Trojan win32/Anaki.A!plock or SAPE.Heur.3185 unable to remove


  • This topic is locked
16 replies to this topic

#1 Redders1970

Redders1970

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:23 AM

Posted 13 January 2015 - 05:32 AM

Hi,

I hope you can help. A few months ago Microsoft Security Essentials (MSE) detected and attempted to remove a trojan called win32/Anaki.A!plock. MSE would display an information window which said it had successfully removed the threat and no further action was required, only for it to reappear again within a minute. See a screenshot of the MSE history tab attached. The information that Microsoft has about win32/Anaki.A!plock is very vague/generic and I cannot find any more information on it or whether other vendors have it listed under another name. After trying many different scanners with no luck I discovered that in the same folder as the infected file was another suspicious looking file (see attached). I tried to remove that file but Windows would not let me because it was "open by the WMI Driver Service". I was able to remove the suspect file by starting the PC with a portable Linux OS. I restarted the PC and the trojan was gone. A month passed with no infection and then it reappeared. I removed it again using the same method. This time it was only a couple of weeks before the trojan reappeared. I did it again and this time it was less than a week before it appeared again.

I decided to remove MSE and the offending file, then install a trial version of Norton AV. I was hoping it would detect the same infection and remove it fully. Also, Norton may have more information on it. Four days after the install, Norton detected it as SAPE.Heur.3185. The behaviour of Norton is the same as MSE in that it says that it has removed the threat and no further action is required, only for it to pop up again almost immediately. Also, Norton did not have any further information on the trojan.

Any assistance would be greatly appreciated.

Thanks


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:23 PM

Posted 13 January 2015 - 10:46 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me reviewing your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 
  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please attach this file to your next reply.
 


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
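Added example (not part of Marius's post, and not code from FRST or any of the tools above): the FRST.txt the instructions ask for is plain text, and two things a helper looks for first when reading it are executables FRST could not attribute to a publisher (printed as empty parentheses `()`) and entries FRST itself tags with `<==== ATTENTION`. The Python script below reads a log in that shape, tracks which section each line belongs to, and lists those entries so the reviewer can start there. The sample log embedded in it is constructed for this example; vendor names, SIDs and paths are made up, only the line shapes follow the FRST format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of an FRST.txt "Processes (Whitelisted)" and
# "Registry (Whitelisted)" section. Vendor names, SIDs and paths are made up for
# this example; they are not taken from a real scan.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\svchost.exe
() C:\Program Files (x86)\ExampleRemote\files\svcac.exe
(Example Publisher Ltd) C:\Program Files (x86)\Example\app.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [nwiz] => C:\Program Files\Example\nwiz.exe [1694016 2011-09-08] ()
HKLM-x32\...\Run: [Updater] => C:\Program Files (x86)\Example\Updater.exe [59720 2013-04-21] (Example Publisher Ltd)
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1111111111-2222222222-3333333333-1003\...\Run: [RetailM] => C:\Windows\RetailM.cmd [31 2013-06-28] ()
HKLM\...\Policies\Explorer: [NoCDBurning] 1
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")              # "==== Name ===="
PROCESS_RE = re.compile(r"^\(([^()]*)\) (.+)$")         # "(Publisher) path"
# Registry-style lines end with "(Publisher)" and optionally FRST's marker.
TRAILING_PUBLISHER_RE = re.compile(r"\(([^()]*)\)(?:\s*<=+ ATTENTION)?\s*$")
ATTENTION_RE = re.compile(r"<=+ ATTENTION")            # "<====" and "<=======" variants


@dataclass(frozen=True)
class Finding:
    section: str   # FRST section the line came from
    reason: str    # "attention" (FRST's own marker) or "unsigned" (empty publisher field)
    line: str      # the original log line


def publisher_of(section, line):
    """Return the publisher FRST printed for this line, or None when the line
    carries no publisher field (section notes, policy values, MountPoints2)."""
    if section.startswith("Processes"):
        m = PROCESS_RE.match(line)
    else:
        m = TRAILING_PUBLISHER_RE.search(line)
    return m.group(1).strip() if m else None


def triage_frst(text):
    """Collect the lines a reviewer reads first: ATTENTION-tagged entries and
    entries whose publisher field is empty."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue  # FRST header lines before the first section
        if ATTENTION_RE.search(line):
            findings.append(Finding(section, "attention", line))
        if publisher_of(section, line) == "":
            findings.append(Finding(section, "unsigned", line))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. {"unsigned": 3, "attention": 1}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_FRST):
        print(f"[{f.reason}] {f.section}: {f.line}")
```

An empty publisher field only means FRST found no signer it could verify; plenty of legitimate vendor utilities are unsigned, so this output is a reading list for the helper, not a fix list, which is the same reason the instructions above say not to act on anything before the logs have been reviewed.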

#3 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:23 AM

Posted 14 January 2015 - 06:27 AM

Hi Marius,

 

Thanks for your quick reply. The logs that you requested are below.

 

I could not get FRST to download correctly. It would download but the file would disappear. I tried it with IE and Firefox several times but it still didn't work. I had to download it on another PC and then copy it across to get it to run.

 

FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015 02
Ran by NetAdmin (administrator) on OFPC-MYOB on 14-01-2015 19:50:35
Running from C:\Users\NetAdmin\Desktop
Loaded Profiles: NetAdmin & POS3 & GS1 & CM2 (Available profiles: NetAdmin & POS1 & POS2 & POS3 & YRDMGR & SREP & GS1 & GS2 & GS3 & GS4 & GS5 & CM1 & CM2 & CM3 & CM4 & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Terminal Service Plus) C:\Program Files (x86)\RDPLUS\UserDesktop\files\svcmain.exe
(Incentives Pro) C:\Windows\System32\usbredirectortssrv.exe
() C:\Program Files (x86)\RDPLUS\UserDesktop\files\svcac.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(InterVideo) C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
() C:\wsession\logonsession.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTE.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\WarningDialog.exe
(MYOB Australia Pty Ltd) E:\RetailM\POS3\RetailM\RetailManager.exe
(MYOB Australia Pty Ltd) E:\RetailM\POS3\RetailM\RMHWSvr.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(MYOB Australia Pty Ltd) E:\RetailM\GS1\RetailM\RetailManager.exe
(MYOB Australia Pty Ltd) E:\RetailM\GS1\RetailM\RMHWSvr.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\nav.exe
() C:\wsession\logonsession.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Symantec Corporation) C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
() C:\wsession\logonsession.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [1694016 2011-09-08] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10143264 2010-04-01] (Realtek Semiconductor)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-21] (Hewlett-Packard)
HKLM\...\Run: [walogon] => C:\Program Files (x86)\RDPLUS\UserDesktop\files\logonconsole.exe [848528 2013-05-10] ()
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [518424 2013-07-18] (Acronis)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [112408 2011-04-15] (Intel Corporation)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2629632 2011-10-07] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] => C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46368 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [29984 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort12reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [328992 2010-02-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139264 2011-04-20] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [7805936 2014-02-04] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [1102192 2013-10-10] (Acronis International GmbH)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 1
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\Run: [RetailM] => C:\Windows\RetailM.cmd [31 2013-06-28] ()
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\MountPoints2: {c24c7bde-230c-11e4-90a3-24be05280700} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\MountPoints2: {c88c9b2c-d18d-11e2-b9ae-806e6f6e6963} - D:\start.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\Run: [RetailM] => C:\Windows\RetailM.cmd [31 2013-06-28] ()
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\MountPoints2: F - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\MountPoints2: {b0d0f622-556f-11e4-a785-24be05280700} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\MountPoints2: {c24c7bde-230c-11e4-90a3-24be05280700} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\...\MountPoints2: {c88c9b2c-d18d-11e2-b9ae-806e6f6e6963} - D:\start.exe
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-18\...\Policies\Explorer: [NoFavoritesMenu] 1
Startup: C:\Users\CM1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive for Business.lnk
ShortcutTarget: OneDrive for Business.lnk -> C:\Program Files\Microsoft Office 15\root\office15\groove.exe (Microsoft Corporation)
Startup: C:\Users\GS1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\GS2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\GS3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\GS4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\GS5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive for Business.lnk
ShortcutTarget: OneDrive for Business.lnk -> C:\Program Files\Microsoft Office 15\root\office15\groove.exe (Microsoft Corporation)
Startup: C:\Users\GS5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\NetAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\POS1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MYOB RetailManager v12.lnk
ShortcutTarget: MYOB RetailManager v12.lnk -> E:\RetailM\POS1\RetailM\RetailManager.exe (MYOB Australia Pty Ltd)
Startup: C:\Users\POS1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\POS2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MYOB RetailManager v12 - Copy.lnk
ShortcutTarget: MYOB RetailManager v12 - Copy.lnk -> E:\RetailM\POS1\RetailM\RetailManager.exe (MYOB Australia Pty Ltd)
Startup: C:\Users\POS2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\POS3\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\SREP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MYOB RetailManager v12 (2).lnk
ShortcutTarget: MYOB RetailManager v12 (2).lnk -> E:\RetailM\POS1\RetailM\RetailManager.exe (MYOB Australia Pty Ltd)
Startup: C:\Users\SREP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\YRDMGR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll ()
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.jp.msn.com/HPALL/53
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.jp.msn.com/HPALL/53
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1000 -> DefaultScope {4314F3B3-17FC-47F9-8EF2-112D6D254026} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1000 -> {4314F3B3-17FC-47F9-8EF2-112D6D254026} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1006 -> DefaultScope {8091C25F-88C8-449E-BAF8-D31DC89C35A7} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1006 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1006 -> {8091C25F-88C8-449E-BAF8-D31DC89C35A7} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1012 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1012 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3777378854-3807207529-1244416889-1012 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.6.0.27\coIEPlg.dll (Symantec Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> c:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\coIEPlg.dll (Symantec Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.6.0.27\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-3777378854-3807207529-1244416889-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} http://192.168.20.6/RSVideoOcx.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\..\Interfaces\{4AB62830-B6A2-4525-9D3E-FFFE9798F90D}: [NameServer] 192.168.20.254

FireFox:
========
FF ProfilePath: C:\Users\NetAdmin\AppData\Roaming\Mozilla\Firefox\Profiles\zovvwc9k.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-11-09]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn
FF Extension: Norton Identity Safe Toolbar - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn [2015-01-12]

Chrome: 
=======
CHR Profile: C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-03]
CHR Extension: (Google Drive) - C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-03]
CHR Extension: (YouTube) - C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-03]
CHR Extension: (Google Search) - C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-03]
CHR Extension: (Gmail) - C:\Users\NetAdmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-03]
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\Exts\Chrome.crx [2015-01-07]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
R2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\NST.exe [129424 2013-10-06] (Symantec Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-09] (Nuance Communications, Inc.)
R2 TerminalService; C:\Program Files (x86)\RDPLUS\UserDesktop\files\svcmain.exe [262248 2013-05-03] (Terminal Service Plus)
R2 usbredirectortssrv; C:\Windows\system32\usbredirectortssrv.exe [320000 2013-06-13] (Incentives Pro) [File not signed]
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
R2 FastUserSwitchingCompatibility; C:\Windows\Temp\ntshrui.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.1.0.18\Definitions\BASHDefs\20141209.001\BHDrvx64.sys [1587416 2014-12-09] (Symantec Corporation)
R1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1506000.020\ccSetx64.sys [162392 2013-09-26] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE06000.01B\ccSetx64.sys [162392 2013-09-28] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2015-01-07] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2015-01-07] (Symantec Corporation)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-08] ()
R1 IDSVia64; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.1.0.18\Definitions\IPSDefs\20150108.002\IDSvia64.sys [668888 2015-01-10] (Symantec Corporation)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM52x64.sys [339728 2010-08-14] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP52X64.sys [65808 2010-08-14] (Intel(R) Corporation)
S3 ltmodem5; C:\Windows\System32\DRIVERS\ltmdm64.sys [543744 2009-06-11] (Agere Systems)
R3 NAVENG; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.1.0.18\Definitions\VirusDefs\20150113.020\ENG64.SYS [129752 2015-01-07] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton AntiVirus\NortonData\21.1.0.18\Definitions\VirusDefs\20150113.020\EX64.SYS [2137304 2015-01-07] (Symantec Corporation)
R1 SMR430; C:\Windows\System32\drivers\SMR430.SYS [108216 2015-01-12] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1506000.020\SRTSP64.SYS [876248 2014-08-26] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1506000.020\SRTSPX64.SYS [37592 2014-08-26] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NAVx64\1506000.020\SYMDS64.SYS [493656 2013-09-10] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NAVx64\1506000.020\SYMEFA64.SYS [1148120 2014-08-26] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2015-01-07] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NAVx64\1506000.020\Ironx64.SYS [266968 2014-08-07] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1506000.020\SYMNETS.SYS [593112 2014-08-26] (Symantec Corporation)
R0 tib; C:\Windows\System32\DRIVERS\tib.sys [1120032 2014-04-16] (Acronis International GmbH)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [198432 2014-04-16] (Acronis International GmbH)
R3 trdpusbdbus; C:\Windows\System32\DRIVERS\trdpusbdbus.sys [56976 2013-06-13] (Incentives Pro)
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [117024 2014-04-16] (Acronis International GmbH)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-14 19:50 - 2015-01-14 19:51 - 00037347 _____ () C:\Users\NetAdmin\Desktop\FRST.txt
2015-01-14 19:50 - 2015-01-14 19:50 - 00000000 ____D () C:\FRST
2015-01-14 19:45 - 2015-01-14 19:40 - 02124288 _____ (Farbar) C:\Users\NetAdmin\Desktop\FRST64.exe
2015-01-14 19:37 - 2015-01-14 19:37 - 05013680 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-01-14 18:23 - 2015-01-14 18:23 - 04166770 _____ () C:\Users\NetAdmin\Downloads\tdsskiller.zip
2015-01-14 18:18 - 2015-01-14 18:21 - 00380416 _____ () C:\Users\NetAdmin\Downloads\e8mx3bt3.exe
2015-01-14 18:12 - 2015-01-14 18:12 - 00000000 ____D () C:\Users\NetAdmin\AppData\Roaming\RDP-Tcp#1
2015-01-14 17:11 - 2015-01-14 17:11 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\RDP-Tcp#0
2015-01-14 16:16 - 2015-01-14 16:16 - 00000000 ____D () C:\Users\GS5\AppData\Roaming\RDP-Tcp#4
2015-01-14 14:41 - 2015-01-14 14:41 - 00000000 ____D () C:\Users\CM2\AppData\Roaming\RDP-Tcp#6
2015-01-14 09:58 - 2015-01-14 09:58 - 00000000 ____D () C:\Users\CM2\AppData\Roaming\RDP-Tcp#7
2015-01-14 08:40 - 2015-01-14 08:40 - 00000000 ____D () C:\Users\GS3\AppData\Roaming\RDP-Tcp#8
2015-01-14 08:12 - 2015-01-14 08:12 - 00000000 ____D () C:\Users\CM1\AppData\Roaming\RDP-Tcp#6
2015-01-14 08:08 - 2015-01-14 08:08 - 00000000 ____D () C:\Users\SREP\AppData\Roaming\RDP-Tcp#5
2015-01-14 08:01 - 2015-01-14 08:01 - 00000000 ____D () C:\Users\POS3\AppData\Roaming\RDP-Tcp#3
2015-01-14 08:00 - 2015-01-14 08:00 - 00000000 ____D () C:\Users\GS2\AppData\Roaming\RDP-Tcp#2
2015-01-14 06:53 - 2015-01-14 06:53 - 00000000 ____D () C:\Users\POS1\AppData\Roaming\RDP-Tcp#1
2015-01-14 06:04 - 2015-01-14 06:04 - 00000000 ____D () C:\Users\POS2\AppData\Roaming\RDP-Tcp#0
2015-01-13 19:35 - 2015-01-13 19:35 - 00024030 _____ () C:\Users\NetAdmin\Desktop\dds.txt
2015-01-13 19:35 - 2015-01-13 19:35 - 00014049 _____ () C:\Users\NetAdmin\Desktop\attach.txt
2015-01-13 17:45 - 2015-01-13 17:45 - 00000000 ____D () C:\Users\CM2\AppData\Roaming\RDP-Tcp#0
2015-01-13 17:22 - 2015-01-13 17:22 - 00000000 ____D () C:\Users\CM2\AppData\Roaming\RDP-Tcp#1
2015-01-13 17:19 - 2015-01-13 17:19 - 00000000 ____D () C:\Users\GS1\AppData\Roaming\RDP-Tcp#0
2015-01-13 15:00 - 2015-01-13 14:00 - 00688992 ____R (Swearware) C:\Users\NetAdmin\Downloads\dds.com
2015-01-13 14:52 - 2015-01-13 14:52 - 00000000 ____D () C:\Users\NetAdmin\AppData\Roaming\RDP-Tcp#5
2015-01-13 13:52 - 2015-01-13 13:52 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\RDP-Tcp#5
2015-01-13 10:30 - 2015-01-13 10:30 - 00000000 ____D () C:\Users\GS4\AppData\Roaming\RDP-Tcp#9
2015-01-13 09:58 - 2015-01-13 09:58 - 00000000 ____D () C:\Users\POS3\AppData\Roaming\RDP-Tcp#8
2015-01-13 08:45 - 2015-01-13 08:45 - 00000000 ____D () C:\Users\YRDMGR\AppData\Roaming\RDP-Tcp#9
2015-01-13 08:44 - 2015-01-13 08:44 - 00000000 ____D () C:\Users\NetAdmin\AppData\Roaming\RDP-Tcp#8
2015-01-13 08:27 - 2015-01-13 08:27 - 00000000 ____D () C:\Users\GS3\AppData\Roaming\RDP-Tcp#7
2015-01-13 08:16 - 2015-01-13 08:16 - 00000000 ____D () C:\Users\CM2\AppData\Roaming\RDP-Tcp#5
2015-01-13 08:13 - 2015-01-13 08:13 - 00000000 ____D () C:\Users\CM1\AppData\Roaming\RDP-Tcp#4
2015-01-13 08:06 - 2015-01-13 08:06 - 00000000 ____D () C:\Users\GS5\AppData\Roaming\RDP-Tcp#6
2015-01-13 08:05 - 2015-01-13 08:05 - 00000000 ____D () C:\Users\SREP\AppData\Roaming\RDP-Tcp#3
2015-01-12 21:23 - 2015-01-12 21:23 - 00000000 ____D () C:\Users\GS4\AppData\Roaming\RDP-Tcp#0
2015-01-12 20:29 - 2015-01-14 10:00 - 00000000 ____D () C:\Users\CM2\AppData\Local\CrashDumps
2015-01-12 20:26 - 2015-01-12 20:27 - 00108216 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SMR430.SYS
2015-01-12 20:26 - 2015-01-12 20:27 - 00000020 _____ () C:\Windows\system32\Drivers\SMR430.dat
2015-01-12 20:26 - 2015-01-12 20:26 - 00000000 ____D () C:\Users\NetAdmin\AppData\Roaming\RDP-Tcp#0
2015-01-12 19:55 - 2015-01-12 20:27 - 00000000 ____D () C:\Users\NetAdmin\AppData\Local\NPE
2015-01-12 19:51 - 2015-01-12 19:51 - 03060320 ____N (Symantec Corporation) C:\Users\NetAdmin\Downloads\NPE.exe
2015-01-09 15:54 - 2015-01-09 16:00 - 00000000 ____D () C:\Users\GS1\AppData\Local\CrashDumps
2015-01-09 10:16 - 2015-01-12 21:36 - 00000000 ____D () C:\Users\GS4\AppData\Local\CrashDumps
2015-01-09 08:40 - 2015-01-09 08:40 - 00000000 ____D () C:\Users\GS3\AppData\Local\CrashDumps
2015-01-08 08:35 - 2015-01-12 10:11 - 00000000 ____D () C:\Users\CM1\AppData\Local\CrashDumps
2015-01-08 08:31 - 2015-01-13 14:58 - 00000000 ____D () C:\Users\GS2\AppData\Local\CrashDumps
2015-01-07 22:49 - 2015-01-07 22:49 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Identity Safe
2015-01-07 19:41 - 2015-01-07 19:41 - 00000000 ____D () C:\Windows\System32\Tasks\Norton AntiVirus
2015-01-07 18:49 - 2015-01-12 19:57 - 00000000 ____D () C:\ProgramData\Norton
2015-01-07 18:49 - 2015-01-08 17:38 - 00000000 ____D () C:\Windows\system32\Drivers\NSTx64
2015-01-07 18:49 - 2015-01-07 19:40 - 00003218 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2015-01-07 18:49 - 2015-01-07 19:40 - 00002399 _____ () C:\Users\Public\Desktop\Norton AntiVirus.lnk
2015-01-07 18:49 - 2015-01-07 19:40 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton AntiVirus
2015-01-07 18:49 - 2015-01-07 19:40 - 00000000 ____D () C:\Windows\system32\Drivers\NAVx64
2015-01-07 18:49 - 2015-01-07 18:49 - 00177752 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2015-01-07 18:49 - 2015-01-07 18:49 - 00008222 _____ () C:\Windows\system32\Drivers\SYMEVENT64x86.CAT
2015-01-07 18:49 - 2015-01-07 18:49 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Identity Safe
2015-01-07 18:49 - 2015-01-07 18:49 - 00000000 ____D () C:\ProgramData\NCOTEMP
2015-01-07 18:49 - 2015-01-07 18:49 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2015-01-07 18:49 - 2015-01-07 18:49 - 00000000 ____D () C:\Program Files (x86)\Norton Identity Safe
2015-01-07 18:49 - 2015-01-07 18:49 - 00000000 ____D () C:\Program Files (x86)\Norton AntiVirus
2015-01-07 16:48 - 2014-01-17 16:33 - 00001158 _____ () C:\Users\GS2\Desktop\Job Portfolio - Shortcut.lnk
2015-01-07 14:20 - 2015-01-07 14:26 - 218966928 ____N (Symantec Corporation) C:\Users\NetAdmin\Downloads\NAV-TW-21.1.0-EN-AU.exe
2015-01-07 09:50 - 2015-01-07 10:01 - 203660016 _____ (Kaspersky Lab) C:\Users\NetAdmin\Downloads\kav15.0.1.415en-au.exe
2015-01-07 09:26 - 2015-01-07 09:26 - 00000000 ____D () C:\Users\SREP\AppData\Roaming\Console
2015-01-05 09:40 - 2015-01-05 09:40 - 00000000 ____D () C:\Users\GS3\AppData\Local\Apple Computer
2015-01-02 05:43 - 2015-01-02 05:43 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\jbajjzzu.sys
2014-12-29 09:58 - 2015-01-14 08:27 - 00004974 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS3 OFPC-MYOB
2014-12-28 11:06 - 2015-01-07 16:29 - 00258620 _____ () C:\Users\GS4\Documents\monthly sales.xlsx
2014-12-24 15:35 - 2014-12-24 15:35 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2014-12-24 11:23 - 2014-12-24 11:23 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2014-12-23 06:47 - 2014-12-23 06:47 - 00000000 ____D () C:\Users\POS1\AppData\Local\Apple Computer
2014-12-20 08:08 - 2014-12-20 08:08 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieUserList
2014-12-20 08:08 - 2014-12-20 08:08 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieSiteList
2014-12-19 10:17 - 2014-12-19 10:19 - 00000000 _____ () C:\Users\CM1\Documents\Nuance Image Printer Writer Port
2014-12-19 10:17 - 2014-12-19 10:17 - 00000000 ____D () C:\Users\CM1\AppData\Roaming\Zeon
2014-12-19 10:17 - 2014-12-19 10:17 - 00000000 ____D () C:\Users\CM1\AppData\Roaming\Nuance
2014-12-19 07:53 - 2014-12-19 07:53 - 00000000 ____D () C:\Users\GS2\Tracing
2014-12-18 13:36 - 2014-12-18 13:36 - 00000000 ____D () C:\Users\GS5\Tracing
2014-12-16 08:55 - 2014-12-16 12:31 - 00010479 _____ () C:\Users\GS1\Desktop\rainbow list.xlsx
2014-12-15 10:46 - 2014-12-15 10:46 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\yzzktmny.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-14 19:51 - 2009-07-14 15:32 - 00000000 ____D () C:\Windows\Offline Web Pages
2015-01-14 19:37 - 2014-04-03 19:59 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-14 19:37 - 2013-06-28 18:02 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 19:37 - 2013-06-28 18:02 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 19:37 - 2013-06-28 18:02 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 19:37 - 2013-06-28 18:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-14 19:00 - 2013-06-14 18:54 - 00000000 ____D () C:\RM_Backup
2015-01-14 18:33 - 2014-12-03 20:08 - 00004988 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-NetAdmin OFPC-MYOB
2015-01-14 18:13 - 2013-06-13 08:48 - 00000315 _____ () C:\Users\NetAdmin\AppData\Roaming\Applications-NetAdmin.ini
2015-01-14 18:12 - 2014-04-03 19:59 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-14 18:12 - 2009-07-14 15:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-14 17:11 - 2014-11-10 10:15 - 00000267 _____ () C:\Users\Administrator\AppData\Roaming\Applications-Administrator.ini
2015-01-14 16:50 - 2013-11-14 08:44 - 00000000 ____D () C:\Program Files (x86)\iTunes
2015-01-14 16:50 - 2013-06-11 11:11 - 00000000 ____D () C:\Program Files (x86)\Browny02
2015-01-14 16:18 - 2013-07-11 20:13 - 00000000 ____D () C:\Users\GS5\Documents\Outlook Files
2015-01-14 16:17 - 2013-06-14 12:33 - 00000000 ____D () C:\Users\GS5\AppData\Roaming\Skype
2015-01-14 16:16 - 2014-04-08 11:51 - 00004970 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS5 OFPC-MYOB
2015-01-14 16:16 - 2013-06-13 12:31 - 00000247 _____ () C:\Users\GS5\AppData\Roaming\Applications-GS5.ini
2015-01-14 16:04 - 2014-05-09 11:51 - 00004970 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-CM1 OFPC-MYOB
2015-01-14 16:00 - 2013-06-19 15:55 - 00000000 ____D () C:\Users\GS2\AppData\Roaming\Skype
2015-01-14 15:34 - 2013-06-17 09:01 - 00000000 ____D () C:\Users\GS5\Desktop\Interim Rports
2015-01-14 15:26 - 2014-06-24 14:21 - 00004972 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-SREP OFPC-MYOB
2015-01-14 15:02 - 2014-10-20 14:09 - 00004970 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-CM2 OFPC-MYOB
2015-01-14 14:41 - 2013-06-18 15:10 - 00000249 _____ () C:\Users\CM2\AppData\Roaming\Applications-CM2.ini
2015-01-14 13:59 - 2013-06-13 09:44 - 00000240 _____ () C:\Windows\MYOBP.INI
2015-01-14 13:59 - 2013-06-13 09:44 - 00000042 _____ () C:\Windows\MYOB.INI
2015-01-14 13:29 - 2013-06-11 11:22 - 00001061 _____ () C:\Windows\Brpfx04a.ini
2015-01-14 12:01 - 2014-04-08 07:51 - 00004972 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS2 OFPC-MYOB
2015-01-14 09:01 - 2014-04-08 14:39 - 00004968 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS3 OFPC-MYOB
2015-01-14 08:40 - 2013-06-13 12:23 - 00000247 _____ () C:\Users\GS3\AppData\Roaming\Applications-GS3.ini
2015-01-14 08:29 - 2012-07-18 06:07 - 02014021 _____ () C:\Windows\WindowsUpdate.log
2015-01-14 08:27 - 2014-07-31 10:55 - 00004970 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS2 OFPC-MYOB
2015-01-14 08:12 - 2013-06-14 09:12 - 00000247 _____ () C:\Users\CM1\AppData\Roaming\Applications-CM1.ini
2015-01-14 08:08 - 2013-06-13 12:14 - 00000249 _____ () C:\Users\SREP\AppData\Roaming\Applications-SREP.ini
2015-01-14 08:08 - 2013-06-11 11:21 - 00000435 _____ () C:\Windows\BRWMARK.INI
2015-01-14 08:08 - 2013-06-11 11:21 - 00000027 _____ () C:\Windows\BRPP2KA.INI
2015-01-14 08:01 - 2013-06-13 12:09 - 00000249 _____ () C:\Users\POS3\AppData\Roaming\Applications-POS3.ini
2015-01-14 08:00 - 2013-06-13 12:21 - 00000247 _____ () C:\Users\GS2\AppData\Roaming\Applications-GS2.ini
2015-01-14 07:14 - 2014-04-08 06:26 - 00004974 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS1 OFPC-MYOB
2015-01-14 06:55 - 2009-07-14 15:13 - 00786622 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-14 06:54 - 2013-06-13 08:43 - 00000249 _____ () C:\Users\POS1\AppData\Roaming\Applications-POS1.ini
2015-01-14 06:04 - 2013-06-13 12:06 - 00000249 _____ () C:\Users\POS2\AppData\Roaming\Applications-POS2.ini
2015-01-13 17:19 - 2013-06-13 12:16 - 00000247 _____ () C:\Users\GS1\AppData\Roaming\Applications-GS1.ini
2015-01-13 17:05 - 2013-06-07 15:24 - 00000000 ____D () C:\Premier19
2015-01-13 14:09 - 2013-06-20 12:51 - 00000000 ____D () C:\Users\GS4\AppData\Roaming\Skype
2015-01-13 10:51 - 2014-04-14 10:00 - 00004968 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS4 OFPC-MYOB
2015-01-13 10:30 - 2013-06-13 12:28 - 00000247 _____ () C:\Users\GS4\AppData\Roaming\Applications-GS4.ini
2015-01-13 10:27 - 2013-06-20 14:40 - 00000000 ____D () C:\Users\GS5\AppData\Roaming\AUSkey
2015-01-13 10:27 - 2013-06-20 14:40 - 00000000 ____D () C:\Program Files (x86)\ECIClientV6
2015-01-13 10:26 - 2013-09-19 10:17 - 00000000 ____D () C:\Users\GS5\.csi
2015-01-13 09:12 - 2013-06-15 14:05 - 00003356 _____ () C:\Windows\System32\Tasks\Daily Backup
2015-01-13 08:45 - 2013-06-13 12:10 - 00000253 _____ () C:\Users\YRDMGR\AppData\Roaming\Applications-YRDMGR.ini
2015-01-12 20:29 - 2009-07-14 14:45 - 00027568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-12 20:29 - 2009-07-14 14:45 - 00027568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-12 20:27 - 2014-11-10 10:14 - 00000000 ____D () C:\Users\Administrator
2015-01-12 20:27 - 2013-09-20 10:13 - 00000000 ____D () C:\Users\CM4
2015-01-12 20:26 - 2013-06-18 15:17 - 00000000 ____D () C:\Users\CM3
2015-01-12 20:26 - 2013-06-18 15:10 - 00000000 ____D () C:\Users\CM2
2015-01-12 20:26 - 2013-06-14 09:12 - 00000000 ____D () C:\Users\CM1
2015-01-12 20:26 - 2013-06-13 12:30 - 00000000 ____D () C:\Users\GS5
2015-01-12 20:26 - 2013-06-13 12:22 - 00000000 ____D () C:\Users\GS3
2015-01-12 20:26 - 2013-06-13 12:20 - 00000000 ____D () C:\Users\GS2
2015-01-12 20:26 - 2013-06-13 12:16 - 00000000 ____D () C:\Users\GS1
2015-01-12 20:26 - 2013-06-13 12:14 - 00000000 ____D () C:\Users\SREP
2015-01-12 20:26 - 2013-06-13 12:10 - 00000000 ____D () C:\Users\YRDMGR
2015-01-12 20:26 - 2013-06-13 12:08 - 00000000 ____D () C:\Users\POS3
2015-01-12 20:26 - 2013-06-13 12:05 - 00000000 ____D () C:\Users\POS2
2015-01-12 20:26 - 2013-06-13 08:42 - 00000000 ____D () C:\Users\POS1
2015-01-12 20:22 - 2014-04-14 14:15 - 00000000 ____D () C:\Fax Box
2015-01-12 20:22 - 2013-06-13 08:39 - 00000000 ____D () C:\wsession
2015-01-12 20:22 - 2009-07-14 15:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-12 20:22 - 2009-07-14 14:51 - 00068083 _____ () C:\Windows\setupact.log
2015-01-12 20:05 - 2013-06-06 08:53 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{F0E1E592-48E2-4770-BE9C-6A07C6CA1EB1}
2015-01-12 19:59 - 2010-11-21 13:47 - 00501654 _____ () C:\Windows\PFRO.log
2015-01-10 16:09 - 2013-09-20 10:14 - 00000247 _____ () C:\Users\CM4\AppData\Roaming\Applications-CM4.ini
2015-01-10 11:04 - 2014-01-22 15:57 - 00000000 ____D () C:\Users\POS2\Desktop\YArd SHort Cuts-incl Price Lists
2015-01-09 16:14 - 2014-11-28 14:36 - 00000000 ___RD () C:\Users\GS5\ODBA
2015-01-08 20:59 - 2014-12-02 09:46 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-08 17:36 - 2014-03-11 14:15 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2015-01-07 17:28 - 2014-09-29 09:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-01-07 17:28 - 2014-03-14 15:25 - 00002697 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-01-07 17:28 - 2013-06-14 12:32 - 00000000 ____D () C:\ProgramData\Skype
2015-01-07 13:47 - 2013-06-06 09:25 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-01-07 10:12 - 2013-06-12 11:13 - 00000000 ____D () C:\Drivers and Software
2015-01-06 16:18 - 2013-06-13 08:43 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{E3CEB330-A2FC-4FBE-BF7C-EBB4055EF3B7}
2015-01-05 11:03 - 2009-07-14 13:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-12-24 14:25 - 2014-08-28 14:54 - 00000000 ___RD () C:\Users\CM1\ODBA
2014-12-23 16:59 - 2014-06-23 13:40 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-12-23 15:44 - 2009-07-14 15:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-12-23 12:16 - 2014-12-08 14:30 - 00000000 ____D () C:\Users\GS5\Desktop\Weekly Reports
2014-12-23 08:53 - 2009-07-14 14:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-12-18 15:52 - 2009-07-14 13:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-12-18 13:35 - 2013-10-23 08:10 - 00000000 ____D () C:\Users\GS1\AppData\Roaming\Skype
2014-12-18 13:35 - 2013-06-14 12:32 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-12-18 09:32 - 2014-04-02 14:28 - 00000000 ___RD () C:\Users\POS1\Desktop\Every day files
2014-12-16 14:30 - 2014-02-06 09:01 - 00000000 _____ () C:\Users\GS4\Documents\Nuance Image Printer Writer Port

Files to move or delete:
====================
C:\ProgramData\logonsession.exe
C:\ProgramData\uninst.exe
C:\Users\Public\MAPISubSystem.reg


Some content of TEMP:
====================
C:\Users\CM1\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GS1\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GS1\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\GS3\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GS4\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\GS5\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\NetAdmin\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\NetAdmin\AppData\Local\Temp\Quarantine.exe
C:\Users\NetAdmin\AppData\Local\Temp\sqlite3.dll
C:\Users\POS1\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\POS2\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\SREP\AppData\Local\Temp\Foxit Reader Updater.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 01:13

==================== End Of Log ============================

Addition.TXT

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-01-2015 02
Ran by NetAdmin at 2015-01-14 19:52:01
Running from C:\Users\NetAdmin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton AntiVirus (Enabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton AntiVirus (Enabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Acronis True Image 2014 (HKLM-x32\...\{6B38A7DF-F641-45D5-BBCA-3E676ABCF5C8}Visible) (Version: 17.0.6673 - Acronis)
Acronis True Image 2014 (x32 Version: 17.0.6673 - Acronis) Hidden
ActiveCheck component for HP Active Support Library (x32 Version: 3.0.0.3 - Hewlett-Packard) Hidden
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AUSkey software 1.4.4 (HKLM-x32\...\{24D37B30-83B4-46A7-A691-30F2FCEAE58E}) (Version: 1.4.4 - ABR)
BIXOLON SRP-275 V3.2.3Ea_x64 (HKLM-x32\...\BIXOLON_SRP-275) (Version:  - )
BIXOLON SRP-350 Windows Driver V3.2.0 (HKLM\...\BIXOLON_SRP-350) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Brother MFL-Pro Suite MFC-6890CDW (HKLM-x32\...\{F9626826-162E-4EFD-9440-3F3B8317C097}) (Version: 1.0.1.0 - Brother Industries, Ltd.)
Brother MFL-Pro Suite MFC-J6910DW (HKLM-x32\...\{17795164-3BC1-4D4F-8ADA-65C895EBFC9A}) (Version: 1.0.27.0 - Brother Industries, Ltd.)
Corel WinDVD (HKLM-x32\...\{5C1F18D2-F6B7-4242-B803-B5A78648185D}) (Version: 10.0.5.835 - Corel Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DirectX 9 Runtime (x32 Version: 1.00.0000 - Sonic Solutions) Hidden
ECI Client v6.0 (HKLM-x32\...\{DE730F37-A198-4112-A3B6-97786F34354A}) (Version: v6.0.1 - Australian Taxation Office)
Express ClickYes 1.2 (HKLM-x32\...\Express ClickYes) (Version: 1.2 - ContextMagic.com)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 6.0.5.618 - Foxit Corporation)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HL-2250DN (HKLM-x32\...\{E2A97415-BD97-4867-B906-05E39E9EE51F}) (Version: 1.0.7.0 - Brother Industries, Ltd.)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Performance Advisor (HKLM-x32\...\{C1347D45-C69E-4688-80F4-BAC4C5081EE5}) (Version: 1.3.2905 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{E92D47A1-D27D-430A-8368-0BAFD956507D}) (Version: 5.2.9.2 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.6.0.0 - Hewlett-Packard)
HPAsset component for HP Active Support Library (x32 Version: 3.0.2.2 - Hewlett-Packard) Hidden
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel(R) Network Connections 15.7.176.1 (HKLM\...\PROSetDX) (Version: 15.7.176.1 - Intel)
IPTInstaller (HKLM-x32\...\{08208143-777D-4A06-BB54-71BF0AD1BB70}) (Version: 4.0.8 - HTC)
iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.)
Java(TM) 6 Update 18 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416018FF}) (Version: 6.0.180 - Sun Microsystems, Inc.)
Kutools for Excel 7.5.5.0 (HKLM-x32\...\{A095BA43-4A97-4D55-8E25-A0BC46F10765}_is1) (Version:  - Detong)
Kyocera Product Library (HKLM\...\Kyocera Product Library) (Version: 2.0.0713 - KYOCERA Document Solutions Inc.)
Kyocera TWAIN Driver (HKLM-x32\...\InstallShield_{E4AFE3E9-6354-4C81-85FD-C3DCF904C379}) (Version: 2.0.1707 - KYOCERA Document Solutions Inc.)
Kyocera TWAIN Driver (x32 Version: 2.0.1707 - KYOCERA Document Solutions Inc.) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170) (HKLM-x32\...\{41785C66-90F2-40CE-8CB5-1C94BFC97280}) (Version: 3.5.30730.0 - Microsoft Corporation)
Microsoft Office 365 Small Business Premium - en-us (HKLM\...\O365SmallBusPremRetail - en-us) (Version: 15.0.4675.1003 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x64) ENU  (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU  (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MYOB AccountRight Premier v19.6.1 (HKLM-x32\...\InstallShield_{14CD4651-23C3-4D99-9A13-D1DBE4835E16}) (Version: 19.6.1 - MYOB Technology Pty Ltd)
MYOB AccountRight Premier v19.6.1 (x32 Version: 19.6.1 - MYOB Technology Pty Ltd) Hidden
MYOB ODBC Direct v10 AUS (HKLM-x32\...\InstallShield_{55D5A77E-FAAA-4358-B3E5-6565E024F78B}) (Version: 10.0.0 - MYOB Technology Pty Ltd)
MYOB ODBC Direct v10 AUS (x32 Version: 10.0.0 - MYOB Technology Pty Ltd) Hidden
MYOB RetailManager v12 (HKLM-x32\...\{47CA3C70-1FC8-4026-8256-A685979EE34F}) (Version:  - )
Norton AntiVirus (HKLM-x32\...\NAV) (Version: 21.6.0.32 - Symantec Corporation)
Norton Identity Safe (HKLM-x32\...\NST) (Version: 2014.6.0.27 - Symantec Corporation)
Nuance PaperPort 12 (HKLM-x32\...\{6C0A559F-8583-4B5A-8B50-20BEE15D8E64}) (Version: 12.1.0000 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)
NVIDIA Graphics Driver 276.28 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 276.28 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.2.24.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.2.24.0 - NVIDIA Corporation)
NVIDIA nView 136.02 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.02 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 1.00.0001 - Nuance Communications, Inc.)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6080 - Realtek Semiconductor Corp.)
Roxio Creator Business (HKLM-x32\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.3.56.24 - Roxio)
Scansoft PDF Professional (x32 Version:  - ) Hidden
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Sonic CinePlayer Decoder Pack (x32 Version: 4.3.0 - Sonic Solutions) Hidden
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.4 - Sophos Limited)
SyncToy 2.1 (x64) (HKLM\...\{88DAAF05-5A72-46D2-A7C5-C3759697E943}) (Version: 2.1.0 - Microsoft)
TeamViewer 8 (HKLM-x32\...\TeamViewer 8) (Version: 8.0.18051 - TeamViewer)
Uninstall RDPLUS (HKLM\...\RDPLUS) (Version:  - )
UniversalPrinter (HKLM\...\UniversalPrinter) (Version:  - )
USB Redirector RDP edition - Terminal-Server (HKLM\...\{961AE5EE-E9BB-427e-BF8B-0C83AB73959F}) (Version:  - )
VD64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

12-01-2015 02:38:53 Scheduled Checkpoint
12-01-2015 19:55:59 Nortons detection
12-01-2015 20:20:21 Norton_Power_Eraser_20150112202017721

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:34 - 2014-12-08 18:23 - 00000027 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {01D2AE25-5104-435E-9E6D-68941A0B03B5} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-CM2 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {0387DAAB-6718-44F4-852E-01F157101B3A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {047C23AA-B223-43E8-9CC6-36859794B31E} - System32\Tasks\Norton AntiVirus\Norton Error Analyzer => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe [2014-01-31] (Symantec Corporation)
Task: {1841FE60-0EBF-4835-942B-169804475438} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2014-11-12] (Microsoft Corporation)
Task: {28EF951F-95DF-4107-A71A-72112A2DFF1C} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS4 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {38BCB49F-2517-4B97-9D3A-E02F6FF609F5} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {47B286FC-2334-47A8-9947-4782A4C1975F} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-11-04] (Microsoft Corporation)
Task: {665CDD89-30AA-431B-A9C1-AFD8E9622668} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-02-24] (Hewlett-Packard Company)
Task: {67E991F8-1635-4808-8DB0-C666075E743B} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {735B7DE7-C67C-44EA-8A77-2930457DEB46} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS5 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {8EFAA728-246E-48BB-BDFF-52D9DC698D1C} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS3 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {962B47D1-7F6E-43E8-8651-3637A10392A4} - System32\Tasks\Daily Backup => C:\Program Files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19] (Microsoft Corporation)
Task: {97F1EC6E-421C-4C0C-AE41-0DD59310C9B3} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-NetAdmin OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {ABB30B5D-2316-4783-8107-799794A812B4} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)
Task: {B5078F9C-53A5-4F22-B546-03664116CD02} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe [2013-06-04] (Symantec Corporation)
Task: {B9140998-32B5-4FFB-AD68-FA415188368D} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe [2013-06-04] (Symantec Corporation)
Task: {BD6C63FA-F85F-4FA5-B414-B1339EEFA1B1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-03] (Google Inc.)
Task: {CA795512-9FAC-4071-95C7-C23838DE2660} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS1 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {E5D46D26-2E9D-4ABA-B967-B02441E4115F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-14] (Adobe Systems Incorporated)
Task: {E6315F67-FA56-4469-82D4-1CE7EB224348} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS3 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {E639BEE8-ABD2-49E5-B2E9-28438246ACA8} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-SREP OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {E741F2E1-AAE6-4970-85F3-3E0A6D3F0177} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-CM1 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {F42BC7CB-7F23-475F-BD6C-5AAD05F20E61} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-POS2 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: {F606F8BF-5D55-467E-84E4-8A47B8D4AC85} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {F868EC23-AF15-4326-8740-FE1BA92F75B3} - System32\Tasks\Norton AntiVirus\Norton Error Processor => C:\Program Files (x86)\Norton AntiVirus\Engine\21.6.0.32\SymErr.exe [2014-01-31] (Symantec Corporation)
Task: {FA6ADFB4-94EE-4CDB-BF0D-AE0CF62FB496} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-03] (Google Inc.)
Task: {FAEF89E8-CC14-4721-A1D0-31703E34C1B8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-02-24] (Hewlett-Packard Company)
Task: {FB1358EF-1451-4355-89EC-6CBAB1804B17} - System32\Tasks\Microsoft Office 15 Sync Maintenance for OFPC-MYOB-GS2 OFPC-MYOB => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-06-13 08:41 - 2012-07-23 06:57 - 00087552 _____ () C:\Windows\System32\custmon64i.dll
2014-06-23 13:40 - 2014-05-20 08:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2012-12-07 18:27 - 2012-12-07 18:27 - 00167424 _____ () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
2013-04-02 03:17 - 2013-05-10 06:00 - 00854960 _____ () C:\Program Files (x86)\RDPLUS\UserDesktop\files\svcac.exe
2013-06-20 11:25 - 2010-03-16 09:04 - 00143360 ____R () C:\Windows\system32\BrSNMP64.dll
2013-03-30 02:22 - 2013-05-10 06:00 - 00886696 _____ () C:\wsession\logonsession.exe
2014-10-30 06:16 - 2014-09-23 23:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2013-10-01 10:26 - 2013-10-01 10:26 - 02810968 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll
2012-07-18 06:02 - 2011-09-08 03:44 - 00380736 _____ () C:\Program Files\NVIDIA Corporation\nView\nvshell.dll
2013-04-21 21:44 - 2013-04-21 21:44 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2013-04-21 21:44 - 2013-04-21 21:44 - 01242952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-02-04 18:25 - 2014-02-04 18:25 - 00028992 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\thread_pool.dll
2014-02-04 18:28 - 2014-02-04 18:28 - 00420160 _____ () C:\Program Files (x86)\Common Files\Acronis\Home\ulxmlrpcpp.dll
2013-06-11 11:11 - 2009-02-27 16:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2014-06-23 13:40 - 2014-11-20 13:57 - 00316576 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2014-02-04 18:25 - 2014-02-04 18:25 - 00036672 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\qt_icontray_ex.dll
2013-06-13 09:34 - 2005-08-04 00:28 - 01187840 _____ () C:\Program Files (x86)\Common Files\Business Objects\3.0\bin\prompt.dll
2013-10-01 11:00 - 2013-10-01 11:00 - 00022336 _____ () C:\Program Files (x86)\Acronis\TrueImageHome\ti_managers_proxy_stub.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows\system32\Drivers\jbajjzzu.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\yzzktmny.sys:changelist
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FastUserSwitchingCompatibility => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-3777378854-3807207529-1244416889-500 - Administrator - Enabled) => C:\Users\Administrator
CM1 (S-1-5-21-3777378854-3807207529-1244416889-1011 - Administrator - Enabled) => C:\Users\CM1
CM2 (S-1-5-21-3777378854-3807207529-1244416889-1012 - Administrator - Enabled) => C:\Users\CM2
CM3 (S-1-5-21-3777378854-3807207529-1244416889-1013 - Administrator - Enabled) => C:\Users\CM3
CM4 (S-1-5-21-3777378854-3807207529-1244416889-1014 - Administrator - Enabled) => C:\Users\CM4
GS1 (S-1-5-21-3777378854-3807207529-1244416889-1006 - Administrator - Enabled) => C:\Users\GS1
GS2 (S-1-5-21-3777378854-3807207529-1244416889-1007 - Administrator - Enabled) => C:\Users\GS2
GS3 (S-1-5-21-3777378854-3807207529-1244416889-1008 - Administrator - Enabled) => C:\Users\GS3
GS4 (S-1-5-21-3777378854-3807207529-1244416889-1009 - Administrator - Enabled) => C:\Users\GS4
GS5 (S-1-5-21-3777378854-3807207529-1244416889-1010 - Administrator - Enabled) => C:\Users\GS5
Guest (S-1-5-21-3777378854-3807207529-1244416889-501 - Limited - Disabled)
NetAdmin (S-1-5-21-3777378854-3807207529-1244416889-1000 - Administrator - Enabled) => C:\Users\NetAdmin
POS1 (S-1-5-21-3777378854-3807207529-1244416889-1001 - Administrator - Enabled) => C:\Users\POS1
POS2 (S-1-5-21-3777378854-3807207529-1244416889-1002 - Administrator - Enabled) => C:\Users\POS2
POS3 (S-1-5-21-3777378854-3807207529-1244416889-1003 - Administrator - Enabled) => C:\Users\POS3
SREP (S-1-5-21-3777378854-3807207529-1244416889-1005 - Administrator - Enabled) => C:\Users\SREP
YRDMGR (S-1-5-21-3777378854-3807207529-1244416889-1004 - Administrator - Enabled) => C:\Users\YRDMGR

==================== Faulty Device Manager Devices =============

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/14/2015 04:03:59 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 03:00:25 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 01:41:40 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 10:00:10 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file  for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Myobp.exe because of this error.

Program: Myobp.exe
File: 

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
	- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
	- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: 00000000
Disk type: 0

Error: (01/14/2015 10:00:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Myobp.exe, version: 19.10.0.0, time stamp: 0x538d6240
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000001d
Fault offset: 0x127bfd35
Faulting process id: 0x141c
Faulting application start time: 0xMyobp.exe0
Faulting application path: Myobp.exe1
Faulting module path: Myobp.exe2
Report Id: Myobp.exe3

Error: (01/14/2015 03:52:45 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 03:46:42 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 02:31:32 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (01/14/2015 01:14:46 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (01/13/2015 11:14:35 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.


System errors:
=============
Error: (01/14/2015 06:12:43 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (01/14/2015 06:12:39 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Brother MFC-490CW Printer required for printer Brother MFC-490CW Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (01/14/2015 04:16:26 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.

Error: (01/14/2015 04:16:24 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver HP Deskjet 2050 J510 series required for printer HP Deskjet 2050 J510 series is unknown. Contact the administrator to install the driver before you log in again.

Error: (01/14/2015 04:16:23 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Foxit Reader PDF Printer Driver required for printer Foxit Reader PDF Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (01/14/2015 02:53:54 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/14/2015 02:53:50 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/14/2015 02:53:47 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/14/2015 02:52:44 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (01/14/2015 02:52:43 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.


Microsoft Office Sessions:
=========================
Error: (01/14/2015 04:03:59 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 03:00:25 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 01:41:40 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 10:00:10 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Myobp.exe000000000

Error: (01/14/2015 10:00:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Myobp.exe19.10.0.0538d6240unknown0.0.0.000000000c000001d127bfd35141c01d02f8ce821caf4C:\Premier19\Myobp.exeunknown4e4cbe17-9b80-11e4-abae-24be05280700

Error: (01/14/2015 03:52:45 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 03:46:42 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 02:31:32 AM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 

Error: (01/14/2015 01:14:46 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"c:\program files\microsoft office 15\root\office15\lync.exe.Manifestc:\program files\microsoft office 15\root\office15\UccApi.DLL1

Error: (01/13/2015 11:14:35 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: 


CodeIntegrity Errors:
===================================
  Date: 2015-01-14 19:50:05.308
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 19:40:04.046
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 18:42:42.375
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 18:12:52.471
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 17:11:40.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 16:43:16.279
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 16:36:20.687
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 16:16:27.253
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 16:08:16.410
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2015-01-14 15:38:28.892
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
Percentage of memory in use: 42%
Total physical RAM: 8150.06 MB
Available physical RAM: 4666.63 MB
Total Pagefile: 16298.3 MB
Available Pagefile: 12528.78 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:929.51 GB) (Free:740.09 GB) NTFS
Drive e: () (Fixed) (Total:931.51 GB) (Free:197.43 GB) NTFS
Drive s: () (Network) (Total:930.29 GB) (Free:380.56 GB) NTFS
Drive z: () (Network) (Total:930.29 GB) (Free:380.56 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 68E2AF36)
Partition 1: (Active) - (Size=2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=929.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 1DBF8492)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

ARK.TXT

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-14 20:23:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JP4O 931.51GB
Running: e8mx3bt3.exe; Driver: C:\Users\NetAdmin\AppData\Local\Temp\pgtdqpog.sys


---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\svchost.exe [1404:1508]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1584]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1588]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1592]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1596]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1668]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1672]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1676]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1680]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1684]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1688]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1692]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1708]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1712]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1728]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1736]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1740]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1744]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1748]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1756]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1796]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1804]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1848]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1852]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1872]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1884]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1896]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1932]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1944]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1948]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1964]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1968]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:1972]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:2000]                                                                                                                               000000000011dfdd
Thread   C:\Windows\SysWOW64\svchost.exe [1404:2020]                                                                                                                               000000000011dfdd
---- Processes - GMER 2.1 ----

Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\ONENOTE.EXE [20464]       00000000655c0000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\ONENOTE.EXE [20464]  0000000063880000
Library  C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\root\office15\ONENOTE.EXE [20464]    0000000063760000
Library  Y:\RetailM\RetailManager.exe (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                   0000000000400000
Library  Y:\RetailM\RMCommon.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                        00000000485f0000
Library  Y:\RetailM\RMResLocale.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                     0000000010000000
Library  Y:\RetailM\RMHWDriver.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                      000000006ddf0000
Library  Y:\RetailM\RMHWareObj.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                      0000000030d50000
Library  Y:\RetailM\RMRemote.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                        000000003cdc0000
Library  Y:\RetailM\RMInfo.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                          00000000624b0000
Library  Y:\RetailM\RMOptions.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                       0000000011700000
Library  Y:\RetailM\RMAuxTools.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                      0000000011000000
Library  Y:\RetailM\RMDisplay.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                       0000000011c00000
Library  Y:\RetailM\RMMatrix.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                        0000000073af0000
Library  Y:\RetailM\RMSecurity.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                      000000007db70000
Library  Y:\RetailM\RMRepEng.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                        0000000033490000
Library  Y:\RetailM\RMExtensions.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                    0000000054fc0000
Library  Y:\RetailM\RMTools.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                         0000000012100000
Library  Y:\RetailM\RMSysTray.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [8296]                                                                                       000000005eaf0000
Library  Y:\RetailM\RMHWSvr.exe (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [16484]                                                                                              0000000000400000
Library  Y:\RetailM\RMHWareObj.dll (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [16484]                                                                                           0000000030d50000
Library  Y:\RetailM\RMCommon.dll (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [16484]                                                                                             00000000485f0000
Library  Y:\RetailM\RetailManager.exe (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                  0000000000400000
Library  Y:\RetailM\RMCommon.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                       00000000485f0000
Library  Y:\RetailM\RMResLocale.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                    0000000010000000
Library  Y:\RetailM\RMHWDriver.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                     000000006ddf0000
Library  Y:\RetailM\RMHWareObj.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                     0000000030d50000
Library  Y:\RetailM\RMRemote.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                       000000003cdc0000
Library  Y:\RetailM\RMInfo.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                         00000000624b0000
Library  Y:\RetailM\RMOptions.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                      0000000011700000
Library  Y:\RetailM\RMAuxTools.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                     0000000011000000
Library  Y:\RetailM\RMDisplay.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                      0000000011c00000
Library  Y:\RetailM\RMMatrix.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                       0000000073af0000
Library  Y:\RetailM\RMSecurity.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                     000000007db70000
Library  Y:\RetailM\RMRepEng.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                       0000000033490000
Library  Y:\RetailM\RMExtensions.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                   0000000054fc0000
Library  Y:\RetailM\RMTools.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                        0000000012100000
Library  Y:\RetailM\RMSysTray.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                      000000005eaf0000
Library  Y:\RetailM\RMRepDriver.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                    000000005f370000
Library  Y:\RetailM\RMRec80.dll (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                        0000000016de0000
Library  Y:\RetailM\RMReports.ocx (*** suspicious ***) @ Y:\RetailM\RetailManager.exe [21772]                                                                                      000000005ab60000
Library  Y:\RetailM\RMHWSvr.exe (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [2400]                                                                                               0000000000400000
Library  Y:\RetailM\RMHWareObj.dll (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [2400]                                                                                            0000000030d50000
Library  Y:\RetailM\RMCommon.dll (*** suspicious ***) @ Y:\RetailM\RMHWSvr.exe [2400]                                                                                              00000000485f0000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\WPA@md                                                                                                                                                        0x64 0x62 0x04 0x00 ...

---- EOF - GMER 2.1 ----


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 14 January 2015 - 08:53 AM

Is this an enterprise machine?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 15 January 2015 - 05:16 AM

No, it's not.



#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 17 January 2015 - 06:06 AM

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 


#7 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 19 January 2015 - 01:52 AM

Hi Marius,

I have run the scans and attached the logs.

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-01-2015 01
Ran by NetAdmin at 2015-01-19 07:43:25 Run:1
Running from C:\Users\NetAdmin\Desktop
Loaded Profiles: NetAdmin & POS1 & POS2 (Available profiles: NetAdmin & POS1 & POS2 & POS3 & YRDMGR & SREP & GS1 & GS2 & GS3 & GS4 & GS5 & CM1 & CM2 & CM3 & CM4 & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
AlternateDataStreams: C:\Windows\system32\Drivers\jbajjzzu.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\yzzktmny.sys:changelist
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2012-07-18] (Microsoft Corporation) <==== ATTENTION 

C:\ProgramData\logonsession.exe
C:\ProgramData\uninst.exe
C:\Users\Public\MAPISubSystem.reg
2014-12-15 10:46 - 2014-12-15 10:46 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\yzzktmny.sys

EmptyTemp:
*****************

C:\Windows\system32\Drivers\jbajjzzu.sys => ":changelist" ADS removed successfully.
C:\Windows\system32\Drivers\yzzktmny.sys => ":changelist" ADS removed successfully.
C:\ProgramData\TEMP => ":F8AF2BB9" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-3777378854-3807207529-1244416889-1012\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKU\S-1-5-21-3777378854-3807207529-1244416889-1006\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKU\S-1-5-21-3777378854-3807207529-1244416889-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKU\S-1-5-21-3777378854-3807207529-1244416889-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
C:\ProgramData\logonsession.exe => Moved successfully.
C:\ProgramData\uninst.exe => Moved successfully.
C:\Users\Public\MAPISubSystem.reg => Moved successfully.
C:\Windows\system32\Drivers\yzzktmny.sys => Moved successfully.
EmptyTemp: => Removed 7.1 GB temporary data.


The system needed a reboot. 

==== End of Fixlog 07:49:42 ====

Malwarebytes log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19/01/2015
Scan Time: 9:57:25 AM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.18.12
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: NetAdmin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 1070314
Time Elapsed: 51 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent, C:\Windows\Offline Web Pages\cache.txt, Quarantined, [9153cb2d0287a294a19a9ecd12f2827e], 

Physical Sectors: 0
(No malicious items detected)


(end)

Thanks
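The fixlist above touches four kinds of persistence, and an FRST fix only removes the entries that happened to be in the log: the `:changelist` alternate data streams on two driver files, a per-user Winlogon `Shell` value in each loaded hive (flagged even though it pointed at the legitimate explorer.exe, because the shell is normally set only in HKLM), Internet Explorer policy restriction keys, and the dropped files in ProgramData and Users\Public. The script below is an added example for re-auditing exactly those points after the reboot; it is not FRST output and was not posted in the thread. Paths and key names are the ones in the fixlog; the stream enumeration (`Get-Item -Stream`) and `[pscustomobject]` assume PowerShell 3.0 or later on this Windows 7 box, which is an assumption, and the script needs an elevated prompt. It reports only and deletes nothing.

```powershell
# Added example (not from the thread): re-audit the persistence points the FRST fix touched.
# Assumes PowerShell 3.0+ and an elevated prompt. Read-only: it reports, it does not delete.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Alternate data streams on driver files. A normal driver carries only the unnamed ':$DATA'
#    stream; the fixlog removed a ':changelist' stream from two randomly named .sys files.
Get-ChildItem "$env:SystemRoot\System32\Drivers" -File | ForEach-Object {
    $f = $_
    Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Add-Finding 'ADS' $f.FullName ("stream {0} ({1} bytes)" -f $_.Stream, $_.Length) }
}
# The fixlog also removed a named stream from the ProgramData\TEMP file.
if (Test-Path -LiteralPath "$env:ProgramData\TEMP") {
    Get-Item -LiteralPath "$env:ProgramData\TEMP" -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { Add-Finding 'ADS' "$env:ProgramData\TEMP" $_.Stream }
}

# 2. Winlogon Shell per user hive. HKCU only covers the current user, so walk HKEY_USERS for the
#    loaded profiles. The default shell lives in HKLM; a per-user Shell value is one way to get a
#    payload started at logon, which is why FRST flagged them even though they named explorer.exe.
$defaultShell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
Add-Finding 'Info' 'HKLM Winlogon\Shell' $defaultShell
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $key   = "Registry::$($_.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Shell
        if ($shell) { Add-Finding 'WinlogonShell' $_.PSChildName $shell }
    }

# 3. Internet Explorer policy restrictions (FRST reported them machine-wide and for SID ...-1000).
$iePolicy = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') +
    @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Policies\Microsoft\Internet Explorer" })
foreach ($p in $iePolicy) {
    if (Test-Path $p) {
        $names = @(Get-Item $p) + @(Get-ChildItem $p -Recurse) | ForEach-Object { $_.Property }
        Add-Finding 'IEPolicy' $p (($names | Sort-Object -Unique) -join ', ')
    }
}

# 4. The dropped files the fix moved away, plus the file every scanner keeps finding.
foreach ($p in "$env:ProgramData\logonsession.exe", "$env:ProgramData\uninst.exe",
               "$env:PUBLIC\MAPISubSystem.reg", "$env:SystemRoot\Offline Web Pages\cache.txt") {
    if (Test-Path -LiteralPath $p) {
        $fi = Get-Item -LiteralPath $p -Force
        Add-Finding 'DroppedFile' $p ("present, {0} bytes, written {1:u}" -f $fi.Length, $fi.LastWriteTime)
    }
}

"{0} finding(s)" -f $findings.Count
$findings | Format-Table -AutoSize
```

Run it once right after the FRST reboot and keep the output; a second run a day or a week later that shows the `ADS` or `DroppedFile` rows back again tells you the fix removed a symptom, not the thing that writes them.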



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 19 January 2015 - 06:15 AM

Scan with ESET Online Scan

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.



#9 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 20 January 2015 - 06:46 AM

Hi Marius,

See the ESET log below:

C:\Users\GS5\Downloads\FoxitReader603.0524_enu_Setup.exe	a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\GS5\Downloads\FoxitReader605.0618_enu_Setup.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Windows\Offline Web Pages\cache.txt	a variant of Win32/Morto.Y worm

Most of the scanners find cache.txt but don't find what is causing it. The other file in the Offline Web Pages folder never gets detected. See the attached screenshot (Offline Web Page Folder 2.PNG).

 

Thanks for your continued assistance.

 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 20 January 2015 - 07:07 AM

 

C:\Windows\Offline Web Pages

Delete the whole folder, then rescan with ESET



#11 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 21 January 2015 - 06:14 AM

I have deleted the whole folder and the Trojan is not being detected. But as I said in the original post, I have previously deleted the files in the Offline Web Pages folder and the Trojan is not discovered by the AV. It will then reappear after a variable amount of time. Could be a month or it could be days.

The ESET log:

C:\Users\GS5\Downloads\FoxitReader603.0524_enu_Setup.exe	a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\Users\GS5\Downloads\FoxitReader605.0618_enu_Setup.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application
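The recurring pattern in this thread is that cache.txt is deleted, every scanner comes back clean, and the file is back days or weeks later. ESET's name for it, Win32/Morto.Y, places it in the Morto family, which the public 2011 write-ups from Microsoft and F-Secure describe as spreading by brute-forcing Remote Desktop logons with a built-in password list and as keeping its data under HKLM\SYSTEM\WPA, the key whose `md` value GMER flagged earlier in this thread. That is background on the family, not something the thread establishes about this machine. What a practitioner wants at this point is a record of exactly when the file comes back and who logged on, or tried to, in the window before it was written, because a successful network or RDP logon from another LAN address just before the write time points at the host that keeps reinfecting this one, while no logon at all points back at something still resident here. The script below is an added example, not anything posted in the thread or produced by the tools used in it; it is meant to run hourly from Task Scheduler and appends one line per run to a log. The paths C:\Tools\Watch-Cache.ps1 and C:\Tools\cache-watch.log are illustrative, and it assumes PowerShell 2.0 or later running as SYSTEM or an administrator so it can read the Security log.

```powershell
# Added example (not from the thread): record when the cache.txt / HKLM\SYSTEM\WPA artifacts come back
# and which logons preceded the write. Register it hourly, e.g.:
#   schtasks /Create /SC HOURLY /RU SYSTEM /TN "WatchCache" /TR "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Tools\Watch-Cache.ps1"
# Assumes PowerShell 2.0+ and SYSTEM/admin rights. Script and log paths below are illustrative.
# Windows 7 audits successful logons (4624) by default but not failures (4625); to see brute-force
# attempts as well, run once:  auditpol /set /subcategory:"Logon" /failure:enable

$logFile  = 'C:\Tools\cache-watch.log'
$cacheTxt = Join-Path $env:SystemRoot 'Offline Web Pages\cache.txt'
$wpaKey   = 'HKLM:\SYSTEM\WPA'
$lookback = [TimeSpan]::FromHours(2)   # longer than the task interval so no logon falls between runs

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which needs PowerShell 4.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-' }
    finally { $sha.Dispose() }
}

function Get-ArtifactState {
    # One object per run so successive lines in the log can be compared directly.
    $state = New-Object psobject -Property @{
        Time = Get-Date; CacheTxt = (Test-Path -LiteralPath $cacheTxt)
        CacheSha256 = $null; CacheWritten = $null; WpaValues = @()
    }
    if ($state.CacheTxt) {
        $fi = Get-Item -LiteralPath $cacheTxt -Force
        $state.CacheSha256  = Get-Sha256Hex $cacheTxt
        $state.CacheWritten = $fi.LastWriteTime
    }
    if (Test-Path $wpaKey) {
        # Record every named value; 'md' is the one GMER reported on this machine.
        $state.WpaValues = @((Get-Item $wpaKey).GetValueNames() | Where-Object { $_ })
    }
    return $state
}

function Get-LogonActivity([datetime]$Since) {
    # 4624 = successful logon, 4625 = failed logon. Fields are read from the event XML by name
    # because their positional index differs between the two event IDs.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Logon types: 2 interactive, 3 network (SMB shares), 7 unlock, 10 RemoteInteractive (RDP).
        if (@(2, 3, 7, 10) -contains [int]$d.LogonType) {
            New-Object psobject -Property @{
                Time = $e.TimeCreated; Id = $e.Id; LogonType = $d.LogonType
                User = "$($d.TargetDomainName)\$($d.TargetUserName)"
                From = $d.IpAddress; Workstation = $d.WorkstationName
            }
        }
    }
}

$state = Get-ArtifactState
$line  = "{0:u} cache.txt={1} sha256={2} written={3:u} WPA=[{4}]" -f $state.Time, $state.CacheTxt,
         $state.CacheSha256, $state.CacheWritten, ($state.WpaValues -join ',')
Add-Content -Path $logFile -Value $line

if ($state.CacheTxt) {
    # It is back: list every logon in the window before the file's write time, RDP included.
    Get-LogonActivity ($state.CacheWritten - $lookback) | Sort-Object Time | ForEach-Object {
        Add-Content -Path $logFile -Value ("    {0:u} {1} type={2} user={3} from={4} ws={5}" -f
            $_.Time, $_.Id, $_.LogonType, $_.User, $_.From, $_.Workstation)
    }
}
```

Two things to read out of the log once the file returns: a type 10 or type 3 logon from another LAN address in the minutes before the write time names the host to clean next, and a cache.txt hash that changes between reappearances means a fresh copy is being delivered rather than the same file being restored. Note also that the Malwarebytes scan posted earlier in this thread ran with rootkit scanning disabled, so that scan's clean result says nothing about a driver-level component.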



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 21 January 2015 - 06:30 AM

We have removed the trojan's processes so it isn't able to come back by itself.

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

thisisujrt.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK Mirror (if the link is down)

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content into your reply (Note: do NOT post this one in a code box!)





Are any problems left or may I post the final reply? :)


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 21 January 2015 - 04:44 PM

Hi Marius,

 

AdwCleaner Log

# AdwCleaner v4.108 - Report created 21/01/2015 at 21:46:23
# Updated 17/01/2015 by Xplode
# Database : 2015-01-18.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : NetAdmin - OFPC-MYOB
# Running from : C:\Users\NetAdmin\Desktop\adwcleaner_4.108.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


-\\ Mozilla Firefox v35.0 (x86 en-US)


-\\ Google Chrome v39.0.2171.99


*************************

AdwCleaner[R0].txt - [3729 octets] - [01/04/2014 13:52:02]
AdwCleaner[R1].txt - [3663 octets] - [01/04/2014 20:28:38]
AdwCleaner[R2].txt - [2013 octets] - [02/12/2014 11:04:10]
AdwCleaner[R3].txt - [1098 octets] - [08/12/2014 18:34:02]
AdwCleaner[R4].txt - [1221 octets] - [21/01/2015 21:44:09]
AdwCleaner[S0].txt - [3740 octets] - [01/04/2014 20:29:43]
AdwCleaner[S1].txt - [2100 octets] - [02/12/2014 11:08:55]
AdwCleaner[S2].txt - [1160 octets] - [08/12/2014 19:27:59]
AdwCleaner[S3].txt - [1143 octets] - [21/01/2015 21:46:23]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1203 octets] ##########

JRT Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by NetAdmin on Wed 21/01/2015 at 21:56:53.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 21/01/2015 at 21:59:36.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checkup.txt

 

Results of screen317's Security Check version 0.99.94  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Norton AntiVirus   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 16.0.0.257  
 Adobe Reader XI  
 Mozilla Firefox (35.0) 
 Google Chrome (39.0.2171.95) 
 Google Chrome (39.0.2171.99) 
````````Process Check: objlist.exe by Laurent````````  
 Norton AntiVirus Engine 21.6.0.32 NAV.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2% 
````````````````````End of Log`````````````````````` 
 
The trojan appears to be gone. Thanks very much for assistance.
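Post #12 asks for three text reports and post #13 pastes them. The script below is an added example, not a BleepingComputer tool and not code from ESET, AdwCleaner or SecurityCheck: it parses the three formats exactly as they appear in the thread and reduces them to the findings a helper reads off them (PUA detections in Downloads, AdwCleaner section hits, UAC disabled, antivirus missing its WMI entry, two Chrome versions listed). The line patterns are inferred from the samples on this page, and the single "Folder Found" AdwCleaner entry is a constructed input to show a non-empty section being parsed.

```python
"""Triage helper for ESET, AdwCleaner and SecurityCheck reports (added example).

Patterns are inferred from the reports pasted in this thread; the AdwCleaner
"Folder Found" entry is constructed to exercise a non-empty section.
"""
import re

# Sample copied from post #11: one detection per line, path <TAB> verdict.
ESET_LOG = "\n".join([
    r"C:\Users\GS5\Downloads\FoxitReader603.0524_enu_Setup.exe" + "\t"
    + "a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application",
    r"C:\Users\GS5\Downloads\FoxitReader605.0618_enu_Setup.exe" + "\t"
    + "Win32/Bundled.Toolbar.Google.D potentially unsafe application",
])

# Sample trimmed from the AdwCleaner report in post #13 (every section empty).
ADW_LOG = r"""# AdwCleaner v4.108 - Report created 21/01/2015 at 21:46:23
# Option : Clean

***** [ Files / Folders ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280

*************************

AdwCleaner[S3].txt - [1143 octets] - [21/01/2015 21:46:23]
"""

# Constructed variant with one hit (hypothetical path), to show a non-empty section.
ADW_LOG_WITH_HIT = ADW_LOG.replace(
    "***** [ Files / Folders ] *****\n",
    "***** [ Files / Folders ] *****\n\nFolder Found : C:\\Users\\NetAdmin\\AppData\\Local\\ExamplePUP\n",
)

RULE = "`" * 14  # SecurityCheck draws its section headers with rows of backticks
# Sample copied from the checkup.txt in post #13.
SECURITYCHECK_LOG = "\n".join([
    "Results of screen317's Security Check version 0.99.94",
    " Windows 7 Service Pack 1 x64 (UAC is disabled!)",
    RULE + "Antivirus/Firewall Check:" + RULE,
    " Windows Firewall Enabled!",
    "Norton AntiVirus",
    " WMI entry may not exist for antivirus; attempting automatic update.",
    RULE + "Anti-malware/Other Utilities Check:" + RULE,
    " Adobe Flash Player 16.0.0.257",
    " Google Chrome (39.0.2171.95)",
    " Google Chrome (39.0.2171.99)",
])


def parse_eset(text):
    """Return one dict per ESET detection line (lines without a tab are skipped)."""
    hits = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        path, verdict = line.split("\t", 1)
        family = re.search(r"Win32/[\w.]+", verdict)
        hits.append({
            "path": path.strip(),
            "verdict": verdict.strip(),
            "family": family.group(0) if family else None,
            # ESET files bundled toolbars as "potentially unsafe/unwanted", not as malware
            "pua": "potentially un" in verdict,
        })
    return hits


_ADW_SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")


def parse_adwcleaner(text):
    """Map each AdwCleaner section name to the entries listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _ADW_SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("****"):
            current = None  # the closing row of asterisks ends the findings
        elif current and line and not line.startswith("-\\\\"):
            sections[current].append(line)  # "-\\ Browser" rows are headers, not hits
    return sections


def parse_securitycheck(text):
    """Pull the posture flags a helper looks for out of checkup.txt."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    chrome = []
    for l in lines:
        m = re.match(r"Google Chrome \(([\d.]+)\)", l)
        if m:
            chrome.append(m.group(1))  # two rows usually mean a stale version directory
    return {
        "uac_disabled": any("UAC is disabled" in l for l in lines),
        "firewall_enabled": any("Windows Firewall Enabled" in l for l in lines),
        "av_wmi_missing": any("WMI entry may not exist for antivirus" in l for l in lines),
        "chrome_versions": chrome,
    }


def triage(eset_text, adw_text, sc_text):
    """Combine the three reports into the findings a helper would act on."""
    findings = []
    for hit in parse_eset(eset_text):
        kind = "PUA" if hit["pua"] else "malware"
        findings.append(f"ESET {kind} {hit['family']}: {hit['path']}")
    for section, items in parse_adwcleaner(adw_text).items():
        for item in items:
            findings.append(f"AdwCleaner [{section}]: {item}")
    sc = parse_securitycheck(sc_text)
    if sc["uac_disabled"]:
        findings.append("SecurityCheck: UAC is disabled; re-enable it")
    if not sc["firewall_enabled"]:
        findings.append("SecurityCheck: Windows Firewall is not enabled")
    if sc["av_wmi_missing"]:
        findings.append("SecurityCheck: antivirus has no WMI/Security Center entry; confirm it is running")
    if len(sc["chrome_versions"]) > 1:
        findings.append("SecurityCheck: several Chrome versions listed: " + ", ".join(sc["chrome_versions"]))
    return findings


if __name__ == "__main__":
    for finding in triage(ESET_LOG, ADW_LOG_WITH_HIT, SECURITYCHECK_LOG):
        print(finding)
```

Run it on the thread's own reports and it yields the two PUA installers in Downloads plus the three posture flags; swap in ADW_LOG_WITH_HIT to see an AdwCleaner section hit appear. The point of the "pua" flag is the same one the helper makes: a bundled-toolbar verdict on an installer in Downloads is not the Trojan that kept reappearing, so it does not explain the reinfection.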


#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:23 PM

Posted 22 January 2015 - 03:57 AM

Your system is clean now! :)

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  • In case we used ComboFix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that ComboFix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.




Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most common System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most common System Protection Restore Points.




Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:
  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process. Note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC; this is normal and part of the cleanup.
  • When the scan is complete, if you were not asked to reboot the computer, please do so now
More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure that automatic updates are activated in your Control Panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a web site classified as dangerous, a warning screen is displayed.

  • Up-to-date Software
    Keep your Windows and your third-party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows built-in backup function or a third-party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 Redders1970

Redders1970
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:23 AM

Posted 22 January 2015 - 10:42 PM

Hi Marius,

 

All the tools and Temp files removed. Thank you very much for all of your assistance.





