216","attr":"42000040"}]}},"%programfiles(x86)%/Mozilla Firefox/D3DCompiler_43.dll":{"Type":"File","LastWriteTime":"26.05.2010 14:41","fileinfo":"WhiteList"},"%programfiles(x86)%/Mozilla Firefox/d3dcompiler_47.dll":{"Type":"File","LastWriteTime":"21.08.2013 18:03","fileinfo":"WhiteList"},"%programfiles(x86)%/Mozilla Firefox/firefox.exe":{"Type":"File","LastWriteTime":"02.05.2016 23:30","fileinfo":{"sent":"-1","md5":{"hash":"7DF8845A1CF92C227E81DBBC6F6434DF","size":"392136"},"certificates":"Mozilla Corporation;","prodver":"46.0.1","filever":"46.0.1","name":"Firefox","company":"Mozilla Corporation","nac":{"hash":"E95DFC679D6717452EA5F3F37DFC8472","size":"26"},"ric":{"hash":"F6B6AA27B845287C437C2DDDF1759ABD","size":"85919"},"rfh":{"size":"1536","hash1":"mD5PzjZyK7ALoYXc5fRSDzFVMNwdo4i%2BzESlLU6fIb3Od0MJ2","hash2":"UR7TFRKjMNwdod8ZtU6fgOKf"},"subs":"Win32 
08:29"},"WinaeroTweaker":{"Type":"Folder","LastWriteTime":"22.05.2016 16:58"},"WinaeroTweaker/ShellIcons":{"Type":"Folder","LastWriteTime":"22.05.2016 17:52"}},"%programfiles%":{"ASUS":{"Type":"Folder","LastWriteTime":"19.05.2016 22:43"},"ASUS/ASUS USB 3.0 Boost Storage Driver":{"Type":"Folder","LastWriteTime":"19.05.2016 22:43"},"ATI":{"Type":"Folder","LastWriteTime":"19.05.2016 22:35"},"ATI/CIM":{"Type":"Folder","LastWriteTime":"19.05.2016 22:35"},"ATI Technologies":{"Type":"Folder","LastWriteTime":"19.05.2016 22:34"},"Bitdefender":{"Type":"Folder","LastWriteTime":"19.05.2016 23:32"},"Bitdefender/Tools":{"Type":"Folder","LastWriteTime":"19.05.2016 23:32"},"CCleaner":{"Type":"Folder","LastWriteTime":"21.05.2016 20:49"},"CCleaner/Lang":{"Type":"Folder","LastWriteTime":"21.05.2016 20:49"},"Common Files":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"Common Files/Microsoft Shared":{"Type":"Folder","LastWriteTime":"19.05.2016 22:35"},"Common Files/Services":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"Common Files/SpeechEngines":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"Common Files/System":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"DVD Maker":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"DVD Maker/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"DVD Maker/Shared":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"GridinSoft Anti-Malware":{"Type":"Folder","LastWriteTime":"20.05.2016 00:27"},"GridinSoft Anti-Malware/Driver":{"Type":"Folder","LastWriteTime":"19.05.2016 22:55"},"GridinSoft Anti-Malware/Languages":{"Type":"Folder","LastWriteTime":"19.05.2016 22:55"},"Internet Explorer":{"Type":"Folder","LastWriteTime":"20.05.2016 00:26"},"Internet Explorer/en-US":{"Type":"Folder","LastWriteTime":"20.05.2016 00:26"},"Internet Explorer/images":{"Type":"Folder","LastWriteTime":"20.05.2016 00:26"},"Internet Explorer/SIGNUP":{"Type":"Folder","LastWriteTime":"24.05.2016 
11:14"},"Malwarebytes":{"Type":"Folder","LastWriteTime":"22.05.2016 12:50"},"Malwarebytes/Anti-Ransomware":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"Microsoft Games":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"Microsoft Games/Chess":{"Type":"Folder","LastWriteTime":"01.01.2008 04:23"},"Microsoft Games/FreeCell":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/Hearts":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/Mahjong":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/Minesweeper":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/More Games":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/Multiplayer":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"Microsoft Games/Purble Place":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/Solitaire":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Games/SpiderSolitaire":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Microsoft Security Client":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"Microsoft Security Client/Backup":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"Microsoft Security Client/Drivers":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"Microsoft Security Client/en-us":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"MSBuild":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"MSBuild/Microsoft":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Reference Assemblies":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Reference Assemblies/Microsoft":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"SUPERAntiSpyware":{"Type":"Folder","LastWriteTime":"24.05.2016 14:04"},"SUPERAntiSpyware/Plugins":{"Type":"Folder","LastWriteTime":"24.05.2016 14:04"},"Uninstall Information":{"Type":"Folder","LastWriteTime":"14.07.2009 01:09"},"Windows Defender":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows 
Defender/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Journal":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"Windows Journal/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"Windows Journal/Templates":{"Type":"Folder","LastWriteTime":"12.04.2011 04:28"},"Windows Mail":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Mail/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player/Icons":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Media Renderer":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Network Sharing":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Skins":{"Type":"Folder","LastWriteTime":"20.11.2010 23:31"},"Windows Media Player/Visualizations":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows NT":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows NT/Accessories":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows NT/TableTextService":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Photo Viewer":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Photo Viewer/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Portable Devices":{"Type":"Folder","LastWriteTime":"20.11.2010 23:31"},"Windows Sidebar":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Windows Sidebar/en-US":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Windows Sidebar/Gadgets":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"}},"%programfiles(x86)%":{"AMD APP":{"Type":"Folder","LastWriteTime":"19.05.2016 22:35"},"AMD APP/bin":{"Type":"Folder","LastWriteTime":"19.05.2016 22:35"},"ASM104xUSB3":{"Type":"Folder","LastWriteTime":"19.05.2016 
22:32"},"ASM104xUSB3/Driver":{"Type":"Folder","LastWriteTime":"19.05.2016 22:32"},"ASUS":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"ASUS/AAHM":{"Type":"Folder","LastWriteTime":"19.05.2016 22:37"},"ASUS/AI Suite II":{"Type":"Folder","LastWriteTime":"19.05.2016 22:43"},"ASUS/AsSysCtrlService":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"ASUS/AXSP":{"Type":"Folder","LastWriteTime":"19.05.2016 22:37"},"ASUS/IO":{"Type":"Folder","LastWriteTime":"19.05.2016 22:37"},"Common Files":{"Type":"Folder","LastWriteTime":"25.05.2016 20:42"},"Common Files/InstallShield":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"Common Files/microsoft shared":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Common Files/Services":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"Common Files/SpeechEngines":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"Common Files/System":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Glarysoft":{"Type":"Folder","LastWriteTime":"24.05.2016 17:54"},"HitmanPro.Alert":{"Type":"Folder","LastWriteTime":"24.05.2016 18:26"},"InstallShield Installation Information":{"Type":"Folder","LastWriteTime":"19.05.2016 22:43"},"InstallShield Installation Information/{015CFA5F-1377-48B2-84DB-F4D3DE8EBAF7}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:43"},"InstallShield Installation Information/{34D3688E-A737-44C5-9E2A-FF73618728E1}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"InstallShield Installation Information/{36AC4397-6287-4075-A4FB-66A0D81F0A87}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:41"},"InstallShield Installation Information/{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:36"},"InstallShield Installation Information/{5153DBF7-58C5-4C3F-A648-6EA91089F851}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:40"},"InstallShield Installation Information/{8833FFB6-5B0C-4764-81AA-06DFEED9A476}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:31"},"InstallShield 
Installation Information/{9C8C5569-AA0B-4FF2-8C14-AF066E3238FE}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:41"},"InstallShield Installation Information/{B171F5F0-3672-44A1-A501-28837F892408}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:42"},"InstallShield Installation Information/{BEE4C824-BEA3-454F-BC9B-A22BFA52E458}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:39"},"InstallShield Installation Information/{C0FEE440-FA2F-4C0D-B64C-35F1D4B7A009}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:42"},"InstallShield Installation Information/{E6931688-DA2B-4E16-8539-3D323D69C677}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"InstallShield Installation Information/{F178DD09-E45A-4C29-979A-1EEAEFC35A5F}":{"Type":"Folder","LastWriteTime":"19.05.2016 22:39"},"Internet Explorer":{"Type":"Folder","LastWriteTime":"20.05.2016 00:26"},"Internet Explorer/en-US":{"Type":"Folder","LastWriteTime":"20.05.2016 00:26"},"Internet Explorer/SIGNUP":{"Type":"Folder","LastWriteTime":"20.05.2016 00:28"},"KeyCryptSDK":{"Type":"Folder","LastWriteTime":"21.05.2016 23:06"},"Malwarebytes Anti-Malware":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/Chameleon":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/imageformats":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/Languages":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/platforms":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/Plugins":{"Type":"Folder","LastWriteTime":"24.05.2016 16:29"},"Malwarebytes Anti-Malware/unins000.exe":{"Type":"File","LastWriteTime":"24.05.2016 
16:29","fileinfo":{"sent":"-1","md5":{"hash":"F1505D347325C77E3EEEF418495E1F57","size":"720085"},"filever":"51.52.0.0","ric":{"hash":"36301B06D96794B65CE62604C3C03E98","size":"4640"},"rfh":{"size":"48","hash1":"T%2FRx4H4ONkUvOvg9wMSDQPxQV3Po8w%2BRV4yMXU3X9q7ONkUvOvg9wMSDQPxQV3P8","hash2":"MYONfeZEWVArvU3mONfeZEWV4%2BxF9p"},"subs":"Win32 GUI","pe":"x86","epsec":"0","eprva":"00099280","ibase":"00400000","ep":"558BEC83C4F4535657E8B6A0F6FFE80DC4F6FFE894D0F6FFE837D1F6FFE8BA06F7FFE8CD74F7FFE83077F7FFE88796F7FFE89AFDF7FFE895BCF8FFE8BC64F9FFE8","sec":[{"name":"CODE","hash":"039BEE5CBAC4E4B70138C1387EE075E1","size":"624128","attr":"60000020"},{"name":"DATA","hash":"52894BD296E6CF44C9E54A308F6E8213","size":"4608","attr":"C0000040"},{"name":"BSS","hash":"00000000000000000000000000000000","size":"0","attr":"C0000000"},{"name":".idata","hash":"5591B7A10CBE1359F07A0FE3901357FB","size":"9728","attr":"C0000040"},{"name":".tls","hash":"00000000000000000000000000000000","size":"0","attr":"C0000000"},{"name":".rdata","hash":"34468F6B6582247E27EA1BBCD0D5435B","size":"512","attr":"50000040"},{"name":".reloc","hash":"00000000000000000000000000000000","size":"0","attr":"50000040"},{"name":".rsrc","hash":"A6CE6745245D0A6644E576F81FABBA86","size":"68608","attr":"50000040"}]}},"Microsoft Security Client":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"Microsoft Security Client/en-US":{"Type":"Folder","LastWriteTime":"22.05.2016 00:21"},"Microsoft.NET":{"Type":"Folder","LastWriteTime":"22.05.2016 13:06"},"Microsoft.NET/RedistList":{"Type":"Folder","LastWriteTime":"22.05.2016 13:06"},"Mozilla Firefox":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Firefox/browser":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Firefox/defaults":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Firefox/dictionaries":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Firefox/gmp-clearkey":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla 
Firefox/uninstall":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Firefox/webapprt":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Maintenance Service":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Maintenance Service/logs":{"Type":"Folder","LastWriteTime":"20.05.2016 00:42"},"Mozilla Maintenance Service/Uninstall.exe":{"Type":"File","LastWriteTime":"20.05.2016 00:42","fileinfo":{"sent":"-1","md5":{"hash":"63939A68F0E77D525ECCB87A20752DD1","size":"88670"},"prodver":"46.0.1","filever":"46.0.1","name":"Firefox","company":"Mozilla Corporation","nac":{"hash":"E95DFC679D6717452EA5F3F37DFC8472","size":"26"},"ric":{"hash":"95BDEEB6367B100CD554E0453354CEBE","size":"25064"},"rfh":{"size":"384","hash1":"Lksp7QIkIMDzLFKNrcTtwbM3raGFIvZ0oK78hUZZZgYa8I6Dn","hash2":"0IkRDzLsYib67CqkhUZZZ3DI"},"subs":"Win32 GUI","pe":"x86","epsec":"0","eprva":"0000322E","ibase":"00400000","ep":"81ECD8020000535556576A2033ED5E896C2418C7442410D8A24000896C2414FF15348040006801800000FF153481400055FF15AC8240006A09A3784F4300E8FD2E","sec":[{"name":".text","hash":"9DCA43F07E072B6AB5B47217E8148626","size":"25088","attr":"60000020"},{"name":".rdata","hash":"0AA2DC336F7337ED3785EE2AFEACAE36","size":"5632","attr":"40000040"},{"name":".data","hash":"25A0547494FC1187F1C34D41F766D083","size":"1536","attr":"C0000040"},{"name":".ndata","hash":"00000000000000000000000000000000","size":"0","attr":"C0000080"},{"name":".rsrc","hash":"3BF37A9259D5B92B71734B2B953F8760","size":"29696","attr":"40000040"}]}},"MSBuild":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"MSBuild/Microsoft":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"NortonInstaller":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"NortonInstaller/{397E31AA-0D78-4649-A01C-339D73A2ED35}":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"Realtek":{"Type":"Folder","LastWriteTime":"19.05.2016 22:31"},"Realtek/NICDRV_8169":{"Type":"Folder","LastWriteTime":"19.05.2016 22:31"},"Reference 
Assemblies":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Reference Assemblies/Microsoft":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"SpywareBlaster":{"Type":"Folder","LastWriteTime":"23.05.2016 01:51"},"SpywareBlaster/dep":{"Type":"Folder","LastWriteTime":"23.05.2016 01:50"},"Trojan Remover":{"Type":"Folder","LastWriteTime":"23.05.2016 02:27"},"UltimateOutsider":{"Type":"Folder","LastWriteTime":"21.05.2016 01:47"},"UltimateOutsider/GWX Control Panel":{"Type":"Folder","LastWriteTime":"21.05.2016 01:47"},"Uninstall Information":{"Type":"Folder","LastWriteTime":"14.07.2009 00:57"},"VS Revo Group":{"Type":"Folder","LastWriteTime":"24.05.2016 17:11"},"VS Revo Group/Revo Uninstaller":{"Type":"Folder","LastWriteTime":"24.05.2016 22:55"},"Windows Defender":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Defender/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Mail":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Mail/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Media Player/Icons":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Media Renderer":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Network Sharing":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows Media Player/Skins":{"Type":"Folder","LastWriteTime":"20.11.2010 23:31"},"Windows Media Player/Visualizations":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows NT":{"Type":"Folder","LastWriteTime":"14.07.2009 01:32"},"Windows NT/Accessories":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows NT/TableTextService":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Photo Viewer":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Photo 
Viewer/en-US":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Windows Portable Devices":{"Type":"Folder","LastWriteTime":"20.11.2010 23:31"},"Windows Sidebar":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Windows Sidebar/en-US":{"Type":"Folder","LastWriteTime":"22.05.2016 17:48"},"Windows Sidebar/Gadgets":{"Type":"Folder","LastWriteTime":"22.05.2016 17:47"},"Zemana AntiLogger Free":{"Type":"Folder","LastWriteTime":"21.05.2016 21:31"},"Zemana AntiMalware":{"Type":"Folder","LastWriteTime":"23.05.2016 06:07"}},"%programfiles(x86)%/Common Files":{"InstallShield":{"Type":"Folder","LastWriteTime":"19.05.2016 22:38"},"microsoft shared":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"},"Services":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"SpeechEngines":{"Type":"Folder","LastWriteTime":"13.07.2009 23:20"},"System":{"Type":"Folder","LastWriteTime":"12.04.2011 04:17"}}}}
    One thing I notice, which strikes me as a peculiar pattern, is that every time Locky appears in my registry, its associated (alphanumeric) key shows up before it, just as I listed in my Regedit results above. Maybe it doesn't mean much, but the question that arose in my mind was: why wouldn't the keys labeled "Locky" show up first?

    Either way, Locky still persists. But now I'm wondering if you think it would make a difference if I ran ComboFix with the same script you last gave me, but this time in Safe Mode?...

    I'd be willing to try that if you think it's worth giving it a shot.
    Last edited by niemiro; 05-26-2016 at 01:53 PM. Reason: Removed Name

  16. #16
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    One other thing I was thinking about while going through all of this is: what if I also ran ComboFix while disconnected from the internet? I'm only guessing at this point, but if Locky keeps re-appearing after every reboot, maybe it's because it's receiving further instructions via the network by dialing back to a C&C server at or before Windows logon. Just a thought, but one I'm now wondering more about...

  17. #17
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    One final thing I wanted to post this evening before I hit the hay is my latest CCleaner scan results. In them, I've found two strange but new reg key entries that have now re-appeared a couple of times, so I thought I'd post that as well. See below...

    Strange new keys appearing in the registry after reboot:

    HKEY_CURRENT_USER\Software\Wget

    HKEY_LOCAL_MACHINE\SOFTWARE\swearware

    I just want to say, if you don't get back to me right away, not to worry.

    I'm gonna call it a night until tomorrow anyway. I usually check back periodically, but please take all the time you need with this thing. I'm in no rush, and besides, if my contribution to researching this problem gets us all that much closer to gaining an edge over this Locky infection, I'm all for it.

    As I mentioned before, I'm not at a loss for any of my personal files, especially since I haven't re-installed any of them since this Locky problem started to persist. That's not to say that whoever is behind this Locky Filecoder didn't somehow infiltrate some of my info without actually holding my system ransom (maybe even for ID-theft purposes), but I haven't noticed anything else out of the ordinary at this point, just this infection on my machine, which I would at least like to attempt to remove from the new hard drive I installed, which got infected.

    I don't have any certs and not a whole lot of formal training in malware removal, but I did take Electronics in high school as a vocation for 3 years, so I do have exceptional experience navigating Windows as well as PC building/testing/setup, and I would be willing to attempt any form of removal just to see if it would actually work. Hopefully this doesn't sound too weird or anything, but consider me your guinea pig at this point...

  18. #18
    Corrine's Avatar
    Join Date
    Feb 2012
    Location
    Upstate, NY
    Posts
    8,476

    Re: Totally Perplexed by this Locky Ransomware...

    That isn't the log showing the results of the ComboFix script. Based on the date and time, it appears what we need to see is ComboFix2.txt:

    Completion time: 2016-05-25 20:47:19
    ComboFix-quarantined-files.txt 2016-05-26 00:47
    ComboFix2.txt 2016-05-25 02:27
    ComboFix3.txt 2016-05-24 20:47
    ComboFix4.txt 2016-05-24 14:42

    Please hold down the Windows Key and the "R" key. A run box will appear. Copy and paste the following: C:\Qoobox\ComboFix2.txt then click OK. Notepad will open with a log. Post the contents of that log in your next reply.

    In the meantime, niemiro had an idea so I am going to ask him to provide the instructions and we'll see what happens.



  19. #19
    niemiro's Avatar
    Join Date
    Mar 2012
    Location
    District 12
    Posts
    7,813

    Re: Totally Perplexed by this Locky Ransomware...

    Hello there! I think we've met before

    I'm going to step in briefly to try out a few tools and techniques which may be applicable here. What I'm going to do is set up some loggers and audit policies to try to track down precisely what process or program is recreating these registry keys. In essence I'm going to try to monitor the system and watch what's fiddling with these registry keys. If we can find an explicit process or service name then at least we'll have something to go on/analyse.

    The first technique we shall try will be to use Windows' own built-in registry auditor.

    Step 0: Restart your computer such that the Locky keys reappear (we need them to exist).

    Step 1: Press Windows Key + R, type in cmd, paste in
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable

    and press enter.

    Step 2: Open regedit in a similar way and navigate to each of the following four keys in turn (just these ones - I do not wish you to touch the .DEFAULT or S-1-5-18 etc. keys):

    Code:
    HKEY_CLASSES_ROOT\Software\F43o6aqLPEF6
    HKEY_CLASSES_ROOT\Software\Locky
    
    HKEY_CURRENT_USER\Software\Classes\Software\F43o6aqLPEF6
    HKEY_CURRENT_USER\Software\Classes\Software\Locky
    For each key separately, right click on it > Permissions > Advanced > Auditing > Add > Select a Principal > Advanced > Find Now > double click on Everyone > OK > and then:

    Type dropdown: All
    Applies to dropdown: This key and subkeys
    Put a tick in "Full Control"

    OK x2

    Step 3:

    Navigate to each of:

    Code:
    HKEY_CLASSES_ROOT\Software
    HKEY_CURRENT_USER\Software\Classes\Software
    in turn.

    Do exactly the same as above except this time, instead of putting a tick in Full Control, click "Show Advanced Permissions" and put a tick in Create Subkey, Create Link, Write DAC, Write Owner.

    Step 4: Restart your computer. Once again, do not delete or touch any Locky keys/run any other tools. You must leave them alone for the time being.

    Step 5: Search for "Event Viewer"/eventvwr.msc and press enter. Navigate through Windows > Security log and on the right, Save All Events As. Name it "Security.evtx" and press enter. Select "Display Information for these languages" in the next popup if it appears. Click OK.

    Step 6: Upload Security.evtx to OneDrive/Dropbox/similar and post a public link here.

    Step 7:

    Any questions or similar don't hesitate to let me know. Some of these instructions are based on Windows 10 although should be similar under Windows 7. If anything doesn't look quite right and you can't figure it out, more than happy to help out.

    Richard
    DonnaB and YOnGodsGreenEarth say thanks for this.
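The same audit setup as niemiro's Steps 1 to 5, scripted, as an added example that is not part of his post or any of the tools named in this thread. It assumes the four key paths and the two parent keys exactly as quoted above, that it is run from an elevated PowerShell prompt on the Windows 7 box (writing a SACL needs SeSecurityPrivilege), and that the only thing of interest in the exported log is which process held a handle to those keys. `Add-RegistryAudit` and `Get-RegistryAuditHits` are helper names chosen here, not anything from the thread. One fact worth knowing before reading the output: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so `HKCR\Software\Locky` and `HKCU\Software\Classes\Software\Locky` may well be the same physical key and show up under one `\REGISTRY\USER\...` object name in the events.

```powershell
# Added example (not from the thread): script the registry-audit setup from the post and, after the
# reboot, pull out which process touched the keys. Key names are the ones quoted in the post.
# Must run in an elevated PowerShell prompt: writing a SACL needs SeSecurityPrivilege.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Step 1: enable the Object Access > Registry audit subcategory (same auditpol call as the post),
# then read it back so a group-policy override does not go unnoticed.
& auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
& auditpol /get /subcategory:"Registry"

# HKEY_CLASSES_ROOT has no PSDrive by default. HKCR is a merged view of HKLM\SOFTWARE\Classes and
# HKCU\Software\Classes, so HKCR:\Software\Locky may be the same physical key as the HKCU one below.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Key names as quoted in the post (assumed to still exist after Step 0's reboot).
$lockyKeys  = @('HKCR:\Software\F43o6aqLPEF6', 'HKCR:\Software\Locky',
                'HKCU:\Software\Classes\Software\F43o6aqLPEF6', 'HKCU:\Software\Classes\Software\Locky')
$parentKeys = @('HKCR:\Software', 'HKCU:\Software\Classes\Software')

function Add-RegistryAudit {
    # Attach a Success+Failure audit entry for Everyone, inherited by subkeys, to one key.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.AccessControl.RegistryRights]$Rights
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Not present (has it been recreated yet?): $Path"
        return
    }
    $acl  = Get-Acl -Path $Path -Audit                       # -Audit is required to read/write the SACL
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 2: Full Control audit on the four Locky keys themselves.
foreach ($k in $lockyKeys) { Add-RegistryAudit -Path $k -Rights FullControl }

# Step 3: on the two parents, audit only subkey creation, link creation, DAC and owner writes
# (Create Subkey, Create Link, Write DAC, Write Owner in regedit's terms), so a busy parent key
# does not flood the Security log with every value read.
$parentRights = [System.Security.AccessControl.RegistryRights]'CreateSubKey,CreateLink,ChangePermissions,TakeOwnership'
foreach ($k in $parentKeys) { Add-RegistryAudit -Path $k -Rights $parentRights }

# Steps 4-5, after the reboot: list the audit events that touched those keys, with the process
# that held the handle. 4656 = handle requested, 4663 = handle used, 4657 = registry value changed.
function Get-RegistryAuditHits {
    param([string]$Pattern = 'Locky|F43o6aqLPEF6')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4657, 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -match $Pattern) {
                New-Object PSObject -Property @{
                    Time       = $_.TimeCreated
                    EventId    = $_.Id
                    Object     = $data['ObjectName']
                    Process    = $data['ProcessName']
                    ProcessId  = $data['ProcessId']
                    User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    AccessMask = $data['AccessMask']
                }
            }
        }
}

Get-RegistryAuditHits | Sort-Object Time |
    Format-Table Time, EventId, Process, ProcessId, Object, AccessMask -AutoSize

# Same export as Step 5, without the Event Viewer clicks.
& wevtutil epl Security "$env:USERPROFILE\Desktop\Security.evtx"
```

Two things to keep in mind when reading what this prints. The `Process` column is the process that held the handle, not necessarily the thing that decided to write: if it comes back as `svchost.exe`, `services.exe` or `explorer.exe`, the next question is which service, scheduled task or shell extension was loaded into it at that moment. And Full Control auditing for Everyone on keys that get read at every logon grows the Security log fast; raise its maximum size in Event Viewer (Security > Properties) before the reboot so the events from logon are still there when the log is exported.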

  20. #20
    YOnGodsGreenEarth

    Re: Totally Perplexed by this Locky Ransomware...

    So sorry for the delay in my response. I found the proper log and have posted it below.

    Judging by the difference in timestamps, I'm not sure if this one is correct, but it is the only ComboFix log that popped up when I followed your instructions...


    ComboFix 16-05-18.01 - TKRA7 05/25/2016 20:40:48.4.4 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8137.4288 [GMT -4:00]
    Running from: c:\users\TKRA7\Downloads\Security Tools\Special Tools\ComboFix.exe
    Command switches used :: c:\users\TKRA7\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
    SP: Microsoft Security Essentials *Disabled/Updated* {CDE0C533-D3CD-62A1-E772-AFADDF863628}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2016-04-26 to 2016-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2016-05-26 00:45 . 2016-05-26 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2016-05-25 07:07 . 2016-05-25 07:07 -------- d-----w- c:\programdata\MicroWorld
    2016-05-25 02:38 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1066D84-A6B5-4C23-B7D7-01A6E845F3AB}\mpengine.dll
    2016-05-25 00:25 . 2016-05-25 00:47 -------- d---a-w- C:\cce_linux
    2016-05-24 22:26 . 2016-05-24 22:26 848592 ----a-w- c:\windows\system32\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 84520 ----a-w- c:\windows\system32\drivers\hmpnet.sys
    2016-05-24 22:26 . 2016-05-24 22:26 767696 ----a-w- c:\windows\SysWow64\hmpalert.dll
    2016-05-24 22:26 . 2016-05-24 22:26 177040 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2016-05-24 22:26 . 2016-05-24 22:26 -------- d-----w- c:\program files (x86)\HitmanPro.Alert
    2016-05-24 21:14 . 2016-05-24 21:54 -------- d-----w- c:\program files (x86)\Glarysoft
    2016-05-24 21:11 . 2016-05-24 21:11 -------- d-----w- c:\program files (x86)\VS Revo Group
    2016-05-24 20:29 . 2016-05-25 22:39 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2016-05-24 20:29 . 2016-05-24 20:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2016-05-24 20:29 . 2016-03-10 18:09 64896 ----a-w- c:\windows\system32\drivers\mwac.sys
    2016-05-24 20:29 . 2016-03-10 18:08 140672 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2016-05-24 20:29 . 2016-03-10 18:08 27008 ----a-w- c:\windows\system32\drivers\mbam.sys
    2016-05-24 18:03 . 2016-05-24 18:04 -------- d-----w- c:\program files\SUPERAntiSpyware
    2016-05-24 18:03 . 2016-05-24 18:03 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2016-05-24 14:59 . 2016-05-22 04:22 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2016-05-24 14:59 . 2016-05-09 16:10 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DCBBBEB1-CFD8-487F-BED8-80E1E95CC6A8}\gapaengine.dll
    2016-05-24 14:48 . 2016-05-17 19:56 11898512 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2016-05-24 14:26 . 2016-05-25 00:56 -------- d-----w- C:\FRST
    2016-05-23 06:25 . 2016-05-23 06:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2016-05-23 06:00 . 2016-05-25 00:13 -------- d-----w- c:\windows\CryptoGuard
    2016-05-23 06:00 . 2016-05-23 06:25 -------- d-----w- c:\programdata\HitmanPro
    2016-05-23 05:50 . 2016-05-23 05:50 -------- d-----w- c:\programdata\Licenses
    2016-05-23 05:50 . 2012-05-02 16:17 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2016-05-23 05:50 . 2009-03-24 17:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
    2016-05-23 05:50 . 2016-05-23 05:51 -------- d-----w- c:\program files (x86)\SpywareBlaster
    2016-05-23 00:28 . 2016-05-23 00:28 -------- d-----w- C:\AdwCleaner
    2016-05-22 21:53 . 2016-05-23 06:27 -------- d-----w- c:\program files (x86)\Trojan Remover
    2016-05-22 21:53 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
    2016-05-22 21:53 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
    2016-05-22 21:53 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
    2016-05-22 21:53 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
    2016-05-22 21:53 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
    2016-05-22 21:53 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
    2016-05-22 21:53 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
    2016-05-22 21:53 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
    2016-05-22 21:52 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2016-05-22 21:52 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
    2016-05-22 21:52 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2016-05-22 21:45 . 2016-05-22 21:45 -------- d-----w- C:\inetpub
    2016-05-22 20:58 . 2016-05-22 20:58 -------- d-----w- c:\programdata\WinaeroTweaker
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\program files (x86)\Microsoft.NET
    2016-05-22 17:06 . 2016-05-22 17:06 -------- d-----w- c:\windows\Migration
    2016-05-22 16:52 . 2016-05-22 17:00 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2016-05-22 16:50 . 2016-05-24 20:29 -------- d-----w- c:\programdata\Malwarebytes
    2016-05-22 16:50 . 2016-05-22 16:50 -------- d-----w- c:\program files\Malwarebytes
    2016-05-22 09:51 . 2016-05-23 01:03 -------- d-----w- c:\windows\Microsoft Antimalware
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2016-05-22 04:21 . 2016-05-22 04:21 -------- d-----w- c:\program files\Microsoft Security Client
    2016-05-22 00:59 . 2016-05-22 00:59 36320 ----a-w- c:\windows\system32\drivers\fsfreedometap.sys
    2016-05-22 00:49 . 2016-05-22 00:49 -------- d-----w- c:\program files\CCleaner
    2016-05-21 12:29 . 2016-05-21 12:29 -------- d-----w- c:\programdata\Trend Micro
    2016-05-21 12:24 . 2016-05-21 12:24 -------- d-----w- c:\programdata\Bitdefender Agent
    2016-05-21 12:16 . 2016-05-22 01:29 -------- d-----w- c:\programdata\F-Secure
    2016-05-21 12:15 . 2016-05-21 12:15 -------- d-----w- c:\programdata\Norton
    2016-05-21 12:15 . 2016-05-22 21:47 -------- d-----w- c:\program files (x86)\NortonInstaller
    2016-05-21 05:47 . 2016-05-21 05:47 -------- d-----w- c:\program files (x86)\UltimateOutsider
    2016-05-21 05:34 . 2016-05-22 00:46 -------- d-----w- c:\windows\SysWow64\ZALSDK_uninst
    2016-05-21 05:34 . 2014-12-30 17:31 7039960 ----a-w- c:\windows\SysWow64\ZALSDKCore.dll
    2016-05-20 05:30 . 2016-05-23 10:07 -------- d-----w- c:\program files (x86)\Zemana AntiMalware
    2016-05-20 04:54 . 2016-05-25 01:23 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2016-05-20 04:54 . 2016-05-25 01:23 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2016-05-20 04:54 . 2016-05-20 04:54 -------- d-----w- c:\windows\system32\Macromed
    2016-05-20 04:42 . 2016-05-20 04:42 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2016-05-20 04:40 . 2016-05-22 03:06 -------- d-----w- c:\program files (x86)\KeyCryptSDK
    2016-05-20 04:40 . 2015-11-05 19:00 143904 ----a-w- c:\windows\system32\drivers\KeyCrypt64.sys
    2016-05-20 04:40 . 2016-05-22 01:31 -------- d-----w- c:\program files (x86)\Zemana AntiLogger Free
    2016-05-20 04:26 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
    2016-05-20 04:22 . 2016-05-20 04:22 878080 ----a-w- c:\windows\system32\advapi32.dll
    2016-05-20 04:21 . 2016-05-20 04:21 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1887232 ----a-w- c:\windows\system32\d3d11.dll
    2016-05-20 04:20 . 2016-05-20 04:20 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
    2016-05-20 03:32 . 2016-05-20 03:32 -------- d-----w- c:\program files\Bitdefender
    2016-05-20 02:58 . 2016-05-20 02:58 -------- d-----w- c:\programdata\ASUS OC Profiles
    2016-05-20 02:56 . 2016-05-20 02:56 0 ----a-w- c:\windows\ativpsrm.bin
    2016-05-20 02:55 . 2016-05-20 02:55 -------- d-----w- c:\programdata\GridinSoft
    2016-05-20 02:55 . 2016-05-20 04:27 -------- d-----w- c:\program files\GridinSoft Anti-Malware
    2016-05-20 02:51 . 2011-05-24 15:04 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2016-05-20 02:51 . 2011-05-24 14:19 58880 ----a-w- c:\windows\system32\coinst.dll
    2016-05-20 02:43 . 2016-05-20 02:43 -------- d-----w- c:\program files\ASUS
    2016-05-20 02:42 . 2016-05-20 02:42 -------- d-----w- c:\windows\SysWow64\Macromed
    2016-05-20 02:38 . 2010-11-08 18:57 14464 ----a-w- c:\windows\system32\drivers\AiChargerPlus.sys
    2016-05-20 02:38 . 2008-12-03 00:05 184320 ----a-w- c:\windows\SysWow64\drivers\UpdateHelper.dll
    2016-05-20 02:37 . 2016-05-20 02:37 -------- d-----w- c:\programdata\ASUS
    2016-05-20 02:37 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\ASUS
    2016-05-20 02:37 . 2010-08-24 07:16 13440 ----a-r- c:\windows\SysWow64\drivers\AsIO.sys
    2016-05-20 02:37 . 2010-06-29 07:41 28672 ----a-r- c:\windows\SysWow64\AsIO.dll
    2016-05-20 02:37 . 2008-01-04 05:34 11832 ------w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
    2016-05-20 02:36 . 2009-07-14 01:15 315904 ----a-w- c:\windows\SysWow64\Difxd825.rra
    2016-05-20 02:36 . 2010-11-25 03:27 120408 ----a-w- c:\windows\system32\drivers\jraid.sys
    2016-05-20 02:36 . 2016-05-20 02:36 -------- d-----w- c:\windows\RaidTool
    2016-05-20 02:36 . 2016-05-20 02:38 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files (x86)\AMD APP
    2016-05-20 02:35 . 2016-05-20 02:35 -------- dc----w- c:\windows\system32\DRVSTORE
    2016-05-20 02:35 . 2010-12-16 03:06 47232 ----a-r- c:\windows\system32\drivers\usbfilter.sys
    2016-05-20 02:35 . 2011-03-04 18:46 78976 ----a-w- c:\windows\system32\drivers\amd_sata.sys
    2016-05-20 02:35 . 2011-03-04 18:46 38528 ----a-w- c:\windows\system32\drivers\amd_xata.sys
    2016-05-20 02:35 . 2016-05-20 02:35 -------- d-----w- c:\program files\ATI
    2016-05-20 02:34 . 2016-05-20 02:34 -------- d-----w- c:\program files\ATI Technologies
    2016-05-20 02:34 . 2016-05-20 02:34 16896 ----a-w- c:\windows\AsTaskSched.dll
    2016-05-20 02:33 . 2011-02-25 06:25 296320 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2016-05-20 02:32 . 2016-05-20 02:32 -------- d-----w- c:\program files (x86)\ASM104xUSB3
    2016-05-20 02:32 . 2016-05-22 04:21 -------- d-sh--w- c:\windows\Installer
    2016-05-20 02:31 . 2011-08-23 13:57 565352 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
    2016-05-20 02:31 . 2011-08-23 13:57 74272 ----a-w- c:\windows\system32\RtNicProp64.dll
    2016-05-20 02:31 . 2011-08-23 13:57 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
    2016-05-20 02:31 . 2016-05-20 02:31 -------- d-----w- c:\program files (x86)\Realtek
    2016-05-20 02:31 . 2016-05-20 02:43 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
    2016-05-20 02:25 . 2016-05-22 21:49 -------- d-----w- c:\users\TKRA7
    2016-05-20 02:25 . 2016-05-20 02:25 -------- d-----w- C:\Recovery
    2016-05-18 08:27 . 2016-05-18 08:27 17568 ----a-w- c:\windows\system32\drivers\gtkdrv.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2016-05-20 04:22 . 2016-05-20 04:22 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2016-04-22 07:57 . 2010-11-21 03:27 453288 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
    "ASUS AiChargerPlus Execute"="c:\program files (x86)\InstallShield Installation Information\{E6931688-DA2B-4E16-8539-3D323D69C677}\AiChargerPlus.exe" [2010-11-08 465536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(6).dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys;c:\windows\SYSNATIVE\DRIVERS\gtkdrv.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    S0 AiChargerPlus;ASUS Charger Plus Driver;c:\windows\system32\DRIVERS\AiChargerPlus.sys;c:\windows\SYSNATIVE\DRIVERS\AiChargerPlus.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
    S1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.14\atkexComSvc.exe [x]
    S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
    S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
    S2 hmpalertsvc;HitmanPro.Alert service;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe;c:\program files (x86)\HitmanPro.Alert\hmpalert.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys;SysWow64\drivers\ASUSFILTER.sys [x]
    S3 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys;c:\windows\SYSNATIVE\drivers\hmpalert.sys [x]
    S3 hmpnet;HitmanPro.Alert Network Driver;c:\windows\system32\drivers\hmpnet.sys;c:\windows\SYSNATIVE\drivers\hmpnet.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-01-29 1340192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(6).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = DuckDuckGo
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    FF - ProfilePath - c:\users\TKRA7\AppData\Roaming\Mozilla\Firefox\Profiles\gd012hhu.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2205198338-1926017667-846148581-1000\Software\locky]
    @Denied: (B 2 3) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_242_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.21"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_242.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2016-05-25 20:47:19
    ComboFix-quarantined-files.txt 2016-05-26 00:47
    ComboFix2.txt 2016-05-25 02:27
    ComboFix3.txt 2016-05-24 20:47
    ComboFix4.txt 2016-05-24 14:42
    .
    Pre-Run: 946,853,986,304 bytes free
    Post-Run: 946,788,552,704 bytes free
    .
    - - End Of File - - 194F54C9B11C211F1A52FCFBA650F143
    A36C5E4F47E84449FF07ED3517B43A31
