hellbraker9

Honorary Members
  1. System wide (all text-based fields: Notepad, Word, search bar, etc.). I tried testing it in Ubuntu 16; there the Backspace key works fine while the other two keys still have the issue.
  2. My Down Arrow key, Spacebar and Backspace do not work as intended.
     Down Arrow: Pressing it moves the cursor down and at the same time inserts a space where it was in the beginning.
     Spacebar: Inserts a space and brings the cursor down (only if characters are present below).
     Backspace: Cannot delete by long pressing; instead it has to be pressed every single time.
  3. Done. Here's the fixlog and the new FRST log:
     Fix result of Farbar Recovery Scan Tool (x86) Version: 29-07-2017
     Ran by Admin (30-07-2017 02:19:27) Run:8
     Running from C:\Users\Admin\Downloads
     Loaded Profiles: Admin (Available Profiles: Admin)
     Boot Mode: Normal
     ==============================================
     fixlist content:
     *****************
     CloseProcesses:
     HKU\S-1-5-18\...A8F59079A8D5}\localserver32: <==== ATTENTION
     *****************
     Processes closed successfully.
     HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => key not found.
     HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully.
     The system needed a reboot.
     ==== End of Fixlog 02:19:27 ====
     FRST.txt Addition.txt
  4. I submitted a threat analysis and it said this is spyware: https://www.hybrid-analysis.com/sample/1e77f9846b6c053789179bfd648f4f1d5a0b66ce2f435f905e8ec0cf188f0eae?environmentId=100
  5. And now in my Temp folder is Au_.exe. I opened it in Notepad. Here are some of its suspicious contents:
  6. Farbar Recovery Scan Tool (x86) Version: 29-07-2017
     Ran by Admin (29-07-2017 04:02:01)
     Running from C:\Users\Admin\Downloads
     Boot Mode: Normal
     ================== Search Registry: "localserver32" ===========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D3AC5E6-D557-42EE-AB8A-F95239E9939F}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33A86FA9-EBB6-449A-81A2-2BC3B2527A49}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3630AB4B-C0D2-4C1B-B7E7-73A2CF9A4521}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B191048-B0AD-4CFE-902C-F51140AA77ED}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FCB7074-EC9E-4AAF-9BE3-C0E356942366}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40CB6EA0-AB2A-45F8-BA45-2DC7756A7B49}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44da8435-b187-4dd6-8f32-9341eb7e4c3c}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45597c98-80f6-4549-84ff-752cf55e2d29}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E1B01B-5619-4898-8714-DD1897BA07B2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49010C18-B110-421a-9047-ADCA421CBC40}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{494C063B-1024-4DD1-89D3-713784E82044}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49B2791A-B1AE-4C90-9B8E-E860BA07F889}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B39F507-4D1F-4d40-8517-6E0E8CADD515}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{509443A8-B499-4d72-9222-52B82980D8AB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59A7120F-AA86-4A1F-9CFC-CB8A85E7E11C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5cc76543-0f98-47a8-afa2-208562ef9454}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f4baad0-4d59-4fcd-b213-783ce7a92f22}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6295DF2D-35EE-11D1-8707-00C04FD93327}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6316D324-2238-101B-9E66-00AA003BA905}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6316D324-2238-101B-9E66-00AA003BA905}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOutlookMAPI2>cy?1KY)nJA_a5O?ysm'," [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65235197-874B-4A07-BDC5-E65EA825B718}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6570B2AA-1F63-4959-9D98-C12ABB483DFC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B0FCC1-D874-4C12-B17E-6D45594C5973}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69127644-2511-4DF5-BC6A-26178254AA40}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B7F33AC-D91D-4563-BF36-0ACCB24E66FB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6d8ff8e0-730d-11d4-bf42-00b0d0118b56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6d8ff8e8-730d-11d4-bf42-00b0d0118b56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E7D4AE2-770B-4F0D-9365-FEAD8DED17CD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7160A13D-73DA-4CEA-95B9-37356478588A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q]c@jkO)AxaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{767A19A0-3CC7-415B-9D08-D48DD7B8557D}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{767A19A0-3CC7-415B-9D08-D48DD7B8557D}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7AB36653-1796-484B-BDFA-E74F1DB7C1DC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7B33B0B5-F719-4B0B-B48A-0B8F20CA08A5}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EA9A8FA-F5D2-49E1-99E8-C26EE07FCEEB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6316B4-4D69-4765-B0A3-B2598F2FA80A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80756358-5146-11D5-A672-00B0D022E945}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8075635F-5146-11D5-A672-00B0D022E945}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8086ebd4-43e3-4b19-beb3-f0ea4ecf319c}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8144B6F5-20A8-444a-B8EE-19DF0BB84BDB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81F9417F-B186-4BB0-AE2B-AB574859E5CC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82780E93-DEDB-4666-8CEF-E83D451CC53E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84F66100-FF7C-4fb4-B0C0-02CD7FB668FE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87C2B672-22F9-4956-BA84-ADE98273128E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{884e2049-217d-11da-b2a4-000e7bbb2b09}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8881050C-764C-4C21-ABB5-4AFD7BC1641E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8B8E30-C451-421B-8553-D2976AFA648C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5 /AUTOMATION" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94E03510-31B9-47a0-A44E-E932AC86BB17}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95142bf8-5f09-452b-b384-44af84a500c6}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98068995-54d2-4136-9bc9-6dbcb0a4683f}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{999276E0-DA71-4743-8F02-0AB0A2D65558}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9acf41ed-d457-4cc1-941b-ab02c26e4686}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B908879-E03F-4D0C-ACB3-9065B1155460}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CDC7B1E-53E4-477f-B05E-50C87D3FFA56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EB4C4CB-74C2-4BE9-AA5D-8249F16020AD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1E6E578-A831-4803-8DC3-433843B1E19C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A24BCC4A-448D-41CA-92BB-3DC15D81C16C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A354BD60-4C0A-11d3-B561-00A0C92E6848}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4E118DF-B9E5-4B42-888C-065CEAF8DDC3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A55803CC-4D53-404c-8557-FD63DBA95D24}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a677570a-2ba2-4e9a-b2e2-8a02cd8b4fd3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8298e0c-7201-470e-84d5-728cff85bcbf}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8CB1D55-99DE-4448-AA2B-69883DEB3037}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{aac1009f-ab33-48f9-9a21-7f5b88426a2e}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB93B6F1-BE76-4185-A488-A9001B105B94}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADBE6DEC-9B04-4A3D-A09C-4BB38EF1351C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEE3E4A8-EF01-4024-A0F1-809D9B096E14}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF6652B6-3FCC-4D1E-8519-F3B33F733FE7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF9618A1-49AB-44BA-92FD-567DE7D2D4E2}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B20A2538-5E52-4F66-81D9-0B5DEEEEB667}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B43A0C1E-B63F-4691-B68F-CD807A45DA01}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8558612-DF5E-4F95-BB81-8E910B327FB2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8fb4ad7-ea4a-4b47-bfdc-bfc94160a8ea}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB2B65B0-241E-101B-9E67-00AA003BA905}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB2B65B0-241E-101B-9E67-00AA003BA905}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOutlookMAPI2>cy?1KY)nJA_a5O?ysm'," [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC7ADC2B-CC8C-48d2-A820-1BC605B0D3C7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD170270-BA64-48D0-9664-851EF6B723D3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bdb57ff2-79b9-4205-9447-f5fe85f37312}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C071C982-2EB2-4D3A-9821-E4B31B0142C8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C0B3C446-3032-4016-926F-9BAE48BEBFBE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A723EC-9C68-42C6-9BEA-52D103661409}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2BFE331-6739-4270-86C9-493D9A04CD38}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C332C124-340D-4430-AA0D-C75602876FCC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C947D50F-378E-4FF6-8835-FCB50305244D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC957078-B838-47C4-A7CF-626E7A82FC58}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD621DE4-2AA5-4468-ADF1-087A05891DA7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cdc32574-7521-4124-90c3-8d5605a34933}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF1BF3B6-7AD0-4410-996B-C78EAFCD3269}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFEC0E62-45AF-46A7-867A-4679C7A7EAF3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0E55F9F-0021-42fe-A1DB-C41F5B564EFE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D13E3F25-1688-45A0-9743-759EB35CDF9A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d54378cd-91d8-4e10-a00b-819f9a9efcb1}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBF82DC7-E750-4CCF-B09C-D8AECEF7158E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCA74850-096D-40CD-BB81-17034E51ACB6}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB2D492-5F4F-4378-8FF4-DA87062D42E3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE13E041-1416-430e-9C2F-F7A548D26B3B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF4FCC34-067A-4E0A-8352-4A1A5095346E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E05FDDED-C4A7-4338-80D7-7577655D5412}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1BA41AD-4A1D-418F-AABA-3D1196B423D3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E62456F4-62AC-45CB-99DE-4E0F6B6062D7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E70C92A9-4BFD-11d1-8A95-00C04FB951F3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E81752ED-2885-4624-AE89-5A28DB58874B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E81752ED-2885-4624-AE89-5A28DB58874B}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOneNoteFiles>tW{~$4Q]c@DsjRPxaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E8DF2799-8F1B-4b60-B30F-AED6BBF39625}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ed1d0fdf-4414-470a-a56d-cfb68623fc58}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDC32B80-BB14-444C-A28B-AC4731199BC4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2D6561-D63C-11D2-B561-00A0C92E6848}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1EFACAA-08A1-461B-9D28-7AA8947889A0}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4E6633D-3404-4F4E-90EE-4B1A336F14CD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9617F6-E606-42AA-BECC-0E9CDA246D63}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\LocalServer32] 
[HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\LocalServer32] ====== End of Search ======
  7. Yup. Let's hope so. Did you notice the ATTENTION flagged entry? Is it fine?
  8. Thank you. But why are these two, XWDSXS.exe and GZJK.exe, coming back? Is something calling them from my system? Fixlog.txt
  9. But the C:\Users\Admin\AppData\Local\Temp\Paizhao.exe.dmp seems suspicious. So have you checked the FRST log? Is all good? My keyboard still has issues though.
  10. It appears from the program Rogue Killer, which I happened to install myself recently.

    BEGIN BM telemetry
    GUID:{5E8C7AC0-A2E7-A1C7-5A65-24511226A586}
    TelemetryName:Behavior:Win32/Critroni.B
    SignatureID:103025085780290
    ProcessID:3508
    ProcessCreationTime:131457680341817281
    SessionID:1
    CreationTime:07-29-2017 14:26:52
    ImagePath:C:\Program Files\RogueKiller\RogueKiller.exe
    ImagePathHash:98FF49F55CDAC9B499EAFFD4BB852E5D422F6812A3F992B840007EE8D1585AD6
    TargetFileName:C:\Users\Admin\AppData\Local\Temp\Paizhao.exe.dmp
    END BM telemetry
    BEGIN BM telemetry
    GUID:{7F16FF8D-DE51-825E-BA05-101F69F68D0A}
    TelemetryName:Behavior:Win32/EMSGen
    SignatureID:51347397088536
    ProcessID:3508
    ProcessCreationTime:131457680341817281
    SessionID:1
    CreationTime:07-29-2017 14:26:54
    ImagePath:C:\Program Files\RogueKiller\RogueKiller.exe
    END BM telemetry
    2017-07-29T02:26:56.695Z MAPS Report Send (hr=0x0 httpcode=200)
    2017-07-29T02:26:57.787Z Dynamic signature received
    Dynamic Signature has been received
    Dynamic Signature Type:Signature Update
    Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\8f005564c3e2df8efd7bb92059d18708f444959c
    Dynamic Signature Compilation Timestamp:07-29-2017 14:26:27
    Persistence Type:Duration
    Time remaining:288000000
    2017-07-29T02:26:57.803Z MAPS Report Send (hr=0x0 httpcode=200)
    2017-07-29T02:26:59.675Z MAPS Report Send (hr=0x0 httpcode=200)
    Dynamic Signature has been received
    Dynamic Signature Type:Signature Update
    Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\525ccd79f0a813ed173cf225bdc9c65f990598c4
    Dynamic Signature Compilation Timestamp:07-29-2017 14:26:30
    Persistence Type:Duration
    Time remaining:288000000
    Dynamic Signature has been received
    Dynamic Signature Type:Signature Update
    Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\b1cf608fd63528b747eeccf2b0781ab89dd17959
    Dynamic Signature Compilation Timestamp:07-29-2017 14:26:30
    Persistence Type:Duration
    Time remaining:288000000
    2017-07-29T02:26:59.784Z MAPS Report Send (hr=0x0 httpcode=200)
    2017-07-29T02:26:59.956Z DETECTIONEVENT Behavior:Win32/Powessere.D behavior:pid:3508:50247080127395;internalbehavior:34ACEB5447D578FD94DEAB30BC3E88C5;process:pid:3508,ProcessStart:131457680341817281;
    2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D behavior:pid:3508:50247080127395
    2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D internalbehavior:34ACEB5447D578FD94DEAB30BC3E88C5
    2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D process:pid:3508,ProcessStart:131457680341817281
    Begin Resource Scan
    Scan ID:{DB57CAE8-35E3-4EFC-BA09-751FF2A3DA63}
    Scan Source:8
    Start Time:07-29-2017 14:26:59
    End Time:07-29-2017 14:26:59
    Explicit resource to scan
    Resource Schema:internalbehavior
    Resource Path:34ACEB5447D578FD94DEAB30BC3E88C5
    Result Count:1
    Threat Name:Behavior:Win32/Powessere.D
    ID:2147690011
    Severity:5
    Number of Resources:3
    Resource Schema:process
    Resource Path:pid:3508,ProcessStart:131457680341817281
    Extended Info:50247080127395
    Resource Schema:behavior
    Resource Path:pid:3508:50247080127395
    Extended Info:0
    Resource Schema:internalbehavior
    Resource Path:34ACEB5447D578FD94DEAB30BC3E88C5
    Extended Info:50247080127395
    End Scan
  11. Just had Microsoft Security Essentials pick up Win32/Powessere.D. Not sure from where. Needs to restart.