dllhost.exe COM surrogate problem

Re: dllhost.exe COM surrogate problem

Post by lynda » November 2nd, 2014, 11:15 pm

Step 2: No malicious items were detected.
lynda
Regular Member
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Post by lynda » November 3rd, 2014, 12:18 am

Step 3: results of ESET Scan:

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\ProgramData\Updater\Uninstall.exe.vir multiple threats
C:\Windows\Installer\MSID7EA.tmp a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Post by lynda » November 3rd, 2014, 12:19 am

No changes in behavior
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Post by pgmigg » November 3rd, 2014, 5:17 pm

Hello lynda,

No changes in behavior
It is not good! :( Sorry for the delay - additional research was needed...

Please do the following:

Please download ComboFix.exe... © Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix.
Please disable any Antivirus or Firewall you have active, as shown in this topic. Close all open application windows.

  1. Double click the ComboFix.exe icon on your desktop to begin execution. If you receive the "Open File - Security Warning"... press Run.
  2. Press I Agree to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    ComboFix may reboot your computer; allow this and follow all directions given.
    When finished... Notepad will open ... ComboFix will produce a log file called "ComboFix.txt".
  3. Please copy/paste the contents of ComboFix.txt... in your next reply.
Do NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read ComboFix's Disclaimer.


** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the ComboFix.txt log file
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3186
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

Re: dllhost.exe COM surrogate problem

Post by lynda » November 3rd, 2014, 6:52 pm

A: no problems
C: the issue seems to be contained. However, after the reboot I do not have all my tasks running in the task tray. To re-enable Virus Protection I had to go to the control panel (for example). I also notice a lot of svchost.exe processes running in the task manager. Not sure if those are bad or not, but wanted you to know.
B: results.
ComboFix 14-10-29.01 - Dworaks 11/03/2014 16:29:00.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6062.4153 [GMT -6:00]
Running from: c:\users\Dworaks\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\@system.att
c:\programdata\@system2.att
c:\windows\SysWow64\u
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct:
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
(Default) REG_SZ Thumbnail Cache Class Factory for Out of Proc Server
AppID REG_SZ {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
(Default) REG_SZ c:\windows\system32\thumbcache.dll
ThreadingModel REG_SZ Apartment
.
.
((((((((((((((((((((((((( Files Created from 2014-10-03 to 2014-11-03 )))))))))))))))))))))))))))))))
.
.
2014-11-03 22:37 . 2014-11-03 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-03 03:19 . 2014-11-03 03:19 -------- d-----w- c:\program files (x86)\ESET
2014-11-03 03:16 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{538EA532-1806-4F35-AA66-F44D793BBE68}\mpengine.dll
2014-11-01 19:45 . 2014-11-03 03:40 -------- d-----w- c:\users\Dworaks\AppData\Local\CrashDumps
2014-11-01 19:27 . 2014-11-01 19:27 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-11-01 19:27 . 2014-11-01 19:27 -------- d-----w- c:\programdata\RogueKiller
2014-11-01 14:50 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-31 16:16 . 2014-11-03 22:37 -------- d-----w- c:\users\Dworaks\AppData\Local\Temp
2014-10-31 16:06 . 2014-10-31 16:14 -------- d-----w- C:\zoek_backup
2014-10-31 12:26 . 2014-11-02 11:09 -------- d-----w- C:\_OTL
2014-10-30 21:47 . 2014-10-30 21:47 -------- d-----w- c:\windows\ERUNT
2014-10-30 21:21 . 2014-10-30 22:26 -------- d-----w- C:\AdwCleaner
2014-10-29 00:02 . 2014-10-29 00:04 -------- d-----w- C:\FRST
2014-10-28 22:40 . 2014-10-28 22:40 -------- d-----w- c:\users\Dworaks\AppData\Roaming\ProductData
2014-10-28 12:48 . 2014-10-30 20:52 -------- d-----w- c:\program files (x86)\AVG Web TuneUp
2014-10-28 04:13 . 2014-10-28 04:13 -------- d-----w- c:\users\Dworaks\AppData\Roaming\TuneUp Software
2014-10-28 02:56 . 2014-10-30 21:05 -------- d-----w- c:\programdata\MFAData
2014-10-28 02:56 . 2014-10-28 02:56 -------- d-----w- c:\users\Dworaks\AppData\Local\MFAData
2014-10-28 02:29 . 2014-11-03 22:39 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-28 02:28 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-28 02:28 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-28 02:28 . 2014-10-28 02:28 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-10-28 02:28 . 2014-10-28 02:28 -------- d-----w- c:\programdata\Malwarebytes
2014-10-28 02:28 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-27 22:54 . 2014-10-27 22:55 -------- d--h--w- c:\programdata\CanonIJMIG
2014-10-27 22:54 . 2014-10-27 22:54 -------- d--h--w- c:\programdata\CanonIJQuickMenu
2014-10-27 22:51 . 2014-10-27 22:52 -------- d--h--w- c:\programdata\CanonIJScan
2014-10-27 22:51 . 2014-10-27 22:54 -------- d-----w- c:\users\Dworaks\AppData\Roaming\canon
2014-10-27 22:51 . 2014-11-02 13:48 -------- d-----w- c:\programdata\CanonIJPLM
2014-10-27 22:50 . 2014-10-27 22:50 -------- d-----w- c:\programdata\Canon IJ Network Tool
2014-10-27 22:50 . 2013-02-04 20:10 321536 ----a-w- c:\windows\SysWow64\CNC_BUL.dll
2014-10-27 22:50 . 2008-08-25 23:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2014-10-27 22:49 . 2014-10-27 22:49 -------- d-----w- c:\windows\system32\STRING
2014-10-27 22:49 . 2013-01-24 21:24 39424 ----a-w- c:\windows\system32\CNMN6UI.DLL
2014-10-27 22:49 . 2013-01-24 21:24 359936 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2014-10-27 22:49 . 2013-01-24 21:23 366592 ----a-w- c:\windows\SysWow64\CNMNPPM.DLL
2014-10-27 22:46 . 2014-10-27 22:46 -------- d-----w- c:\programdata\CanonIJWSpt
2014-10-27 22:29 . 2014-10-27 22:48 -------- d-----w- c:\program files\Canon
2014-10-27 21:33 . 2014-10-27 22:52 -------- d-----w- c:\program files (x86)\Canon
2014-10-26 22:54 . 2014-10-28 02:46 -------- d-----w- c:\users\Dworaks\AppData\Roaming\Ushafehu
2014-10-25 22:31 . 2014-10-25 22:31 0 ----a-w- c:\windows\system32\iaowsy.dll
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files\iPod
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files\iTunes
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files (x86)\iTunes
2014-10-15 07:27 . 2014-09-04 05:23 424448 ----a-w- c:\windows\system32\rastls.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-30 11:25 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-10-27 10:34 . 2014-10-27 10:34 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-10-03 15:02 . 2013-12-31 17:17 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-09-26 13:03 . 2013-08-08 22:51 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-25 02:08 . 2014-09-30 18:32 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-09-30 18:32 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-24 01:16 . 2013-08-01 12:37 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-24 01:16 . 2013-08-01 12:37 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-17 01:36 . 2014-10-02 13:28 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{088848B9-2884-48CD-A8AC-B8E99CE8B98F}\gapaengine.dll
2014-09-17 01:36 . 2013-08-22 13:43 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-09 22:11 . 2014-09-24 01:28 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-24 01:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-07 14:32 . 2012-07-17 19:37 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-23 02:07 . 2014-08-27 17:49 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-27 17:49 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fitbit Service Monitor"="c:\program files (x86)\Fitbit\fitbit-tray.exe" [2012-06-22 2177056]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2014-09-24 3600216]
"Fitbit Connect"="c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe" [2013-10-02 3264544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2013-02-22 292088]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-06-07 56128]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2013-06-14 395656]
"Redirector"="c:\program files (x86)\Citrix\ICA Client\redirector.exe" [2013-06-14 153992]
"Fitbit Connect"="c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe" [2013-10-02 3264544]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2014-03-25 1284680]
"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2013-02-19 453736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [x]
R3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;c:\program files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [x]
S2 Fitbit Connect;Fitbit Connect Service;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe [x]
S2 Fitbit;Fitbit Data Uploader;c:\program files (x86)\Fitbit\fitbit.exe;c:\program files (x86)\Fitbit\fitbit.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 PbaDrvSvc_x64;Dell PBA x64 Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe [x]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [x]
S3 dcdbas;System Management Driver;c:\windows\system32\DRIVERS\dcdbas64.sys;c:\windows\SYSNATIVE\DRIVERS\dcdbas64.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys;c:\windows\SYSNATIVE\drivers\SiUSBXp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-01 01:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2013-03-05 19:32 136024 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2013-03-05 19:32 136024 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2013-08-15 2908888]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2013-03-05 371024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
"Greenshot"="c:\program files\Greenshot\Greenshot.exe" [2012-10-31 462848]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-06-03 172016]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-06-03 399856]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-06-03 442352]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page =
uInternet Settings,ProxyOverride = <-loopback>
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 8.8.8.8 97.64.168.12 97.64.183.165
FF - ProfilePath - c:\users\Dworaks\AppData\Roaming\Mozilla\Firefox\Profiles\0jdc2wdu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-CitrixReceiver - c:\programdata\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
BHO-{10921475-03CE-4E04-90CE-E2E7EF20C814} - c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
AddRemove-FITBIT&10C4&84C4 - c:\program files (x86)\Fitbit\Base Station\DriverUninstaller.exe USBXpress\FITBIT&10C4&84C4
AddRemove-swtor_swtor - c:\programdata\BitRaider\brwc.exe
AddRemove-{ce085a78-074e-4823-8dc1-8a721b94b76d} - c:\programdata\Package Cache\{ce085a78-074e-4823-8dc1-8a721b94b76d}\vcredist_x86.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\SecuROM\License information*]
"datasecu"=hex:76,e7,f8,ac,83,fb,6f,de,b1,03,28,98,e5,97,85,03,4a,5e,03,23,35,
1a,90,bc,89,5f,e7,dc,55,38,ec,24,fd,d6,31,6e,fd,2a,85,8f,58,68,9f,57,67,eb,\
"rkeysecu"=hex:46,72,65,5c,77,d6,96,ee,8d,6f,79,7a,8c,c0,d6,b4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\Malwarebytes Anti-Malware\mbam.exe
c:\program files\Microsoft Office 15\Root\Office15\MsoSync.exe
.
**************************************************************************
.
Completion time: 2014-11-03 16:44:54 - machine was rebooted
ComboFix-quarantined-files.txt 2014-11-03 22:44
.
Pre-Run: 811,150,958,592 bytes free
Post-Run: 810,751,250,432 bytes free
.
- - End Of File - - 8004D2E5181803C41B53C46D3595DCD6
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm
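The ComboFix log above says the Poweliks-hijacked CLSID was removed and asks the user to "verify if current CLSID data is correct", listing the clean values. The script below is an added example of how a defender can perform that verification; it is not part of the thread, of ComboFix, or of any tool the helpers use. The CLSID, the value names and the expected data come from the log; everything else (the script structure, the extra checks for values and subkeys the clean listing does not show, the dllhost.exe count) is an assumption about how one might check. It only reads the registry and process list and changes nothing.

```powershell
# Added example, not from the thread or from ComboFix: verify that the CLSID
# ComboFix reported as Poweliks-infected now carries the stock values listed in
# the log, and report anything the clean listing does not show. Read-only.

$clsid = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'
$base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

# Expected data, copied from the ComboFix log in this thread.
$expected = @{
    "$base" = @{
        '(default)' = 'Thumbnail Cache Class Factory for Out of Proc Server'
        'AppID'     = $clsid
    }
    "$base\InprocServer32" = @{
        '(default)'      = 'c:\windows\system32\thumbcache.dll'
        'ThreadingModel' = 'Apartment'
    }
}

$findings = @()

foreach ($key in $expected.Keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        $findings += "MISSING key: $key"
        continue
    }
    $item = Get-Item -LiteralPath $key

    # Every expected value must exist and match (PowerShell -ne is
    # case-insensitive, which is what we want for file paths).
    foreach ($name in $expected[$key].Keys) {
        $regName = if ($name -eq '(default)') { '' } else { $name }
        $have = $item.GetValue($regName)
        $want = $expected[$key][$name]
        if ($null -eq $have) {
            $findings += "MISSING value: $key [$name]"
        } elseif ($have -ne $want) {
            $findings += "MISMATCH: $key [$name] is '$have', expected '$want'"
        }
    }

    # Any value the clean listing does not mention deserves a look.
    foreach ($regName in $item.GetValueNames()) {
        $label = if ($regName -eq '') { '(default)' } else { $regName }
        if (-not $expected[$key].ContainsKey($label)) {
            $findings += "UNEXPECTED value: $key [$label] = '$($item.GetValue($regName))'"
        }
    }
}

# The clean listing shows only the InprocServer32 subkey under this CLSID.
foreach ($sub in Get-ChildItem -LiteralPath $base) {
    if ($sub.PSChildName -ne 'InprocServer32') {
        $findings += "UNEXPECTED subkey: $($sub.Name)"
    }
}

# The symptom in this thread was a crowd of dllhost.exe (COM Surrogate) processes.
$dllhost = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)
Write-Output "dllhost.exe processes running: $($dllhost.Count)"

if ($findings.Count -eq 0) {
    Write-Output "CLSID $clsid matches the expected clean values."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt on the affected machine; a clean result is the single "matches the expected clean values" line together with a dllhost.exe count that stays low and stable after a reboot. Anything it reports as MISMATCH or UNEXPECTED is exactly the data the log asked the user to look at, and should be posted back to the helper rather than edited by hand.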

Re: dllhost.exe COM surrogate problem

Post by lynda » November 3rd, 2014, 7:28 pm

The computer rebooted and looks much better now. None of the dllhost.exes are running, and none of the svchost.exe either. All my system tasks are available.
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Post by pgmigg » November 4th, 2014, 1:31 am

Hello lynda,

The computer rebooted and looks much better now. None of the dllhost.exes are running, and none of the svchost.exe either. All my system tasks are available.
I am glad to read it! :D But again, we are not finished yet...

Step 1.
ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below into the window:
    (Do not include the words Code: Select all - instead, please click the Select all button next to Code: to select the entire script.)
    File::
    C:\Windows\Installer\MSID7EA.tmp
    
    reglock::
    [HKEY_USERS\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\SecuROM\License information*]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
  2. Save it to your Desktop as CFScript.txt
  3. Please disable any Antivirus and Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon which you should still have on your Desktop, as seen in the image below:
    Image
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... You can save this file to a convenient place.
  6. Restart your computer.
  7. Please copy/paste the ComboFix log file in your next reply.

Step 2.
SystemLook
You should still have SystemLook_x64.exe on your desktop.
  1. Right click on SystemLook_x64.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
    If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
  2. Highlight and copy the following entries into SystemLook's main text entry window.
    (Do not include the words Code: Select all - instead of it please click the Select all button next to Code: to select the entire script.)
    :Regfind
    AB8902B4-09CA-4bb6-B78D-A8F59079A8D5
    
  3. Press the Look button to start the scan. Please be patient - it may take a while...
    When finished, a Notepad window will open with the results of the scan.
    A file will be created (on your Desktop) with the results of the scan, named SystemLook.txt
  4. Please post the contents of the SystemLook.txt file in your next reply.

Step 3.
Fresh OTL Scan
You should still have OTL.exe on your desktop.
Important! Close all applications and windows so that you have nothing open and are at your Desktop.
  1. Right click on OTL.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  2. Under Output, ensure that Standard Output is selected.
  3. Check the boxes labeled:
    • Include 64 bit scans
    • Scan All Users
    • LOP check
    • Extra Registry > Use SafeList
  4. Click on Run Scan at the top left hand corner.
  5. When done, one Notepad file OTL.txt <-- Will be opened, maximized
  6. Please post the content of OTL.txt file ONLY in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of ComboFix log file.
  3. Contents of the SystemLook.txt log file
  4. Contents of an OTL.txt log file after the OTL fresh scan
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3186
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
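As an added illustration of what the :Regfind step in Step 2 is looking for (this script is not part of the thread and is not SystemLook's own code), the PowerShell below searches the same registry locations for the GUID pgmigg asked about and, for every CLSID or AppID registration it finds, reports which binary the class would load and whether that binary is on disk and Authenticode-signed. The list of registration roots, the value names read (AppID, DllSurrogate, TreatAs, InprocServer32, LocalServer32) and the output layout are this example's own choices; the GUID default is the one from the thread.

```powershell
# Added example (not from the forum thread or from SystemLook): a Regfind-style
# lookup of one COM GUID, reporting the server binary behind each registration.
# A class whose AppID has an empty DllSurrogate value is the kind of object
# that gets hosted inside dllhost.exe, the "COM Surrogate".
param(
    [string]$Guid = 'AB8902B4-09CA-4bb6-B78D-A8F59079A8D5'   # GUID from the thread
)

$clsid = "{$Guid}"
# Registration roots: 64-bit and 32-bit (Wow6432Node) views, machine-wide and
# per-user. A per-user HKCU registration shadows the HKLM one for that user.
$roots = @(
    'HKLM:\SOFTWARE\Classes',
    'HKLM:\SOFTWARE\Classes\Wow6432Node',
    'HKLM:\SOFTWARE\Wow6432Node\Classes',
    'HKCU:\Software\Classes',
    'HKCU:\Software\Classes\Wow6432Node'
)

function Get-DefaultValue([string]$Path) {
    # Returns the key's (Default) value, or $null if the key or the value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-Item -LiteralPath $Path).GetValue('')
}

function Describe-Binary([string]$Raw) {
    # Strips quotes and command-line arguments from a server path, then reports
    # whether the file exists and what its Authenticode signature says.
    if (-not $Raw) { return '(no server path)' }
    if ($Raw -match '^"([^"]+)"') { $file = $Matches[1] }
    elseif ($Raw -match '(?i)^(.+?\.(?:dll|exe|ocx))(\s|$)') { $file = $Matches[1] }
    else { $file = $Raw }
    $file = [Environment]::ExpandEnvironmentVariables($file)
    if (-not (Test-Path -LiteralPath $file)) { return "$file  [MISSING ON DISK]" }
    $sig = Get-AuthenticodeSignature -FilePath $file
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    return "$file  [$($sig.Status); $signer]"
}

foreach ($root in $roots) {
    $clsidKey = Join-Path $root "CLSID\$clsid"
    if (Test-Path -LiteralPath $clsidKey) {
        $props = Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue
        Write-Output "CLSID key : $clsidKey"
        Write-Output "  Name          : $(Get-DefaultValue $clsidKey)"
        Write-Output "  AppID         : $($props.AppID)"
        Write-Output "  InprocServer32: $(Describe-Binary (Get-DefaultValue "$clsidKey\InprocServer32"))"
        Write-Output "  LocalServer32 : $(Describe-Binary (Get-DefaultValue "$clsidKey\LocalServer32"))"
        # A TreatAs value silently redirects activation to a different CLSID.
        $treatAs = Get-DefaultValue "$clsidKey\TreatAs"
        if ($treatAs) { Write-Output "  TreatAs       : $treatAs  [REDIRECTS ACTIVATION - REVIEW]" }
    }

    $appIdKey = Join-Path $root "AppID\$clsid"
    if (Test-Path -LiteralPath $appIdKey) {
        $props = Get-ItemProperty -LiteralPath $appIdKey -ErrorAction SilentlyContinue
        Write-Output "AppID key : $appIdKey"
        if ($null -ne $props.DllSurrogate) {
            # Empty string = "host this class in the default surrogate, dllhost.exe";
            # a non-empty value names a custom surrogate executable.
            $surrogate = if ($props.DllSurrogate -eq '') { 'dllhost.exe (default COM Surrogate)' }
                         else { Describe-Binary $props.DllSurrogate }
            Write-Output "  DllSurrogate  : $surrogate"
        } else {
            Write-Output "  DllSurrogate  : (not set)"
        }
    }
}
```

Compare the reported server path and signature status against the entries SystemLook lists; a missing file, an unsigned DLL in a user-writable folder, or a TreatAs redirection is what a helper would want to see flagged.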

Re: dllhost.exe COM surrogate problem

Unread post by lynda » November 5th, 2014, 8:20 pm

Results of Combofix:

ComboFix 14-10-29.01 - Dworaks 11/04/2014 6:38.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6062.4225 [GMT -6:00]
Running from: c:\users\Dworaks\Desktop\ComboFix.exe
Command switches used :: c:\users\Dworaks\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\Installer\MSID7EA.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\MSID7EA.tmp
.
.
((((((((((((((((((((((((( Files Created from 2014-10-04 to 2014-11-04 )))))))))))))))))))))))))))))))
.
.
2014-11-04 12:46 . 2014-11-04 12:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-03 22:49 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2074751C-7ABC-4A15-AA4F-2EC82300372A}\mpengine.dll
2014-11-03 03:19 . 2014-11-03 03:19 -------- d-----w- c:\program files (x86)\ESET
2014-11-01 19:45 . 2014-11-03 03:40 -------- d-----w- c:\users\Dworaks\AppData\Local\CrashDumps
2014-11-01 19:27 . 2014-11-01 19:27 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-11-01 19:27 . 2014-11-01 19:27 -------- d-----w- c:\programdata\RogueKiller
2014-11-01 14:50 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-31 16:16 . 2014-11-04 12:46 -------- d-----w- c:\users\Dworaks\AppData\Local\Temp
2014-10-31 16:06 . 2014-10-31 16:14 -------- d-----w- C:\zoek_backup
2014-10-31 12:26 . 2014-11-02 11:09 -------- d-----w- C:\_OTL
2014-10-30 21:47 . 2014-10-30 21:47 -------- d-----w- c:\windows\ERUNT
2014-10-30 21:21 . 2014-10-30 22:26 -------- d-----w- C:\AdwCleaner
2014-10-29 00:02 . 2014-10-29 00:04 -------- d-----w- C:\FRST
2014-10-28 22:40 . 2014-10-28 22:40 -------- d-----w- c:\users\Dworaks\AppData\Roaming\ProductData
2014-10-28 12:48 . 2014-10-30 20:52 -------- d-----w- c:\program files (x86)\AVG Web TuneUp
2014-10-28 04:13 . 2014-10-28 04:13 -------- d-----w- c:\users\Dworaks\AppData\Roaming\TuneUp Software
2014-10-28 02:56 . 2014-10-30 21:05 -------- d-----w- c:\programdata\MFAData
2014-10-28 02:56 . 2014-10-28 02:56 -------- d-----w- c:\users\Dworaks\AppData\Local\MFAData
2014-10-28 02:29 . 2014-11-04 11:42 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-28 02:28 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-28 02:28 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-28 02:28 . 2014-10-28 02:28 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-10-28 02:28 . 2014-10-28 02:28 -------- d-----w- c:\programdata\Malwarebytes
2014-10-28 02:28 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-27 22:54 . 2014-10-27 22:55 -------- d--h--w- c:\programdata\CanonIJMIG
2014-10-27 22:54 . 2014-10-27 22:54 -------- d--h--w- c:\programdata\CanonIJQuickMenu
2014-10-27 22:51 . 2014-10-27 22:52 -------- d--h--w- c:\programdata\CanonIJScan
2014-10-27 22:51 . 2014-10-27 22:54 -------- d-----w- c:\users\Dworaks\AppData\Roaming\canon
2014-10-27 22:51 . 2014-11-02 13:48 -------- d-----w- c:\programdata\CanonIJPLM
2014-10-27 22:50 . 2014-10-27 22:50 -------- d-----w- c:\programdata\Canon IJ Network Tool
2014-10-27 22:50 . 2013-02-04 20:10 321536 ----a-w- c:\windows\SysWow64\CNC_BUL.dll
2014-10-27 22:50 . 2008-08-25 23:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2014-10-27 22:49 . 2014-10-27 22:49 -------- d-----w- c:\windows\system32\STRING
2014-10-27 22:49 . 2013-01-24 21:24 39424 ----a-w- c:\windows\system32\CNMN6UI.DLL
2014-10-27 22:49 . 2013-01-24 21:24 359936 ----a-w- c:\windows\system32\CNMN6PPM.DLL
2014-10-27 22:49 . 2013-01-24 21:23 366592 ----a-w- c:\windows\SysWow64\CNMNPPM.DLL
2014-10-27 22:46 . 2014-10-27 22:46 -------- d-----w- c:\programdata\CanonIJWSpt
2014-10-27 22:29 . 2014-10-27 22:48 -------- d-----w- c:\program files\Canon
2014-10-27 21:33 . 2014-10-27 22:52 -------- d-----w- c:\program files (x86)\Canon
2014-10-27 10:34 . 2014-10-27 10:34 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-10-26 22:54 . 2014-10-28 02:46 -------- d-----w- c:\users\Dworaks\AppData\Roaming\Ushafehu
2014-10-25 22:31 . 2014-10-25 22:31 0 ----a-w- c:\windows\system32\iaowsy.dll
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files\iPod
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files\iTunes
2014-10-25 15:19 . 2014-10-25 15:19 -------- d-----w- c:\program files (x86)\iTunes
2014-10-15 07:27 . 2014-09-04 05:23 424448 ----a-w- c:\windows\system32\rastls.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-30 11:25 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-10-03 15:02 . 2013-12-31 17:17 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-09-26 13:03 . 2013-08-08 22:51 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-25 02:08 . 2014-09-30 18:32 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-09-30 18:32 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-24 01:16 . 2013-08-01 12:37 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-24 01:16 . 2013-08-01 12:37 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-17 01:36 . 2014-10-02 13:28 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{088848B9-2884-48CD-A8AC-B8E99CE8B98F}\gapaengine.dll
2014-09-17 01:36 . 2013-08-22 13:43 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-09 22:11 . 2014-09-24 01:28 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-24 01:28 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-07 14:32 . 2012-07-17 19:37 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-23 02:07 . 2014-08-27 17:49 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-27 17:49 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-25 08:18 1729232 ----a-w- c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fitbit Service Monitor"="c:\program files (x86)\Fitbit\fitbit-tray.exe" [2012-06-22 2177056]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"EADM"="c:\program files (x86)\Origin\Origin.exe" [2014-09-24 3600216]
"Fitbit Connect"="c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe" [2013-10-02 3264544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2013-02-22 292088]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-06-07 56128]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2013-06-14 395656]
"Redirector"="c:\program files (x86)\Citrix\ICA Client\redirector.exe" [2013-06-14 153992]
"Fitbit Connect"="c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe" [2013-10-02 3264544]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2014-03-25 1284680]
"IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2013-02-19 453736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [x]
S2 Fitbit Connect;Fitbit Connect Service;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe [x]
S2 Fitbit;Fitbit Data Uploader;c:\program files (x86)\Fitbit\fitbit.exe;c:\program files (x86)\Fitbit\fitbit.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 PbaDrvSvc_x64;Dell PBA x64 Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe [x]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [x]
S3 dcdbas;System Management Driver;c:\windows\system32\DRIVERS\dcdbas64.sys;c:\windows\SYSNATIVE\DRIVERS\dcdbas64.sys [x]
S3 ICCS;Intel(R) Integrated Clock Controller Service - Intel(R) ICCS;c:\program files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys;c:\windows\SYSNATIVE\drivers\SiUSBXp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-01 01:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}]
c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2013-03-05 19:32 136024 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2013-03-05 19:32 136024 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2013-08-15 2908888]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2013-03-05 371024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
"Greenshot"="c:\program files\Greenshot\Greenshot.exe" [2012-10-31 462848]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-06-03 172016]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-06-03 399856]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-06-03 442352]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page =
uInternet Settings,ProxyOverride = <-loopback>
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
TCP: DhcpNameServer = 8.8.8.8 97.64.168.12 97.64.183.165
FF - ProfilePath - c:\users\Dworaks\AppData\Roaming\Mozilla\Firefox\Profiles\0jdc2wdu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-FITBIT&10C4&84C4 - c:\program files (x86)\Fitbit\Base Station\DriverUninstaller.exe USBXpress\FITBIT&10C4&84C4
AddRemove-swtor_swtor - c:\programdata\BitRaider\brwc.exe
AddRemove-{ce085a78-074e-4823-8dc1-8a721b94b76d} - c:\programdata\Package Cache\{ce085a78-074e-4823-8dc1-8a721b94b76d}\vcredist_x86.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\SecuROM\License information*]
"datasecu"=hex:76,e7,f8,ac,83,fb,6f,de,b1,03,28,98,e5,97,85,03,4a,5e,03,23,35,
1a,90,bc,89,5f,e7,dc,55,38,ec,24,fd,d6,31,6e,fd,2a,85,8f,58,68,9f,57,67,eb,\
"rkeysecu"=hex:46,72,65,5c,77,d6,96,ee,8d,6f,79,7a,8c,c0,d6,b4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-11-04 06:47:58
ComboFix-quarantined-files.txt 2014-11-04 12:47
ComboFix2.txt 2014-11-03 22:44
.
Pre-Run: 810,883,739,648 bytes free
Post-Run: 810,810,830,848 bytes free
.
- - End Of File - - 6A0412E42B975802F544793078D6FD7A
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Unread post by lynda » November 5th, 2014, 8:23 pm

Results from Systemlook:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:21 on 05/11/2014 by Dworaks
Administrator - Elevation successful

========== Regfind ==========

Searching for "AB8902B4-09CA-4bb6-B78D-A8F59079A8D5"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]

-= EOF =-
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Unread post by lynda » November 5th, 2014, 8:32 pm

OTL results:

OTL logfile created on: 11/5/2014 6:25:23 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Dworaks\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17358)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.92 Gb Total Physical Memory | 3.97 Gb Available Physical Memory | 67.00% Memory free
11.84 Gb Paging File | 9.81 Gb Available in Paging File | 82.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 930.74 Gb Total Space | 754.92 Gb Free Space | 81.11% Space Free | Partition Type: NTFS

Computer Name: DWORAKS-PC | User Name: Dworaks | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/10/30 15:45:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Dworaks\Desktop\OTL.exe
PRC - [2014/10/01 10:09:30 | 000,968,504 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014/10/01 10:09:28 | 001,871,160 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014/10/01 10:09:20 | 007,229,752 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
PRC - [2013/12/05 13:34:42 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013/10/02 12:36:40 | 003,264,544 | R--- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
PRC - [2013/10/02 12:36:38 | 001,384,992 | R--- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
PRC - [2013/06/14 15:45:20 | 000,924,040 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
PRC - [2013/06/14 15:44:24 | 000,153,992 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
PRC - [2013/06/14 15:43:52 | 000,395,656 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
PRC - [2013/06/13 20:00:38 | 001,505,608 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
PRC - [2013/06/09 18:55:00 | 000,054,152 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
PRC - [2013/05/11 04:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/02/22 04:42:44 | 000,292,088 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
PRC - [2013/02/19 15:38:58 | 000,453,736 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
PRC - [2012/06/22 12:40:50 | 000,773,152 | ---- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit\fitbit.exe
PRC - [2012/06/22 12:40:24 | 002,177,056 | ---- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit\fitbit-tray.exe
PRC - [2012/05/30 13:00:02 | 000,013,632 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2012/05/30 13:00:00 | 000,284,480 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2012/04/24 13:37:56 | 000,169,752 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
PRC - [2012/03/28 11:49:12 | 000,140,456 | ---- | M] () -- C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe


========== Modules (No Company Name) ==========

MOD - [2014/10/15 02:34:39 | 000,489,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\07d2f1ab8192b165b752d2fc9e3225ba\IAStorUtil.ni.dll
MOD - [2014/10/15 02:32:44 | 000,774,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b3011370dcbf33751d3b9dce8091c6c6\System.Runtime.Remoting.ni.dll
MOD - [2014/10/15 02:32:26 | 012,435,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1453d9e9a4989833ef3db4b22549ba1a\System.Windows.Forms.ni.dll
MOD - [2014/10/15 02:32:22 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\836e10dfd0811b303553216f5cb092ef\System.Drawing.ni.dll
MOD - [2014/10/15 02:32:18 | 005,467,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d49908aa93a23c84847b1f8b1b667860\System.Xml.ni.dll
MOD - [2014/10/15 02:32:16 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\237d509a79aeef6e4635b09450d98f2a\System.Configuration.ni.dll
MOD - [2014/10/15 02:32:08 | 003,348,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d97a5aa0eb7697aca7c6e90ae471af2b\WindowsBase.ni.dll
MOD - [2014/10/15 02:32:05 | 007,991,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll
MOD - [2014/10/15 02:09:02 | 012,894,208 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\db563d596d76daed04e9b5d25b2f4cb9\System.Windows.Forms.ni.dll
MOD - [2014/10/15 02:08:54 | 001,644,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\b4c08872c259018b17b2801da33ac80f\System.Drawing.ni.dll
MOD - [2014/10/15 02:08:53 | 010,100,736 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\17a393b77ae757f0768501fb95ff5af6\System.ni.dll
MOD - [2014/09/11 02:36:14 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\eea1bb5d7447f7a6f982afbc0a952ebc\IAStorCommon.ni.dll
MOD - [2014/09/11 02:33:24 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
MOD - [2014/09/09 07:12:52 | 008,896,160 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\1033\grooveintlresource.dll
MOD - [2014/02/26 03:03:12 | 016,953,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\ce5f61c5754789df97be8dc991c47d07\mscorlib.ni.dll
MOD - [2013/12/05 13:36:56 | 003,559,024 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll


========== Services (SafeList) ==========

SRV:64bit: - [2014/09/25 02:10:24 | 002,436,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe -- (ClickToRunSvc)
SRV:64bit: - [2014/09/18 19:25:49 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014/08/22 14:14:34 | 000,368,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2014/08/22 14:14:34 | 000,023,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2013/05/26 23:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2013/03/11 09:05:06 | 000,231,792 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe -- (EmbassyService)
SRV:64bit: - [2013/03/08 11:13:56 | 000,254,824 | ---- | M] (Wave Systems Corp.) [Auto | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe -- (WvPCR)
SRV:64bit: - [2013/03/05 13:31:54 | 005,159,760 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV:64bit: - [2013/02/26 14:17:16 | 001,773,056 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe -- (Wave Authentication Manager Service)
SRV:64bit: - [2013/02/01 13:21:52 | 002,215,272 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV:64bit: - [2013/01/21 11:05:12 | 000,021,504 | ---- | M] (Dell, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\hapi64\pbadrvsvc.exe -- (PbaDrvSvc_x64)
SRV:64bit: - [2012/06/05 16:40:38 | 000,190,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel(R)
SRV - [2014/10/01 10:09:30 | 000,968,504 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2014/10/01 10:09:28 | 001,871,160 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014/09/23 19:16:49 | 000,267,440 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/06/03 14:55:46 | 000,279,024 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)
SRV - [2014/03/20 16:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/12/05 13:36:33 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/10/02 12:36:38 | 001,384,992 | R--- | M] (Fitbit, Inc.) [Auto | Running] -- C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe -- (Fitbit Connect)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2013/05/11 04:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/06/22 12:40:50 | 000,773,152 | ---- | M] (Fitbit, Inc.) [Auto | Running] -- C:\Program Files (x86)\Fitbit\fitbit.exe -- (Fitbit)
SRV - [2012/05/30 13:00:02 | 000,013,632 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2012/05/11 08:42:24 | 001,643,520 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Security Innovation\SI TSS\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2012/04/24 13:37:56 | 000,169,752 | ---- | M] (Intel Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe -- (ICCS)
SRV - [2012/03/28 11:49:12 | 000,140,456 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2014/11/05 18:23:31 | 000,129,752 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV:64bit: - [2014/11/01 13:27:03 | 000,034,808 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysNative\drivers\TrueSight.sys -- (TrueSight)
DRV:64bit: - [2014/10/01 10:11:26 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2014/10/01 10:11:12 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2014/07/17 17:05:06 | 000,125,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2014/03/20 07:40:44 | 005,363,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2013/08/15 16:05:50 | 002,191,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTDVHD64.sys -- (IntcAzAudAddService)
DRV:64bit: - [2013/08/01 08:28:58 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2013/08/01 08:28:55 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2013/08/01 08:28:55 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2013/06/04 18:07:44 | 000,095,152 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2013/02/27 11:58:36 | 000,342,528 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2013/02/22 04:40:14 | 000,792,560 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3xhc.sys -- (iusb3xhc)
DRV:64bit: - [2013/02/22 04:40:14 | 000,358,896 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3hub.sys -- (iusb3hub)
DRV:64bit: - [2013/02/22 04:40:14 | 000,020,464 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iusb3hcs.sys -- (iusb3hcs)
DRV:64bit: - [2012/12/13 12:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/09/23 02:18:58 | 000,039,016 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dcdbas64.sys -- (dcdbas)
DRV:64bit: - [2012/09/12 14:20:04 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/17 18:12:08 | 000,062,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2012/06/15 19:21:08 | 000,515,440 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2012/05/30 15:42:10 | 000,569,152 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2012/04/02 13:47:26 | 000,026,856 | ---- | M] (Silicon Laboratories) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SiUSBXp.sys -- (SIUSBXP)
DRV:64bit: - [2010/11/20 21:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 21:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 21:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/05/06 15:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{1}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\..\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "about:home"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Citrix.com/npagee64,version=10.0.75.7: C:\Program Files\Citrix\Secure Access Client\npagee64.dll (Citrix Systems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npagee,version=10.0.75.7: C:\Program Files\Citrix\Secure Access Client\npagee.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3505.0912: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 26.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2013/12/03 16:41:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dworaks\AppData\Roaming\Mozilla\Extensions
[2013/12/15 15:53:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dworaks\AppData\Roaming\Mozilla\Firefox\extensions
[2014/10/30 14:52:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dworaks\AppData\Roaming\Mozilla\Firefox\Profiles\0jdc2wdu.default\extensions
[2013/12/31 12:50:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/12/31 12:50:00 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
File not found (No name found) -- C:\USERS\DWORAKS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0JDC2WDU.DEFAULT\EXTENSIONS\IOBITASCSURFINGPROTECTION@IOBIT.COM

O1 HOSTS File: ([2014/11/04 06:46:02 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (ExplorerWnd Helper) - {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll File not found
O2:64bit: - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll (Microsoft Corporation)
O2:64bit: - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\urlredir.dll (Microsoft Corporation)
O2:64bit: - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll (Microsoft Corporation)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\ochelper.dll (Microsoft Corporation)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\urlredir.dll (Microsoft Corporation)
O2 - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\grooveex.dll (Microsoft Corporation)
O3:64bit: - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4:64bit: - HKLM..\Run: [Greenshot] C:\Program Files\Greenshot\Greenshot.exe (Greenshot)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Logitech Download Assistant] C:\Windows\SysNative\LogiLDA.dll (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [CanonQuickMenu] C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.)
O4 - HKLM..\Run: [Redirector] C:\Program Files (x86)\Citrix\ICA Client\redirector.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [USB3MON] C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe (Intel Corporation)
O4 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001..\Run: [EADM] C:\Program Files (x86)\Origin\Origin.exe (Electronic Arts)
O4 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.)
O4 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001..\Run: [Fitbit Service Monitor] C:\Program Files (x86)\Fitbit\fitbit-tray.exe (Fitbit, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:64bit: - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnie.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ochelper.dll (Microsoft Corporation)
O9:64bit: - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnielinkednotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\onbttnielinkednotes.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\onbttnie.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\onbttnie.dll (Microsoft Corporation)
O9 - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\ochelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\ochelper.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\onbttnielinkednotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\onbttnielinkednotes.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\..Trusted Domains: skillport.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1962258163-3716458331-2083168627-1001\..Trusted Domains: skillwsa.com ([]* in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 97.64.168.12 97.64.183.165
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{34CB43D5-985D-4A3A-AC1B-62EF2E9CF302}: DhcpNameServer = 8.8.8.8 97.64.168.12 97.64.183.165
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 - No CLSID value found
O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 - No CLSID value found
O18:64bit: - Protocol\Filter\ica - No CLSID value found
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20:64bit: - Winlogon\Notify\spba: DllName - (C:\Program Files\Common Files\SPBA\homefus2.dll) - C:\Program Files\Common Files\SPBA\homefus2.dll (Authentec Inc.)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2014/10/28 15:25:45 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/11/04 06:48:03 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2014/11/03 16:27:22 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2014/11/03 16:27:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2014/11/03 16:27:22 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2014/11/03 16:27:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/11/03 16:25:59 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2014/11/03 16:20:33 | 005,591,672 | R--- | C] (Swearware) -- C:\Users\Dworaks\Desktop\ComboFix.exe
[2014/11/02 21:19:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2014/11/02 07:48:39 | 004,184,008 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Dworaks\Desktop\tdsskiller.exe
[2014/11/01 18:03:32 | 001,944,824 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Dworaks\Desktop\rkill.exe
[2014/11/01 13:45:07 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Local\CrashDumps
[2014/11/01 13:27:01 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2014/10/31 10:16:45 | 000,000,000 | ---D | C] -- C:\Windows\Temp
[2014/10/31 10:16:45 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Local\Temp
[2014/10/31 10:06:01 | 000,000,000 | ---D | C] -- C:\zoek_backup
[2014/10/31 06:26:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/10/30 15:47:52 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/10/30 15:45:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Dworaks\Desktop\OTL.exe
[2014/10/30 15:21:05 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/10/30 15:19:35 | 001,706,144 | ---- | C] (Thisisu) -- C:\Users\Dworaks\Desktop\JRT.exe
[2014/10/30 14:54:18 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2014/10/29 16:26:30 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Dworaks\Desktop\dds.scr
[2014/10/28 18:02:54 | 000,000,000 | ---D | C] -- C:\FRST
[2014/10/28 16:52:38 | 000,000,000 | ---D | C] -- C:\Windows\tasks\ImCleanDisabled
[2014/10/28 16:40:25 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Roaming\ProductData
[2014/10/28 06:48:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG Web TuneUp
[2014/10/27 22:13:41 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Roaming\TuneUp Software
[2014/10/27 20:56:07 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Local\MFAData
[2014/10/27 20:56:07 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2014/10/27 20:29:09 | 000,129,752 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/10/27 20:28:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014/10/27 20:28:47 | 000,093,400 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/10/27 20:28:47 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2014/10/27 20:28:46 | 000,025,816 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2014/10/27 20:28:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2014/10/27 20:28:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/10/27 16:54:27 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJMIG
[2014/10/27 16:54:12 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJQuickMenu
[2014/10/27 16:51:56 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonIJScan
[2014/10/27 16:51:12 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Roaming\canon
[2014/10/27 16:51:05 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJPLM
[2014/10/27 16:50:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Canon IJ Network Tool
[2014/10/27 16:50:17 | 000,321,536 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNC_BUL.dll
[2014/10/27 16:50:17 | 000,015,872 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNHMCA.dll
[2014/10/27 16:49:22 | 000,366,592 | ---- | C] (CANON INC.) -- C:\Windows\SysWow64\CNMNPPM.DLL
[2014/10/27 16:49:22 | 000,359,936 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMN6PPM.DLL
[2014/10/27 16:49:22 | 000,039,424 | ---- | C] (CANON INC.) -- C:\Windows\SysNative\CNMN6UI.DLL
[2014/10/27 16:49:22 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\STRING
[2014/10/27 16:49:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG5500 series User Registration
[2014/10/27 16:46:02 | 000,000,000 | ---D | C] -- C:\ProgramData\CanonIJWSpt
[2014/10/27 16:29:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2014/10/27 16:29:10 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2014/10/27 16:28:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MG5500 series Manual
[2014/10/27 16:26:53 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2014/10/27 15:33:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Canon
[2014/10/26 16:54:10 | 000,000,000 | ---D | C] -- C:\Users\Dworaks\AppData\Roaming\Ushafehu
[2014/10/25 16:30:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2014/10/25 09:19:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2014/10/25 09:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2014/10/25 09:19:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2014/10/25 09:19:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2014/10/25 09:19:24 | 000,000,000 | ---D | C] -- C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
[2014/10/15 01:28:49 | 001,943,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dfshim.dll
[2014/10/15 01:28:49 | 001,131,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dfshim.dll
[2014/10/15 01:28:49 | 000,156,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mscorier.dll
[2014/10/15 01:28:49 | 000,156,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mscorier.dll
[2014/10/15 01:28:48 | 000,081,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mscories.dll
[2014/10/15 01:28:48 | 000,073,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mscories.dll
[2014/10/15 01:28:44 | 001,202,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drmv2clt.dll
[2014/10/15 01:28:44 | 000,842,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\blackbox.dll
[2014/10/15 01:28:44 | 000,744,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\blackbox.dll
[2014/10/15 01:28:43 | 014,632,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmp.dll
[2014/10/15 01:28:43 | 000,988,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\drmv2clt.dll
[2014/10/15 01:28:42 | 011,411,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wmp.dll
[2014/10/15 01:28:42 | 004,120,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mf.dll
[2014/10/15 01:28:42 | 000,782,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmdrmsdk.dll
[2014/10/15 01:28:42 | 000,617,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wmdrmsdk.dll
[2014/10/15 01:28:42 | 000,500,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\AUDIOKSE.dll
[2014/10/15 01:28:41 | 003,208,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mf.dll
[2014/10/15 01:28:41 | 000,497,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drmmgrtn.dll
[2014/10/15 01:28:41 | 000,457,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ci.dll
[2014/10/15 01:28:41 | 000,406,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\drmmgrtn.dll
[2014/10/15 01:28:40 | 005,551,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2014/10/15 01:28:40 | 001,574,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\quartz.dll
[2014/10/15 01:28:40 | 000,693,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.efi
[2014/10/15 01:28:40 | 000,619,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winload.exe
[2014/10/15 01:28:40 | 000,616,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.efi
[2014/10/15 01:28:40 | 000,532,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winresume.exe
[2014/10/15 01:28:40 | 000,442,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\AUDIOKSE.dll
[2014/10/15 01:28:40 | 000,440,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\AudioEng.dll
[2014/10/15 01:28:40 | 000,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2014/10/15 01:28:39 | 003,970,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2014/10/15 01:28:39 | 003,914,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2014/10/15 01:28:39 | 001,480,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2014/10/15 01:28:39 | 001,069,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptui.dll
[2014/10/15 01:28:39 | 000,631,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\evr.dll
[2014/10/15 01:28:39 | 000,296,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\AudioSes.dll
[2014/10/15 01:28:39 | 000,284,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\EncDump.dll
[2014/10/15 01:28:38 | 001,329,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\quartz.dll
[2014/10/15 01:28:38 | 001,005,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cryptui.dll
[2014/10/15 01:28:38 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2014/10/15 01:28:38 | 000,489,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\evr.dll
[2014/10/15 01:28:38 | 000,432,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfplat.dll
[2014/10/15 01:28:38 | 000,354,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfplat.dll
[2014/10/15 01:28:38 | 000,082,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptsp.dll
[2014/10/15 01:28:37 | 000,641,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msscp.dll
[2014/10/15 01:28:37 | 000,504,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msscp.dll
[2014/10/15 01:28:37 | 000,325,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msnetobj.dll
[2014/10/15 01:28:37 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2014/10/15 01:28:37 | 000,265,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msnetobj.dll
[2014/10/15 01:28:37 | 000,126,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\audiodg.exe
[2014/10/15 01:28:37 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\appidapi.dll
[2014/10/15 01:28:37 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rrinstaller.exe
[2014/10/15 01:28:37 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rrinstaller.exe
[2014/10/15 01:28:36 | 000,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfps.dll
[2014/10/15 01:28:36 | 000,146,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\appidpolicyconverter.exe
[2014/10/15 01:28:36 | 000,103,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfps.dll
[2014/10/15 01:28:36 | 000,063,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\setbcdlocale.dll
[2014/10/15 01:28:36 | 000,050,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\appidapi.dll
[2014/10/15 01:28:36 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srclient.dll
[2014/10/15 01:28:36 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mfpmp.exe
[2014/10/15 01:28:36 | 000,023,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mfpmp.exe
[2014/10/15 01:28:36 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\appidcertstorecheck.exe
[2014/10/15 01:28:35 | 012,625,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wmploc.DLL
[2014/10/15 01:28:35 | 012,625,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wmploc.DLL
[2014/10/15 01:28:35 | 000,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\spwmp.dll
[2014/10/15 01:28:35 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\spwmp.dll
[2014/10/15 01:28:35 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msdxm.ocx
[2014/10/15 01:28:35 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxmasf.dll
[2014/10/15 01:28:35 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msdxm.ocx
[2014/10/15 01:28:35 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dxmasf.dll
[2014/10/15 01:28:35 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mferror.dll
[2014/10/15 01:28:35 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mferror.dll
[2014/10/15 01:28:31 | 000,507,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/10/15 01:28:31 | 000,276,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\generaltel.dll
[2014/10/15 01:28:30 | 000,597,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2014/10/15 01:28:30 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/10/15 01:28:30 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2014/10/15 01:28:30 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2014/10/15 01:28:30 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2014/10/15 01:28:29 | 000,710,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2014/10/15 01:28:29 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2014/10/15 01:28:29 | 000,060,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2014/10/15 01:28:29 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2014/10/15 01:28:29 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2014/10/15 01:28:28 | 002,017,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2014/10/15 01:28:28 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2014/10/15 01:28:27 | 000,731,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2014/10/15 01:28:27 | 000,446,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2014/10/15 01:28:27 | 000,440,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2014/10/15 01:28:27 | 000,111,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2014/10/15 01:28:27 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2014/10/15 01:28:26 | 002,108,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2014/10/15 01:28:26 | 001,068,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2014/10/15 01:28:26 | 000,066,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2014/10/15 01:28:25 | 000,678,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2014/10/15 01:28:25 | 000,164,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2014/10/15 01:28:25 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2014/10/15 01:28:25 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MshtmlDac.dll
[2014/10/15 01:28:24 | 001,249,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2014/10/15 01:28:24 | 000,595,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2014/10/15 01:28:24 | 000,289,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2014/10/15 01:28:24 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2014/10/15 01:28:23 | 005,829,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2014/10/15 01:28:23 | 000,775,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2014/10/15 01:28:23 | 000,758,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2014/10/15 01:28:23 | 000,547,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2014/10/15 01:28:23 | 000,139,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2014/10/15 01:28:22 | 000,940,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2014/10/15 01:28:22 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2014/10/15 01:28:22 | 000,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MshtmlDac.dll
[2014/10/15 01:28:00 | 003,241,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msi.dll
[2014/10/15 01:27:58 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rastls.dll
[2014/10/15 01:27:58 | 000,372,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rastls.dll
[2014/10/15 01:27:54 | 003,722,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstscax.dll
[2014/10/15 01:27:54 | 003,221,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstscax.dll
[2014/10/15 01:27:53 | 001,118,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mstsc.exe
[2014/10/15 01:27:53 | 001,051,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mstsc.exe
[2014/10/15 01:27:53 | 000,235,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsta.dll
[2014/10/15 01:27:52 | 000,455,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winlogon.exe
[2014/10/15 01:27:52 | 000,150,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorekmts.dll
[2014/10/15 01:27:52 | 000,131,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\aaclient.dll
[2014/10/15 01:27:48 | 000,077,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\packager.dll
[2014/10/15 01:27:48 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\packager.dll
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/11/05 18:23:31 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/11/05 18:23:17 | 000,028,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/11/05 18:23:17 | 000,028,352 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/11/05 18:20:41 | 000,677,384 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/11/05 18:20:41 | 000,126,996 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/11/05 18:15:45 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/11/05 18:15:39 | 472,739,839 | -HS- | M] () -- C:\hiberfil.sys
[2014/11/05 17:50:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/11/04 20:19:06 | 000,798,884 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/11/04 06:46:02 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2014/11/03 17:29:25 | 000,781,790 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/11/03 16:20:42 | 005,591,672 | R--- | M] (Swearware) -- C:\Users\Dworaks\Desktop\ComboFix.exe
[2014/11/02 07:48:54 | 004,184,008 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Dworaks\Desktop\tdsskiller.exe
[2014/11/01 18:03:34 | 001,944,824 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Dworaks\Desktop\rkill.exe
[2014/11/01 13:27:03 | 000,034,808 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2014/11/01 13:26:02 | 014,670,424 | ---- | M] () -- C:\Users\Dworaks\Desktop\RogueKiller.exe
[2014/10/31 15:17:34 | 000,000,272 | ---- | M] () -- C:\Users\Dworaks\INSTALL_TOR.URL
[2014/10/31 14:39:28 | 000,000,272 | ---- | M] () -- C:\Users\Dworaks\Documents\INSTALL_TOR.URL
[2014/10/31 14:35:13 | 000,000,272 | ---- | M] () -- C:\Users\Dworaks\AppData\Roaming\INSTALL_TOR.URL
[2014/10/31 14:30:18 | 000,000,272 | ---- | M] () -- C:\Users\Dworaks\AppData\Local\INSTALL_TOR.URL
[2014/10/31 14:29:43 | 000,000,272 | ---- | M] () -- C:\ProgramData\INSTALL_TOR.URL
[2014/10/31 11:14:56 | 000,000,008 | RHS- | M] () -- C:\Users\Dworaks\ntuser.pol
[2014/10/31 10:03:05 | 001,292,800 | ---- | M] () -- C:\Users\Dworaks\Desktop\zoek.exe
[2014/10/30 17:34:14 | 000,484,032 | ---- | M] () -- C:\Users\Dworaks\Documents\IMG_20141030_0001.pdf
[2014/10/30 17:19:36 | 000,165,376 | ---- | M] () -- C:\Users\Dworaks\Desktop\SystemLook_x64.exe
[2014/10/30 15:45:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Dworaks\Desktop\OTL.exe
[2014/10/30 15:19:38 | 001,706,144 | ---- | M] (Thisisu) -- C:\Users\Dworaks\Desktop\JRT.exe
[2014/10/30 15:10:06 | 001,375,089 | ---- | M] () -- C:\Users\Dworaks\Desktop\adwcleaner_3.311.exe
[2014/10/30 08:07:15 | 000,025,088 | ---- | M] () -- C:\Users\Dworaks\Desktop\codecheck.exe
[2014/10/30 08:06:28 | 000,468,480 | ---- | M] () -- C:\Users\Dworaks\Desktop\CKScanner.exe
[2014/10/29 16:26:33 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Dworaks\Desktop\dds.scr
[2014/10/28 15:25:45 | 000,000,000 | ---- | M] () -- C:\autoexec.bat
[2014/10/27 20:28:58 | 000,001,108 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/10/27 16:57:54 | 000,466,048 | ---- | M] () -- C:\Users\Dworaks\Documents\IMG_20141027_0002.pdf
[2014/10/27 16:56:49 | 000,670,192 | ---- | M] () -- C:\Users\Dworaks\Documents\IMG_20141027_0001.pdf
[2014/10/27 16:46:10 | 000,002,027 | ---- | M] () -- C:\Users\Public\Desktop\Canon Quick Menu.lnk
[2014/10/27 16:28:40 | 000,002,364 | ---- | M] () -- C:\Users\Public\Desktop\Canon MG5500 series On-screen Manual.lnk
[2014/10/26 21:12:16 | 000,010,112 | ---- | M] () -- C:\bootsqm.dat
[2014/10/25 16:31:49 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\iaowsy.dll
[2014/10/25 09:19:57 | 000,001,785 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014/10/15 02:26:43 | 000,437,872 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014/10/09 20:05:59 | 000,276,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\generaltel.dll
[2014/10/09 20:05:42 | 000,507,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/10/09 20:00:38 | 000,424,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/10/06 21:41:16 | 000,016,138 | ---- | M] () -- C:\Windows\SysNative\results.xml
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/11/03 16:27:22 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2014/11/03 16:27:22 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2014/11/03 16:27:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2014/11/03 16:27:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2014/11/03 16:27:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2014/11/01 13:27:03 | 000,034,808 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2014/11/01 13:24:41 | 014,670,424 | ---- | C] () -- C:\Users\Dworaks\Desktop\RogueKiller.exe
[2014/10/31 15:17:34 | 000,000,272 | ---- | C] () -- C:\Users\Dworaks\INSTALL_TOR.URL
[2014/10/31 14:39:28 | 000,000,272 | ---- | C] () -- C:\Users\Dworaks\Documents\INSTALL_TOR.URL
[2014/10/31 14:35:13 | 000,000,272 | ---- | C] () -- C:\Users\Dworaks\AppData\Roaming\INSTALL_TOR.URL
[2014/10/31 14:30:18 | 000,000,272 | ---- | C] () -- C:\Users\Dworaks\AppData\Local\INSTALL_TOR.URL
[2014/10/31 14:29:43 | 000,000,272 | ---- | C] () -- C:\ProgramData\INSTALL_TOR.URL
[2014/10/31 10:03:00 | 001,292,800 | ---- | C] () -- C:\Users\Dworaks\Desktop\zoek.exe
[2014/10/30 17:34:11 | 000,484,032 | ---- | C] () -- C:\Users\Dworaks\Documents\IMG_20141030_0001.pdf
[2014/10/30 17:19:30 | 000,165,376 | ---- | C] () -- C:\Users\Dworaks\Desktop\SystemLook_x64.exe
[2014/10/30 15:10:03 | 001,375,089 | ---- | C] () -- C:\Users\Dworaks\Desktop\adwcleaner_3.311.exe
[2014/10/30 08:07:14 | 000,025,088 | ---- | C] () -- C:\Users\Dworaks\Desktop\codecheck.exe
[2014/10/30 08:06:26 | 000,468,480 | ---- | C] () -- C:\Users\Dworaks\Desktop\CKScanner.exe
[2014/10/28 15:25:45 | 000,000,000 | ---- | C] () -- C:\autoexec.bat
[2014/10/27 20:28:58 | 000,001,108 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/10/27 16:57:43 | 000,466,048 | ---- | C] () -- C:\Users\Dworaks\Documents\IMG_20141027_0002.pdf
[2014/10/27 16:56:44 | 000,670,192 | ---- | C] () -- C:\Users\Dworaks\Documents\IMG_20141027_0001.pdf
[2014/10/27 16:50:17 | 000,095,744 | ---- | C] () -- C:\Windows\SysWow64\CNC1771D.TBL
[2014/10/27 16:46:10 | 000,002,027 | ---- | C] () -- C:\Users\Public\Desktop\Canon Quick Menu.lnk
[2014/10/27 16:28:40 | 000,002,364 | ---- | C] () -- C:\Users\Public\Desktop\Canon MG5500 series On-screen Manual.lnk
[2014/10/26 21:12:16 | 000,010,112 | ---- | C] () -- C:\bootsqm.dat
[2014/10/25 16:31:49 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\iaowsy.dll
[2014/10/25 09:19:57 | 000,001,785 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014/08/26 09:21:35 | 000,000,600 | ---- | C] () -- C:\Users\Dworaks\AppData\Local\PUTTY.RND
[2014/07/08 23:16:33 | 000,078,848 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2014/01/06 04:06:54 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\RtkMsgs.dll
[2013/10/10 19:08:33 | 000,005,120 | ---- | C] () -- C:\Users\Dworaks\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/10/10 19:04:48 | 000,000,008 | RHS- | C] () -- C:\Users\Dworaks\ntuser.pol
[2013/10/09 14:38:01 | 000,000,115 | ---- | C] () -- C:\Users\Dworaks\AppData\Roaming\WB.CFG
[2013/10/09 14:38:01 | 000,000,006 | ---- | C] () -- C:\Users\Dworaks\AppData\Roaming\WBPU-TTL.DAT
[2013/08/07 19:45:18 | 000,598,384 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng700.bin
[2013/08/07 19:45:17 | 000,754,652 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng700.bin
[2013/08/01 08:17:04 | 000,735,796 | ---- | C] () -- C:\Windows\SysWow64\igkrng700.bin
[2013/08/01 08:17:02 | 000,561,508 | ---- | C] () -- C:\Windows\SysWow64\igfcg700m.bin
[2013/03/08 10:37:36 | 000,075,264 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_zh-HK.dll
[2013/03/08 10:37:34 | 000,091,648 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_hr.dll
[2013/03/08 10:37:34 | 000,090,112 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_sl.dll
[2013/03/08 10:37:34 | 000,090,112 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_sk.dll
[2013/03/08 10:37:32 | 000,089,088 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_tr.dll
[2013/03/08 10:37:30 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_ro.dll
[2013/03/08 10:37:30 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_pt-BR.dll
[2013/03/08 10:37:30 | 000,092,672 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_hu.dll
[2013/03/08 10:37:28 | 000,090,112 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_fi.dll
[2013/03/08 10:37:28 | 000,084,992 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_he.dll
[2013/03/08 10:37:26 | 000,097,280 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_el.dll
[2013/03/08 10:37:26 | 000,091,136 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_cs.dll
[2013/03/08 10:37:26 | 000,087,040 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_ar.dll
[2013/03/08 10:37:24 | 000,075,264 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_zh-CHT.dll
[2013/03/08 10:37:24 | 000,074,752 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_zh-CHS.dll
[2013/03/08 10:37:22 | 000,091,648 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_sv.dll
[2013/03/08 10:37:22 | 000,091,648 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_ru.dll
[2013/03/08 10:37:20 | 000,094,720 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_pt.dll
[2013/03/08 10:37:20 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_pl.dll
[2013/03/08 10:37:20 | 000,090,112 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_no.dll
[2013/03/08 10:37:18 | 000,097,792 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_nl.dll
[2013/03/08 10:37:18 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_ko.dll
[2013/03/08 10:37:16 | 000,095,232 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_it.dll
[2013/03/08 10:37:16 | 000,095,232 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_fr.dll
[2013/03/08 10:37:16 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_ja.dll
[2013/03/08 10:37:14 | 000,094,720 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_es.dll
[2013/03/08 10:37:12 | 000,095,744 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_de.dll
[2013/03/08 10:37:12 | 000,093,184 | ---- | C] () -- C:\Windows\SysWow64\Internationalization_da.dll

========== ZeroAccess Check ==========

[2009/07/13 22:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 20:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 19:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 19:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 21:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 19:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2014/11/01 08:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\.minecraft
[2014/11/01 08:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\.technic
[2013/10/09 13:39:00 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\0D0S1L2Z1P1B
[2014/10/27 16:54:34 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\canon
[2014/11/01 08:24:07 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\GoPro
[2013/08/25 16:59:07 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\Greenshot
[2013/08/21 22:53:54 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\Helios
[2013/08/25 13:30:53 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\ICAClient
[2014/11/01 08:24:06 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\Origin
[2014/10/28 16:40:25 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\ProductData
[2014/11/01 08:24:06 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\TaxCut
[2014/10/27 22:13:41 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\TuneUp Software
[2014/10/27 20:46:21 | 000,000,000 | ---D | M] -- C:\Users\Dworaks\AppData\Roaming\Ushafehu

< End of report >
lynda
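Added example (editor's code, not part of lynda's post and not a component of OTL): the ZeroAccess Check in the log above lists InprocServer32 keys under HKEY_CURRENT_USER\Software\Classes alongside their HKEY_LOCAL_MACHINE counterparts. Windows composes HKEY_CLASSES_ROOT from HKLM\Software\Classes and HKCU\Software\Classes, and the per-user hive wins, so a CLSID registered under HKCU by an unprivileged process can redirect a system COM class to a different DLL; a surrogate host such as dllhost.exe (COM Surrogate) would then load that DLL. The PowerShell below performs the same comparison for every per-user InprocServer32 key (native and Wow6432Node views), checks whether the DLL it names exists, and reports its Authenticode signer. The function name Get-UserComOverrides and the Suspicious flag are this example's own choices; it assumes PowerShell 3.0 or later and runs as the user whose hive is being examined.

```powershell
# Added example: enumerate per-user COM InprocServer32 registrations and
# compare each with the machine-wide entry it shadows. Review the flagged
# rows by hand; the script only surfaces them.

function Get-UserComOverrides {
    [CmdletBinding()]
    param()

    # Both registry views, matching the two groups the OTL check prints.
    $roots = @{
        'HKCU:\Software\Classes\CLSID'             = 'HKLM:\Software\Classes\CLSID'
        'HKCU:\Software\Classes\Wow6432Node\CLSID' = 'HKLM:\Software\Classes\Wow6432Node\CLSID'
    }

    foreach ($userRoot in $roots.Keys) {
        if (-not (Test-Path -LiteralPath $userRoot)) { continue }

        foreach ($clsidKey in Get-ChildItem -LiteralPath $userRoot -ErrorAction SilentlyContinue) {
            $userServer = Join-Path $clsidKey.PSPath 'InprocServer32'
            if (-not (Test-Path -LiteralPath $userServer)) { continue }

            # The (default) value carries the DLL path; it can be empty, as in
            # the HKCU keys shown in the log.
            $userDll = (Get-ItemProperty -LiteralPath $userServer -ErrorAction SilentlyContinue).'(default)'

            # Machine-wide entry for the same CLSID, if one exists.
            $machineServer = Join-Path (Join-Path $roots[$userRoot] $clsidKey.PSChildName) 'InprocServer32'
            $machineDll = $null
            if (Test-Path -LiteralPath $machineServer) {
                $machineDll = (Get-ItemProperty -LiteralPath $machineServer -ErrorAction SilentlyContinue).'(default)'
            }

            # Expand %SystemRoot% and friends so the file can be located on disk.
            $expanded = $null
            if ($userDll) { $expanded = [Environment]::ExpandEnvironmentVariables($userDll) }
            $exists = $false
            if ($expanded) { $exists = Test-Path -LiteralPath $expanded }

            # Signer of the DLL the per-user key points at (if the file exists).
            $signer = $null
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $expanded
                if ($sig.SignerCertificate) {
                    $signer = '{0} [{1}]' -f $sig.SignerCertificate.Subject, $sig.Status
                } else {
                    $signer = "[{0}]" -f $sig.Status
                }
            }

            [PSCustomObject]@{
                View          = if ($userRoot -like '*Wow6432Node*') { 'WOW64' } else { 'Native' }
                CLSID         = $clsidKey.PSChildName
                UserDll       = $userDll
                UserDllExists = $exists
                Signer        = $signer
                MachineDll    = $machineDll
                # A per-user server that differs from the machine-wide one, or
                # that names a file which is not there, is the shape of a COM
                # hijack and deserves a manual look.
                Suspicious    = ($userDll -ne $machineDll) -or (-not $exists)
            }
        }
    }
}

# Usage: show only the per-user overrides worth a second look.
Get-UserComOverrides | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

The comparison is deliberately loose (string inequality after no normalisation), so legitimate per-user registrations from installers will also appear; the Signer column is what separates those from an unsigned DLL dropped in a profile directory.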

Re: dllhost.exe COM surrogate problem

Unread postby lynda » November 5th, 2014, 8:34 pm

Not sure if this is relevant, but this opened on my desktop too; it says it is part of OTL.

OTL Extras logfile created on: 11/5/2014 6:25:23 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Dworaks\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17358)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.92 Gb Total Physical Memory | 3.97 Gb Available Physical Memory | 67.00% Memory free
11.84 Gb Paging File | 9.81 Gb Available in Paging File | 82.86% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 930.74 Gb Total Space | 754.92 Gb Free Space | 81.11% Space Free | Partition Type: NTFS

Computer Name: DWORAKS-PC | User Name: Dworaks | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05471B7A-4EF5-4FD7-A932-AB38140B5F2D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{1B0C8070-11FA-4E7F-8C7C-83678319CC2F}" = lport=445 | protocol=6 | dir=in | app=system |
"{280A08AC-1C5C-429B-A960-AEBE50FF1110}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{282416C8-A697-4A66-9576-68EAA3605DB6}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2BAF1592-0E59-422E-8AB0-1A20FD4A996C}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{3A9706DA-F0C9-4789-A2C6-53EC882B9EAC}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{3B0C0D10-BD50-4782-BAB1-D15E92271947}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{48A6EAC8-7CAB-4F2C-B12A-4CEAB55DDF6D}" = lport=10243 | protocol=6 | dir=in | app=system |
"{48D0CA8F-0F95-449F-AB23-8874D4105EED}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\outlook.exe |
"{4A203658-2954-4463-AE31-F1EA4F1AC78D}" = lport=139 | protocol=6 | dir=in | app=system |
"{4C288051-CA21-498B-AA95-8FE5DE4A4B71}" = lport=445 | protocol=6 | dir=in | app=system |
"{5713D55E-50EA-4A61-BAA0-0571C577E65B}" = rport=445 | protocol=6 | dir=out | app=system |
"{5B7C6888-B387-4020-96A5-69ACA48AD0ED}" = lport=135 | protocol=6 | dir=in | svc=rpcss | app=%systemroot%\system32\svchost.exe |
"{6C6231BC-9E8C-46A1-82E6-583E48B5F00E}" = lport=445 | protocol=6 | dir=in | app=system |
"{6CCAD775-E209-42FD-B0B9-2063E58BD5F7}" = rport=139 | protocol=6 | dir=out | app=system |
"{7931BE64-93FB-4C51-A907-3ABD2B5CCDD4}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{7B3D3159-286E-4430-BFD4-565BB835CB4B}" = rport=137 | protocol=17 | dir=out | app=system |
"{7EC11011-180E-4C41-B9E5-B3F024A6DF75}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{87DD8583-6E9D-4744-9F95-FD7E3D7EE8C2}" = lport=2869 | protocol=6 | dir=in | app=system |
"{89F4D92B-FF74-463F-9D84-BD0EBDDF2D88}" = lport=138 | protocol=17 | dir=in | app=system |
"{98CC59F1-D036-4FD1-9176-E3046C64494B}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{AE3BE358-08CB-4966-96D0-2A0B28AA7BB4}" = lport=137 | protocol=17 | dir=in | app=system |
"{B30443C9-561C-4CF8-A35D-E3A2801E3916}" = rport=10243 | protocol=6 | dir=out | app=system |
"{B825D024-D6E8-4154-9B73-8C0DB66BDA28}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BF017563-4C95-43E8-8DBC-36C75DC6B05B}" = lport=135 | protocol=6 | dir=in | svc=rpcss | app=%systemroot%\system32\svchost.exe |
"{C4F2952E-57DD-45C2-BB69-2EEA2FC3C18F}" = lport=rpc | protocol=6 | dir=in | svc=* | app=%systemroot%\system32\svchost.exe |
"{D9B3DD78-770F-42B7-ACE1-1BBE12A8A983}" = lport=rpc | protocol=6 | dir=in | svc=* | app=%systemroot%\system32\svchost.exe |
"{E75908F3-0D04-4A78-AECB-F290EBC00366}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{F6B30A1E-C4B5-4AF2-924D-0E5DB1EFD64B}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{F8CC5B9C-88B0-41D2-BFDD-41F668941558}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FD5A703E-FFE6-48ED-ABDF-1CC809E7926A}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FF706383-DB35-4F72-B43C-B69B8F05DECB}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{09CC68FB-2F49-40BF-B39C-ABD8140ED13C}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{0BE175C2-5278-485B-894E-4EAD644F1C69}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{0FF7805E-F2F4-43C3-B2F8-EDA178D89006}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{12F0EE9C-F61D-472B-8247-590B12CAF68D}" = protocol=58 | dir=in | name=@firewallapi.dll,-26078 |
"{12F38EFA-5D26-4205-83F9-DDACD2BF7A47}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\swtor\retailclient\swtor.exe |
"{17DA868F-BFE4-4B98-9A67-EAE1CBA39681}" = protocol=6 | dir=in | app=c:\program files\microsoft office 15\root\office15\lync.exe |
"{1BD30484-13B9-483C-A35B-2B3B1D812C22}" = dir=out | app=c:\program files\citrix\secure access client\nsepa.exe |
"{1E696280-F116-420E-AC7B-2FADB56AAAEB}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{1E9DD273-41CB-4455-939B-EC9BF86EAEFD}" = protocol=58 | dir=in | name=@firewallapi.dll,-26078 |
"{20457272-B558-48E9-97B5-5CB67872C7E5}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{2E693AD7-84D8-4EB8-9464-E9D2C71F2BCE}" = protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\ucmapi.exe |
"{34E5960B-4047-4141-8D8E-47132FEDAEDB}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{38F804CC-630F-40B8-B9DF-710FF805CB51}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{3C338C07-7653-44E1-A97F-DE24309A6DE2}" = protocol=1 | dir=out | name=@firewallapi.dll,-26023 |
"{427984FF-0763-429B-81D5-C6D39F173AE2}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{42D01ECD-1FA9-442A-9D0F-9D9A187877B7}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\launcher.exe |
"{4659665F-80E0-4010-9B8C-EF19EF8AE1C6}" = protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\lync.exe |
"{4DB58D50-20CA-4D26-94EC-CF74EF57EA98}" = protocol=58 | dir=out | name=@firewallapi.dll,-26079 |
"{4E98937B-53FF-4C10-9CCE-F5955AB27179}" = protocol=58 | dir=in | name=@firewallapi.dll,-26142 |
"{60A43B89-876F-485C-A09B-2054ADF76FF2}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{67EC324F-22EB-4108-A069-0AE687A9283E}" = protocol=1 | dir=out | name=@firewallapi.dll,-26023 |
"{6C8FA165-A198-40D1-B3C6-5D23B4FE7083}" = protocol=6 | dir=in | app=c:\program files\microsoft office 15\root\office15\ucmapi.exe |
"{6F612A50-DF9A-4160-B070-6E520FADEA09}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{718B7693-1F32-41AB-AA40-117B9262FEA1}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{77ACDF89-B001-4EB4-8235-74E215E8B9F3}" = protocol=1 | dir=in | name=@firewallapi.dll,-26022 |
"{78C195AA-4E5D-40B8-A293-8410FA886D6D}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{78D9973E-FD22-44AF-BFCC-9090CF0D0A37}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{7FA4ED24-4DF6-4870-AE9D-39AAB6FBF5AD}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\swtor\retailclient\swtor.exe |
"{81C0C870-4CB7-4B9B-A4EF-2B7FED9836BA}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\launcher.exe |
"{83E2A092-AF0D-40C3-A5E8-3C2870692657}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{8776F0DD-7CF7-4526-BF88-B4DE0A01974A}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{A58E2510-6653-4D88-8838-BC32C5F6E262}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{AC4590BA-3337-45B9-8FBE-62ACD7CC56C0}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\launcher.exe |
"{B0CC24C7-2544-40FF-A6DA-68D026DE318D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{B1121C03-7238-46C7-9088-311AD0255B98}" = protocol=17 | dir=in | app=c:\program files (x86)\avg\avg2015\avgmfapx.exe |
"{B4ED6F77-8BDD-4ADC-9D28-B62357C26B4D}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\swtor\retailclient\swtor.exe |
"{B9491639-4DCA-46CA-A3B3-BC3B5CD15EE1}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\swtor\retailclient\swtor.exe |
"{BE08C5CA-97D8-4073-976D-3603CED55959}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BF803531-E6EE-4639-ACC4-910F2E13B8D1}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{BFFB25CD-6DEA-4BD2-9B58-7CCFD615DA4C}" = protocol=6 | dir=in | app=c:\program files (x86)\origin games\the sims 4 create a sim demo\game\bin\ts4cas.exe |
"{C538B644-87D0-47B7-B6CB-3D529326459E}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{C96B2F06-DCAA-4D40-8892-75F510F58975}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{CEBB1C56-8534-4A71-903F-E248C8C10698}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{CEFBE2B1-C340-4F54-B778-C7AAC25105FB}" = protocol=6 | dir=out | app=system |
"{D4BB85FB-AB47-46BF-B560-F02349A5C7D0}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars - the old republic\launcher.exe |
"{DBFD553B-A4E8-4831-B18E-B83815B9F60A}" = protocol=58 | dir=out | name=@firewallapi.dll,-26079 |
"{E0ABBF80-00E5-4331-87FB-67A055B91AD7}" = protocol=6 | dir=in | app=c:\program files (x86)\avg\avg2015\avgmfapx.exe |
"{E0ACEDF4-C1A3-4588-94AE-6A73E59D2812}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{E5AC4FA6-16F8-41BE-9FEA-28EEB5443FCE}" = protocol=1 | dir=in | name=@firewallapi.dll,-26022 |
"{E934DCEA-620B-4B6C-A2A7-94043835D982}" = protocol=17 | dir=in | app=c:\program files (x86)\origin games\the sims 4 create a sim demo\game\bin\ts4cas.exe |
"{EFDBCA68-A324-4CDA-BC55-0F98D2F7264B}" = protocol=1 | dir=in | name=@firewallapi.dll,-26140 |
"{F40B0F76-66AB-48DA-8BFE-F81DA1C464BC}" = dir=in | app=c:\program files\citrix\secure access client\nsepa.exe |
"{F544B69D-5121-48B2-BE7B-EF837CBB4F7A}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"TCP Query User{21DA5B27-C6D9-4CEA-B98A-FB571F9AF582}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"TCP Query User{63A43E6D-7BB6-412A-BAE3-932FECD6886B}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{A36D8A59-D685-4A28-A092-A42B3C6BBB94}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |
"UDP Query User{FCB7E2FC-C519-4103-9DB8-BCC9F87E0A53}C:\program files (x86)\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files (x86)\java\jre7\bin\javaw.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5500_series" = Canon MG5500 series MP Drivers
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{20A4AA32-B3FF-4A0B-853C-ACDDCD6CB344}" = DellAccess
"{236EBEF4-8DE5-4E0E-8FD0-27D94F772FF0}" = Trusted Drive Manager
"{23F2C78C-E131-4CA0-8F84-3473FB7728BA}" = Microsoft Security Client
"{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}" = iTunes
"{59ACD2BB-FC62-4427-81D2-618CF81A2A32}" = Preboot Manager
"{5F160A36-29D0-4AE0-986C-671A564BC0D4}" = Wave Crypto Runtime 2.0.9.0 x64
"{5F611ADA-B98C-4DBB-ADDE-414F08457ECF}" = Windows Live Family Safety
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{7206B668-FEE0-455B-BB1F-9B5A2E0EC94A}" = Custom
"{7567A068-2F02-40D1-A34C-16D79ECD35A6}" = GemPcCCID
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{7EC46A4C-E659-418E-A65A-BD7FC82D4C48}" = EMBASSY Client Core
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{858C1B33-C3D5-4377-B77B-1E2F338C7F66}" = Intel(R) Network Connections 17.2.154.0
"{86A9BBDF-9B6D-4E3D-810E-23C9079C6217}" = Wave Support Software Installer
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C775E70-A791-4DA8-BCC3-6AB7136F4484}" = Visual Studio 2012 x64 Redistributables
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90150000-008F-0000-1000-0000000FF1CE}" = Office 15 Click-to-Run Licensing Component
"{90DB5C39-360F-4187-9D56-E3B013CEEF73}" = Wave Infrastructure Installer
"{91CE5F03-3A2A-4268-935A-04944F058AE9}" = Gemalto
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2309A2F-4BEB-45C8-92E1-84D430AC15AD}" = SI TSS
"{A90F92B7-3C3F-4AEF-B281-31DD17BB73CA}" = Private Information Manager
"{ABBA2EA4-740E-4052-902B-9CA70B081E3F}" = Dell Data Protection | Access
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{C403F3CF-A531-4D11-ADAE-7D002F8264FE}" = Citrix Access Gateway Endpoint Analysis
"{CE52672C-A0E9-4450-8875-88A221D5CD50}" = Windows Live ID Sign-in Assistant
"{D46BCA58-0AF7-4455-8017-34CE3FEEE808}" = ERAS Connector
"{DD317AA5-F0EF-480F-9501-507712B5E0B6}" = SPBA (WBF) 5.9
"{DF5B5BEC-BA44-4669-98C8-2A691C5EA428}" = PBA Driver-x64
"{E9FA781F-3E80-4399-825A-AD3E11C28C77}" = MSVCRT110_amd64
"{F6822EFD-3F7D-4B35-8845-757A26AEC8E2}" = Windows Live MIME IFilter
"0B624A43DD66DBF5CF3EDFA9741A364E688062A4" = Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 )
"Greenshot_is1" = Greenshot 1.0.6.2228
"Microsoft Security Client" = Microsoft Security Essentials
"ProPlusRetail - en-us" = Microsoft Office Professional Plus 2013 - en-us
"PROSetDX" = Intel(R) Network Connections 17.2.154.0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0454BB9A-2A7A-4214-BDFF-937F7A711A44}" = Windows Live Communications Platform
"{04566294-A6B6-4462-9721-031073EB3694}" = Dell Client System Update
"{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}" = Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005
"{1606C5A0-DCD7-4543-A185-FAAD210E5284}" = Citrix Receiver(Aero)
"{18272881-CFC0-434D-A975-E5BE44206AA0}" = Windows Live UX Platform Language Pack
"{23A3E560-069F-4CFC-8F6C-1B526EC735FC}" = Windows Live Writer Resources
"{240C3DDD-C5E9-4029-9DF7-95650D040CF2}" = Intel(R) USB 3.0 eXtensible Host Controller Driver
"{29D07FB4-A026-4E1F-B9A2-8C9EC0E2FEBB}" = Wave Crypto Runtime 2.0.9.0 x86
"{30A6A2A7-7B5B-4595-98B4-6B6D3F376531}" = H&R Block Iowa 2013
"{30F99474-EBE3-4134-A02B-F6CD38CFE243}" = Photo Gallery
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
"{3BBFD444-5FAB-49F6-98B1-A1954E831399}" = The Sims™ 3 Showtime
"{3DE92282-CB49-434F-81BF-94E5B380E889}" = The Sims™ 3 Seasons
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3E6D7195-3B74-46AF-9BD1-49EBECD0A455}" = Citrix Receiver(DV)
"{400C31E4-796F-4E86-8FDC-C3C4FACC6847}" = Junk Mail filter update
"{45057FCE-5784-48BE-8176-D9D00AF56C3C}" = The Sims™ 3 Late Night
"{4CCBD1F4-CEEC-452A-9CB8-46564B501315}" = Windows Live UX Platform
"{5BABDA39-61CF-41EE-992D-4054B6649A9B}" = Movie Maker
"{631EFC00-5A7A-4A90-9578-039EDA92DE0F}_is1" = HRBlockDirect version 1.1.2.0
"{6908ED99-F02B-4E99-A202-3FAC99C510ED}" = The Sims™ 4 Create A Sim Demo
"{6A8DB215-7BCD-4377-B015-2E4541A3E7C6}" = Windows Live PIMT Platform
"{6BDC0D7C-9E42-4667-8FA9-2F26A2FEF4D0}" = Citrix Receiver(USB)
"{6C487153-A286-48F7-BE55-717552E90E20}" = Self-service Plug-in
"{70854FE6-3BF1-4C69-94D0-BEB821102E34}" = Windows Live Mail
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71828142-5A24-4BD0-97E7-976DA08CE6CF}" = The Sims™ 3 High-End Loft Stuff
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B0C5EF6-DE4C-4E20-8889-C17604FFE5CD}" = Windows Live Family Safety
"{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}" = Apple Application Support
"{86C40513-B5A4-476E-9EAB-EC118DCF4502}" = Windows Live Writer
"{8A642ACD-CE3A-4A23-A8B1-A0F7EB12B214}" = Windows Live SOXE Definitions
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}" = MSVCRT110
"{90150000-008C-0000-0000-0000000FF1CE}" = Office 15 Click-to-Run Extensibility Component
"{90150000-008C-0409-0000-0000000FF1CE}" = Office 15 Click-to-Run Localization Component
"{97C79BEC-43F7-4BD8-A6A7-85C0257E488A}" = Windows Live Writer
"{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}" = Visual Studio 2012 x86 Redistributables
"{9A0FE2C0-7A7E-444E-8BD4-087178A91865}" = Online Plug-in
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F53AC20-2D32-4341-9DA1-29DD40E2199E}" = TextPad 7
"{A0BBD6C7-B546-4048-B33A-F21F5C9F5B09}" = The Sims™ 3 Into the Future
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.03)
"{B37DAFA5-717D-41F8-BDFB-3A4B68C0B3A1}" = The Sims™ 3 Supernatural
"{B80D3EA9-A252-4AE5-AC51-81729F5C586F}" = Windows Live Mail
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{C034A6F9-6569-491B-B3BF-F5D15221A708}" = Windows Live Essentials
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C12631C6-804D-4B32-B0DD-8A496462F106}" = The Sims™ 3 Pets
"{C257E096-67B0-4122-98F3-EE0D8798E03B}" = Fitbit Connect
"{C424CD5E-EA05-4D3E-B5DA-F9F149E1D3AC}" = Windows Live Installer
"{C9B6EFD0-4F01-4BBA-8374-39AD99A3ED72}" = Windows Live Photo Common
"{CB63285D-990D-4207-AE31-000025626917}" = toolkit32for64bit
"{ce085a78-074e-4823-8dc1-8a721b94b76d}" = Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
"{D0087539-3C57-44E0-BEE7-D779D546CBE1}" = The Sims™ 3 Movie Stuff
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D2C146B1-948D-47EF-8387-5D1C6B980F7C}" = Windows Live Writer
"{D67AEDE1-BCCF-4C5D-BF4F-A08FE92075B7}" = Citrix Receiver Inside
"{D888F114-7537-4D48-AF03-5DA9C82D7540}" = Photo Common
"{DB1C49C7-AC32-4785-A281-774744FC78F5}" = Citrix Authentication Manager
"{DB21639E-FE55-432C-BCA2-0C5249E3F79E}" = The Sims™ 3 Island Paradise
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E6B88BD6-E4B2-4701-A648-B6DAC6E491CC}" = The Sims™ 3 Generations
"{EC94A726-7636-4693-9627-D8A8B44793EE}" = Citrix Receiver (HDX Flash Redirection)
"{ED6C77F9-4D7E-447C-9EC0-9A212D075535}" = Movie Maker
"{EDE796DE-0A72-464D-9D21-F04BC41A092B}" = H&R Block Deluxe + Efile + State 2013
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F26DE8EF-F2CF-40DC-8CDA-CC0D82D11B36}" = The Sims™ 3 University Life
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
"{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}" = Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005
"{FC6C7107-7D72-41A1-A031-3CE751159BAB}" = Photo Gallery
"{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel(R) SDK for OpenCL - CPU Only Runtime Package
"{FE7C0B3D-50B9-4951-BE78-A321CBF86552}" = Windows Live SOXE
"Adobe Flash Player ActiveX" = Adobe Flash Player 15 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 15 Plugin
"Canon MG5500 series On-screen Manual" = Canon MG5500 series On-screen Manual
"Canon MG5500 series User Registration" = Canon MG5500 series User Registration
"Canon My Image Garden" = Canon My Image Garden
"Canon My Image Garden Design Files" = Canon My Image Garden Design Files
"Canon_IJ_Network_Scanner_Selector_EX" = Canon IJ Network Scanner Selector EX
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"Canon_IJ_Scan_Utility" = Canon IJ Scan Utility
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon My Printer
"CanonQuickMenu" = Canon Quick Menu
"CitrixOnlinePluginPackWeb" = Citrix Receiver
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ESET Online Scanner" = ESET Online Scanner v3
"Fitbit Data Uploader_is1" = Fitbit v2.1.0.9
"FITBIT&10C4&84C4" = Fitbit Base Station (Driver Removal)
"GoPro Studio" = GoPro Studio 2.0.1
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.3.1025
"Mozilla Firefox 26.0 (x86 en-US)" = Mozilla Firefox 26.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Origin" = Origin
"swtor_swtor" = Star Wars The Old Republic
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1962258163-3716458331-2083168627-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ActiveTouchMeetingClient" = Cisco WebEx Meetings

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 11/3/2014 7:25:55 PM | Computer Name = Dworaks-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/4/2014 5:40:14 AM | Computer Name = Dworaks-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 11/4/2014 10:21:39 PM | Computer Name = Dworaks-PC | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "C:\Program Files\Microsoft
Office 15\root\office15\lync.exe.Manifest".Error in manifest or policy file "C:\Program
Files\Microsoft Office 15\root\office15\UccApi.DLL" on line 1. Component identity
found in manifest does not match the identity of the component requested. Reference
is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0". Definition
is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0". Please use
sxstrace.exe for detailed diagnosis.

Error - 11/4/2014 10:21:39 PM | Computer Name = Dworaks-PC | Source = SideBySide | ID = 16842787
Description = Activation context generation failed for "C:\Program Files\Microsoft
Office 15\root\office15\lync.exe.Manifest".Error in manifest or policy file "C:\Program
Files\Microsoft Office 15\root\office15\UccApi.DLL" on line 1. Component identity
found in manifest does not match the identity of the component requested. Reference
is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0". Definition
is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0". Please use
sxstrace.exe for detailed diagnosis.

Error - 11/5/2014 12:16:34 AM | Computer Name = Dworaks-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 11/5/2014 7:34:11 PM | Computer Name = Dworaks-PC | Source = Customer Experience Improvement Program | ID = 1008
Description =

Error - 11/5/2014 8:17:34 PM | Computer Name = Dworaks-PC | Source = WinMgmt | ID = 10
Description =

Error - 11/5/2014 8:20:38 PM | Computer Name = Dworaks-PC | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is not formatted
correctly. The malformed string is 12834. The first DWORD in the Data section contains
the index value to the malformed string while the second and third DWORDs in the
Data section contain the last valid index values.

Error - 11/5/2014 8:20:38 PM | Computer Name = Dworaks-PC | Source = Microsoft-Windows-LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The first DWORD in the Data section contains the error code.

Error - 11/5/2014 8:20:41 PM | Computer Name = Dworaks-PC | Source = Microsoft-Windows-LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is not formatted
correctly. The malformed string is 12834. The first DWORD in the Data section contains
the index value to the malformed string while the second and third DWORDs in the
Data section contain the last valid index values.

[ System Events ]
Error - 11/3/2014 7:24:42 PM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the MBAMScheduler
service to connect.

Error - 11/3/2014 7:24:42 PM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7000
Description = The MBAMScheduler service failed to start due to the following error:
%%1053

Error - 11/4/2014 8:43:56 AM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 11/4/2014 8:45:46 AM | Computer Name = Dworaks-PC | Source = Application Popup | ID = 1060
Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
with this system. Please contact your software vendor for a compatible version
of the driver.

Error - 11/4/2014 8:45:46 AM | Computer Name = Dworaks-PC | Source = Application Popup | ID = 1060
Description = \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility
with this system. Please contact your software vendor for a compatible version
of the driver.

Error - 11/4/2014 8:46:05 AM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service. However,
the system is configured to not allow interactive services. This service may not
function properly.

Error - 11/4/2014 10:04:32 AM | Computer Name = Dworaks-PC | Source = DCOM | ID = 10010
Description =

Error - 11/5/2014 8:13:30 PM | Computer Name = Dworaks-PC | Source = DCOM | ID = 10010
Description =

Error - 11/5/2014 8:15:51 PM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7001
Description = The SI TSS v1.2.1.41 TCS service depends on the TPM Base Services
service which failed to start because of the following error: %%0

Error - 11/5/2014 8:15:51 PM | Computer Name = Dworaks-PC | Source = Service Control Manager | ID = 7001
Description = The WvPCR service depends on the TPM Base Services service which failed
to start because of the following error: %%0


< End of report >
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Unread postby lynda » November 5th, 2014, 8:36 pm

The behavior seems to have improved since the past two tasks. I do not see the DLLHOST.EXEs running anymore. I do not see the malwarebytes pop ups either.

Thanks again!
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Unread postby pgmigg » November 6th, 2014, 3:25 pm

Hello lynda,

Thanks again!
You are very welcome! :D

The behavior seems to have improved since the past two tasks. I do not see the DLLHOST.EXEs running anymore. I do not see the malwarebytes pop ups either.
Actually the last set of logs indicates that you don't have any more infections. But...

10/27/2014 4:51:09 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
From the DDS logs you posted first, I remembered this issue (not critical and not related to any kind of infection, but important), to which I would like to return now.

Please do the following:

Step 1.
Run CHKDSK with the /F (fix) option
  1. Please open the Start Menu, type cmd in the search box, right click on cmd.exe (at top), and click on "Run as administrator...". The elevated command prompt opens to C:\Windows\System32>
  2. In the elevated command prompt, type chkdsk c: /F, and press Enter. System will have message saying it cannot be done because the drive is in use, and ask if you want to do it at reboot. Say YES.
  3. Close the elevated command prompt window.
  4. Reboot the system. It will make repairs when it reboots.

Step 2.
Verify Hard Disk After Repairs
  1. Please open the Start Menu, type cmd in the search box, right click on cmd.exe (at top), and click on "Run as administrator...". The elevated command prompt opens to C:\Windows\System32>
  2. In the elevated command prompt, copy and paste the command below, and press Enter.
    Code:
     chkdsk c: |find /v "percent" >> "%userprofile%\desktop\verifyhd.txt" 
  3. Please be patient - it may take a while...
  4. Wait for the prompt. When the scan is complete, a file icon named verifyhd.txt should appear on your Desktop.
  5. Close the elevated command prompt window.
  6. Find and open the verifyhd.txt file by Notepad.
  7. Please copy and paste the contents of the verifyhd.txt file in your next reply.

Step 3.
Hard Disk De-fragmentation by Defraggler
  1. Please download Defraggler by Piriform and save the dfsetup218.exe to your Desktop.
  2. Close all open programs and Internet browsers.
  3. Right click on dfsetup218.exe, select "Run As Administrator..." to run it. If prompted by UAC, please allow it.
  4. Click on Next on the opened welcome window.
  5. Uncheck all additional options excluding the first one, "Add Desktop Shortcut". Then click on Next.
  6. Uncheck Piriform recommendation to "Install Google Chrome as my default browser". Then click on Install.
  7. When the installation has completed, please uncheck "View release Notes" and click on Finish.
  8. Defraggler will be opened. At the same time your default browser will be opened with a suggestion to buy the professional version of Defraggler - please close it.
  9. You will see some information about your local drive C:\ including Disk Health status: Good or Error.
  10. Please click on Analyze button in the left bottom corner. Be patient - the process may take a while...
  11. When the scan has finished, you will see Analyze Results - if the percentage of fragmentation is equal to or greater than 10, please click on the Defrag button. Then wait...
    It may take a long period of time - even hours, depending on the total size of the files saved on your hard drive and the percentage of fragmentation.
  12. When the message "Defrag Complete" appears, please post in your next reply the Disk Health status and the percentage of fragmentation before and after de-fragmentation.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of verifyhd.txt file
  3. The Disk Health status and percent of fragmentation before and after de-fragmentation.
  4. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
MRU Teacher
 
Posts: 3186
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00
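The Step 2 verification above and the Ntfs event 55 that prompted it, as an added PowerShell example (not part of pgmigg's instructions): it saves a read-only chkdsk report to the Desktop the way Step 2 does, summarises the verdict and bad-sector count, and checks whether any new Ntfs 55 corruption events have been logged since the repair. The `$Since` default, the report path and the provider name `Ntfs` (as the DDS log shows it) are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: read-only chkdsk report plus a check for
# fresh Ntfs event 55 ("file system structure ... is corrupt") entries.
# $Since is assumed to be the time of the chkdsk /F repair; adjust as needed.
param(
    [string]$Volume = 'C:',
    [datetime]$Since = (Get-Date).AddDays(-1),
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\verifyhd.txt')
)

# Read-only check (no /F); progress lines dropped like |find /v "percent" in Step 2.
$lines = & chkdsk.exe $Volume 2>&1 | Where-Object { $_ -notmatch 'percent' }
$lines | Out-File -FilePath $Report -Encoding ascii

# The two facts the helper asks for: overall verdict and the bad-sector count.
$clean      = [bool]($lines -match 'found no problems')
$badSectors = ($lines | Select-String -Pattern '^\s*(\d+) KB in bad sectors') |
              ForEach-Object { [int]$_.Matches[0].Groups[1].Value } |
              Select-Object -First 1

# Ntfs event 55 is the error quoted from the DDS log above. Any occurrence after
# the repair means the corruption is recurring, not fixed (assumed provider 'Ntfs').
$ntfsErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Ntfs'; Id = 55; StartTime = $Since
} -ErrorAction SilentlyContinue

[pscustomobject]@{
    Volume       = $Volume
    ChkdskClean  = $clean
    BadSectorKB  = $badSectors
    NtfsEvent55  = @($ntfsErrors).Count
    ReportPath   = $Report
} | Format-List

if (-not $clean -or @($ntfsErrors).Count -gt 0) {
    Write-Warning "Disk still reports problems; schedule 'chkdsk $Volume /F' again and reboot."
}
```

A clean result is ChkdskClean True, BadSectorKB 0 and NtfsEvent55 0; anything else means the disk, not the earlier infection, still needs attention.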

Re: dllhost.exe COM surrogate problem

Unread postby lynda » November 7th, 2014, 1:47 pm

I ran the chkdsk, and defraggler. But when I attempt to access this page from that computer I get a script error in both IE and Firefox. I cannot paste either result.
I'll try to put both of those results on a thumb drive and submit shortly.
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm

Re: dllhost.exe COM surrogate problem

Unread postby lynda » November 7th, 2014, 5:47 pm

Here are the results from the Chkdsk as well as some info from the Script issue in both Browsers:

The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
752 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
32486 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
Windows has checked the file system and found no problems.

975951871 KB total disk space.
182999868 KB in 187859 files.
126140 KB in 32487 indexes.
0 KB in bad sectors.
1685979 KB in use by the system.
65536 KB occupied by the log file.
791139884 KB available on disk.

4096 bytes in each allocation unit.
243987967 total allocation units on disk.
197784971 allocation units available on disk.
A script on this page may be busy, or it may have stopped responding. you can stop the script now, or you can continue to see if the script will complete.
Script: http://ajax.cloudflare.com/cdn-cgi/nexp ... e.min.js:4

* the last part of that varies each time I say "Stop Script"


Defraggler says the analysis is complete and the status is "GOOD"; the fragmentation is 0%.

The analysis took 7+ hours and the PC shut off afterwards, so I cannot see any historical info about before and after.
lynda
Regular Member
 
Posts: 47
Joined: October 29th, 2014, 6:21 pm