hellbraker9 (Honorary Members, 38 posts, reputation: 0 Neutral)
My Down Arrow key, Spacebar and Backspace do not work as intended.
Down Arrow: pressing it moves the cursor down and at the same time inserts a space where it was in the beginning.
Spacebar: inserts a space and brings the cursor down (only if characters are present below).
Backspace: cannot delete by long pressing; instead it has to be pressed every single time.
-
Done. Here's the fixlog and the new FRST log.

Fix result of Farbar Recovery Scan Tool (x86) Version: 29-07-2017
Ran by Admin (30-07-2017 02:19:27) Run:8
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-18\...A8F59079A8D5}\localserver32: <==== ATTENTION
*****************

Processes closed successfully.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => key not found.
HKU\S-1-5-18\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully.

The system needed a reboot.

==== End of Fixlog 02:19:27 ====

FRST.txt Addition.txt
-
And now in my Temp folder is Au_.exe. I opened it in Notepad. Here is some of its suspicious content:

s e t t i n g s l o g g i n g t o % d c r e a t e d u n i n s t a l l e r : % d , " % s " W r i t e R e g : e r r o r c r e a t i n g k e y " % s \ % s " W r i t e R e g : e r r o r w r i t i n g i n t o " % s \ % s " " % s " W r i t e R e g B i n : " % s \ % s " " % s " = " % s " W r i t e R e g D W O R D : " % s \ % s " " % s " = " 0 x % 0 8 x " W r i t e R e g E x p a n d S t r : " % s \ % s " " % s " = " % s " W r i t e R e g S t r : " % s \ % s " " % s " = " % s " D e l e t e R e g K e y : " % s \ % s " D e l e t e R e g V a l u e : " % s \ % s " " % s " ! N ~ W r i t e I N I S t r : w r o t e [ % s ] % s = % s i n % s < R M > C o p y F i l e s " % s " - > " % s " C r e a t e S h o r t C u t : o u t : " % s " , i n : " % s % s " , i c o n : % s , % d , s w = % d , h k = % d E r r o r r e g i s t e r i n g D L L : C o u l d n o t i n i t i a l i z e O L E E r r o r r e g i s t e r i n g D L L : C o u l d n o t l o a d % s E r r o r r e g i s t e r i n g D L L : % s n o t f o u n d i n % s A b o r t f l a g s e t d u r i n g p l u g i n c a l l \ E x e c : f a i l e d c r e a t e p r o c e s s ( " % s " ) ( e r r : % d ) E x e c : s u c c e s s ( " % s " ) E x e c : c o m m a n d = " % s " E x e c S h e l l : s u c c e s s ( " % s " : f i l e : " % s " p a r a m s : " % s " ) E x e c S h e l l : w a r n i n g : e r r o r ( " % s " : f i l e : " % s " p a r a m s : " % s " ) = % d H i d e W i n d o w P o p : s t a c k e m p t y E x c h : s t a c k < % d e l e m e n t s R M D i r : " % s " M e s s a g e B o x : % d , " % s " D e l e t e : " % s " F i l e : w r o t e % d t o " % s " F i l e : e r r o r , u s e r c a n c e l F i l e : s k i p p e d : " % s " ( o v e r w r i t e f l a g = % d ) F i l e : e r r o r , u s e r a b o r t F i l e : e r r o r , u s e r r e t r y F i l e : e r r o r c r e a t i n g " % s " ( e r r : % d ) F i l e : o v e r w r i t e f l a
g = % d , a l l o w s k i p f i l e s f l a g = % d , n a m e = " % s " R e n a m e f a i l e d : % s ( e r r : % d ) R e n a m e o n r e b o o t : % s R e n a m e : % s I f F i l e E x i s t s : f i l e " % s " d o e s n o t e x i s t , j u m p i n g % d I f F i l e E x i s t s : f i l e " % s " e x i s t s , j u m p i n g % d C r e a t e D i r e c t o r y : " % s " c r e a t e d C r e a t e D i r e c t o r y : c a n ' t c r e a t e " % s " - a f i l e a l r e a d y e x i s t s C r e a t e D i r e c t o r y : c a n ' t c r e a t e " % s " ( e r r = % d ) C r e a t e D i r e c t o r y : " % s " ( % d ) S e t F i l e A t t r i b u t e s f a i l e d . ( e r r : % d ) S e t F i l e A t t r i b u t e s : " % s " : % 0 8 X B r i n g T o F r o n t S l e e p ( % d ) d e t a i l p r i n t : % s C a l l : % d Q u i t t i n g : G o t q u i t i n s t r u c t i o n A b o r t i n g : " % s " J u m p : % d v e r i f y i n g i n s t a l l e r : % d % % . . . % d % % I n s t a l l e r i n t e g r i t y c h e c k h a s f a i l e d . C o m m o n c a u s e s i n c l u d e i n c o m p l e t e d o w n l o a d a n d d a m a g e d m e d i a . C o n t a c t t h e i n s t a l l e r ' s a u t h o r t o o b t a i n a n e w c o p y . M o r e i n f o r m a t i o n a t : h t t p : / / n s i s . s f . n e t / N S I S _ E r r o r E r r o r l a u n c h i n g i n s t a l l e r S e S h u t d o w n P r i v i l e g e A ~ n s u . t m p E n d o f t h e l i n e ( t h i s p r o c e s s ) : Q : % d A : % d _ ? = \ T e m p / D = N C R C N S I S E r r o r E r r o r w r i t i n g t e m p o r a r y f i l e . M a k e s u r e y o u r t e m p f o l d e r i s v a l i d . Q u i t t i n g : G e t t i n g b y e b y e n o t i f i c a t i o n i n s t a l l . l o g o p e n % u . % u % s % s S k i p p i n g s e c t i o n : " % s " I n s t a l l c o d e d o n e : Q : % d A : % d S e c t i o n : " % s " E x i t i n g : % d R i c h E d i t R i c h E d i t 2 0 A R i c h E d 3 2 R i c h E d 2 0 _ N b . e x e . 
D E F A U L T \ C o n t r o l P a n e l \ I n t e r n a t i o n a l C o n t r o l P a n e l \ D e s k t o p \ R e s o u r c e L o c a l e SHGetFolderPathW SHFOLDER SHAutoComplete SHLWAPI GetUserDefaultUILanguage AdjustTokenPrivileges LookupPrivilegeValueW OpenProcessToken RegDeleteKeyExW ADVAPI32 MoveFileExW GetDiskFreeSpaceExW KERNEL32 [Rename] % d S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ Q u i c k L a u n c h n s a * ? | < > / " : i n v a l i d r e g i s t r y k e y H K E Y _ D Y N _ D A T A H K E Y _ C U R R E N T _ C O N F I G H K E Y _ P E R F O R M A N C E _ D A T A H K E Y _ U S E R S H K E Y _ L O C A L _ M A C H I N E H K E Y _ C U R R E N T _ U S E R H K E Y _ C L A S S E S _ R O O T . . . % 0 2 x % c % 0 8 d : L i n e % d : Module32NextW Module32FirstW Process32NextW Process32FirstW CreateToolhelp32Snapshot Kernel32.DLL U n k n o w n GetModuleBaseNameW EnumProcessModules EnumProcesses PSAPI.DLL [ %s=%s N U L R M D i r : R e m o v e D i r e c t o r y f a i l e d ( " % s " ) R M D i r : R e m o v e D i r e c t o r y o n R e b o o t ( " % s " ) R M D i r : R e m o v e D i r e c t o r y ( " % s " ) R M D i r : R e m o v e D i r e c t o r y i n v a l i d i n p u t ( " % s " ) D e l e t e : D e l e t e F i l e f a i l e d ( " % s " ) D e l e t e : D e l e t e F i l e o n R e b o o t ( " % s " ) D e l e t e : D e l e t e F i l e ( " % s " ) \ * . * */* Content-Type: application/x-www-form-urlencoded ( % x ) : % s L i s t e n e r % d w a i t i n g f o r m e s s a g e s . . . 
C o u l d n ' t c r e a t e b u f f e r e v e n t D B N S I S _ B U F F E R _ R E A D Y C o u l d n ' t c r e a t e d a t a e v e n t D B N S I S _ D A T A _ R E A D Y C o u l d n ' t m a p f i l e v i e w F i l e m a p p i n g a l r e a d y e x i s t s C o u l d n ' t c r e a t e f i l e m a p p i n g D B N S I S _ B U F F E R % s Post succeeded Post failed POST /nsis N S I S D r o p b o x D e v d . d r o p b o x . c o m t a r a k . c o r p . g e t d r o p b o x . c o m D r o p b o x & q u i t = % d & a b o r t = % d & r = & i s _ u n i n s t a l l e r = % d & v e r s i o n = w i n - % s b u i l d _ k e y = % s P i n g i n g b a c k F i n a l e x i t c o d e s : q u i t % d a b o r t % d % s ( f r o m c h i l d ) F a i l e d t o g e t a p p d a t a d i r H o s t i n t c o o k i e : % h s \ % s \ h o s t . d b x H o s t c o o k i e : % h s C h e c k i n g l o c a t i o n % s \ % s \ h o s t . d b S P i n f o : % d . % d ( % s ) ; S u i t e % x P r o d % x O S v e r s i o n : % d . % d . % d ( P l a t f o r m % d ) N o i n s t a l l e r t a g s . 
T a g : " % s " = " % s " B r a n d i n g : " % s " N a m e : " % s " % 0 8 d : p i d % x : [ % 0 4 h u / % 0 2 h u / % 0 2 h u % 0 2 h u : % 0 2 h u : % 0 2 h u ] U A C h w n d i s i n v a l i d U s i n g U A C h w n d % x ( C L : % s ) D B D E V % s % s \ l \ % 0 8 x \ n e w _ t r a c e D r o p b o x \ i n s t a l l e r DeleteFileW 9FindFirstFileW EFindNextFileW .FindClose fSetFilePointer gMultiByteToWideChar ÀReadFile %WriteFile MlstrlenA WideCharToMultiByte BGetPrivateProfileStringW +WritePrivateProfileStringW bFreeLibrary >LoadLibraryExW GetModuleHandleW ºGlobalFree ßGetExitCodeProcess ùWaitForSingleObject ³GlobalAlloc ExpandEnvironmentStringsW BlstrcmpW ElstrcmpiW R CloseHandle jSetFileTime ` CompareFileTime SearchPathW aGetShortPathNameW ûGetFullPathNameW cMoveFileW MSetCurrentDirectoryW êGetFileAttributesW CreateDirectoryW GetLastError aSetFileAttributesW ²Sleep “GetTickCount ðGetFileSize GetModuleFileNameW ÀGetCurrentProcess ExitProcess u CopyFileW ¯GetWindowsDirectoryW …GetTempPathW ‡GetCommandLineW XSetErrorMode JlstrcpynA NlstrlenW KlstrcpynW ÏGetDiskFreeSpaceW ÅGlobalUnlock ¾GlobalLock µ CreateThread ?LoadLibraryW ¨ CreateProcessW DlstrcmpiA CreateFileW ƒGetTempFileNameW ?lstrcatW 9LeaveCriticalSection î EnterCriticalSection EGetProcAddress <LoadLibraryA GetModuleHandleA €OpenProcess HlstrcpyW ¤GetVersionExW pGetSystemDirectoryW ¢GetVersion GlstrcpyA RemoveDirectoryW YSetEvent ÅGetCurrentThreadId ÖUnmapViewOfFile … CreateEventW WMapViewOfFile Œ CreateFileMappingW ŠOutputDebugStringW ‰OutputDebugStringA ÁGetCurrentProcessId GetLocalTime ÜGetEnvironmentVariableW âInitializeCriticalSection ½SystemTimeToFileTime wGetSystemTime ÁGlobalReAlloc ãInitializeCriticalSectionAndSpinCount WFlushFileBuffers KERNEL32.dll Ü EndPaint Ð DrawTextW ö FillRect GetClientRect BeginPaint œ DefWindowProcW |SendMessageW ¾InvalidateRect Ø EnableWindow !GetDC ïLoadImageW ÄSetWindowLongW 'GetDlgItem ÛIsWindow ù FindWindowExW {SendMessageTimeoutW 3wsprintfW ßShowWindow 
“SetForegroundWindow 7PostQuitMessage ËSetWindowTextW »SetTimer c CreateDialogParamW ¦ DestroyWindow õ ExitWindowsEx 1 CharNextW {GetSysColor –GetWindowLongW ˆSetCursor ëLoadCursorW > CheckDlgButton GetAsyncKeyState ÎIsDlgButtonChecked mScreenToClient [GetMessagePos CallWindowProcW àIsWindowVisible çLoadBitmapW I CloseClipboard †SetClipboardData Õ EmptyClipboard &OpenClipboard öTrackPopupMenu œGetWindowRect AppendMenuW k CreatePopupMenu ~GetSystemMetrics Ú EndDialog Ö EnableMenuItem }GetSystemMenu „SetClassLongW ÜIsWindowEnabled ÆSetWindowPos ¬ DialogBoxParamW GetClassInfoW n CreateWindowExW ìSystemParametersInfoW NRegisterClassW SetDlgItemTextW *GetDlgItemTextW MessageBoxIndirectW / CharNextA < CharUpperW 4 CharPrevW 5wvsprintfW ¯ DispatchMessageW 3PeekMessageW 2wsprintfA USER32.dll wSelectObject ¦SetTextColor SetBkMode @ CreateFontIndirectW , CreateBrushIndirect æ DeleteObject ËGetDeviceCaps ~SetBkColor GDI32.dll ¬ SHFileOperationW "ShellExecuteW ½ SHGetFileInfoW × SHGetPathFromIDListW { SHBrowseForFolderW ß SHGetSpecialFolderLocation à SHGetFolderPathW SHELL32.dll DRegDeleteKeyW 0RegCloseKey PRegEnumKeyW aRegOpenKeyExW RRegEnumValueW nRegQueryValueExW ~RegSetValueExW 9RegCreateKeyExW HRegDeleteValueW ADVAPI32.dll T ImageList_Destroy O ImageList_AddMasked S ImageList_Create COMCTL32.dll CoCreateInstance IOleUninitialize 2OleInitialize h CoTaskMemFree ole32.dll VerQueryValueW GetFileVersionInfoW GetFileVersionInfoSizeW VERSION.dll k InternetCloseHandle Y HttpQueryInfoA [ HttpSendRequestA W HttpOpenRequestA r InternetConnectW š InternetOpenW WININET.dll : PathCombineW SHLWAPI.dll encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.1-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" 
version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly F i l e s à C o m m o n F i l e s D i r à\ C o m m o n F i l e s à¥4 à€\ 3 0 . 4 . 2 2 0 W r i t e a c c e s s t o f o l d e r i s o k . D o n ' t n e e d e l e v a t i o n . N O E r r o r s w r i t i n g t o f o l d e r . N e e d e l e v a t i o n Y E S à€ à€ à€ à€ > > > L o g f r o m à€\ D r o p b o x . e x e à€\ D r o p b o x . e x e . l o g 1 1 0 0 1 0 2 3 E X E l o g : à€ à € à€ à€ " - 1 / I n s t a l l T y p e : à€ à€ à€à€ ' ` U S E R M A C H I N E / D B D a t a : à,€ S o f t w a r e \ D r o p b o x U p d a t e \ U p d a t e u i d D r o p b o x U p d a t e M a n a g e r u s e r i d : à € % D B D E V _ R U N _ T Y P E % R u n T y p e : à € à€ à\ D r o p b o x \ C l i e n t > > > E n d s W i t h : S t r i n g = à€, P a t t e r n = à € - à€ > > > E n d s W i t h : R e s u l t = à € C l i c k U n i n s t a l l t o r e m o v e D r o p b o x f r o m y o u r c o m p u t e r . à € 0 x 0 0 0 C à"€ # 3 2 7 7 0 à€ à.€ 1 0 0 6 1 0 2 9 1 0 0 0 à2€ 1 0 0 4 1 0 2 7 1 0 1 6 1 0 3 7 7 0 0 à!€ 0 x 0 0 3 0 1 0 3 8 à€\ m o d e r n - h e a d e r . b m p 1 0 3 4 à#€ 1 0 3 9 à$€ 1 0 2 8 à&€ 1 2 5 6 à%€ à € 1 0 3 5 1 0 4 5 % D B D E V _ A U T O _ N O _ E L E V A T I O N % ! ! 
A U T O M A T I O N : S k i p p i n g e l e v a t i o n 1 2 2 3 à€\ U A C . d l l R u n E l e v a t e d D r o p b o x u n i n s t a l l e r r e q u i r e s a d m i n p r i v i l e g e s , t r y a g a i n D r o p b o x u n i n s t a l l e r r e q u i r e s a d m i n p r i v i l e g e s , a b o r t i n g ! L o g o n s e r v i c e n o t r u n n i n g , a b o r t i n g ! U n a b l e t o e l e v a t e , e r r o r à € 1 0 6 2 " à€\ D r o p b o x . e x e " / k i l l d a t a / I n s t a l l T y p e : à,€ " à\ D r o p b o x \ U p d a t e \ D r o p b o x U p d a t e . e x e " / u n i n s t a l l " à\ D r o p b o x \ U p d a t e \ D r o p b o x U p d a t e . e x e " / u n i n s t a l l D r o p b o x \ b i n D r o p b o x \ \ b i n D r o p b o x \ \ C l i e n t \ à€\ O l d B i n a r i e s à€\ O l d B i n a r i e s \ b i n _ 3 0 . 4 . 2 2 à€- > à€\ O l d B i n a r i e s \ b i n _ 3 0 . 4 . 2 2 R e m o v i n g A p p D a t a d i r e c t o r y à#\ D r o p b o x F a i l e d t o r e m o v e A p p D a t a D i r e c t o r y à#\ D r o p b o x U n I n s t a l l D r o p b o x " à€\ D r o p b o x . e x e " / s e l f _ u n i n s t a l l / I n s t a l l T y p e : à,€ / K i l l E v e r y o n e : Y E S U n i n s t a l l D r o p b o x f a i l e d ( r e t : à €) à7€ à\ D r o p b o x à€ E x e c C o d e S e g m e n t U n i n s t a l l > > > U n i n s t a l l à€ > > > U n I n s t a l l d o n e à€ E r r o r ! C a n ' t i n i t i a l i z e p l u g - i n s d i r e c t o r y . P l e a s e t r y a g a i n l a t e r . 3 2 3 à€\ à€u _ . e x e " à€\ à€u _ . e x e " à € _ ? = à€\ à$$\ w i n i n i t . i n i à€ U n i n s t a l l C a n ' t w r i t e : C o u l d n o t f i n d s y m b o l : C o u l d n o t l o a d : C r e a t e f o l d e r : C r e a t e d u n i n s t a l l e r : D e l e t e f i l e : D e l e t e o n r e b o o t : E r r o r c r e a t i n g : E r r o r d e c o m p r e s s i n g d a t a ! C o r r u p t e d i n s t a l l e r ? 
E x e c u t e : E x t r a c t : E x t r a c t : e r r o r w r i t i n g t o f i l e I n s t a l l e r c o r r u p t e d : i n v a l i d o p c o d e N o O L E f o r : O u t p u t f o l d e r : R e m o v e f o l d e r : R e n a m e o n r e b o o t : R e n a m e : S k i p p e d : C o p y D e t a i l s T o C l i p b o a r d U n i n s t a l l D r o p b o x R e m o v e D r o p b o x f r o m y o u r c o m p u t e r . U n i n s t a l l i n g P l e a s e w a i t w h i l e D r o p b o x i s b e i n g u n i n s t a l l e d . D r o p b o x U n i n s t a l l e d D r o p b o x h a s b e e n r e m o v e d f r o m t h i s c o m p u t e r . U n i n s t a l l F a i l e d D r o p b o x f a i l e d t o u n i n s t a l l . M S S h e l l D l g E r r o r o p e n i n g f i l e f o r w r i t i n g : à € C l i c k A b o r t t o s t o p t h e i n s t a l l a t i o n , R e t r y t o t r y a g a i n , o r I g n o r e t o s k i p t h i s f i l e . C u s t o m C a n c e l < & B a c k & U n i n s t a l l C l i c k U n i n s t a l l t o s t a r t t h e u n i n s t a l l a t i o n . S h o w & d e t a i l s C o m p l e t e d & N e x t > C l i c k N e x t t o c o n t i n u e . & C l o s e R u n t h e p r o g r a m a s t h e & f o l l o w i n g u s e r : & C u r r e n t u s e r ( % s ) Y o u m a y n o t h a v e t h e n e c e s s a r y p e r m i s s i o n s t o u s e a l l t h e f e a t u r e s o f t h e p r o g r a m y o u a r e a b o u t t o r u n . Y o u m a y r u n t h i s p r o g r a m a s a d i f f e r e n t u s e r o r c o n t i n u e t o r u n t h e p r o g r a m a s t h e c u r r e n t u s e r . R u n a s S H E L L 3 2 . d l l ? 
M y R u n A s S t r i n g s H i d e C u r r U s e r O p t M y R u n A s C f g D i s a b l e C u r r U s e r O p t C a n c e l O K P w d U s e r n a m e O p t O t h e r U s e r O p t C u r r U s e r H e l p T e x t D l g T i t l e l n g % s % s % s % u N S I S U A C I P C S y s C r e d e n t i a l # 3 2 7 7 0 GetUserNameExW CreateProcessWithLogonW SECUR32 GetUserNameW CheckTokenMembership EqualSid FreeSid AllocateAndInitializeSid GetTokenInformation OpenThreadToken OpenProcessToken AllowSetForegroundWindow U S E R 3 2 AdvAPI32 % s % s % s % s % s " S W _ S H O W N O R M A L S W _ M I N I M I Z E S W _ M A X I M I Z E S W _ R E S T O R E S W _ S H O W S W _ H I D E E n a b l e L U A S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ P o l i c i e s \ S y s t e m s e c l o g o n B u t t o n / U A C : % X / N C R C % s r u n a s S H E L L 3 2 SHGetFolderPathW GlobalAlloc ŒGlobalFree ùGetModuleHandleW GetPrivateProfileStringW GetPrivateProfileIntW õGetModuleFileNameW ìSetLastError C CloseHandle ýLocalFree HFormatMessageW æGetLastError — CreateProcessW ¶lstrlenW ³lstrcpynW lstrcmpiW vGetVersionExW GetCurrentThreadId ôLoadLibraryW GetProcAddress ñLoadLibraryA ÅGetExitCodeProcess dWaitForSingleObject Ô DuplicateHandle !Sleep ªGetCurrentProcessId £ CreateThread pGetCommandLineW LFreeLibrary 3OpenProcess KERNEL32.dll cSendMessageW GetDlgItem äLoadStringW wsprintfW ¬SetWindowTextW ¸ShowWindow Ñ EnableWindow ‚GetWindowLongW DestroyWindow ÙLoadImageW ¥SetWindowLongW Ó EndDialog ÿMessageBoxW ¦ DialogBoxParamW / CharNextW ÙUnhookWindowsHookEx CallNextHookEx GetClassNameW °SetWindowsHookExW bSendMessageTimeoutW üWaitForInputIdle – DefWindowProcW PostMessageW 8GetLastActivePopup PostQuitMessage zSetForegroundWindow © DispatchMessageW NGetMessageW h CreateWindowExW 6RegisterClassW ßUnregisterClassW GetWindowTextW ÕTranslateMessage ¹IsDialogMessageW PeekMessageW MsgWaitForMultipleObjects ÅIsWindow GetWindowThreadProcessId USER32.dll *RegCloseKey 
hRegQueryValueExW [RegOpenKeyExW "QueryServiceStatus õOpenServiceW S CloseServiceHandle óOpenSCManagerW AdjustTokenPrivileges LookupPrivilegeValueA ñOpenProcessToken ADVAPI32.dll ShellExecuteExW º SHGetFileInfoW SHELL32.dll k CoUninitialize = CoInitialize CoCreateInstance ole32.dll “$U Dv ¸u ðu (v e Ì] Ce îe /i Öi ùf ‘g mc |e µe ^ |f ok Lv Qv av jv {v ˆv ›v £v ¶v Âv Ìv Úv äv ðv UAC.dll Exec ExecCodeSegment ExecWait GetElevationType GetOuterHwnd GetShellFolderPath IsAdmin ResolveShortcutDir RunElevated ShellExec ShellExecWait StackPush SupportsUAC Unload
-
Farbar Recovery Scan Tool (x86) Version: 29-07-2017
Ran by Admin (29-07-2017 04:02:01)
Running from C:\Users\Admin\Downloads
Boot Mode: Normal

================== Search Registry: "localserver32" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020800-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020800-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkGRAPHFiles>tW{~$4Q]c@`hQRuxaTO5 /automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020803-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020803-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkGRAPHFiles>tW{~$4Q]c@`hQRuxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 /automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020821-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020827-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020830-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020832-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020833-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020833-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020907-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209FE-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /Automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /Automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020D09-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002123D-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002123D-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 /Automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 /automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024502-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00024502-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkGRAPHFiles>tW{~$4Q]c@`hQRuxaTO5 /automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002CE02-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002CE02-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVN)8A$!!!!!MKKSkEquationEditorFilesIntl_1033>BoT]jI{jf(=1&L[-81-]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F005-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F006-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F011-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F01E-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F01F-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F01F-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F020-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F023-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F023-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F024-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F030-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F031-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F031-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F032-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F032-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F033-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F033-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F03A-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F03A-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04A-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04B-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04C-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04D-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04E-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F04F-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F050-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F051-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F053-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F054-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F055-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F056-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F057-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F058-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F059-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F065-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F065-0000-0000-C000-000000000046}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOUTLOOKFiles>tW{~$4Q]c@zPX6FxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F067-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F068-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0006F071-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C1237-0000-0000-C000-000000000046}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{002ABED4-2017-444D-813A-002CC1F8D10B}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0039FFEC-A022-4232-8274-6B34787BFC27}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0039FFEC-A022-4232-8274-6B34787BFC27}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkOneNoteFiles>tW{~$4Q]c@DsjRPxaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6A621-72A1-47AF-B86A-9E65C9C72A95}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00B90832-DA6C-47D7-9632-8B0727DE0597}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00f2b433-44e4-4d88-b2b0-2698a0a91dba}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{016B931D-8430-4988-8510-C69C214CFF32}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0228576F-6E6C-4E1A-B175-0E46A316AFE2}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{031EE060-67BC-460d-8847-E4A7C5E45A27}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837511-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837513-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0383751C-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837521-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837525-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837526-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837527-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837528-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837529-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837530-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837531-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837532-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837538-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837539-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837546-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03837547-098B-11D8-9414-505054503030}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{047ea9a0-93bb-415f-a1c3-d7aeb3dd5087}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{069501DC-D776-4778-8C76-81D7A3DFFBB7}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{078AEF33-C48A-49F7-AFF3-A0EE810BFE7C}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07A774A0-6047-11D1-BA20-006097D2898E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09FD2EFF-5669-11D3-B65F-00C04F8EF32D}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09FD2EFF-5669-11D3-B65F-00C04F8EF32D}\LocalServer32]
"LocalServer32"="vUpAVX!!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 /Automation"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B78978D-2A7A-4B34-99C0-5A0F0E730DC2}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C776A5A-FC42-4870-8D65-D62ADD9184FF}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0c98b8bc-273c-464d-938a-b9709607e137}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1202DB60-1DAC-42C5-AED5-1ABDD432248E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12E3793C-7C3C-4C00-BC4E-C79849B3F430}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A1F4206-0688-4E7F-BE03-D82EC69DF9A5}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B462D7B-72D8-4544-ACC1-D84E5B9A8A14}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C749B87-568C-4865-8E73-6413F8372CE6}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CDC7D25-5AA3-4DC4-8E0C-91524280F806}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CDC7D25-5AA3-4DC4-8E0C-91524280F806}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F602FC8-A070-42E8-BEB3-0AD207182DD4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F87137D-0E7C-44d5-8C73-4EFFB68962F2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21E17C2F-AD3A-4b89-841F-09CFE02D16B7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22148139-F1FC-4EB0-B237-DFCD8A38EFFC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22148139-F1FC-4EB0-B237-DFCD8A38EFFC}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOneNoteFiles>tW{~$4Q]c@DsjRPxaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25B25D91-69A2-47fa-A375-FDC98189A06F}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25E8A7CA-5874-4F85-BC00-35210131C444}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{266C72E7-62E8-11D1-AD89-00C04FD8FDFF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{272EE351-67B1-45C4-87B5-90F8D450257B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D3AC5E6-D557-42EE-AB8A-F95239E9939F}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32BA16FD-77D9-4AFB-9C9F-703E92AD4BFF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33A86FA9-EBB6-449A-81A2-2BC3B2527A49}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3630AB4B-C0D2-4C1B-B7E7-73A2CF9A4521}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B191048-B0AD-4CFE-902C-F51140AA77ED}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C3A70A7-A468-49B9-8ADA-28E11FCCAD5D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3eef301f-b596-4c0b-bd92-013beafce793}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FCB7074-EC9E-4AAF-9BE3-C0E356942366}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40CB6EA0-AB2A-45F8-BA45-2DC7756A7B49}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44da8435-b187-4dd6-8f32-9341eb7e4c3c}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45597c98-80f6-4549-84ff-752cf55e2d29}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E1B01B-5619-4898-8714-DD1897BA07B2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49010C18-B110-421a-9047-ADCA421CBC40}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{494C063B-1024-4DD1-89D3-713784E82044}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49B2791A-B1AE-4C90-9B8E-E860BA07F889}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{49BD2028-1523-11D1-AD79-00C04FD8FDFF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B39F507-4D1F-4d40-8517-6E0E8CADD515}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{509443A8-B499-4d72-9222-52B82980D8AB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59A7120F-AA86-4A1F-9CFC-CB8A85E7E11C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5cc76543-0f98-47a8-afa2-208562ef9454}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5f4baad0-4d59-4fcd-b213-783ce7a92f22}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6295DF2D-35EE-11D1-8707-00C04FD93327}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6316D324-2238-101B-9E66-00AA003BA905}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6316D324-2238-101B-9E66-00AA003BA905}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOutlookMAPI2>cy?1KY)nJA_a5O?ysm'," [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{65235197-874B-4A07-BDC5-E65EA825B718}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6570B2AA-1F63-4959-9D98-C12ABB483DFC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{682159d9-c321-47ca-b3f1-30e36b2ec8b9}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68B0FCC1-D874-4C12-B17E-6D45594C5973}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69127644-2511-4DF5-BC6A-26178254AA40}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B7F33AC-D91D-4563-BF36-0ACCB24E66FB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6d8ff8e0-730d-11d4-bf42-00b0d0118b56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6d8ff8e8-730d-11d4-bf42-00b0d0118b56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E7D4AE2-770B-4F0D-9365-FEAD8DED17CD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7160A13D-73DA-4CEA-95B9-37356478588A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722b3793-5367-4446-b6bb-db89b05c1f24}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q]c@jkO)AxaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{75dff2b7-6936-4c06-a8bb-676a7b00b24b}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{767A19A0-3CC7-415B-9D08-D48DD7B8557D}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{767A19A0-3CC7-415B-9D08-D48DD7B8557D}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7AB36653-1796-484B-BDFA-E74F1DB7C1DC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7B33B0B5-F719-4B0B-B48A-0B8F20CA08A5}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7EA9A8FA-F5D2-49E1-99E8-C26EE07FCEEB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6316B4-4D69-4765-B0A3-B2598F2FA80A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{80756358-5146-11D5-A672-00B0D022E945}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8075635F-5146-11D5-A672-00B0D022E945}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8086ebd4-43e3-4b19-beb3-f0ea4ecf319c}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8144B6F5-20A8-444a-B8EE-19DF0BB84BDB}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81F9417F-B186-4BB0-AE2B-AB574859E5CC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82780E93-DEDB-4666-8CEF-E83D451CC53E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84F66100-FF7C-4fb4-B0C0-02CD7FB668FE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87C2B672-22F9-4956-BA84-ADE98273128E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{884e2049-217d-11da-b2a4-000e7bbb2b09}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{884e2050-217d-11da-b2a4-000e7bbb2b09}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8881050C-764C-4C21-ABB5-4AFD7BC1641E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D8B8E30-C451-421B-8553-D2976AFA648C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5 /AUTOMATION" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94E03510-31B9-47a0-A44E-E932AC86BB17}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95142bf8-5f09-452b-b384-44af84a500c6}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98068995-54d2-4136-9bc9-6dbcb0a4683f}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{999276E0-DA71-4743-8F02-0AB0A2D65558}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9a97f12a-6b73-4dc4-b3c1-e9244c03adac}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9acf41ed-d457-4cc1-941b-ab02c26e4686}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B908879-E03F-4D0C-ACB3-9065B1155460}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9CDC7B1E-53E4-477f-B05E-50C87D3FFA56}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9EB4C4CB-74C2-4BE9-AA5D-8249F16020AD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1E6E578-A831-4803-8DC3-433843B1E19C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A24BCC4A-448D-41CA-92BB-3DC15D81C16C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A354BD60-4C0A-11d3-B561-00A0C92E6848}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A4E118DF-B9E5-4B42-888C-065CEAF8DDC3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A55803CC-4D53-404c-8557-FD63DBA95D24}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5B020FD-E04B-4e67-B65A-E7DEED25B2CF}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a677570a-2ba2-4e9a-b2e2-8a02cd8b4fd3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6C13C9D-54E1-44FC-82F0-DBE2C843E51A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a8298e0c-7201-470e-84d5-728cff85bcbf}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8CB1D55-99DE-4448-AA2B-69883DEB3037}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{aac1009f-ab33-48f9-9a21-7f5b88426a2e}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB93B6F1-BE76-4185-A488-A9001B105B94}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADBE6DEC-9B04-4A3D-A09C-4BB38EF1351C}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEE3E4A8-EF01-4024-A0F1-809D9B096E14}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF6652B6-3FCC-4D1E-8519-F3B33F733FE7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF9618A1-49AB-44BA-92FD-567DE7D2D4E2}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B20A2538-5E52-4F66-81D9-0B5DEEEEB667}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B43A0C1E-B63F-4691-B68F-CD807A45DA01}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B801CA65-A1FC-11D0-85AD-444553540000}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8558612-DF5E-4F95-BB81-8E910B327FB2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8fb4ad7-ea4a-4b47-bfdc-bfc94160a8ea}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB2B65B0-241E-101B-9E67-00AA003BA905}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB2B65B0-241E-101B-9E67-00AA003BA905}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOutlookMAPI2>cy?1KY)nJA_a5O?ysm'," [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC7ADC2B-CC8C-48d2-A820-1BC605B0D3C7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD170270-BA64-48D0-9664-851EF6B723D3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bdb57ff2-79b9-4205-9447-f5fe85f37312}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C071C982-2EB2-4D3A-9821-E4B31B0142C8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C0B3C446-3032-4016-926F-9BAE48BEBFBE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2A723EC-9C68-42C6-9BEA-52D103661409}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2BFE331-6739-4270-86C9-493D9A04CD38}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C332C124-340D-4430-AA0D-C75602876FCC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C947D50F-378E-4FF6-8835-FCB50305244D}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC957078-B838-47C4-A7CF-626E7A82FC58}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD621DE4-2AA5-4468-ADF1-087A05891DA7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cdc32574-7521-4124-90c3-8d5605a34933}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ceff45ee-c862-41de-aee2-a022c81eda92}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF1BF3B6-7AD0-4410-996B-C78EAFCD3269}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFEC0E62-45AF-46A7-867A-4679C7A7EAF3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0E55F9F-0021-42fe-A1DB-C41F5B564EFE}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D0FB58BB-2C07-492F-8BD0-A587E4874B4E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D13E3F25-1688-45A0-9743-759EB35CDF9A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3E34B21-9D75-101A-8C3D-00AA001A1652}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d54378cd-91d8-4e10-a00b-819f9a9efcb1}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBF82DC7-E750-4CCF-B09C-D8AECEF7158E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkPPTFiles>tW{~$4Q]c@Y*Gx7xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCA74850-096D-40CD-BB81-17034E51ACB6}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB2D492-5F4F-4378-8FF4-DA87062D42E3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE13E041-1416-430e-9C2F-F7A548D26B3B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF4FCC34-067A-4E0A-8352-4A1A5095346E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E05FDDED-C4A7-4338-80D7-7577655D5412}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1BA41AD-4A1D-418F-AABA-3D1196B423D3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e3a4e5ca-55b2-4a06-b1ab-8fbecc7bca4b}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E62456F4-62AC-45CB-99DE-4E0F6B6062D7}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E70C92A9-4BFD-11d1-8A95-00C04FB951F3}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E81752ED-2885-4624-AE89-5A28DB58874B}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E81752ED-2885-4624-AE89-5A28DB58874B}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkOneNoteFiles>tW{~$4Q]c@DsjRPxaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E8DF2799-8F1B-4b60-B30F-AED6BBF39625}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\LocalServer32] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ed1d0fdf-4414-470a-a56d-cfb68623fc58}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDC32B80-BB14-444C-A28B-AC4731199BC4}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2D6561-D63C-11D2-B561-00A0C92E6848}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1EFACAA-08A1-461B-9D28-7AA8947889A0}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\LocalServer32] "LocalServer32"="vUpAVX!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F4E6633D-3404-4F4E-90EE-4B1A336F14CD}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fb479c02-9ec4-4fed-8599-debe037452cb}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9617F6-E606-42AA-BECC-0E9CDA246D63}\LocalServer32] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\LocalServer32] 
[HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\LocalServer32] [HKEY_USERS\S-1-5-21-930870075-797504210-1653396246-1000\Software\Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\LocalServer32] ====== End of Search ======
-
It appears to be from the program Rogue Killer, which I happened to install myself recently.

BEGIN BM telemetry
GUID:{5E8C7AC0-A2E7-A1C7-5A65-24511226A586}
TelemetryName:Behavior:Win32/Critroni.B
SignatureID:103025085780290
ProcessID:3508
ProcessCreationTime:131457680341817281
SessionID:1
CreationTime:07-29-2017 14:26:52
ImagePath:C:\Program Files\RogueKiller\RogueKiller.exe
ImagePathHash:98FF49F55CDAC9B499EAFFD4BB852E5D422F6812A3F992B840007EE8D1585AD6
TargetFileName:C:\Users\Admin\AppData\Local\Temp\Paizhao.exe.dmp
END BM telemetry
BEGIN BM telemetry
GUID:{7F16FF8D-DE51-825E-BA05-101F69F68D0A}
TelemetryName:Behavior:Win32/EMSGen
SignatureID:51347397088536
ProcessID:3508
ProcessCreationTime:131457680341817281
SessionID:1
CreationTime:07-29-2017 14:26:54
ImagePath:C:\Program Files\RogueKiller\RogueKiller.exe
END BM telemetry
2017-07-29T02:26:56.695Z MAPS Report Send (hr=0x0 httpcode=200)
2017-07-29T02:26:57.787Z Dynamic signature received
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\8f005564c3e2df8efd7bb92059d18708f444959c
Dynamic Signature Compilation Timestamp:07-29-2017 14:26:27
Persistence Type:Duration
Time remaining:288000000
2017-07-29T02:26:57.803Z MAPS Report Send (hr=0x0 httpcode=200)
2017-07-29T02:26:59.675Z MAPS Report Send (hr=0x0 httpcode=200)
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\525ccd79f0a813ed173cf225bdc9c65f990598c4
Dynamic Signature Compilation Timestamp:07-29-2017 14:26:30
Persistence Type:Duration
Time remaining:288000000
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\\RtSigs\Data\b1cf608fd63528b747eeccf2b0781ab89dd17959
Dynamic Signature Compilation Timestamp:07-29-2017 14:26:30
Persistence Type:Duration
Time remaining:288000000
2017-07-29T02:26:59.784Z MAPS Report Send (hr=0x0 httpcode=200)
2017-07-29T02:26:59.956Z DETECTIONEVENT Behavior:Win32/Powessere.D behavior:pid:3508:50247080127395;internalbehavior:34ACEB5447D578FD94DEAB30BC3E88C5;process:pid:3508,ProcessStart:131457680341817281;
2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D behavior:pid:3508:50247080127395
2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D internalbehavior:34ACEB5447D578FD94DEAB30BC3E88C5
2017-07-29T02:27:00.268Z DETECTION_ADD Behavior:Win32/Powessere.D process:pid:3508,ProcessStart:131457680341817281
Begin Resource Scan
Scan ID:{DB57CAE8-35E3-4EFC-BA09-751FF2A3DA63}
Scan Source:8
Start Time:07-29-2017 14:26:59
End Time:07-29-2017 14:26:59
Explicit resource to scan
Resource Schema:internalbehavior
Resource Path:34ACEB5447D578FD94DEAB30BC3E88C5
Result Count:1
Threat Name:Behavior:Win32/Powessere.D
ID:2147690011
Severity:5
Number of Resources:3
Resource Schema:process
Resource Path:pid:3508,ProcessStart:131457680341817281
Extended Info:50247080127395
Resource Schema:behavior
Resource Path:pid:3508:50247080127395
Extended Info:0
Resource Schema:internalbehavior
Resource Path:34ACEB5447D578FD94DEAB30BC3E88C5
Extended Info:50247080127395
End Scan