Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

All PC's infected, no antivirus/antimalware helps


Post by Ishabari » January 27th, 2016, 4:04 am

Firstly, I need to mention that whatever problems I am experiencing are ALWAYS on a stand-alone, single PC, NOT a PC that is part of a homegroup or domain, NOT a PC that is shared in any way, not a PC that is supposed to be on any network. My PC's are owned by myself, from having been brand new out the box, purchased anonymously from mass retailers. I live alone, with nobody having any physical access to any of my PC's.

My computers get infected before I even install the drivers. All I have to do is install the OS. Windows 7. (Or any operating system for that matter, XP, Windows 8, Windows 8.1, Windows 10, all the same infections eventually occur.) With XP, the infections just happen quicker. After installation of the OS, changes start happening to my PC's settings. I get a message when I try to log off that 'other users are connected to the computer and switching off will cause them to lose unsaved work'! (I have a screenshot of this.) I am the only user, on a PC that hasn't even got drivers installed yet! Yet the firewall states public connections are 'connected'. If I change the firewall settings under 'advanced settings', WHILE I AM STILL CHANGING A SETTING, some settings GET ADDED AGAIN. So I would change, e.g. HOMEGROUP OUT, from ALLOWED to BLOCKED, and the second I am finished, another entry would be added to the list, with the BLOCKED changed to ALLOWED. All this before I have even installed a single driver. Typical ports that get changed back from "blocked" to "unblocked" would be:
Windows Firewall Remote Management
Wireless Portable Devices
Homegroup Out & In
File & Printer Sharing
Media Centre Extenders
Netlogon
Network Discovery
Core Networking
Connect to a Network Projector
Windows Communication Foundation Net.TCP Listener Adapter
It is almost as if someone is able to access my PC via a network, but I am not able to get on the internet yet because I haven't yet installed the LAN drivers. Or any other drivers for that matter. Then, when I install drivers, to be able to get on the Internet and get to an antivirus program, more settings get changed, like services get started that can now no longer be stopped by me (where before I could still stop that particular service under Computer Management). A service like SERVER now is not only impossible to stop, but is password protected as well. There are now many services running that I cannot control, and many ANONYMOUS logons of users. (Sometimes many users log on, other than Updatususer which is Nvidia, and SYSTEM, and TRUSTEDINSTALLER. Mostly logons are called ANONYMOUS.)
The Microsoft technology seemingly gets used to infiltrate my private documents, I don't know how else to put this. Because on all my PC's over time (I had many, because of this problem, and not knowing what the cause is/was, and I reformatted them all many many times over, up to once a week) Microsoft Silverlight gets installed, as well as Windows Sign-in Assistant. Then, as soon as I uninstall these two programs, it would be the end: I would lose all my documents. When I navigate to the C folder I would get: ACCESS DENIED, and all the icons on my desktop would disappear, shortcuts and actual documents. There will always be this 'user' logged on when I try to log off, my passwords on my email would get compromised and changed and generally my PC would not work, like I would not be able to get into the Internet and websites and my PC would be very slow. My various PC's, all the same problem. The problem is so pervasive that I initially thought it had to be hardware, which is why I changed PC's. I am running Comodo Security with Geekbuddy Complete and their Trustconnect VPN program and their online Team are at a loss for words. They themselves have advised me to reformat even though they guarantee that customers will never end up in that position.

But even reformatting does not help, nor did changing my wireless router or the password thereof, a few times. (This is where I think I get compromised, but I am not sure how.) This has been going on for 6 years. I have reason to believe that this is being done by a specific person, whom I know. Not only does he have this type of knowledge but he has motive I suppose. He has threatened in the past that he could and would do this, although the amount of interest he has in me has exceeded my expectations by far.

Out of desperation I have disabled many network services and blocked all the Windows firewall ports, as you may see on the logs. I still have a good internet connection. I find it interesting that, as mentioned, WHILE I am busy changing firewall settings, they get added again at the top of the list. I would maybe BLOCK the Remote Access Connection Manager, then the rule would be re-written and placed at the top of the list of firewall rules again. I did not even think that Windows firewall rules mattered, with Comodo installed, but for some reason, the rules get changed back when I change them. Some of them.

Sometimes I can hear the computer running many programs and it gets incredibly hot - too hot to touch. It is definitely background processes, not a hardware issue. Because when I stopped some background processes with Comodo Killswitch, immediately the PC slowed down audibly, cooled down and ran slower. The problem is that the processes running in the background, I believe, are masked as genuine Windows programmes, so it is very difficult to know what to stop, and sometimes I have lost connectivity because of it, needing to re-trace my steps. When I want to log off I also always get notified about background processes running, none of which are familiar to me, or started by me. Lots of audio & audiovisual processes, seemingly. I have also set my sound settings to make a certain sound when new feeds are detected, so I hear all the time when this happens.

In Chromodo, the number of networks trying to gain access to the system (my PC) is abnormally large, according to Comodo Geekbuddy staff, something like 150-odd networks at any given time. It differs from PC to PC, and whether I have many features installed. The more apps and features like Windows features I have installed, the worse my PC gets infiltrated; the quicker, and the faster I lose control over my personal documents. But Comodo is the best I have ever had it, my computers are more stable now than they have ever been, thanks, probably, to the Geekbuddy system of online intervention. Before that, I literally re-formatted a computer once a week.

It is the rule rather than the exception for my g-mail account to get broken into and the password changed. I have many witnesses who can attest to being with me while I got a notification out of the blue, via e-mail, that my e-mail password had just been changed, without any input from myself. This has obviously cost me a lot of money, time and productivity over the six years that the problems have been occurring.

Any assistance would be tremendously appreciated.

Best regards


Isha
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by capnkrunch » January 29th, 2016, 4:01 am

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system, without the guidance of a trained malware removal helper. Doing so, may possibly damage your system, preventing it from starting.

Hello Isha and welcome to the Malware Removal Forums :)

My name is capnkrunch and I will be helping you with your malware problems. I'm an Undergraduate trainee here, and as such my posts to you have to first be checked by a Teacher, because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • You must have Administrator rights, permissions for this computer.
  • DO NOT run any other fix or removal tools unless instructed to do so.
  • DO NOT install any other software (or hardware) during the cleaning process.
  • Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  • Only reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean".
    Remember, absence of symptoms does not mean the infection is all gone.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Failure to respond for 3 days, will result in your topic being closed.

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care, not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive, as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to back up any files with the following file extensions:
.exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

capnkrunch
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » January 29th, 2016, 11:24 am

Hi capnkrunch

Many thanks for responding to my post, I appreciate it tremendously.

I have read all you have asked me to read, and my files (My Documents) are safely backed up on an external HDD. Due to the volume of the backed-up files, I cannot sift through them to find all the onerous file extensions that you mentioned. Is there a way to find them maybe? The backup is 150 GB with thousands of files and folders.

Look forward to hearing from you

Regards

Isha
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by capnkrunch » January 30th, 2016, 1:09 am

Hello Isha :)

Ishabari wrote: Due to the volume of the backed-up files, I cannot sift through them to find all the onerous file extensions that you mentioned. Is there a way to find them maybe?

For now the important thing is that your files are backed up. We can check your external hard drive after we take care of your computer.

Step one...

MGA Diagnostic Tool
  • Please download MGA Diagnostic Tool and save it to your Desktop.
  • Right click on MGADiag.exe and select Run as administrator.
  • Click on Continue to run the scan.
  • Once the scan is finished click Copy to copy the results. Paste them in your reply.

Step two...

CKScanner
Please download CKScanner and save it to your Desktop.
This program should only be run once!
Make sure that CKScanner.exe is on your desktop before running the application!

  • Right click on the CKScanner.exe icon and select Run as administrator.
  • Click the Search For Files button.
  • When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  • Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  • Please copy/paste the contents of ckfiles.txt in your next reply.

TSG SysInfo
  • Please download TSG SysInfo and save it to your Desktop.
  • Right click on SysInfo.exe and select Run as administrator.
  • Copy and paste the text from the TSG SysInfo window in your next reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • The MGADiag log
  • ckfiles.txt
  • TSG SysInfo report
  • Are there any changes in computer behavior?
capnkrunch
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: All PC's infected, no antivirus/antimalware helps

Post by capnkrunch » February 1st, 2016, 1:17 am

Hello Isha :)

It has been 48 hours since my last post.
  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response.
  • If you do not reply within the next 24 hours, this topic will be closed.
capnkrunch
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 7:55 am

Hello capnkrunch

Apologies, I was having some difficulties with your instructions as I was not sure what to copy - there was more than one page of information. I will try again, maybe I did something wrong. Sorry about that.

Regards

Isha
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 8:08 am

Hello capnkrunch

Herewith the CKScanner report, I will send the Step 2 report in my following reply. I hope this is the report you were looking for as there were other tabs with reports as well.

Regards

Isha



Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-74XYM-BH4JX-XM76F
Windows Product Key Hash: KeYfcvXg/a1Q01x73+f8IL/JC4Y=
Windows Product ID: 00359-112-0000007-85128
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {E9114DA0-C7D8-4C40-84A2-3D28793CB4DC}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.151230-0600
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Ultimate 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Comodo\Chromodo\chromodo.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E9114DA0-C7D8-4C40-84A2-3D28793CB4DC}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-XM76F</PKey><PID>00359-112-0000007-85128</PID><PIDType>5</PIDType><SID>S-1-5-21-3370641451-1649227579-245031742</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>TravelMate 5744</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V1.07</Version><SMBIOSVersion major="2" minor="7"/><Date>20120810000000.000000+000</Date></BIOS><HWID>37133C07018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>South Africa Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002E-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Ultimate 2007</Name><Ver>12</Ver><Val>6DC730CF5FC270E</Val><Hash>isbcZ1KY2ybna/9V4m9OQo2UClw=</Hash><Pid>81608-903-0599005-65723</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-112-000000-00-1033-7601.0000-0242016
Installation ID: 013480730364080002163035752443492682431821945103530373
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: XM76F
License Status: Initial grace period
Time remaining: 32700 minute(s) (22 day(s))
Remaining Windows rearm count: 3
Trusted time: 2/1/2016 2:03:00 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:25:2016 18:22
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: KgAAAAEAAQABAAEAAAABAAAAAQABAAEAln04e7BpUAC2lBJxaEyOJ1xd

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC ACRSYS ACRPRDCT
FACP ACRSYS ACRPRDCT
HPET ACRSYS ACRPRDCT
BOOT ACRSYS ACRPRDCT
MCFG ACRSYS ACRPRDCT
WDAT ACRSYS ACRPRDCT
ASF! ACRSYS ACRPRDCT
SLIC ACRSYS ACRPRDCT
MSDM ACRSYS ACRPRDCT
ASPT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 8:35 am

Hello capnkrunch

After running the previous MGA Diagnostic Tool (which I sent to you in my last mail), a message came up that I should register Windows online, which I did. I don't know if it would make any difference, but just in case you require a MGA Diagnostic Tool report AFTER I registered my Windows online, herewith the report after the registration, replacing the previous one I mailed to you:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-WPC4C-Q3MXK-T2MRG
Windows Product Key Hash: X23xNOiV+Qz+9FizHkiu8u9a/bA=
Windows Product ID: 00359-OEM-9739806-08074
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {E9114DA0-C7D8-4C40-84A2-3D28793CB4DC}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.151230-0600
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Ultimate 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Comodo\Chromodo\chromodo.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E9114DA0-C7D8-4C40-84A2-3D28793CB4DC}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-T2MRG</PKey><PID>00359-OEM-9739806-08074</PID><PIDType>8</PIDType><SID>S-1-5-21-3370641451-1649227579-245031742</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>TravelMate 5744</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V1.07</Version><SMBIOSVersion major="2" minor="7"/><Date>20120810000000.000000+000</Date></BIOS><HWID>37F33407018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>South Africa Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002E-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Ultimate 2007</Name><Ver>12</Ver><Val>6DC730CF5FC270E</Val><Hash>isbcZ1KY2ybna/9V4m9OQo2UClw=</Hash><Pid>81608-903-0599005-65723</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: 6a7d5d8a-92af-4e6a-af4b-8fddaec800e5
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00194-398-008074-02-1033-7601.0000-0322016
Installation ID: 018281084513943021969185656942391574686066273246053685
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: T2MRG
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 2/1/2016 2:25:22 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:25:2016 18:22
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: KgAAAAEAAQABAAEAAAABAAAAAQABAAEAln04e7BpUAC2lBJxaEyOJ1xd

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC ACRSYS ACRPRDCT
FACP ACRSYS ACRPRDCT
HPET ACRSYS ACRPRDCT
BOOT ACRSYS ACRPRDCT
MCFG ACRSYS ACRPRDCT
WDAT ACRSYS ACRPRDCT
ASF! ACRSYS ACRPRDCT
SLIC ACRSYS ACRPRDCT
MSDM ACRSYS ACRPRDCT
ASPT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 9:04 am

Hello capnkrunch

Herewith the 2nd report.

(I notice the word "crack" was searched for: I don't have any programs on my PC which I did not pay for. The two files that were found are:
1: A file that I CALLED ................-crack, referring to a crackled ceramic item in my store
2: A file that comes standard installed with Coreldraw, with "crack" in the filename, referring to a drawn pattern, similar to other files called ...swirls, ....veins, ripples, rings, dunes, all referring to drawn patterns in Coreldraw.)

Best regards

Isha
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 9:16 am

Hello capnkrunch

Herewith the 3rd report, apologies that it took so long, it was actually quite easy and your instructions clear :-)

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i5 CPU M 460 @ 2.53GHz, Intel64 Family 6 Model 37 Stepping 5
Processor Count: 4
RAM: 7860 Mb
Graphics Card: Intel(R) HD Graphics, -293 Mb
Hard Drives: C: Total - 476837 MB, Free - 380648 MB;
Motherboard: Acer, BA52_CP
Antivirus: COMODO Antivirus, Updated and Enabled
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm

Re: All PC's infected, no antivirus/antimalware helps

Post by Ishabari » February 1st, 2016, 9:22 am

ckfiles.txt


Dear capnkrunch

Apologies, the 2nd report looks like I attached the wrong file. Herewith the correct one:

I also have copied and pasted the contents here:

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\dropbox\dropbox\pictures antiques etc\s e l m a\32 gb\a n t i q u e s e t c\all suppliers\ib products\ib-cer-ftbath-crack.cdr
c:\program files (x86)\corel\coreldraw home & student suite x7\custom data\bumpmap\cracks.cpt
scanner sequence 3.AA.11.TQAPPZ
----- EOF -----
Ishabari
Active Member
 
Posts: 10
Joined: January 23rd, 2016, 1:41 pm
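The two ckfiles.txt hits above, and Isha's explanation of them in the earlier post, illustrate how a filename keyword scan of the kind CKScanner performs produces hits that "are not necessarily bad": a substring match on "crack" catches a user-named design file and Corel's bundled cracks.cpt just as readily as a cracking tool. The script below is an added example written for this thread, not CKScanner's own code. Its keyword list is constructed (only "crack" is attested in the log; "keygen" is an assumed keyword of the same class), the sample file tree is constructed to mirror the two logged paths plus one extra executable, and the "review" extension list is taken from capnkrunch's list of extensions not to back up.

```python
"""Filename keyword scan with simple triage of the hits.

Added example for this thread; it is NOT CKScanner's code. The keyword list,
the sample file tree and the triage rules are assumptions made for
illustration, and the real tool's keyword list is not reproduced here.
"""
import os
import re
import tempfile

# Constructed keyword list: "crack" is the only keyword attested in the log;
# "keygen" is an assumed additional keyword used to show the general case.
KEYWORDS = ("crack", "keygen")

# Extensions capnkrunch lists as not safe to back up; a keyword hit on one of
# these warrants a closer look, a hit on a document or design file usually not.
REVIEW_EXTS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
               ".xml", ".zip", ".rar", ".cab"}

# Constructed sample files modelled on the two ckfiles.txt hits, plus one
# constructed executable and one benign file that must not match.
SAMPLE_FILES = (
    "dropbox/pictures/ib-cer-ftbath-crack.cdr",                    # user-named file
    "program files (x86)/corel/custom data/bumpmap/cracks.cpt",    # vendor content
    "downloads/keygen.exe",                                        # constructed
    "dropbox/pictures/ib-cer-ftbath-swirls.cdr",                   # benign
)


def build_sample_tree(root):
    """Create the constructed sample files under root (empty files suffice)."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


def scan_tree(root, keywords=KEYWORDS):
    """Walk root and return sorted [(relative_path, keyword), ...] for every
    file whose NAME (not its directory) contains a keyword, case-insensitively.
    This is a plain substring match, which is exactly why 'cracks.cpt' is hit."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = pattern.search(name)
            if match:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), match.group(0).lower()))
    return sorted(hits)


def classify_hit(rel_path):
    """Heuristic triage (an assumption of this example, not CKScanner logic):
    executable-type extensions -> 'review'; anything under a vendor install
    directory -> 'vendor-content'; everything else -> 'user-document'."""
    ext = os.path.splitext(rel_path)[1].lower()
    if ext in REVIEW_EXTS:
        return "review"
    if rel_path.lower().startswith("program files"):
        return "vendor-content"
    return "user-document"


def run_demo():
    """Build the sample tree in a temp dir, scan it and triage every hit."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(path, kw, classify_hit(path)) for path, kw in scan_tree(root)]


if __name__ == "__main__":
    for path, kw, verdict in run_demo():
        print(f"{verdict:15} {kw:7} {path}")
```

Only the constructed keygen.exe lands in the "review" bucket; both "crack" hits from the log are triaged as content by extension and location, which is the conclusion Isha reached by hand.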

Re: All PC's infected, no antivirus/antimalware helps

Post by capnkrunch » February 1st, 2016, 7:07 pm

Hello Isha :)

Before we continue there are a couple things that I need to clarify with you so that things will proceed smoothly.

Ishabari wrote: Apologies, I was having some difficulties with your instructions as I was not sure what to copy - there was more than one page of information.

If you ever have questions or need clarification about any of my instructions please do not hesitate to ask. I would much rather you do that than get stuck trying to figure them out on your own.

Running Scans Multiple Times Warning
Ishabari wrote: I don't know if it would make any difference, but just in case you require a MGA Diagnostic Tool report AFTER I registered my Windows online, herewith the report after the registration, replacing the previous one I mailed to you:

It turned out OK this time but in the future do not run any scan or fix more than once unless I specifically tell you to. The tools we use are very powerful and doing so may damage your system, even rendering it unbootable.

Multiple and Attached Logs Warning
You posted the CKScanner logs twice. Please take care to only post each log once. Having to sort through multiples of the same logs wastes time and makes your posts harder to read.

You also attached ckfiles.txt in those posts. Unless I give you specific instructions otherwise, please copy and paste all logs from now on instead of attaching them. If a log gets cut off by the forum limiter you will need to split it into multiple posts.

Moving on...

Part of the auto-sandbox feature of COMODO works in a way that is impossible to distinguish from malware using the same method. Because of this I'd like you to disable it for the time being. I am also going to clear your firewall rules because I want to see how your system behaves under normal conditions and because it is generally not a good idea to mess with Windows components by blocking them or disabling services unless you are absolutely sure that you know what you are doing.

Step one...

Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.
  • Download TCRB from HERE and save it to your Desktop.
  • Double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
  • Launch TCRB.
  • Click the Backup Registry tab and make sure all the boxes are checked.
  • Click on Backup Now.
  • Once the backup is finished you can now exit the program.
STOP! If you were unable to complete this step do not proceed. Please reply back and let me know what happened. If you successfully made a backup with TCRB please continue with the rest of the steps.

Step two...

Disable COMODO Auto-Sandbox
  • Open COMODO by right clicking on the icon in your system tray and selecting Open ....
  • Click on Tasks near the top-right.
  • Click Sandbox Tasks to expand the menu and then click Open Advanced Settings.
  • In the left hand pane, select Security Settings > Defense+ > Sandbox > Auto-Sandbox.
  • Uncheck the box next to Enable file source tracking.
  • Click OK. You can now exit the COMODO interface.

Step three...

FRST Fix
  • You should still have FRST64.exe on your Desktop. If not please download it HERE.
  • Click Start.
  • Type notepad.exe into the Search programs and files box and press Enter.
  • A blank Notepad page should open.
    • Copy and paste the following script into Notepad. Do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    CreateRestorePoint:
    HKU\S-1-5-21-3370641451-1649227579-245031742-1000\...\MountPoints2: {ccb98961-c2d8-11e5-a738-806e6f6e6963} - D:\setupARP.exe
    HKU\S-1-5-21-3370641451-1649227579-245031742-1000\...\MountPoints2: {d898dcc7-c31e-11e5-9d79-806e6f6e6963} - D:\.\AutorunX\AutorunX.exe
    AlternateDataStreams: C:\Windows\notepad.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\aaclient.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\adprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\adtschema.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\advapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\apisetschema.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\appidapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\appidcertstorecheck.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\appidpolicyconverter.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\appidsvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\appinfo.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\atmfd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\atmlib.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\audiodg.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\AudioEng.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\AUDIOKSE.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\AudioSes.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\audiosrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\auditpol.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\authui.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\basesrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\bcryptprimitives.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\blackbox.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\browcli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\browser.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\capiprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\catsrvut.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cdd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cdosys.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\certcli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\certenc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\certutil.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cewmdm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ci.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\clfs.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\clfsw32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cngprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\COLORCNV.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\comctl32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\comsvcs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\conhost.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\consent.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\CPFilters.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\credssp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\crypt32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cryptbase.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cryptnet.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cryptsp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cryptsvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cryptui.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\cscript.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\csrsrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\d3d10warp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\davclnt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dciman32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\devenum.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dfshim.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dimsroam.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dnsapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dnscacheugc.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dnsrslvr.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dpapiprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\dpnet.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\drmmgrtn.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\drmv2clt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\DWrite.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\els.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\EncDec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\EncDump.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\evr.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ExplorerFrame.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\fixmapi.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\FntCache.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\fontsub.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\FWPUCLNT.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\gdi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\IKEEXT.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\imagehlp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\IMJP10K.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\inetcomm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\InkEd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\kd1394.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\kdcom.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\kdusb.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\kerberos.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\kernel32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\KernelBase.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ksproxy.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ksuser.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\localspl.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\lpk.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\lsasrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\lsass.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mapistub.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfc42.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfc42u.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mferror.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfplat.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfpmp.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfps.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mfvdsp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MFWMAAEC.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MP3DMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MP43DECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MP4SDECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mpg2splt.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MPG4DECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MpSigStub.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MRT.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msaudite.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mscorier.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mscories.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msctf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msiexec.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msihnd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msimsg.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msmmsp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msmpeg2adec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\MSMPEG2ENC.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msmpeg2vdec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msnetobj.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msobjs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msscp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mstsc.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\mstscax.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msv1_0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msvcrt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msxml3.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msxml3r.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msxml6.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\msxml6r.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ncrypt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ncsi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\netapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\nlaapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\nlasvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\notepad.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\nshwfp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ntdll.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ntoskrnl.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ntvdm64.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\objsel.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\odbccp32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\odbccr32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\odbccu32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\odbctrac.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ole32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\oleacc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\oleaut32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\osk.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\packager.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pcadm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pcaevts.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pcalua.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pcasvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pcawrk.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\pku2u.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\poqexec.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\profsvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\psisdecd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\psisrndr.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\qasf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\qdvd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\qedit.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\quartz.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rastls.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rdpcore.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rdpcorekmts.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rdpwsx.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rdrmemptylst.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\RESAMPLEDMO.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rpcrt4.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rrinstaller.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\rstrui.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\sbe.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\scesrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\schannel.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\schedsvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\scrrun.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\secur32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\services.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\setbcdlocale.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\shdocvw.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\shell32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\smss.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\srclient.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\srcore.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\sspicli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\sspisrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\synceng.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\SysFxUI.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\sysmain.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\taskhost.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\termsrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\tsgqec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\TSpkg.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\TSWbPrxy.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\ubpm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\umpnpmgr.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\user32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\usp10.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\VIDRESZR.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Wdfres.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wdigest.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WebClnt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\webio.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wer.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\win32k.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\win32spl.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wincredprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WindowsCodecs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winload.efi:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winload.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winlogon.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winresume.efi:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winresume.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WinSetupUI.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winsrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\winsta.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wintrust.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMADMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMADMOE.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMALFXGFXDSP.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wmdrmsdk.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMPhoto.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMSPDMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMSPDMOE.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMVDECOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMVENCOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMVSDECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMVSENCD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\WMVXENCD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wow64.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wow64cpu.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wow64win.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wscript.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wshom.ocx:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wshrm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wu.upgrade.ps.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wuapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wuapp.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wuauclt.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wuaueng.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wucltux.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wudriver.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wups.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wups2.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\wuwebv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\aaclient.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\adprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\adtschema.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\advapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\apisetschema.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\appidapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\atmfd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\atmlib.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\AudioEng.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\AUDIOKSE.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\AudioSes.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\auditpol.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\authui.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\bcryptprimitives.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\blackbox.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\browcli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\capiprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\catsrvut.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cdosys.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\certcli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\certenc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\certutil.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cewmdm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cfgmgr32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\clfsw32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cngprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\COLORCNV.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\comctl32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\comsvcs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\CPFilters.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\credssp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\crypt32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cryptbase.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cryptnet.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cryptsp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cryptsvc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cryptui.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\cscript.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\d3d10warp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\davclnt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dciman32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\devenum.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\devobj.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\devrtl.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dfshim.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dimsroam.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dnsapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dnscacheugc.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dpapiprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\dpnet.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\drmmgrtn.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\drmv2clt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\drvinst.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\DWrite.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\els.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\EncDec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\evr.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ExplorerFrame.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\fixmapi.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\fontsub.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\FWPUCLNT.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\gdi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\imagehlp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\IMJP10K.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\inetcomm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\InkEd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\instnm.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\kerberos.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\kernel32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\KernelBase.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ksproxy.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ksuser.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\lpk.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mapistub.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfc100fra.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfc42.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfc42u.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mferror.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfplat.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfpmp.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfps.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mfvdsp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MFWMAAEC.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MP3DMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MP43DECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MP4SDECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mpg2splt.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MPG4DECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msaudite.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mscorier.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mscories.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msctf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msiexec.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msihnd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msimsg.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msmpeg2adec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\MSMPEG2ENC.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msmpeg2vdec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msnetobj.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msobjs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msscp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mstsc.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\mstscax.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msv1_0.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msvcrt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msxml3.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msxml3r.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msxml6.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\msxml6r.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ncrypt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ncsi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\netapi32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\nlaapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\notepad.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\nshwfp.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ntdll.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ntkrnlpa.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ntoskrnl.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ntvdm64.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\objsel.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\odbccp32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\odbccr32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\odbccu32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\odbcjt32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\odbctrac.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ole32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\oleacc.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\oleaut32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\osk.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\packager.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\pku2u.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\poqexec.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\psisdecd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\psisrndr.ax:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\qasf.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\qdvd.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\qedit.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\quartz.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\rastls.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\rdpcore.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\RESAMPLEDMO.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\rpcrt4.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\rrinstaller.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\sbe.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\scesrv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\schannel.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\scrrun.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\secur32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\setup16.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\shdocvw.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\shell32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\srclient.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\sspicli.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\synceng.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\tsgqec.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\TSpkg.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\ubpm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\user.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\user32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\usp10.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\vcomp100.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\VIDRESZR.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wdigest.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WebClnt.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\webio.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wer.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\win32spl.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wincredprovider.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WindowsCodecs.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\winsta.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wintrust.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WISPTIS.EXE:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMADMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMADMOE.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wmdrmsdk.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMPhoto.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMSPDMOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMSPDMOE.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMVDECOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMVENCOD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMVSDECD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMVSENCD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\WMVXENCD.DLL:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wow32.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wscript.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wshom.ocx:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wshrm.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wuapi.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wuapp.exe:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wudriver.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wups.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\SysWOW64\wuwebv.dll:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\afd.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\appid.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\bowser.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\cng.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\drmk.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\drmkaud.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\dxgkrnl.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\dxgmms1.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\FWPKCLNT.SYS:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\hidclass.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\hidparse.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\http.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\ksecdd.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\ksecpkg.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\mountmgr.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\mrxdav.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\mrxsmb.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\mrxsmb10.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\mrxsmb20.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\ndis.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\netio.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\ntfs.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\partmgr.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\PEAuth.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\portcls.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\rdpwd.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\rmcast.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\srv.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\srv2.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\srvnet.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\tcpip.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\tdtcp.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\tdx.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\tssecsrv.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usb8023.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbccgp.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbcir.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbd.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbehci.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbhub.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbport.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\usbvideo.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\Wdf01000.sys:$CmdTcID
    AlternateDataStreams: C:\Windows\system32\Drivers\WdfLdr.sys:$CmdTcID
    AlternateDataStreams: C:\Users\JANA\Desktop\FRST64 (1).exe:$CmdTcID
    AlternateDataStreams: C:\Users\JANA\Desktop\FRST64 (1).exe:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\FRST64.exe:$CmdTcID
    AlternateDataStreams: C:\Users\JANA\Downloads\FRST64.exe:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1905.JPG:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1910.JPG:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1911.JPG:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1913.JPG:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1914.JPG:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\Windows6.1-KB2742599-ia64.msu:$CmdZnID
    AlternateDataStreams: C:\Users\JANA\Downloads\Windows6.1-KB2742599-x86.msu:$CmdZnID
    FirewallRules: [RemoteAssistance-PnrpSvc-UDP-OUT-Active] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-SSDPSrv-Out-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-SSDPSrv-In-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-SSDPSrv-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-SSDPSrv-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-Out-TCP-Active] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [RemoteAssistance-In-TCP-EdgeScope-Active] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [RemoteAssistance-DCOM-In-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-RAServer-Out-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\raserver.exe
    FirewallRules: [RemoteAssistance-RAServer-In-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\raserver.exe
    FirewallRules: [RemoteAssistance-PnrpSvc-UDP-OUT] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-PnrpSvc-UDP-In-EdgeScope] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [RemoteAssistance-Out-TCP] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [RemoteAssistance-In-TCP-EdgeScope] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [RemoteFwAdmin-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteFwAdmin-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteFwAdmin-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteFwAdmin-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteEventLogSvc-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteEventLogSvc-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteEventLogSvc-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteEventLogSvc-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MSDTC-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MSDTC-KTMRM-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MSDTC-Out-TCP] => (Block) %SystemRoot%\system32\msdtc.exe
    FirewallRules: [MSDTC-In-TCP] => (Block) %SystemRoot%\system32\msdtc.exe
    FirewallRules: [MSDTC-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MSDTC-KTMRM-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MSDTC-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\msdtc.exe
    FirewallRules: [MSDTC-In-TCP-NoScope] => (Block) %SystemRoot%\system32\msdtc.exe
    FirewallRules: [RemoteTask-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteTask-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteTask-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteTask-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteSvcAdmin-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteSvcAdmin-In-TCP] => (Block) %SystemRoot%\system32\services.exe
    FirewallRules: [RemoteSvcAdmin-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RemoteSvcAdmin-In-TCP-NoScope] => (Block) %SystemRoot%\system32\services.exe
    FirewallRules: [NETDIS-FDRESPUB-WSD-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDRESPUB-WSD-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-LLMNR-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-LLMNR-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDPHOST-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDPHOST-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-UPnP-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-SSDPSrv-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-SSDPSrv-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDRESPUB-WSD-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDRESPUB-WSD-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-LLMNR-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-LLMNR-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDPHOST-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-FDPHOST-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-UPnP-Out-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-SSDPSrv-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [NETDIS-SSDPSrv-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-ASYNC-In-TCP] => (Block) %systemroot%\system32\wbem\unsecapp.exe
    FirewallRules: [WMI-WINMGMT-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-WINMGMT-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-ASYNC-In-TCP-NoScope] => (Block) %systemroot%\system32\wbem\unsecapp.exe
    FirewallRules: [WMI-WINMGMT-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-WINMGMT-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WMI-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MsiScsi-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MsiScsi-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MsiScsi-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MsiScsi-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [PerfLogsAlerts-DCOM-In-TCP-NoScope] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [PerfLogsAlerts-PLASrv-In-TCP-NoScope] => (Block) %systemroot%\system32\plasrv.exe
    FirewallRules: [PerfLogsAlerts-DCOM-In-TCP] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [PerfLogsAlerts-PLASrv-In-TCP] => (Block) %systemroot%\system32\plasrv.exe
    FirewallRules: [CoreNet-GP-LSASS-Out-TCP] => (Block) %SystemRoot%\system32\lsass.exe
    FirewallRules: [CoreNet-DNS-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-GP-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-IPHTTPS-Out] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-Teredo-Out] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-Teredo-In] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-DHCPV6-Out] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-DHCPV6-In] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-DHCP-Out] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [CoreNet-DHCP-In] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [FPS-LLMNR-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [FPS-LLMNR-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [FPS-SpoolSvc-In-TCP] => (Block) %SystemRoot%\system32\spoolsv.exe
    FirewallRules: [FPS-SpoolSvc-In-TCP-NoScope] => (Block) %SystemRoot%\system32\spoolsv.exe
    FirewallRules: [Collab-PNRP-SSDPSrv-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [Collab-PNRP-SSDPSrv-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [Collab-PNRP-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [Collab-PNRP-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [Collab-P2PHost-WSD-Out-UDP] => (Block) %SystemRoot%\system32\p2phost.exe
    FirewallRules: [Collab-P2PHost-WSD-In-UDP] => (Block) %SystemRoot%\system32\p2phost.exe
    FirewallRules: [Collab-P2PHost-Out-TCP] => (Block) %SystemRoot%\system32\p2phost.exe
    FirewallRules: [Collab-P2PHost-In-TCP] => (Block) %SystemRoot%\system32\p2phost.exe
    FirewallRules: [RVM-RPCSS-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RVM-VDSLDR-In-TCP] => (Block) %SystemRoot%\system32\vdsldr.exe
    FirewallRules: [RVM-VDS-In-TCP] => (Block) %SystemRoot%\system32\vds.exe
    FirewallRules: [RVM-RPCSS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [RVM-VDSLDR-In-TCP-NoScope] => (Block) %SystemRoot%\system32\vdsldr.exe
    FirewallRules: [RVM-VDS-In-TCP-NoScope] => (Block) %SystemRoot%\system32\vds.exe
    FirewallRules: [PNRPMNRS-SSDPSrv-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [PNRPMNRS-SSDPSrv-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [PNRPMNRS-PNRP-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [PNRPMNRS-PNRP-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [SNMPTRAP-In-UDP-NoScope] => (Block) %SystemRoot%\system32\snmptrap.exe
    FirewallRules: [SNMPTRAP-In-UDP] => (Block) %SystemRoot%\system32\snmptrap.exe
    FirewallRules: [NetPres-In-TCP-NoScope] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [NetPres-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [NetPres-WSD-In-UDP] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [NetPres-WSD-Out-UDP] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [NetPres-In-TCP] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [NetPres-Out-TCP] => (Block) %SystemRoot%\system32\netproj.exe
    FirewallRules: [WPDMTP-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\wudfhost.exe
    FirewallRules: [WPDMTP-Out-TCP] => (Block) %SystemRoot%\system32\wudfhost.exe
    FirewallRules: [WPDMTP-SSDPSrv-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WPDMTP-SSDPSrv-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WPDMTP-UPnPHost-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [WPDMTP-UPnP-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-SSDPSrv-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-SSDPSrv-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-In-TCP] => (Block) %SystemRoot%\ehome\ehshell.exe
    FirewallRules: [MCX-Out-TCP] => (Block) %SystemRoot%\ehome\ehshell.exe
    FirewallRules: [MCX-QWave-In-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-QWave-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-QWave-In-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-QWave-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-In-UDP] => (Block) %SystemRoot%\ehome\ehshell.exe
    FirewallRules: [MCX-Out-UDP] => (Block) %SystemRoot%\ehome\ehshell.exe
    FirewallRules: [MCX-MCX2SVC-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-Prov-Out-TCP] => (Block) %SystemRoot%\ehome\mcx2prov.exe
    FirewallRules: [MCX-PlayTo-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-McrMgr-Out-TCP] => (Block) %SystemRoot%\ehome\mcrmgr.exe
    FirewallRules: [MCX-PlayTo-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [MCX-FDPHost-Out-TCP] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{A1773A56-136F-4E8E-8F74-17A0F0D2F15B}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{40357F6E-BA13-45A0-AAAD-EF9AEC9292D3}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{8BC325C0-6B78-4A9C-98CB-F40ED9999B8A}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{E17EBD67-949B-460D-9CD9-139933C03D4D}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{34317ED4-4072-49D9-8247-87E365A01356}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{B80B4A88-CC1E-4BF3-8F66-3F5D84B8035C}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{C035AC00-6634-43A7-9F9B-2B9C3119C250}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{77D1EABC-8C63-4DA3-AC17-78E8F7302706}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{ED448381-E0D6-478C-8F3B-DA2A646DC02F}] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [{69B55D66-1668-4A1D-B232-BEEC7B58DCF3}] => (Block) %SystemRoot%\system32\msra.exe
    FirewallRules: [{8173A40F-BC4E-4466-B6A5-BDFE87BF4718}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{1CACD29B-D1C5-4419-95CD-4AF6333093B8}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{E675DC64-698F-40C7-99AB-FE091DC05FE7}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{83759109-0599-4F8D-A2E4-D07555BC7064}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{1F7CEADE-8E9F-4E23-B458-5740ADD2295B}] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [{085D4415-B149-4AA1-8CE5-5A2D77656D5E}] => (Block) %systemroot%\system32\svchost.exe
    FirewallRules: [{CCAB2298-75ED-4F31-91F7-F5995F751E20}] => (Block) %SystemRoot%\system32\svchost.exe
    FirewallRules: [{EB335DF9-167A-4014-B4C7-C24475DE6382}] => (Block) %SystemRoot%\system32\vdsldr.exe
    FirewallRules: [{CC087F8F-3CEA-4695-BF81-33AEE8757768}] => (Block) c:\Program Files (x86)\Corel\CorelDRAW Home & Student Suite X7\Programs\DrawHome.exe
    FirewallRules: [{55F86580-8DFD-4B32-A4B9-5475576EE010}] => (Block) c:\Program Files (x86)\Corel\CorelDRAW Home & Student Suite X7\Programs\PPHome.exe
    
    Hosts:
    EmptyTemp:
    CMD: ipconfig /flushdns
  • Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  • Right click on FRST64.exe and select Run as administrator.
  • Press the Fix button one time only and wait.
  • When FRST finishes you will be prompted to reboot your computer. Click OK.
  • Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.
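Before pressing Fix it helps to know what a fixlist of this size actually does. As an added example (not code from the thread, from FRST or from its author), here is a small Python reviewer for the two line types that make up most of the list above: it parses `AlternateDataStreams:` and `FirewallRules:` entries, counts what would be removed, and flags the entries a helper would want to look at by hand. The sample lines are constructed in the same format as the fixlist (a handful of representative paths plus one made-up stream name), and the `KNOWN_VENDOR_STREAMS` set is an assumption of this example: `$CmdTcID` and `$CmdZnID` are stream names written by Comodo security products, so they are noise to be cleaned up rather than evidence of malware, which is why anything else gets flagged for review.

```python
# Added example: a reviewer for FRST-style fixlist lines. Not FRST's own code.
import re
from collections import Counter

# Assumption of this example: streams FRST commonly lists on otherwise clean
# machines. $CmdTcID / $CmdZnID are written by Comodo products, not by malware.
KNOWN_VENDOR_STREAMS = {"$CmdTcID", "$CmdZnID"}

# Constructed sample in the fixlist's own line format. The ":$hidden" entry is
# made up to show how an unfamiliar stream name is surfaced.
SAMPLE_FIXLIST = r"""
AlternateDataStreams: C:\Windows\SysWOW64\ntdll.dll:$CmdTcID
AlternateDataStreams: C:\Windows\system32\Drivers\tcpip.sys:$CmdTcID
AlternateDataStreams: C:\Users\JANA\Downloads\FRST64.exe:$CmdTcID
AlternateDataStreams: C:\Users\JANA\Downloads\FRST64.exe:$CmdZnID
AlternateDataStreams: C:\Users\JANA\Downloads\IMG_1905.JPG:$CmdZnID
AlternateDataStreams: C:\Users\JANA\Downloads\sample.exe:$hidden
FirewallRules: [RemoteAssistance-Out-TCP] => (Block) %SystemRoot%\system32\msra.exe
FirewallRules: [CoreNet-DNS-Out-UDP] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{A1773A56-136F-4E8E-8F74-17A0F0D2F15B}] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [{CC087F8F-3CEA-4695-BF81-33AEE8757768}] => (Block) c:\Program Files (x86)\Corel\CorelDRAW Home & Student Suite X7\Programs\DrawHome.exe
Hosts:
EmptyTemp:
CMD: ipconfig /flushdns
"""

ADS_PREFIX = "AlternateDataStreams:"
FW_RULE = re.compile(
    r"^FirewallRules:\s*\[(?P<name>[^\]]+)\]\s*=>\s*\((?P<action>\w+)\)\s*(?P<program>.+)$"
)
# Predefined Windows rules have readable names; rules created through the API
# or the firewall UI are typically stored under a GUID name like the ones above.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


def parse_fixlist(text):
    """Split fixlist lines into ADS entries, firewall rules and other directives."""
    ads, rules, directives = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(ADS_PREFIX):
            # The stream name follows the LAST colon; the drive-letter colon comes first.
            path, _, stream = line[len(ADS_PREFIX):].strip().rpartition(":")
            ads.append((path, stream))
            continue
        m = FW_RULE.match(line)
        if m:
            rules.append((m["name"], m["action"], m["program"]))
            continue
        directives.append(line)
    return ads, rules, directives


def review(text):
    """Summarise what the fix would remove and flag what deserves a manual look."""
    ads, rules, directives = parse_fixlist(text)
    by_stream = Counter(stream for _, stream in ads)
    unexpected = [f"{p}:{s}" for p, s in ads if s not in KNOWN_VENDOR_STREAMS]
    # Block rules aimed at Windows' own binaries (anything under %SystemRoot%)
    # are the ones that explain "no DNS, no updates" style symptoms.
    system_blocks = [
        name for name, action, prog in rules
        if action.lower() == "block" and prog.lower().startswith("%systemroot%")
    ]
    guid_rules = [name for name, _, _ in rules if GUID_NAME.match(name)]
    return {
        "ads_total": len(ads),
        "ads_by_stream": dict(by_stream),
        "ads_unexpected": unexpected,
        "rules_total": len(rules),
        "rules_blocking_system_binaries": system_blocks,
        "rules_with_guid_names": guid_rules,
        "directives": directives,
    }


if __name__ == "__main__":
    report = review(SAMPLE_FIXLIST)
    print(f"ADS entries: {report['ads_total']} {report['ads_by_stream']}")
    for entry in report["ads_unexpected"]:
        print("  review by hand:", entry)
    print(f"Firewall rules: {report['rules_total']}, "
          f"{len(report['rules_blocking_system_binaries'])} block Windows binaries, "
          f"{len(report['rules_with_guid_names'])} have GUID names")
    print("Other directives:", report["directives"])
```

Run it against a real fixlist by passing the file's contents to `review()`; on the list above it would report a few hundred vendor streams and nothing unexpected, and over a hundred block rules aimed at `svchost.exe`, `lsass.exe` and other Windows binaries, which is a clearer picture of the machine's state than scrolling the raw list.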

Step four...

TDSSKiller - Scan Only
  • Please download TDSSKiller by Kaspersky Lab and save it to your Desktop.
  • Close all open programs and windows so that you are at your Desktop.
  • Right click on tdsskiller.exe and select Run as administrator.
    • If you are not able to run it then right click tdsskiller.exe and select Rename.
    • Rename it to a random string of letters with a .com extension (for example eajkxiga.com).
  • If UAC prompts you to allow it to make changes to your computer please click Yes.
  • When the End User License Agreement opens click Accept.
  • Click Accept again for the KSN Statement.
  • Click on Change parameters and check Verify file digital signatures.
    IMPORTANT: ensure that Detect TDLFS file system remains UNCHECKED.
  • Click on OK to close the Settings window.
  • Click on Start Scan. Do not use your computer during the scan.
  • If malicious objects are found change the action from Cure to Skip.
    DO NOT attempt to Cure anything at this point.
  • Once the scan is finished click on Report in the top right corner. Copy and paste the contents of that log in your next reply.
    The log can also be found at C:\TDSSKiller.version_dd.mm.yyyy_hh.mm.ss_log.txt.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Please confirm that you read and understood my warnings
  • Fixlog.txt
  • TDSSKiller.version_dd.mm.yyyy_hh.mm.ss_log.txt
  • Are there any changes in computer behavior?
capnkrunch
MRU Graduate
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: All PC's infected, no antivirus/antimalware helps

Unread postby pgmigg » February 4th, 2016, 10:32 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
pgmigg
MRU Teacher
Posts: 3178
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00