Whats App Malware removed but still email problems


7 replies to this topic

#1 Pewit

Pewit

  • Members
  • 8 posts
  • Gender:Male
  • Location:Potts Point, NSW

Posted 01 July 2015 - 05:25 AM

My partner's computer had a malware attack which caused the computer to send fake "You have a Whats App message" emails to the contacts in the address book via Windows Live Mail.

 

I downloaded and ran a full scan with malwarebytes and also installed and ran a full scan with Avast AV and no malware was found.

 

I then invoked 2-stage verification for his Gmail account and it has now stopped sending the fake WhatsApp messages, but it now sends a blank email addressed to the bounce server of the domain of any incoming message using an encoded email address, for example:

 

To: 31ZaTVQgTDAQrs-vitp2eggsyrxw.ksskpi.gsqwsrr2.xvizsvkqemp.gsq@gaia.bounces.google.com
From: "My Account" <my.account@gmail.com> [<---name changed to prevent spam]
Date: Wed, 1 Jul 2015 00:29:26 -0700
Message-ID: <CAECbVs7YSG9dgE1ThPnjMM4QMsYNGYvbvma=xq0ueUpAZx=m+Q@mail.gmail.com>
In-Reply-To: <DGc976tcR_o38OERcIdksA@notifications.google.com>
References: <DGc976tcR_o38OERcIdksA@notifications.google.com>
Subject: Re: Change in security settings for your account
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Precedence: bulk
X-Autoreply: yes
Auto-Submitted: auto-replied
X-Antivirus: avast! (VPS 150630-1, 01/07/2015), Inbound message
X-Antivirus-Status: Clean

<div dir="ltr"><br></div>

 

I think the 2-stage verification has prevented the emails transmitting, but I don't think it's resolved the infection. Can anyone suggest a next action?

 
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 5:46:42 PM, on 1/07/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.18870)
 
FIREFOX: 38.0.5 (x86 en-US)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\AVAST Software\Avast\avastUi.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\Identities.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Trevor\Downloads\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O3 - Toolbar: &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
O4 - HKLM\..\Run: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
O4 - HKLM\..\Run: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_190_Plugin.exe -update plugin
O4 - Startup: EvernoteClipper.lnk = C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
O8 - Extra context menu item: Clip bookmark - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=0
O8 - Extra context menu item: Clip image - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=4
O8 - Extra context menu item: Clip selection - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=3
O8 - Extra context menu item: Clip this page - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=1
O8 - Extra context menu item: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
O8 - Extra context menu item: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
O8 - Extra context menu item: New note - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\NewNote.html
O8 - Extra context menu item: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @C:\Program Files (x86)\Evernote\Evernote\OLIEResource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Evernote\Evernote\OLIEResource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device Service - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Epson Scanner Service (EpsonScanSvc) - Unknown owner - C:\Windows\system32\EscSvc64.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 9 (TeamViewer9) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 13027 bytes

 

 

Thanks in advance

 

Paul


Edited by Pewit, 01 July 2015 - 07:39 AM.
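The header block quoted in the post, read as a defender would read it: the `Auto-Submitted: auto-replied`, `X-Autoreply: yes`, `Precedence: bulk` and `In-Reply-To` headers are the RFC 3834 markers of an automatic reply, and the recipient is a bounce mailbox rather than a contact. The script below is an added example (not code from the thread or from any tool mentioned in it) that classifies outbound messages on those two facts plus a blank-body check; it uses only the Python standard library, and the second message with the `example.com` recipient is constructed for contrast.

```python
"""Triage outbound mail headers: automatic reply to a bounce address vs. a direct send."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed from the header block quoted in the post (display name and local part
# were already anonymised by the poster); the body is the one-line empty div shown there.
BLANK_REPLY = """\
To: 31ZaTVQgTDAQrs-vitp2eggsyrxw.ksskpi.gsqwsrr2.xvizsvkqemp.gsq@gaia.bounces.google.com
From: "My Account" <my.account@gmail.com>
Date: Wed, 1 Jul 2015 00:29:26 -0700
Message-ID: <CAECbVs7YSG9dgE1ThPnjMM4QMsYNGYvbvma=xq0ueUpAZx=m+Q@mail.gmail.com>
In-Reply-To: <DGc976tcR_o38OERcIdksA@notifications.google.com>
References: <DGc976tcR_o38OERcIdksA@notifications.google.com>
Subject: Re: Change in security settings for your account
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Precedence: bulk
X-Autoreply: yes
Auto-Submitted: auto-replied

<div dir="ltr"><br></div>
"""

# Constructed counter-example: a message to an ordinary contact with the lure subject
# the poster described and none of the auto-reply markers.
LURE_MAIL = """\
To: contact@example.com
From: "My Account" <my.account@gmail.com>
Subject: You have a Whats App message
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8

<div dir="ltr"><a href="http://example.invalid/">Open message</a></div>
"""

# Substrings that mark a mailbox as a machine endpoint rather than a person (assumed list).
BOUNCE_HINTS = ("bounce", "noreply", "no-reply", "notifications")


def auto_reply_evidence(msg):
    """Return the header facts that mark a message as automatically generated (RFC 3834)."""
    evidence = []
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        evidence.append(f"Auto-Submitted: {auto}")
    if (msg.get("X-Autoreply") or "").strip().lower() == "yes":
        evidence.append("X-Autoreply: yes")
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "auto_reply"):
        evidence.append(f"Precedence: {msg['Precedence'].strip()}")
    if msg.get("In-Reply-To"):
        evidence.append("In-Reply-To present")
    return evidence


def recipients_are_bounce_addresses(msg):
    """True when every To/Cc recipient looks like a bounce or notification mailbox."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if not addrs:
        return False
    return all(any(hint in a.lower() for hint in BOUNCE_HINTS) for a in addrs)


def body_is_blank(msg):
    """True when the payload contains no text once HTML tags are stripped."""
    payload = msg.get_payload(decode=True) or b""
    text = re.sub(r"<[^>]+>", "", payload.decode("utf-8", "replace"))
    return text.strip() == ""


def classify(raw):
    """Label one raw RFC 822 message and return the evidence behind the label."""
    msg = message_from_string(raw)
    evidence = auto_reply_evidence(msg)
    if evidence and recipients_are_bounce_addresses(msg):
        kind = "auto-reply-to-bounce-address"
    elif evidence:
        kind = "auto-reply"
    else:
        kind = "direct-send"
    return {"kind": kind, "evidence": evidence, "blank_body": body_is_blank(msg)}


if __name__ == "__main__":
    for name, raw in (("blank reply", BLANK_REPLY), ("lure mail", LURE_MAIL)):
        print(name, classify(raw))
```

Run over a mailbox export, the two labels separate messages produced by an auto-reply rule from messages a sending engine addressed to real contacts, which is the distinction the poster's two symptoms turn on.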



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 July 2015 - 10:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


How is the computer running?

#3 Pewit

Pewit
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:Potts Point, NSW

Posted 02 July 2015 - 09:43 PM

Hi nasdaq

 

Zoek script run using recommended settings. AV disabled, Firewall off

Reboot required by Zoek

Log file attached

 

No longer sending blank emails! Hurrah

 

Ran Farbar - log below

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:28-06-2015 01
Ran by Trevor (administrator) on TREVOR-HP on 03-07-2015 12:33:41
Running from C:\Users\Trevor\Downloads
Loaded Profiles: Trevor (Available Profiles: Trevor & Paul)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
() C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Siber Systems) C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard) C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Avast Software s.r.o.) C:\Program Files\AVAST Software\Avast\avastui.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
(ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_18_0_0_194.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_18_0_0_194.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610360 2009-07-08] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-01-27] (Apple Inc.)
HKLM-x32\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [BATINDICATOR] => C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)
HKLM-x32\...\Run: [LaunchHPOSIAPP] => C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Remote Solution] => C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-05-26] ()
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5515496 2015-06-30] (Avast Software s.r.o.)
HKU\S-1-5-21-630011429-778415715-1037930480-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [28785792 2015-06-02] (Skype Technologies S.A.)
HKU\S-1-5-21-630011429-778415715-1037930480-1000\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110160 2014-11-20] (Siber Systems)
HKU\S-1-5-21-630011429-778415715-1037930480-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\WLXPGSS.SCR [322248 2014-03-31] (Microsoft Corporation)
Startup: C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2015-04-06]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-06-30] (Avast Software s.r.o.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-630011429-778415715-1037930480-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_AU&c=94&bd=Pavilion&pf=cndt
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-630011429-778415715-1037930480-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?pc=SKY2&ocid=SKY2DHP&osmkt=en-au
HKU\S-1-5-21-630011429-778415715-1037930480-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-630011429-778415715-1037930480-1000\Software\Microsoft\Internet Explorer\Main,Old Start Page = http://www.msn.com/?pc=SKY2&ocid=SKY2DHP&osmkt=en-au
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-630011429-778415715-1037930480-1000 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-630011429-778415715-1037930480-1000 -> {A2C4FD85-91C1-4698-814C-668E51B3C643} URL = http://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q={searchTerms}&src=IE-SearchBox
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2014-11-20] (Siber Systems Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2014-12-27] (Siber Systems Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2015-03-03] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2014-11-20] (Siber Systems Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2014-12-27] (Siber Systems Inc.)
Toolbar: HKU\S-1-5-21-630011429-778415715-1037930480-1000 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2014-11-20] (Siber Systems Inc.)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-05-29] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-05-29] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-05-29] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-05-29] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0EE11D26-492C-48FE-B533-A7852659204B}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{1C728E37-3F7B-4CB2-9F3E-172845672231}: [DhcpNameServer] 172.20.10.1
Tcpip\..\Interfaces\{3AA79F4A-472B-41F0-8561-5E6787BF4221}: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\pgp8942k.default-1416211681831
FF DefaultSearchEngine: Google Australia
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: https://www.google.com/calendar/render#main_7
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SKY2DF&PC=SKY2&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_194.dll [2015-07-02] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll [2015-07-02] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\pgp8942k.default-1416211681831\searchplugins\google-australia.xml [2015-01-03]
FF SearchPlugin: C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\pgp8942k.default-1416211681831\searchplugins\mycroft-project.xml [2015-01-03]
FF Extension: English (Australian) Dictionary - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\pgp8942k.default-1416211681831\Extensions\en-AU@dictionaries.addons.mozilla.org [2014-12-27]
FF Extension: Redirector - C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\pgp8942k.default-1416211681831\Extensions\redirector@einaregilsson.com [2015-06-09]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-06-03]
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox
FF Extension: RoboForm Toolbar for Firefox - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2014-11-20]
FF HKU\S-1-5-21-630011429-778415715-1037930480-1000\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox

Chrome:
=======
CHR Profile: C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-17]
CHR Extension: (Google Docs) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-17]
CHR Extension: (Google Drive) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-17]
CHR Extension: (YouTube) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-17]
CHR Extension: (Google Search) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-17]
CHR Extension: (Google Sheets) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-23]
CHR Extension: (Google Wallet) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-17]
CHR Extension: (Gmail) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-17]
CHR Extension: (RoboForm Password Manager) - C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob [2014-12-08]
CHR HKLM\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2014-11-20]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-05-01]
CHR HKLM-x32\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2014-11-20]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [343336 2015-06-30] (Avast Software s.r.o.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-11] (Seiko Epson Corporation)
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [124928 2009-07-09] (Hewlett-Packard) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2009-05-18] (Hewlett-Packard Company) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29168 2015-06-30] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [89944 2015-06-30] (Avast Software s.r.o.)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-06-30] (Avast Software s.r.o.)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65736 2015-06-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1047320 2015-06-30] (Avast Software s.r.o.)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [442264 2015-06-30] (Avast Software s.r.o.)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [272248 2015-06-30] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-03 12:21 - 2015-07-03 12:22 - 00035726 _____ C:\Users\Trevor\Downloads\Addition.txt
2015-07-03 12:20 - 2015-07-03 12:33 - 00020392 _____ C:\Users\Trevor\Downloads\FRST.txt
2015-07-03 12:20 - 2015-07-03 12:33 - 00000000 ____D C:\FRST
2015-07-03 12:20 - 2015-07-03 12:20 - 02112512 _____ (Farbar) C:\Users\Trevor\Downloads\FRST64.exe
2015-07-03 12:10 - 2015-07-03 11:47 - 00024064 _____ C:\Windows\zoek-delete.exe
2015-07-03 12:09 - 2015-07-03 12:13 - 00005890 _____ C:\zoek-results.log
2015-07-03 11:47 - 2015-07-03 12:11 - 00000000 ____D C:\zoek_backup
2015-07-03 11:45 - 2015-07-03 11:45 - 01308672 _____ C:\Users\Trevor\Downloads\zoek.exe
2015-07-02 13:04 - 2015-07-02 13:04 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-07-02 13:04 - 2015-07-02 13:04 - 00002013 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2015-07-02 13:04 - 2015-07-02 13:04 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-07-02 12:59 - 2015-07-02 13:00 - 01125056 _____ (Adobe Systems Incorporated) C:\Users\Trevor\Downloads\flashplayer18_ha_install.exe
2015-07-01 17:46 - 2015-07-01 17:46 - 00013029 _____ C:\Users\Trevor\Downloads\hijackthis.log
2015-07-01 17:45 - 2015-07-01 17:45 - 00388608 _____ (Trend Micro Inc.) C:\Users\Trevor\Downloads\HijackThis.exe
2015-07-01 16:11 - 2015-07-01 16:11 - 00000020 _____ C:\Windows\¸÷Ï
2015-07-01 16:10 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2015-07-01 16:10 - 2010-06-02 04:55 - 00518488 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2015-07-01 16:10 - 2010-06-02 04:55 - 00077656 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2015-07-01 16:10 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2015-07-01 16:10 - 2010-05-26 11:41 - 02526056 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2015-07-01 16:10 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2015-07-01 16:09 - 2010-05-26 11:41 - 00276832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2015-07-01 16:09 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2015-07-01 16:09 - 2009-09-04 17:29 - 00523088 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2015-07-01 16:09 - 2009-09-04 17:29 - 00453456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_42.dll
2015-07-01 16:09 - 2006-11-29 13:06 - 04398360 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2015-07-01 16:09 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_32.dll
2015-07-01 16:03 - 2015-07-01 16:03 - 01125056 _____ (Adobe Systems Incorporated) C:\Users\Trevor\Downloads\flashplayer18_ga_install.exe
2015-06-30 11:49 - 2015-06-30 11:49 - 00000000 ____D C:\Users\Trevor\AppData\Roaming\AVAST Software
2015-06-30 11:48 - 2015-06-30 11:48 - 00442264 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswsp.sys
2015-06-30 11:48 - 2015-06-30 11:48 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-06-30 11:48 - 2015-06-30 11:48 - 00001928 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-06-30 11:48 - 2015-06-30 11:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-06-30 11:48 - 2015-06-30 11:47 - 01047320 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswSnx.sys
2015-06-30 11:48 - 2015-06-30 11:47 - 00272248 _____ C:\Windows\system32\Drivers\aswVmm.sys
2015-06-30 11:48 - 2015-06-30 11:47 - 00093528 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswRdr2.sys
2015-06-30 11:48 - 2015-06-30 11:47 - 00089944 _____ (Avast Software s.r.o.) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-06-30 11:48 - 2015-06-30 11:47 - 00065736 _____ C:\Windows\system32\Drivers\aswRvrt.sys
2015-06-30 11:48 - 2015-06-30 11:47 - 00029168 _____ C:\Windows\system32\Drivers\aswHwid.sys
2015-06-30 11:47 - 2015-06-30 11:47 - 00364472 _____ (Avast Software s.r.o.) C:\Windows\system32\aswBoot.exe
2015-06-30 11:47 - 2015-06-30 11:47 - 00043112 _____ (Avast Software s.r.o.) C:\Windows\avastSS.scr
2015-06-30 11:45 - 2015-06-30 11:45 - 00000000 ____D C:\Program Files\AVAST Software
2015-06-30 11:43 - 2015-06-30 11:44 - 00000000 ____D C:\ProgramData\AVAST Software
2015-06-22 14:31 - 2015-06-22 14:31 - 00018602 _____ C:\ComboFix.txt
2015-06-22 14:16 - 2011-06-26 16:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-22 14:16 - 2010-11-08 03:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-22 14:16 - 2009-04-20 14:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-22 14:16 - 2000-08-31 10:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-22 14:16 - 2000-08-31 10:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-22 14:16 - 2000-08-31 10:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-22 14:16 - 2000-08-31 10:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-22 14:16 - 2000-08-31 10:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-22 14:13 - 2015-06-22 14:31 - 00000000 ____D C:\Qoobox
2015-06-22 14:13 - 2015-06-22 14:30 - 00000000 ____D C:\Windows\erdnt
2015-06-22 14:12 - 2015-06-22 14:12 - 00001459 _____ C:\Users\Trevor\Desktop\JRT.txt
2015-06-22 14:09 - 2015-06-22 14:09 - 00000207 _____ C:\Windows\tweaking.com-regbackup-TREVOR-HP-Windows-7-Home-Premium-(64-bit).dat
2015-06-22 14:09 - 2015-06-22 14:09 - 00000000 ____D C:\RegBackup
2015-06-22 14:08 - 2015-06-22 14:09 - 05628633 ____R (Swearware) C:\Users\Trevor\Downloads\ComboFix.exe
2015-06-22 14:08 - 2015-06-22 14:08 - 02950454 _____ (Thisisu) C:\Users\Trevor\Downloads\JRT.exe
2015-06-21 10:32 - 2015-06-21 10:36 - 00000000 ____D C:\AdwCleaner
2015-06-21 10:31 - 2015-06-21 10:31 - 02231296 _____ C:\Users\Trevor\Downloads\adwcleaner_4.206.exe
2015-06-21 09:47 - 2015-06-21 09:53 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-21 09:47 - 2015-06-21 09:47 - 00001068 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-21 09:47 - 2015-06-21 09:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-21 09:47 - 2015-06-21 09:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-21 09:47 - 2015-06-21 09:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-21 09:47 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-21 09:47 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-21 09:47 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-21 09:46 - 2015-06-21 09:46 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Trevor\Downloads\mbam-setup-2.1.6.1022.exe
2015-06-10 08:10 - 2015-05-26 04:24 - 05569984 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-06-10 08:10 - 2015-05-26 04:23 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-06-10 08:10 - 2015-05-26 04:21 - 01728960 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 01255424 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 01162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 00728576 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-06-10 08:10 - 2015-05-26 04:19 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-06-10 08:10 - 2015-05-26 04:18 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-06-10 08:10 - 2015-05-26 04:18 - 00404992 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-06-10 08:10 - 2015-05-26 04:18 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-06-10 08:10 - 2015-05-26 04:18 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-06-10 08:10 - 2015-05-26 04:07 - 03989440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-06-10 08:10 - 2015-05-26 04:01 - 00641536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2015-06-10 08:10 - 2015-05-26 04:01 - 00551424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-06-10 08:10 - 2015-05-26 04:00 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
2015-06-10 08:10 - 2015-05-23 04:18 - 01021440 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-06-10 08:10 - 2015-05-23 04:18 - 00757248 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-06-10 08:10 - 2015-05-23 04:18 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-06-10 08:10 - 2015-05-23 04:18 - 00423424 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-06-10 08:10 - 2015-05-23 04:18 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-06-10 08:10 - 2015-05-23 04:18 - 00045568 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-06-10 08:10 - 2015-05-23 04:13 - 01119232 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-06-10 08:10 - 2015-05-21 23:19 - 00193536 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-06-10 08:10 - 2015-04-30 04:22 - 14635008 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-06-10 08:10 - 2015-04-30 04:21 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-06-10 08:10 - 2015-04-30 04:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-06-10 08:10 - 2015-04-30 04:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-06-10 08:10 - 2015-04-30 04:19 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-06-10 08:10 - 2015-04-30 04:07 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-06-10 08:10 - 2015-04-30 04:07 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-06-10 08:10 - 2015-04-30 04:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-06-10 08:10 - 2015-04-30 04:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-06-10 08:10 - 2015-04-30 04:05 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-06-10 08:09 - 2015-05-29 04:25 - 01188864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 12303872 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 09067520 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 02470912 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 01539584 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\mstime.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00911360 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00735232 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00610304 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00495616 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00445952 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00289792 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00252928 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00134144 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00082944 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00064512 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00057856 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2015-06-10 08:09 - 2015-05-29 04:24 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\corpol.dll
2015-06-10 08:09 - 2015-05-29 04:23 - 01538048 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-10 08:09 - 2015-05-29 04:23 - 00174592 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-06-10 08:09 - 2015-05-29 04:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-06-10 08:09 - 2015-05-29 04:23 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-06-10 08:09 - 2015-05-29 04:07 - 11030016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 06032896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 02088448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 01267712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00981504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00627712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00624640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00428544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00389632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00345600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00195072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00186368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00153088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00132096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00064512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00044544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2015-06-10 08:09 - 2015-05-29 04:07 - 00018944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\corpol.dll
2015-06-10 08:09 - 2015-05-29 04:06 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-06-10 08:09 - 2015-05-29 04:06 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2015-06-10 08:09 - 2015-05-29 04:06 - 00015872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2015-06-10 08:09 - 2015-05-29 04:05 - 01466368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-10 08:09 - 2015-05-29 03:46 - 00483328 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-10 08:09 - 2015-05-29 03:35 - 00386560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-10 08:09 - 2015-05-29 03:21 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-10 08:09 - 2015-05-29 03:13 - 01638912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-10 08:09 - 2015-05-26 04:23 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-06-10 08:09 - 2015-05-26 04:19 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-06-10 08:09 - 2015-05-26 04:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-06-10 08:09 - 2015-05-26 04:18 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-06-10 08:09 - 2015-05-26 04:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-06-10 08:09 - 2015-05-26 04:18 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-06-10 08:09 - 2015-05-26 04:18 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-06-10 08:09 - 2015-05-26 04:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-06-10 08:09 - 2015-05-26 04:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 04:07 - 03934144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-06-10 08:09 - 2015-05-26 04:04 - 01310744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00635392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00092160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-06-10 08:09 - 2015-05-26 04:01 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-06-10 08:09 - 2015-05-26 04:00 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\logman.exe
2015-06-10 08:09 - 2015-05-26 04:00 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-06-10 08:09 - 2015-05-26 04:00 - 00040448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\typeperf.exe
2015-06-10 08:09 - 2015-05-26 04:00 - 00037888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\relog.exe
2015-06-10 08:09 - 2015-05-26 04:00 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-06-10 08:09 - 2015-05-26 04:00 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\diskperf.exe
2015-06-10 08:09 - 2015-05-26 03:59 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-06-10 08:09 - 2015-05-26 03:59 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-10 08:09 - 2015-05-26 03:59 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-06-10 08:09 - 2015-05-26 03:59 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-06-10 08:09 - 2015-05-26 03:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-06-10 08:09 - 2015-05-26 03:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 03:08 - 03206144 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-06-10 08:09 - 2015-05-26 03:00 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-06-10 08:09 - 2015-05-26 02:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-06-10 08:09 - 2015-05-26 02:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-06-10 08:09 - 2015-05-26 02:48 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 02:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 02:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 08:09 - 2015-05-26 02:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-06-10 08:09 - 2015-04-25 04:17 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-06-10 08:09 - 2015-04-25 03:56 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2015-06-10 08:09 - 2015-04-11 13:19 - 00069888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\stream.sys
2015-06-03 09:19 - 2015-06-08 08:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-03 12:21 - 2009-07-14 14:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-03 12:21 - 2009-07-14 14:45 - 00018736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-03 12:20 - 2014-11-09 13:48 - 01707513 _____ C:\Windows\WindowsUpdate.log
2015-07-03 12:16 - 2014-11-17 18:00 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-03 12:15 - 2014-11-12 15:13 - 00000000 ____D C:\Users\Trevor\AppData\Roaming\Skype
2015-07-03 12:13 - 2014-11-17 17:59 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-03 12:12 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-03 12:12 - 2009-07-14 14:51 - 00036994 _____ C:\Windows\setupact.log
2015-07-03 12:11 - 2009-08-27 18:49 - 00285228 _____ C:\Windows\PFRO.log
2015-07-03 11:37 - 2014-11-10 13:24 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-03 03:05 - 2014-11-11 19:56 - 01861532 _____ C:\Windows\IE11_main.log
2015-07-02 23:06 - 2014-11-09 15:11 - 00000000 ____D C:\Users\Trevor\AppData\Roaming\Adobe
2015-07-02 23:03 - 2014-11-10 13:23 - 00000000 ____D C:\Users\Trevor\AppData\Local\Adobe
2015-07-02 13:05 - 2015-01-03 08:37 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-07-02 13:04 - 2014-11-17 13:36 - 00000000 ____D C:\ProgramData\Adobe
2015-07-02 13:00 - 2014-11-10 13:24 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-02 13:00 - 2014-11-10 13:24 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-02 13:00 - 2014-11-10 13:24 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-01 17:45 - 2014-11-09 13:54 - 00000000 ____D C:\Users\Trevor\AppData\Local\VirtualStore
2015-07-01 16:12 - 2014-11-10 12:14 - 00001340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk
2015-07-01 16:12 - 2014-11-10 12:14 - 00001271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
2015-07-01 16:11 - 2014-11-10 12:13 - 00001424 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Mail.lnk
2015-07-01 16:09 - 2014-11-10 12:09 - 00000544 _____ C:\Windows\DirectX.log
2015-07-01 13:44 - 2009-07-14 15:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-06-30 10:13 - 2014-11-09 13:58 - 00000552 _____ C:\Windows\Tasks\PCDRScheduledMaintenance.job
2015-06-30 10:00 - 2014-11-13 22:58 - 00004869 _____ C:\Windows\system32\lvcoinst.log
2015-06-29 08:25 - 2014-11-09 13:48 - 00000000 ____D C:\Users\Trevor
2015-06-29 07:47 - 2014-11-10 06:59 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2015-06-29 07:46 - 2014-11-10 06:55 - 00000000 ____D C:\Users\Trevor\AppData\Roaming\HpUpdate
2015-06-23 15:36 - 2014-11-12 15:12 - 00000000 ____D C:\ProgramData\Skype
2015-06-23 07:17 - 2014-11-17 18:00 - 00002149 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-22 22:40 - 2014-11-12 14:44 - 00003496 _____ C:\Windows\System32\Tasks\Run RoboForm TaskBar Icon
2015-06-22 14:31 - 2009-07-14 13:20 - 00000000 __RHD C:\Users\Default
2015-06-22 14:29 - 2009-07-14 12:34 - 00000215 _____ C:\Windows\system.ini
2015-06-11 04:07 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache
2015-06-11 03:34 - 2009-07-14 15:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-11 03:29 - 2009-07-14 14:45 - 00433248 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-11 03:27 - 2014-12-12 02:24 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-11 03:27 - 2014-11-09 14:49 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-11 03:11 - 2009-08-27 19:09 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-06-11 03:06 - 2014-11-09 14:02 - 00000000 ____D C:\Windows\system32\MRT
2015-06-11 03:01 - 2014-11-09 14:02 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-06-08 08:44 - 2014-11-10 11:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2014-11-23 23:13 - 2014-11-23 23:13 - 0007619 _____ () C:\Users\Trevor\AppData\Local\Resmon.ResmonCfg
2015-01-19 12:26 - 2015-01-19 12:26 - 0480350 _____ () C:\Users\Trevor\AppData\Local\tmpCCE05042014_00000.0
2015-01-19 12:26 - 2015-01-19 12:26 - 0427282 _____ () C:\Users\Trevor\AppData\Local\tmpCCE05042014_00000.1
2015-01-19 12:26 - 2015-01-19 12:26 - 0422729 _____ () C:\Users\Trevor\AppData\Local\tmpCCE05042014_00000.JPG

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-03 01:49

==================== End of log ============================

#4 Pewit
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Potts Point, NSW

Posted 03 July 2015 - 03:15 AM

I spoke too soon - the system is still sending blank mails to "bounce" addresses.

 

Paul



#5 nasdaq
  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 July 2015 - 08:14 AM

Sure looks like your e-mail address has been spoofed.

I can only suggest you create a new one and cancel the current one.

Before you cancel the compromised e-mail I suggest you send a message to all your contacts informing them to use the new one from now on.

When you submit the new e-mail address send it in this format.

myxnewxaddress[at]myprovider.com

Have them remove the x from the posted address and change the [at] to the @ sign.

For security reasons, NEVER post your complete new address in a message.

#6 Pewit
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Potts Point, NSW

Posted 03 July 2015 - 09:33 PM

I don't think the email is being spoofed since the emails must be coming from this PC.

 

Having invoked 2-stage authentication for Gmail, only authenticated devices can send mail and they are this Win 7 PC, a Win 8 Laptop and an iPhone.

 

The Laptop is switched off and the iPhone isn't set to download the emails automatically.

 

I just changed the Gmail password and received a confirmation message from Google that the password had changed with the headers below.

 

Delivered-To: <redacted>@gmail.com
Received: by 10.37.50.18 with SMTP id y18csp226172yby;
        Fri, 3 Jul 2015 18:14:58 -0700 (PDT)
X-Received: by 10.52.0.208 with SMTP id 16mr39433328vdg.77.1435972497853;
        Fri, 03 Jul 2015 18:14:57 -0700 (PDT)
Return-Path: <3kTOXVQgTDAgvw-zmxt6ikkw2v10.owwotm.kwu0wvv6.1zm3wzouiqt.kwu@gaia.bounces.google.com>
Received: from mail-vn0-f72.google.com (mail-vn0-f72.google.com. [209.85.216.72])
        by mx.google.com with ESMTPS id sq6si9091733vdb.103.2015.07.03.18.14.57
        for <redacted>@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 03 Jul 2015 18:14:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of 3kTOXVQgTDAgvw-zmxt6ikkw2v10.owwotm.kwu0wvv6.1zm3wzouiqt.kwu@gaia.bounces.google.com designates 209.85.216.72 as permitted sender) client-ip=209.85.216.72;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of 3kTOXVQgTDAgvw-zmxt6ikkw2v10.owwotm.kwu0wvv6.1zm3wzouiqt.kwu@gaia.bounces.google.com designates 209.85.216.72 as permitted sender) smtp.mail=3kTOXVQgTDAgvw-zmxt6ikkw2v10.owwotm.kwu0wvv6.1zm3wzouiqt.kwu@gaia.bounces.google.com;
       dkim=pass header.i=@accounts.google.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=accounts.google.com
Received: by mail-vn0-f72.google.com with SMTP id f129so144vnb.1
        for <redacted>@gmail.com>; Fri, 03 Jul 2015 18:14:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=accounts.google.com; s=20120806;
        h=mime-version:feedback-id:date:message-id:subject:from:to
         :content-type;
<snip>        
MIME-Version: 1.0
X-Received: by 10.13.231.133 with SMTP id q127mr52255048ywe.31.1435972497526;
 Fri, 03 Jul 2015 18:14:57 -0700 (PDT)
X-Notifications: XEAAAAGb53a_CiZEX98WaFg917f4
X-Account-Notification-Type: PASSWORD_CHANGE
Feedback-ID: PASSWORD_CHANGE:account-notifier
Date: Sat, 4 Jul 2015 01:14:36 +0000 (UTC)
Message-ID: <L_C92vyHFOtOtOqGAknvlg@notifications.google.com>
Subject: Google Account password changed
From: Google <no-reply@accounts.google.com>
To: <redacted>@gmail.com
Content-Type: multipart/related; boundary=94eb2c0763a69f4f69051a0266c0
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Inbound message
X-Antivirus-Status: Clean

 

A few seconds later this blank email with the headers below appeared in the sent mail box:

 

To: 3kTOXVQgTDAgvw-zmxt6ikkw2v10.owwotm.kwu0wvv6.1zm3wzouiqt.kwu@gaia.bounces.google.com
From: "<redacted>" <redacted>@gmail.com>
Date: Fri, 3 Jul 2015 18:14:58 -0700
Message-ID: <CAECbVs7kQK1xVDchFEp+Rt8rMi92Oa5NR5OdUWyn2P3S+0FTzw@mail.gmail.com>
In-Reply-To: <L_C92vyHFOtOtOqGAknvlg@notifications.google.com>
References: <L_C92vyHFOtOtOqGAknvlg@notifications.google.com>
Subject: Re: Google Account password changed
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Precedence: bulk
X-Autoreply: yes
Auto-Submitted: auto-replied
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Inbound message
X-Antivirus-Status: Clean

 

The second email could have been generated by Gmail servers but I think that's very unlikely.  Therefore this computer would be the most likely device.

 

Compare the headers above with those from a genuine email created by forwarding the Google message.

 

Return-Path: <redacted>@gmail.com>
Received: from xxxxxxxxx (<ipaddress>.static.rev.eftel.com. [<ipaddress>])
        by mx.google.com with ESMTPSA id cq5sm10454736pad.11.2015.07.03.19.21.08
        for <redacted>@gmail.com>
        (version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Fri, 03 Jul 2015 19:21:10 -0700 (PDT)
Message-ID: <5D2EE6B012BE4AD28AB11C1F78A33EEB@TrevorHP>
From: "<redacted>" <redacted>@gmail.com>
To: "<redacted>" <redacted>@gmail.com>
Subject: Fw: Google Account password changed
Date: Sat, 4 Jul 2015 12:20:50 +1000
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0149_01D0B653.DEA0DF10"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Outbound message
X-Antivirus-Status: Clean
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Inbound message
X-Antivirus-Status: Clean
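
The post above puts two header sets side by side, and the marks that separate them are visible in the quoted lines: the blank message carries `Auto-Submitted: auto-replied`, `X-Autoreply: yes`, `Precedence: bulk`, a `@mail.gmail.com` Message-ID and avast's "Inbound message" stamp, whereas the hand-forwarded copy shows a `Received: ... with ESMTPSA` line (the trailing A is Google's marker for an authenticated client submission), an `X-Mailer:` header naming Windows Live Mail, and avast's "Outbound message" stamp. RFC 3834 defines `Auto-Submitted` with any value other than `no` as the tag for mail generated by an automatic process. The script below is an added example, not code from the thread: it reads raw headers with Python's `email` package, labels each message as client-submitted, auto-responder or relay on exactly those marks, and also extracts the SPF/DKIM/DMARC verdicts from `Authentication-Results`, which is the check to run on the spoofing suggestion made in #5. The three sample header blocks are constructed, modelled on the posted ones with addresses, tokens and the sending host replaced by placeholders; the function names are mine.

```python
"""Header triage for this thread: who produced a message (mail client, auto-responder,
or relay) and what the receiving MX said about SPF/DKIM/DMARC.
Added example, not from the thread; every sample below is constructed."""
import re
from email import message_from_string
from email.message import Message

# Constructed: the blank "Re:" mail from the Sent folder. RFC 3834 auto-responder
# markers, a server-side Message-ID domain, no Received line and no X-Mailer.
BLANK_REPLY = """\
To: bounce-token@gaia.bounces.google.com
From: "user" <user@gmail.com>
Message-ID: <CAECbVs7kQK1xVDchFEp@mail.gmail.com>
In-Reply-To: <L_C92vyHFOtOtOqGAknvlg@notifications.google.com>
Subject: Re: Google Account password changed
Precedence: bulk
X-Autoreply: yes
Auto-Submitted: auto-replied
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Inbound message

"""

# Constructed: a message forwarded by hand from the Windows Live Mail client.
# ESMTPSA (A = authenticated submission), X-Mailer and avast's "Outbound message"
# stamp are the marks of mail that actually left the PC. Host/IP are placeholders.
CLIENT_FORWARD = """\
Received: from TrevorHP (203.0.113.10.static.example.net. [203.0.113.10])
        by mx.google.com with ESMTPSA id cq5sm10454736pad.11
        for <user@gmail.com>
        (version=TLSv1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Fri, 03 Jul 2015 19:21:10 -0700 (PDT)
Message-ID: <5D2EE6B012BE4AD28AB11C1F78A33EEB@TrevorHP>
From: "user" <user@gmail.com>
Subject: Fw: Google Account password changed
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-Antivirus: avast! (VPS 150703-1, 04/07/2015), Outbound message

"""

# Constructed: the inbound Google notification with its Authentication-Results.
INBOUND_NOTICE = """\
Return-Path: <bounce-token@gaia.bounces.google.com>
Received: from mail-vn0-f72.google.com (mail-vn0-f72.google.com. [209.85.216.72])
        by mx.google.com with ESMTPS id sq6si9091733vdb.103
        for <user@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 03 Jul 2015 18:14:57 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce-token@gaia.bounces.google.com designates 209.85.216.72 as permitted sender) smtp.mail=bounce-token@gaia.bounces.google.com;
       dkim=pass header.i=@accounts.google.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=accounts.google.com
From: Google <no-reply@accounts.google.com>

"""

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def origin(msg: Message) -> str:
    """Label the producer of a message from its headers (RFC 3834 for Auto-Submitted)."""
    auto_submitted = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto_submitted != "no" or (msg.get("X-Autoreply") or "").strip().lower() == "yes":
        return "auto-responder"
    received = msg.get_all("Received") or []
    av_stamps = msg.get_all("X-Antivirus") or []
    if (msg.get("X-Mailer")
            or any("ESMTPSA" in r for r in received)          # authenticated submission
            or any("Outbound message" in v for v in av_stamps)):  # scanned on the way out
        return "mail-client"
    return "relay/other"


def auth_results(msg: Message) -> dict:
    """Collect SPF/DKIM/DMARC verdicts from every Authentication-Results header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results") or []:
        for mechanism, result in _AUTH_RE.findall(value):
            verdicts[mechanism.lower()] = result.lower()
    return verdicts


def from_domain_verified(verdicts: dict) -> bool:
    """True only on a DMARC pass (SPF or DKIM aligned with the From domain).
    A bare SPF pass on the bounce address says nothing about the From header."""
    return verdicts.get("dmarc") == "pass"


def classify(raw_headers: str) -> dict:
    msg = message_from_string(raw_headers)
    message_id = msg.get("Message-ID") or ""
    return {
        "origin": origin(msg),
        "message_id_domain": message_id.rsplit("@", 1)[-1].strip(" <>"),
        "in_reply_to": msg.get("In-Reply-To"),
        "auth": auth_results(msg),
    }


if __name__ == "__main__":
    for name, raw in (("blank reply", BLANK_REPLY), ("client forward", CLIENT_FORWARD),
                      ("inbound notice", INBOUND_NOTICE)):
        print(f"{name:15} {classify(raw)}")
```

Run it against headers copied from the Sent folder (Gmail's "Show original" gives the raw form). A message labelled `auto-responder` with no `Received` line from the PC and a `@mail.gmail.com` Message-ID was generated on the account side, so the account's vacation responder, filters and forwarding rules are worth reviewing alongside the disk scan; a message labelled `mail-client` is the shape a client on the PC produces. `from_domain_verified` is the check for the spoofing question: only a DMARC pass ties the visible From domain to the sender.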



#7 nasdaq
  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 July 2015 - 08:28 AM

This is not malware related and not my forte.

From what I read, 2-step authentication for Gmail is there to protect your account so that no one but you can change your profile, and to protect your current account.

Your e-mail address is being used by someone and he/she is sending (probably SPAM) to many addresses on his list.
If the email is returned then you get the returned message.

You can check that with Google mail.

#8 Pewit
  • Topic Starter
  • Members
  • 8 posts
  • Gender:Male
  • Location:Potts Point, NSW

Posted 04 July 2015 - 09:20 AM

Hmm - I think it is malware related because the messages are being SENT to the "bounce" addresses (which is bizarre I know) - like the first email in the message above - this is not a message RECEIVED from the server.

 

As well as protecting your account, Google 2-step authentication also allows you to permit access only by certain devices which have had a code entered, generated by Google.

 

So unless someone has entered this code which is unique to each device, they can't send to the Google mail servers.

 

I'll keep trying but thanks for your help.

 

Paul


Edited by Pewit, 04 July 2015 - 09:22 AM.




