
support to remove from server 2008R2 mng_minerd virus.


4 replies to this topic

#1 adax1

Posted 06 May 2015 - 03:47 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-05-2015 01
Ran by adax (administrator) on KLONDIKE on 06-05-2015 16:15:26
Running from C:\Users\adax\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\43W2SORD
Loaded Profiles: nurse1 & nurse2 & SleepingAccuroAdmin & test1 & laptop5 & doctor1 & doctor5 & doctor10 & doctor11 & doctor17 & doctor32 & physio2 & adax & Administrator (Available profiles: Reception & reception3 & nurse1 & nurse2 & nurse3 & exam1 & exam4 & exam7 & exam9 & exam10 & SleepingAccuroAdmin & exam11 & exam17 & laptop1 & laptop2 & cdsadmin & test1 & laptop3 & laptop4 & laptop5 & laptop6 & doctor1 & doctor2 & doctor3 & doctor4 & doctor5 & doctor6 & doctor7 & doctor8 & physio & doctor9 & doctor10 & doctor11 & dr.burns & doctor13 & doctor14 & doctor15 & doctor16 & doctor17 & doctor18 & doctor19 & doctor20 & doctor21 & laptop7 & doctor23 & doctor24 & doctor25 & doctor26 & doctor27 & access & doctor28 & doctor29 & ipad & doctor30 & doctor31 & doctor32 & doctor35 & carling & sara & physio2 & physio3 & doctor36 & doctor37 & doctor38 & doctor39 & physio4 & doctor40 & doctor33 & adax & Administrator & Classic .NET AppPool)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Microsoft Corporation) C:\Windows\System32\certsrv.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(McAfee, Inc.) C:\Program Files\McAfee\Agent\masvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\ntfrs.exe
() C:\Program Files (x86)\ReminderSync\ReminderSyncService.exe
() C:\Program Files (x86)\ReminderSync\ReminderSyncService.exe
() C:\Windows\System32\scclient.exe
(Microsoft Corporation) C:\Windows\System32\TCPSVCS.EXE
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\FXSSVC.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\vmms.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(McAfee, Inc.) C:\Program Files\McAfee\Agent\x86\macompatsvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AVSolution\mcshield.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform\mfeesp.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfetp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(McAfee, Inc.) C:\Program Files\McAfee\Agent\macmnsvc.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Telemetry\mctelsvc.exe
(Microsoft Corporation) C:\Windows\System32\wsrm.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\mfewc.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(ASIGRA Inc.) C:\Program Files\CloudBackup\DS-Client\dsclient.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Apache Software Foundation) C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(ASIGRA Inc.) C:\Windows\complusbackup\289470296\vsscontrol.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\AccuroCommunicationEngine\core\bin\wrapper.exe
(Sun Microsystems, Inc.) C:\Program Files\AccuroCommunicationEngine\jvm\1.6.0_22\bin\java.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Accuro\Accuro.exe
() C:\Program Files\Accuro\Accuro.exe
(Microsoft Corporation) C:\Windows\System32\consent.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Sun Microsystems, Inc.) C:\Program Files\AccuroCommunicationEngine\jvm\1.6.0_22\bin\java.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_17_0_0_169_ActiveX.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-12-18] (Oracle Corporation)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files\McAfee\Agent\x86\UpdaterUI.exe [514928 2014-09-22] (McAfee, Inc.)
HKLM-x32\...\Run: [DLSService] => "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe"
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2738355517-3946100407-2187008905-1114\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1115\...\Run: [Google Update**.d<*>] => "C:\Users\nurse2\AppData\Local\Google\Desktop\Install\{81468ccb-1cdf-715f-d5c8-0ce8dfd8637d}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{81468ccb-1cdf-715f-d5c8-0ce8dfd8637d}\GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2738355517-3946100407-2187008905-1115\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1129\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1129\...\Policies\Explorer\Run: [DCOM Service Manager] => C:\Users\access\AppData\Roaming\WinDCOMSvc\windcomsvc.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1143\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1148\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1150\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1154\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1154\...\MountPoints2: {ad06c79b-8992-11e0-b532-806e6f6e6963} - Z:\P1100_P1560_P1600.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1165\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1166\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1166\...\MountPoints2: {ad06c79b-8992-11e0-b532-806e6f6e6963} - Z:\Setup.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1174\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1192\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-1197\...\Run: [Windows Exception Filter] => C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
HKU\S-1-5-21-2738355517-3946100407-2187008905-2111\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7063832 2014-11-21] (Piriform Ltd)
HKU\S-1-5-21-2738355517-3946100407-2187008905-500\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7063832 2014-11-21] (Piriform Ltd)
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll, pwdssp.dll, pwdssp.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll [2014-04-21] (Tonec Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1114\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1114\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-1115\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1129\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1143\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1143\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKU\S-1-5-21-2738355517-3946100407-2187008905-1148\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1148\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp&tc=37
HKU\S-1-5-21-2738355517-3946100407-2187008905-1150\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1150\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-1154\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1154\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-1165\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1166\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1&ucc=CA&dcc=CA&opt=0&ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-1174\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1192\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ca/?ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-1197\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2738355517-3946100407-2187008905-1197\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-2738355517-3946100407-2187008905-2111\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
HKU\S-1-5-21-2738355517-3946100407-2187008905-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
SearchScopes: HKU\S-1-5-21-2738355517-3946100407-2187008905-1114 -> DefaultScope {D022E12E-3987-4B7F-9A7D-C4632EA09FEA} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2738355517-3946100407-2187008905-1114 -> {D022E12E-3987-4B7F-9A7D-C4632EA09FEA} URL = https://www.google.com/search?q={searchTerms}
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll No File
BHO: McAfee Endpoint Security Script Protection -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\McAfee\Endpoint Security\Threat Prevention\mfeEpSS.dll [2014-09-26] (McAfee, Inc.)
BHO: McAfee Web Control BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\x64\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2015-03-20] (Oracle Corporation)
BHO-x32: McAfee Endpoint Security Script Protection -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\McAfee\Endpoint Security\Threat Prevention\mfeEpSS.dll [2014-09-26] (McAfee, Inc.)
BHO-x32: McAfee Web Control BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2015-03-20] (Oracle Corporation)
Toolbar: HKLM - McAfee Web Control Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\x64\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee Web Control Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\x64\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
Handler: hpapp - No CLSID Value
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\x64\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McIEPlg.dll [2015-02-10] (McAfee, Inc.)
Winsock: Catalog5 05 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 01 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 02 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 03 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 04 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 05 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 06 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Winsock: Catalog9 17 C:\Windows\SysWOW64\escortdrv.dll [17920 2014-12-17] (EscortSoftware)
Tcpip\..\Interfaces\{5E3425DB-6EEC-4372-8DB2-702BB36088AF}: [NameServer] 192.168.1.10,8.8.8.8

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_169.dll [2015-04-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-15] ()
FF Plugin-x32: @dymo.com/DymoLabelFramework -> C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2012-01-30] ( Sanford L.P.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2013-04-02] (Foxit Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.75.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-03-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.75.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2015-03-20] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin HKU\S-1-5-21-2738355517-3946100407-2187008905-500: @citrixonline.com/appdetectorplugin -> C:\Users\Administrator\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-07-17] (Citrix Online)
FF HKLM-x32\...\Firefox\Extensions: [{B7082FAA-CB62-4872-9106-E42DD88EDE45}] - C:\Program Files (x86)\McAfee\Endpoint Security
FF Extension: No Name - C:\Program Files (x86)\McAfee\Endpoint Security [2015-04-27]
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1114\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF Extension: No Name - C:\Users\access\AppData\Roaming\IDM\idmmzcc5 [2014-12-25]
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1115\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1129\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1143\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1148\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1150\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1154\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1165\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1166\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1174\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1192\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-1197\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5
FF HKU\S-1-5-21-2738355517-3946100407-2187008905-2111\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Users\access\AppData\Roaming\IDM\idmmzcc5

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [Not Found]
CHR HKLM\...\Chrome\Extension: [jjkchpdmjjdmalgembblgafllbpcjlei] - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McChPlg.crx [2015-02-10]
CHR HKLM-x32\...\Chrome\Extension: [jjkchpdmjjdmalgembblgafllbpcjlei] - C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\McChPlg.crx [2015-02-10]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AccuroServer; C:\Program Files\AccuroCommunicationEngine\core\bin\wrapper.exe [204800 2012-08-27] () [File not signed]
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2010-11-20] (Microsoft Corporation)
R2 CertSvc; C:\Windows\system32\certsrv.exe [746496 2009-07-13] (Microsoft Corporation)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Corporation)
R2 Dfs; C:\Windows\SysWOW64\dfssvc.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Corporation)
R2 DFSR; C:\Windows\SysWOW64\DFSRs.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 DHCPServer; C:\Windows\System32\dhcpssvc.dll [729088 2010-11-20] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)
R2 DNS; C:\Windows\SysWOW64\dns.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 DS-Client; C:\Program Files\CloudBackup\DS-Client\dsclient.exe [12695736 2014-09-15] (ASIGRA Inc.)
S2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [32336 2012-01-30] (Sanford, L.P.)
S3 EFS; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 Fax; C:\Windows\SysWOW64\fxssvc.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\System32\ias.dll [26624 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [19456 2009-07-13] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Corporation)
R2 IsmServ; C:\Windows\SysWOW64\ismserv.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 kdc; C:\Windows\System32\lsass.exe [31232 2011-11-17] (Microsoft Corporation)
R2 kdc; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R3 KeyIso; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-02-27] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234344 2015-02-27] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
R2 macmnsvc; C:\Program Files\McAfee\Agent\macmnsvc.exe [140656 2014-09-22] (McAfee, Inc.)
R2 masvc; C:\Program Files\McAfee\Agent\masvc.exe [55152 2014-09-22] (McAfee, Inc.)
R3 McAfeeFramework; C:\Program Files\McAfee\Agent\x86\macompatsvc.exe [214384 2014-09-22] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [312472 2014-10-29] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [218736 2014-10-29] (McAfee, Inc.)
R2 mfewc; C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\mfewc.exe [485232 2014-09-26] (McAfee, Inc.)
R2 MSDTC; C:\Windows\SysWOW64\msdtc.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 MSMQ; C:\Windows\system32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
S3 MSSQL$MICROSOFT##SSEE; C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe [39627104 2010-12-10] (Microsoft Corporation)
R2 MSSQLSERVER; D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [62111072 2011-06-17] (Microsoft Corporation)
R2 Netlogon; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 NTDS; C:\Windows\System32\lsass.exe [31232 2011-11-17] (Microsoft Corporation)
R2 NTDS; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Corporation)
R2 NtFrs; C:\Windows\SysWOW64\ntfrs.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 nvspwmi; C:\Windows\system32\nvspwmi.dll [407040 2010-11-20] (Microsoft Corporation)
R3 ProtectedStorage; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 ReminderSync Service; C:\Program Files (x86)\ReminderSync\ReminderSyncService.exe [29087744 2014-12-13] () [File not signed]
R3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [24576 2010-11-20] (Microsoft Corporation)
S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 SamSs; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 scclient; C:\Windows\System32\scclient.exe [250368 2015-04-22] () [File not signed]
R2 simptcp; C:\Windows\SysWOW64\tcpsvcs.exe [9216 2009-07-13] (Microsoft Corporation)
R2 SMTPSVC; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-20] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-20] (Microsoft Corporation)
R2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
S2 SQLSERVERAGENT; D:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE [431456 2011-06-17] (Microsoft Corporation)
R2 Telemetryserver; C:\Program Files (x86)\McAfee\Telemetry\mctelsvc.exe [199528 2014-08-19] (McAfee, Inc.)
R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)
S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-13] (Microsoft Corporation)
R2 Tomcat6; C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [61440 2012-04-20] (Apache Software Foundation) [File not signed]
R2 TSGateway; C:\Windows\system32\aaedge.dll [306688 2010-11-20] (Microsoft Corporation)
S3 VaultSvc; C:\Windows\SysWOW64\lsass.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R3 vds; C:\Windows\SysWOW64\vds.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 vhdsvc; C:\Windows\system32\vhdsvc.dll [193024 2010-11-20] (Microsoft Corporation)
R2 vmms; C:\Windows\system32\vmms.exe [4625408 2010-11-20] (Microsoft Corporation)
R2 VSS; C:\Windows\SysWOW64\vssvc.exe [0 2014-08-16] () <==== ATTENTION (zero size file/folder)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S3 WDSServer; C:\Windows\system32\wdssrv.dll [142848 2009-07-13] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WSRM; C:\Windows\system32\wsrm.exe [1330688 2009-07-13] (Microsoft Corporation)
S3 CAD; C:\Windows\Ltsvc\cad.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-25] (ATI Technologies Inc.)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard Company)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-13] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Corporation)
R3 EpMPShieldK; C:\Windows\System32\drivers\EpMPShieldK.sys [204744 2015-04-27] (McAfee, Inc.)
R1 hvboot; C:\Windows\System32\drivers\hvboot.sys [119168 2010-11-20] (Microsoft Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-25] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [366448 2014-10-29] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [339808 2014-10-29] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [886104 2014-10-29] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [482600 2014-11-08] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [100720 2014-11-08] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [349328 2014-10-29] (McAfee, Inc.)
R3 MODEMCSA; C:\Windows\System32\drivers\MODEMCSA.sys [24064 2009-07-13] (Microsoft Corporation)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [189440 2009-07-13] (Microsoft Corporation)
R3 NXND6HP; C:\Windows\System32\DRIVERS\hpnd6x64.sys [381408 2010-09-01] (QLogic, Corp.)
R3 passthruparser; C:\Windows\System32\drivers\passthruparser.sys [20992 2010-11-20] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
R3 vhdparser; C:\Windows\System32\drivers\vhdparser.sys [17408 2010-11-20] (Microsoft Corporation)
R3 VMSMP; C:\Windows\System32\DRIVERS\vmswitch.sys [410624 2010-11-20] (Microsoft Corporation)
S3 VMSP; C:\Windows\System32\DRIVERS\vmswitch.sys [410624 2010-11-20] (Microsoft Corporation)
S3 WLBS; C:\Windows\System32\DRIVERS\NLB.sys [339968 2010-11-20] (Microsoft Corporation)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-06 16:15 - 2015-05-06 16:16 - 00000000 ____D () C:\FRST
2015-05-06 16:13 - 2015-05-06 16:13 - 00000000 ____D () C:\Users\adax\AppData\Roaming\Macromedia
2015-05-06 13:35 - 2015-05-06 13:35 - 00000000 ____D () C:\Users\adax\Documents\Fax
2015-05-06 12:30 - 2015-05-06 12:30 - 00000020 ___SH () C:\Users\updater\ntuser.ini
2015-05-06 12:30 - 2015-05-06 12:30 - 00000000 ____D () C:\Users\updater
2015-05-06 12:30 - 2015-04-27 19:17 - 00000000 ____D () C:\Users\updater\AppData\Roaming\McAfee
2015-05-06 12:30 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\updater\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-06 12:30 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\updater\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-06 12:30 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\updater\Documents\Visual Studio 2008
2015-05-06 12:30 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\updater\Documents\Visual Studio 2005
2015-05-06 12:30 - 2012-01-25 04:03 - 00000000 ____D () C:\Users\updater\AppData\Local\Microsoft Help
2015-05-06 12:15 - 2015-05-06 12:15 - 00000000 ____D () C:\Windows\download
2015-05-06 07:26 - 2015-05-05 16:44 - 00000424 _____ () C:\Users\adax\Desktop\updater.reg
2015-05-06 07:26 - 2015-05-01 09:46 - 00085116 _____ () C:\Users\adax\Desktop\1.reg
2015-05-06 07:26 - 2015-04-29 18:14 - 00000610 _____ () C:\Users\adax\Desktop\ePolicy Orchestrator 5.2.0 (Build 505).website
2015-05-06 07:26 - 2015-03-07 15:59 - 00000416 _____ () C:\Users\adax\Desktop\router pass..txt
2015-05-06 07:26 - 2015-01-20 15:10 - 00000110 _____ () C:\Users\adax\Desktop\Disk2vhd.bat
2015-05-06 07:26 - 2014-09-05 13:47 - 00003104 _____ () C:\Users\adax\Desktop\delete_profile_temp.vbs
2015-05-06 07:26 - 2014-02-06 11:24 - 00002768 _____ () C:\Users\adax\Desktop\RAJAN.txt
2015-05-06 07:26 - 2013-12-03 12:09 - 00002536 _____ () C:\Users\adax\Desktop\radec..txt
2015-05-06 07:26 - 2013-07-31 07:58 - 00001124 _____ () C:\Users\adax\Desktop\HP Array Configuration Utility (64-bit).lnk
2015-05-06 07:26 - 2013-07-17 11:39 - 00000112 _____ () C:\Users\adax\Desktop\ADAX_DSCSGV200486_Active Care Klondike.CRI
2015-05-06 07:26 - 2013-07-12 12:00 - 00001064 _____ () C:\Users\adax\Desktop\join.me.lnk
2015-05-06 07:26 - 2013-04-09 15:42 - 00000116 _____ () C:\Users\adax\Desktop\Accuro Web.url
2015-05-06 07:26 - 2013-03-21 18:43 - 00001242 _____ () C:\Users\adax\Desktop\Fax Service Manager.lnk
2015-05-06 07:26 - 2012-09-24 10:05 - 00034398 _____ () C:\Users\adax\Desktop\ActiveCare Klondike Timeclock.mht
2015-05-06 07:26 - 2012-09-17 09:20 - 00000979 _____ () C:\Users\adax\Desktop\Remote Printing.txt
2015-05-06 07:26 - 2012-06-30 10:39 - 00003598 _____ () C:\Users\adax\Desktop\Auto Update Accuro.xml
2015-05-06 07:26 - 2012-06-30 10:19 - 00001203 _____ () C:\Users\adax\Desktop\kill session.bat
2015-05-06 07:26 - 2012-05-07 17:04 - 00001210 _____ () C:\Users\adax\Desktop\Windows Fax and Scan.lnk
2015-05-06 07:26 - 2012-05-06 13:58 - 18335480 _____ () C:\Users\adax\Desktop\Lexmark_Universal_v2_UD1_Win_64_PS.exe
2015-05-06 07:26 - 2012-05-04 15:05 - 80405952 _____ (Sanford, L.P.) C:\Users\adax\Desktop\DLS8Setup.8.4.0.1524.exe
2015-05-06 07:26 - 2012-05-03 09:41 - 00063554 _____ () C:\Users\adax\Desktop\users.msc
2015-05-06 07:26 - 2012-04-20 14:26 - 01155584 _____ (Microsoft) C:\Users\adax\Desktop\MPSRPT_PFE_X64.EXE
2015-05-06 07:26 - 2012-04-16 13:47 - 00001160 _____ () C:\Users\adax\Desktop\SQL Server Management Studio.lnk
2015-05-06 07:26 - 2012-04-15 10:28 - 00001274 _____ () C:\Users\adax\Desktop\Routing and Remote Access.lnk
2015-05-06 07:26 - 2012-04-15 09:20 - 00000040 _____ () C:\Users\adax\Desktop\logon.bat
2015-05-06 07:26 - 2012-04-14 15:49 - 00001443 _____ () C:\Users\adax\Desktop\Internet Explorer.lnk
2015-05-06 07:26 - 2012-04-14 12:26 - 00001284 _____ () C:\Users\adax\Desktop\Active Directory Users and Computers.lnk
2015-05-06 07:26 - 2012-04-13 19:22 - 00000026 _____ () C:\Users\adax\Desktop\RDP Licences.txt
2015-05-06 07:26 - 2012-03-22 12:22 - 00868352 _____ () C:\Users\adax\Desktop\RDPRemoteEnabler.exe
2015-05-06 07:26 - 2012-02-02 00:00 - 00347136 _____ (Hilgraeve, Inc.) C:\Users\adax\Desktop\hypertrm.dll
2015-05-06 07:26 - 2012-02-02 00:00 - 00028160 _____ (Hilgraeve, Inc.) C:\Users\adax\Desktop\hypertrm.exe
2015-05-06 07:25 - 2015-05-06 07:25 - 00061280 _____ () C:\Users\adax\AppData\Local\GDIPFONTCACHEV1.DAT
2015-05-06 07:25 - 2015-05-06 07:25 - 00001417 _____ () C:\Users\adax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-05-06 07:25 - 2015-05-06 07:25 - 00000000 ____D () C:\Users\adax\AppData\Roaming\Adobe
2015-05-06 07:25 - 2015-05-06 07:25 - 00000000 ____D () C:\Users\adax\AppData\Local\VirtualStore
2015-05-06 07:25 - 2015-05-06 07:25 - 00000000 ____D () C:\Users\adax\AppData\Local\LogMeIn
2015-05-06 07:24 - 2015-05-06 07:25 - 00000000 ____D () C:\Users\adax
2015-05-06 07:24 - 2015-05-06 07:24 - 00000020 ___SH () C:\Users\adax\ntuser.ini
2015-05-06 07:24 - 2015-05-06 07:24 - 00000000 ____D () C:\Users\adax\WINDOWS
2015-05-06 07:24 - 2015-04-27 19:17 - 00000000 ____D () C:\Users\adax\AppData\Roaming\McAfee
2015-05-06 07:24 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\adax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-06 07:24 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\adax\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-06 07:24 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\adax\Documents\Visual Studio 2008
2015-05-06 07:24 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\adax\Documents\Visual Studio 2005
2015-05-06 07:24 - 2012-01-25 04:03 - 00000000 ____D () C:\Users\adax\AppData\Local\Microsoft Help
2015-05-05 16:44 - 2015-05-05 16:44 - 00000424 _____ () C:\Users\Administrator\Desktop\updater.reg
2015-05-04 14:51 - 2015-05-04 15:40 - 00000000 ____D () C:\Users\doctor33
2015-05-04 14:51 - 2015-05-04 14:51 - 00001417 _____ () C:\Users\doctor33\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-05-04 14:51 - 2015-05-04 14:51 - 00000020 ___SH () C:\Users\doctor33\ntuser.ini
2015-05-04 14:51 - 2015-05-04 14:51 - 00000000 ____D () C:\Users\doctor33\WINDOWS
2015-05-04 14:51 - 2015-05-04 14:51 - 00000000 ____D () C:\Users\doctor33\AppData\Roaming\Adobe
2015-05-04 14:51 - 2015-05-04 14:51 - 00000000 ____D () C:\Users\doctor33\AppData\Local\VirtualStore
2015-05-04 14:51 - 2015-05-04 14:51 - 00000000 ____D () C:\Users\doctor33\AppData\Local\LogMeIn
2015-05-04 14:51 - 2015-04-27 19:17 - 00000000 ____D () C:\Users\doctor33\AppData\Roaming\McAfee
2015-05-04 14:51 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\doctor33\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-05-04 14:51 - 2014-07-03 13:26 - 00000000 ___RD () C:\Users\doctor33\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-05-04 14:51 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\doctor33\Documents\Visual Studio 2008
2015-05-04 14:51 - 2014-07-03 13:26 - 00000000 ____D () C:\Users\doctor33\Documents\Visual Studio 2005
2015-05-04 14:51 - 2012-01-25 04:03 - 00000000 ____D () C:\Users\doctor33\AppData\Local\Microsoft Help
2015-05-04 10:00 - 2015-05-06 10:00 - 00000000 ___HD () C:\Windows\complusbackup
2015-05-03 21:02 - 2015-05-04 12:48 - 00000000 ____D () C:\Users\physio3\Desktop\Scanned April 26
2015-05-03 21:01 - 2015-05-03 21:02 - 00000000 ____D () C:\Users\physio3\Desktop\Scanned March 17
2015-05-01 09:46 - 2015-05-01 09:46 - 00085116 _____ () C:\Users\Administrator\Desktop\1.reg
2015-04-29 18:47 - 2015-05-01 08:51 - 00000000 ____D () C:\Program Files (x86)\stinger
2015-04-28 07:17 - 2015-04-28 07:17 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\McAfee
2015-04-27 20:56 - 2015-04-27 20:56 - 00000000 ____D () C:\Users\doctor14\AppData\Local\VirtualStore
2015-04-27 20:32 - 2015-05-06 07:33 - 00000000 ____D () C:\Quarantine
2015-04-27 20:31 - 2015-04-27 20:31 - 00204744 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\EpMPShieldK.sys
2015-04-27 19:20 - 2015-04-29 18:14 - 00000610 _____ () C:\Users\Administrator\Desktop\ePolicy Orchestrator 5.2.0 (Build 505).website
2015-04-27 19:17 - 2015-04-27 19:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-04-27 19:17 - 2015-04-27 19:17 - 00000000 ____D () C:\Users\Default\AppData\Roaming\McAfee
2015-04-27 19:16 - 2015-04-27 19:44 - 00000000 ____D () C:\Program Files (x86)\McAfee
2015-04-27 19:01 - 2015-04-27 20:32 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2015-04-27 19:01 - 2015-04-27 19:16 - 00000000 ____D () C:\Program Files\McAfee
2015-04-27 19:01 - 2014-10-29 13:07 - 00366448 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeaack.sys
2015-04-27 19:01 - 2014-10-29 13:05 - 00218736 _____ (McAfee, Inc.) C:\Windows\system32\mfevtps.exe
2015-04-27 19:01 - 2014-10-29 13:04 - 00886104 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfehidk.sys
2015-04-27 19:01 - 2014-10-29 13:03 - 00339808 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\mfeavfk.sys
2015-04-27 18:53 - 2015-04-27 18:53 - 00748808 _____ (McAfee, Inc.) C:\Users\Administrator\Downloads\McAfeeSmartInstall.exe
2015-04-26 13:35 - 2015-04-27 15:12 - 00000010 _____ () C:\Users\Administrator\AppData\Local\sponge.last.runtime.cache
2015-04-26 13:26 - 2013-09-27 22:56 - 00285208 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-04-26 13:02 - 2015-04-27 20:34 - 00000000 ____D () C:\ProgramData\McAfee
2015-04-23 20:02 - 2015-04-23 20:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-04-23 20:01 - 2015-04-23 20:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-04-23 20:01 - 2015-04-23 20:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2015-04-23 11:58 - 2015-05-04 19:30 - 00000000 ____D () C:\Users\Administrator\AppData\Local\CrashDumps
2015-04-23 09:43 - 2015-04-23 09:43 - 00000000 ____D () C:\Users\doctor9\AppData\Local\CrashDumps
2015-04-23 06:03 - 2015-04-23 06:03 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_UsbDr_01_09_00.Wdf
2015-04-22 15:25 - 2015-04-22 15:25 - 00000004 _____ () C:\Windows\SysWOW64\uin_v5.txt
2015-04-22 12:13 - 2015-04-22 12:13 - 00000000 ____D () C:\Users\physio3\AppData\Local\VirtualStore
2015-04-22 10:56 - 2015-04-22 10:56 - 00000000 ____D () C:\Users\doctor1\AppData\Local\VirtualStore
2015-04-22 10:16 - 2015-04-22 10:16 - 00000000 ____D () C:\Users\test1\AppData\Local\VirtualStore
2015-04-22 02:09 - 2015-05-06 12:25 - 00001646 _____ () C:\Windows\SysWOW64\scclient.log
2015-04-22 02:09 - 2015-04-22 02:09 - 00250368 _____ () C:\Windows\system32\scclient.exe
2015-04-13 12:41 - 2015-04-13 12:41 - 00000000 ____D () C:\Users\sara\AppData\Local\VirtualStore
2015-04-08 01:57 - 2015-04-08 01:59 - 00000000 __SHD () C:\Users\Administrator\AppData\Roaming\WinDCOMSvcMgrV5
2015-04-07 07:49 - 2015-04-02 14:37 - 02241781 _____ () C:\Users\sara\Desktop\leads NL.txt
2015-04-06 11:34 - 2015-04-06 11:34 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\IsolatedStorage
2015-04-06 11:34 - 2015-04-06 11:34 - 00000000 ____D () C:\Users\Administrator\AppData\Local\IsolatedStorage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-05-06 16:13 - 2012-05-06 14:03 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-05-06 15:26 - 2015-03-07 11:00 - 00000000 ____D () C:\Windows\system32\dhcp
2015-05-06 15:11 - 2012-06-04 15:20 - 00000000 ____D () C:\Users\doctor10
2015-05-06 13:44 - 2009-07-14 00:49 - 00014864 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-06 13:44 - 2009-07-14 00:49 - 00014864 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-06 13:30 - 2012-05-03 12:35 - 00000000 ____D () C:\Users\doctor5
2015-05-06 11:18 - 2014-11-06 15:55 - 00000000 ____D () C:\Users\doctor36
2015-05-06 09:38 - 2012-05-07 14:19 - 00000000 ____D () C:\Users\physio
2015-05-06 09:00 - 2014-11-11 11:31 - 00000000 ____D () C:\Users\doctor1
2015-05-06 08:47 - 2014-11-12 10:15 - 00000000 ____D () C:\Users\physio2
2015-05-06 07:32 - 2014-12-17 07:54 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-05-06 07:32 - 2012-04-14 11:21 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-05-06 07:17 - 2013-07-21 11:24 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{0207CB7C-C16D-4FDA-9693-FCA94388B04D}
2015-05-06 01:00 - 2014-12-26 03:47 - 00000000 ____D () C:\Windows\system32\CertLog
2015-05-06 01:00 - 2012-04-13 19:11 - 00000000 ____D () C:\Windows\system32\lserver
2015-05-06 01:00 - 2012-04-13 19:00 - 00000000 ____D () C:\Windows\NTDS
2015-05-06 01:00 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\inetsrv
2015-05-06 00:03 - 2011-05-28 21:34 - 01246455 ____N () C:\Windows\WindowsUpdate.log
2015-05-05 20:51 - 2015-01-30 21:03 - 00000000 ____D () C:\Users\doctor39
2015-05-05 20:24 - 2012-05-25 11:04 - 00000000 ____D () C:\Users\doctor9
2015-05-05 19:08 - 2015-02-23 18:38 - 00000000 ____D () C:\Users\doctor40
2015-05-05 16:25 - 2014-07-11 08:44 - 00000000 ____D () C:\Program Files\Unlocker
2015-05-05 15:26 - 2014-10-03 10:47 - 00000000 ____D () C:\Users\physio3
2015-05-05 07:34 - 2014-04-14 19:45 - 00000000 ____D () C:\Users\doctor31
2015-05-03 21:55 - 2014-11-12 20:12 - 00000000 ____D () C:\Users\physio2\Desktop\dr simon's scanning
2015-05-03 07:48 - 2012-04-20 12:11 - 00000000 ____D () C:\Users\sleepingaccuroadmin
2015-05-03 07:48 - 2012-04-14 15:26 - 00000000 ____D () C:\Users\nurse2
2015-05-03 07:48 - 2011-05-28 21:35 - 00000000 ____D () C:\Users\Administrator
2015-05-02 20:25 - 2012-04-20 16:14 - 00000000 ____D () C:\Program Files\AccuroCommunicationEngine
2015-05-01 11:43 - 2012-04-13 19:06 - 00006048 _____ () C:\Windows\system32\config\netlogon.dnb
2015-05-01 11:43 - 2012-04-13 19:06 - 00001965 _____ () C:\Windows\system32\config\netlogon.dns
2015-05-01 11:14 - 2014-12-26 03:37 - 25804800 _____ () C:\Windows\system32\vmguest.iso
2015-05-01 11:13 - 2009-07-14 01:10 - 01162100 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-01 11:08 - 2014-01-23 16:46 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-05-01 11:08 - 2014-01-23 16:46 - 00000988 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-05-01 11:07 - 2012-04-13 18:18 - 00000000 ____D () C:\Windows\system32\dns
2015-05-01 11:06 - 2009-07-14 01:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-01 08:45 - 2015-02-11 10:32 - 00000000 ____D () C:\Users\physio4
2015-04-30 13:29 - 2012-04-14 15:26 - 00000000 ____D () C:\Users\nurse2\AppData\Local\VirtualStore
2015-04-29 20:46 - 2012-04-13 19:14 - 00002004 ____H () C:\Users\Administrator\Documents\Default.rdp
2015-04-29 20:14 - 2012-05-06 14:36 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-29 19:45 - 2012-04-13 19:38 - 00000000 ____D () C:\Temp
2015-04-29 17:44 - 2014-05-28 19:31 - 00000000 ____D () C:\Users\doctor32
2015-04-27 17:16 - 2012-04-15 10:04 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-04-26 13:33 - 2014-08-16 07:54 - 00564437 _____ () C:\Users\Administrator\AppData\Local\census.cache
2015-04-26 13:33 - 2014-08-16 07:54 - 00108829 _____ () C:\Users\Administrator\AppData\Local\ars.cache
2015-04-26 13:15 - 2012-05-23 14:58 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Citrix
2015-04-24 12:42 - 2014-12-12 12:12 - 00000000 ____D () C:\Users\nurse1\AppData\Local\CrashDumps
2015-04-24 09:09 - 2014-09-09 12:01 - 00000000 ____D () C:\Program Files (x86)\Nmap
2015-04-24 09:08 - 2014-09-18 13:12 - 00000000 ____D () C:\Program Files (x86)\Google
2015-04-23 11:17 - 2015-03-03 22:32 - 00000103 _____ () C:\Users\doctor10\Desktop\billing corrections.txt
2015-04-23 03:55 - 2012-07-01 03:55 - 02563613 _____ () C:\Windows\SysWOW64\DebugFile.txt
2015-04-23 03:55 - 2012-07-01 03:55 - 00231830 _____ () C:\Windows\SysWOW64\updater.log
2015-04-22 16:42 - 2014-10-13 10:56 - 00000000 ____D () C:\Users\sara
2015-04-15 11:13 - 2015-01-13 21:13 - 18178736 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-04-15 11:13 - 2012-05-06 14:03 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-15 11:13 - 2012-05-06 14:03 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-15 11:13 - 2012-05-06 14:03 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-10 15:35 - 2013-07-18 09:14 - 00000000 ____D () C:\Users\Administrator\AppData\Local\LogMeIn Rescue Applet
2015-04-07 08:00 - 2014-10-13 11:08 - 00000000 ____D () C:\Program Files (x86)\MassSender
2015-04-06 12:29 - 2012-04-13 19:08 - 00003600 __RSH () C:\ProgramData\ntuser.pol

==================== Files in the root of some directories =======

2012-05-04 15:06 - 2014-04-24 14:31 - 0043298 __RSH () C:\Program Files (x86)\DLS8Uninstall.log
2013-02-07 08:31 - 2013-02-07 08:31 - 0000057 _____ () C:\ProgramData\Ament.ini
ZeroAccess:
C:\Users\nurse2\AppData\Local\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\Administrator\en_res.dll
C:\Users\Administrator\es_res.dll
C:\Users\Administrator\fr_res.dll
C:\Users\Administrator\grm_res.dll
C:\Users\Administrator\it_res.dll
C:\Users\Administrator\jp_res.dll
C:\Users\Administrator\mfc80u.dll
C:\Users\Administrator\msvcr80.dll
C:\Users\Administrator\PCPE Setup.exe
C:\Users\Administrator\pt_res.dll
C:\Users\Administrator\ResourceReader.dll
C:\Users\Administrator\ru_res.dll
C:\Users\Administrator\zh_res.dll

Some content of TEMP:
====================
C:\Users\doctor14\AppData\Local\Temp\Checkupdate.exe
C:\Users\doctor14\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\doctor14\AppData\Local\Temp\gcapi_dll.dll
C:\Users\doctor14\AppData\Local\Temp\gtapi_signed.dll
C:\Users\doctor32\AppData\Local\Temp\Checkupdate.exe
C:\Users\doctor32\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\doctor32\AppData\Local\Temp\gcapi_dll.dll
C:\Users\doctor32\AppData\Local\Temp\gtapi_signed.dll
C:\Users\doctor40\AppData\Local\Temp\Checkupdate.exe
C:\Users\doctor40\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\doctor40\AppData\Local\Temp\gcapi_dll.dll
C:\Users\doctor40\AppData\Local\Temp\gtapi_signed.dll
C:\Users\doctor6\AppData\Local\Temp\Checkupdate.exe
C:\Users\doctor6\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\doctor6\AppData\Local\Temp\gcapi_dll.dll
C:\Users\doctor6\AppData\Local\Temp\gtapi_signed.dll
C:\Users\nurse2\AppData\Local\Temp\Checkupdate.exe
C:\Users\nurse2\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\nurse2\AppData\Local\Temp\gcapi_dll.dll
C:\Users\nurse2\AppData\Local\Temp\gtapi_signed.dll
C:\Users\reception\AppData\Local\Temp\Checkupdate.exe
C:\Users\reception\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\reception\AppData\Local\Temp\gcapi_dll.dll
C:\Users\reception\AppData\Local\Temp\gtapi_signed.dll

Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\conhost.exe
C:\Windows\SysWOW64\csrss.exe
C:\Windows\SysWOW64\dfsrs.exe
C:\Windows\SysWOW64\dfssvc.exe
C:\Windows\SysWOW64\dns.exe
C:\Windows\SysWOW64\dwm.exe
C:\Windows\SysWOW64\FXSSVC.exe
C:\Windows\SysWOW64\ismserv.exe
C:\Windows\SysWOW64\LogonUI.exe
C:\Windows\SysWOW64\lsass.exe
C:\Windows\SysWOW64\lsm.exe
C:\Windows\SysWOW64\msdtc.exe
C:\Windows\SysWOW64\ntfrs.exe
C:\Windows\SysWOW64\services.exe
C:\Windows\SysWOW64\smss.exe
C:\Windows\SysWOW64\spoolsv.exe
C:\Windows\SysWOW64\taskhost.exe
C:\Windows\SysWOW64\vds.exe
C:\Windows\SysWOW64\VSSVC.exe
C:\Windows\SysWOW64\winlogon.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-04 00:27

==================== End Of Log ============================




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:23 PM

Posted 11 May 2015 - 03:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/575407 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:23 AM

Posted 24 May 2015 - 09:01 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure the "receive notifications" box is ticked and set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi adax1,
 
Are you familiar with these files?
C:\Users\Administrator\AppData\Roaming\VeryGoodDrkWaxter\exceptionfilter.exe
Z:\P1100_P1560_P1600.exe
 
--------------

I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below into the Notepad document:
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKU\S-1-5-21-2738355517-3946100407-2187008905-1115\...\Run: [Google Update**.d<*>] => "C:\Users\nurse2\AppData\Local\Google\Desktop\Install\{81468ccb-1cdf-715f-d5c8-0ce8dfd8637d}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{81468ccb-1cdf-715f-d5c8-0ce8dfd8637d}\GoogleUpdate.exe" > <===== ATTENTION (Value Name with invalid characters)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll No File
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll No File
S4 LMIRfsClientNP; No ImagePath
C:\Users\nurse2\AppData\Local\Google\Desktop\Install
C:\Windows\SysWOW64\conhost.exe
C:\Windows\SysWOW64\csrss.exe
C:\Windows\SysWOW64\dfsrs.exe
C:\Windows\SysWOW64\dfssvc.exe
C:\Windows\SysWOW64\dns.exe
C:\Windows\SysWOW64\dwm.exe
C:\Windows\SysWOW64\FXSSVC.exe
C:\Windows\SysWOW64\ismserv.exe
C:\Windows\SysWOW64\LogonUI.exe
C:\Windows\SysWOW64\lsass.exe
C:\Windows\SysWOW64\lsm.exe
C:\Windows\SysWOW64\msdtc.exe
C:\Windows\SysWOW64\ntfrs.exe
C:\Windows\SysWOW64\services.exe
C:\Windows\SysWOW64\smss.exe
C:\Windows\SysWOW64\spoolsv.exe
C:\Windows\SysWOW64\taskhost.exe
C:\Windows\SysWOW64\vds.exe
C:\Windows\SysWOW64\VSSVC.exe
C:\Windows\SysWOW64\winlogon.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • New FRST.txt

xXToffeeXx~


Edited by xXToffeeXx, 24 May 2015 - 09:02 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
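The fixlist above removes a set of binaries that carry the names of core Windows processes (smss.exe, csrss.exe, lsass.exe, winlogon.exe and so on) but sit in SysWOW64 rather than System32, which is the classic masquerade a miner dropper uses. The following audit script is an added example, not part of the thread or of FRST: it only reports such files on a Server 2008 R2 host, comparing each against its System32 twin, so a responder can confirm what a fix would touch before anything is deleted. The name list is taken from the fixlist; the script assumes none of them has a legitimate 32-bit copy under SysWOW64.

```powershell
# Added audit script (not part of the thread's FRST fix). It reports only and
# deletes nothing. Run from an elevated 64-bit PowerShell on the affected host;
# a 32-bit session would redirect System32 to SysWOW64 and defeat the comparison.
# Assumption: none of these names, taken from the fixlist above, has a
# legitimate 32-bit copy under SysWOW64 on Server 2008 R2.
$suspectNames = @(
    'conhost.exe','csrss.exe','dfsrs.exe','dfssvc.exe','dns.exe','dwm.exe',
    'FXSSVC.exe','ismserv.exe','LogonUI.exe','lsass.exe','lsm.exe','msdtc.exe',
    'ntfrs.exe','services.exe','smss.exe','spoolsv.exe','taskhost.exe',
    'vds.exe','VSSVC.exe','winlogon.exe'
)
$wow64 = Join-Path $env:SystemRoot 'SysWOW64'
$sys32 = Join-Path $env:SystemRoot 'System32'
$procs = Get-WmiObject Win32_Process   # fetched once; ExecutablePath is null for some protected processes

function Get-Sha256Hex ($path) {
    # Get-FileHash needs PowerShell 4+, so hash via .NET (works on the 2.0 shipped with 2008 R2)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$findings = foreach ($name in $suspectNames) {
    $path = Join-Path $wow64 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $file    = Get-Item -LiteralPath $path
    $twin    = Join-Path $sys32 $name
    $twinRel = 'no System32 twin'
    if (Test-Path -LiteralPath $twin) {
        # Same hash: a verbatim copy of the real binary dropped in the wrong place.
        # Different hash: a different program wearing a system-process name.
        if ((Get-Sha256Hex $path) -eq (Get-Sha256Hex $twin)) { $twinRel = 'identical to System32' }
        else { $twinRel = 'DIFFERS from System32' }
    }
    $pids = ($procs | Where-Object { $_.ExecutablePath -eq $path } | ForEach-Object { $_.ProcessId }) -join ','
    New-Object PSObject -Property @{
        Name        = $name
        SizeBytes   = $file.Length
        Created     = $file.CreationTime
        Company     = $file.VersionInfo.CompanyName   # easily faked, shown for context only
        VsSystem32  = $twinRel
        RunningPIDs = $pids
    }
}

if ($findings) { $findings | Format-Table Name, SizeBytes, Created, Company, VsSystem32, RunningPIDs -AutoSize }
else { 'No suspect binaries found under SysWOW64.' }
```

A non-empty RunningPIDs column tells you which of the masquerading copies are live, so they can be stopped before the files are removed and their hashes kept for the incident record.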


#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 07 June 2015 - 08:07 AM

Hi adax1,

 

How are you getting on?

 

xXToffeeXx~




#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 12 June 2015 - 11:17 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
