TrojanDropper:097M/Artitex,A Infection... Help Please!


This topic is locked
21 replies to this topic

#1 geegollygirl

  • Members
  • 60 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 12 October 2015 - 09:41 PM

I knew better but got an e-mail about a fax attachment or something of the sort. I knew it sounded "wrong" but was preoccupied and clicked on it anyway. I have Microsoft Security Essentials and Symantec Endpoint Protection on my PC. From what I can tell, the issue stays dormant until I download something, then I start getting prompts from both security programs about blocked files, referencing the issue mentioned in the topic. If I reboot it seems to stop it (until I download something again). I'd like to get rid of this before it does real harm (and hope it isn't already doing just that!). I don't recall the exact date but I'd guess it was around 10/8/15 when I installed the troublemaking file.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-10-2015
Ran by julie.hoffherr (administrator) on MWIN334366 (12-10-2015 21:30:36)
Running from C:\Users\Julie.Hagedorn\Desktop
Loaded Profiles: julie.hoffherr (Available Profiles: julie.hoffherr & local-admin)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Windows\System32\nvservice.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\TagSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\EventServer.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(MediaMall Technologies, Inc.) C:\Program Files (x86)\MediaMall\MediaMallServer.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\NmspHost.exe
() C:\Windows\SysWOW64\srvany.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(O2Micro.) C:\Windows\SysWOW64\SDIOAssist.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RdcyHost.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Rockwell Automation Inc.) C:\Program Files (x86)\Common Files\Rockwell\RNADiagnosticsSrv.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RsvcHost.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Snow Software AB) C:\Program Files\INVENTORYCLIENT\client64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Quest Software, Inc.) C:\Windows\System32\SPEnroll.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\EventClientMultiplexer.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Flexera Software LLC) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Flexera Software LLC) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RnaDirServer.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RNADirMultiplexor.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\communicator.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\cmrcservice.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSCommon\RSOBSERV.EXE
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\flexsvr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_18_0_0_232_ActiveX.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-02-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [TdmNotify] => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [381296 2011-12-08] (Wave Systems Corp.)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [SPEnroll] => C:\Windows\system32\SPEnroll.exe [3226960 2013-10-28] (Quest Software, Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4791024 2013-07-17] (Intel® Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2041192 2013-01-25] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [113656 2013-01-23] (Intel Corporation)
HKLM-x32\...\Run: [DT DEL] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121648 2011-10-13] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [UsbCipHelper] => C:\Program Files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe [443176 2014-01-10] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46368 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [29984 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort12reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [328992 2010-02-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [Communicator] => C:\Program Files (x86)\Microsoft Lync\communicator.exe [11937552 2010-10-22] (Microsoft Corporation)
HKLM-x32\...\Run: [ActivationNotifier] => C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe [113488 2014-09-09] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-06-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-06-26] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-07-19] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [911032 2015-03-18] (Microsoft Corporation)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {258c71d1-0f52-11e2-95b4-005056c00008} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {31ee5b49-0de0-11e2-a057-991b8f0d873d} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {35286333-0c8f-11e2-9673-00059a3c7a00} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {4ab03454-8616-11e2-ace2-005056c00008} - F:\TL_Bootstrap.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {d1e70f75-19a0-11e4-9235-005056c00008} - F:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {f4d81dbc-37d2-11e2-a9ff-00059a3c7a00} - E:\LaunchU3.exe -a
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {f62607ff-274e-11e2-a3b4-9e78dc6cb9de} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-08-07] (Garmin Ltd or its subsidiaries)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [245872 2013-01-25] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [201576 2013-01-25] (NVIDIA Corporation)
Lsa: [Authentication Packages] msv1_0 wvauth
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2012-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-06]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-06]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Julie.Hagedorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-09-22]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\local-admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-15]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\mark.a.smith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-16]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

AutoConfigURL: [.DEFAULT] => hxxp://dc01prx01.skanskausa.com:9001/skanska.pac
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{783A06BA-CB94-4C66-B230-171CD9436D19}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-181418603-413491667-474620416-214645\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-21-181418603-413491667-474620416-214645\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKU\S-1-5-21-181418603-413491667-474620416-214645\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://one.skanska/
SearchScopes: HKLM -> DefaultScope {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-181418603-413491667-474620416-214645 -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\SnagIt 8\DLLx64\SnagItBHO64.dll [2007-05-01] (TechSmith Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItBHO.dll [2007-05-01] (TechSmith Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Lync\OCHelper.dll [2010-10-22] (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL [2013-10-20] (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-01] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-01] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItIEAddin.dll [2007-05-01] (TechSmith Corporation)
Toolbar: HKU\S-1-5-21-181418603-413491667-474620416-214645 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {538793D5-659C-4639-A56C-A179AD87ED44} hxxps://vpn.skanska.com/CACHE/stc/2/binaries/vpnweb.cab
DPF: HKLM-x32 {556EEC63-31E2-47C3-BF29-DFF799D2FE04} hxxps://secure.logmein.com/activex/RACtrl.cab?rnd=2328160274
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: HKLM-x32 {91B29AFF-E4FF-11D6-8C88-00A0C9D7BBEB} hxxp://www.ab.com/support/abdrives/webupdate/RADriveWebUpdate.cab
DPF: HKLM-x32 {CC679CB8-DC4B-458B-B817-D447B3B6AC31}
DPF: HKLM-x32 {D59124D5-442C-44C5-BD9A-E81BB0582D55} hxxp://raiseinstall.rockwellautomation.com/pstoolbox-lite-9-23-11/setup.ocx
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1058
DPF: HKLM-x32 {FFAD8DA9-ED41-494D-AC8E-63D861D0A733} hxxps://download.rockwellautomation.com/plugins/rockwell.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-24] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-24] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-01] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-01] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.28 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.35 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.38 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.440 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-24] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-24] (NVIDIA Corporation)
FF Plugin-x32: @playon.tv/PlayOnToolbar -> C:\Program Files (x86)\MediaMall\toolbar\npVT.dll [2015-08-27] (MediaMall Technologies, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-181418603-413491667-474620416-214645: @autodesk.com/DWF -> C:\Program Files (x86)\Autodesk\Autodesk Design Review Browser Add-on v1.2\npADRdwf.dll [2011-01-24] (Autodesk)
FF Plugin HKU\S-1-5-21-181418603-413491667-474620416-214645: @citrixonline.com/appdetectorplugin -> C:\Users\Julie.Hagedorn\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-05-27] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2010-10-22] ()
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-08-06]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF
FF Extension: Symantec Vulnerability Protection - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF [2014-12-02]

Chrome:
=======
CHR Profile: C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-10]
CHR Extension: (Google Docs) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-10]
CHR Extension: (Google Drive) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-10]
CHR Extension: (YouTube) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-10]
CHR Extension: (Google Search) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-10]
CHR Extension: (Google Sheets) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-10]
CHR Extension: (Google Docs Offline) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-08-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-10]
CHR Extension: (Gmail) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 1784-PCIDS DeviceNet; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [109568 2015-03-02] (Rockwell Automation) [File not signed]
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1840208 2012-11-21] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [633952 2012-11-21] (Microsoft Corporation)
R2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2279320 2011-08-24] (Dell Inc.)
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-10-13] (Portrait Displays, Inc.)
R2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [218504 2012-01-17] ()
S3 EmuLogix 5868 Slot2; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\\V24\EmuLogix5868.exe [3262976 2015-03-02] (Rockwell Automation) [File not signed]
R2 FactoryTalk Activation Service; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe [1443632 2013-06-19] (Flexera Software LLC)
S4 FactoryTalk Gateway; C:\Program Files (x86)\Rockwell Software\RSOPC Gateway\RSOPCGateway.exe [588136 2011-11-18] (Rockwell Automation, Inc.)
R2 FTActivationBoost; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [149840 2014-09-09] (Rockwell Automation, Inc.)
S4 FTAE_Archiver; C:\Program Files (x86)\Common Files\Rockwell\FTAEArchiver.exe [71016 2011-06-01] (Rockwell Automation, Inc.)
S4 FTAE_HistServ; C:\Program Files (x86)\Common Files\Rockwell\FTAE_HistServ.exe [152936 2011-06-01] (Rockwell Automation, Inc.)
R2 FTSysDiagSvcHost; C:\Program Files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe [74104 2014-07-15] (Rockwell Automation, Inc.) [File not signed]
S3 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-08-07] (Garmin Ltd or its subsidiaries)
R2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-22] (SafeNet Inc.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 Ignition; C:\Program Files\Inductive Automation\Ignition\IgnitionGateway.exe [630552 2014-07-15] (Tanuki Software, Ltd.) [File not signed]
S4 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2010-04-05] ()
S3 LogReceiver; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [81984 2012-04-18] (Rockwell Automation, Inc.)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 MediaMall Server; C:\Program Files (x86)\MediaMall\MediaMallServer.exe [6177072 2015-10-08] (MediaMall Technologies, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R2 MSSQL$FTVIEWX64TAGDB; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 nvservice; C:\Windows\system32\nvservice.exe [192800 2013-01-25] (NVIDIA Corporation)
R2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-09] (Nuance Communications, Inc.)
S4 RnaAeServer; C:\Program Files (x86)\Common Files\Rockwell\RnaAeServer.exe [202088 2011-06-01] (Rockwell Automation, Inc.)
S4 RnaAlarmMux; C:\Program Files (x86)\Common Files\Rockwell\RnaAlarmMux.exe [927080 2011-06-01] (Rockwell Automation, Inc.)
S3 Rockwell HMI Activity Logger; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe [150888 2011-07-26] (Rockwell Automation, Inc.)
S3 Rockwell HMI Alarm Logger; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [130408 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell HMI Diagnostics; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe [106344 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell HMI Framework; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe [861032 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell Tag Server; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\TagSrv.exe [212328 2011-07-26] (Rockwell Automation, Inc.)
S3 RSLinx; C:\Program Files (x86)\Rockwell Software\RSLinx\RSLINX.EXE [3306528 2014-07-29] (Rockwell Automation, Inc.)
R2 RSLinxNG; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe [247872 2012-04-18] (Rockwell Automation, Inc.)
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2013-10-20] (Symantec Corporation)
S3 SimModuleService; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [95232 2015-03-02] () [File not signed]
R3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe [2377984 2013-10-20] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [402000 2012-11-21] (Microsoft Corporation)
S4 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\snac64.exe [334736 2013-10-20] (Symantec Corporation)
R2 SnowInventoryClient; C:\Program Files\INVENTORYCLIENT\client64.exe [4754944 2014-01-29] (Snow Software AB) [File not signed]
S2 SQLAgent$FTVIEWX64TAGDB; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
S3 Studio5000ClockSyncService; C:\Program Files (x86)\Rockwell Automation\Studio 5000 Clock Sync Service\ClockSyncService.exe [26112 2014-08-18] (Rockwell Automation) [File not signed]
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1637888 2011-10-08] () [File not signed]
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [13242960 2013-02-26] ()
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1679872 2012-01-05] (Wave Systems Corp.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [198144 2012-01-16] (Wave Systems Corp.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3377904 2013-07-17] (Intel® Corporation)
S3 EmuLogix 5868 Slot0; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /0 [X]
S3 EmuLogix 5868 Slot1; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /1 [X]
S3 EmuLogix 5868 Slot10; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /10 [X]
S3 EmuLogix 5868 Slot11; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /11 [X]
S3 EmuLogix 5868 Slot12; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /12 [X]
S3 EmuLogix 5868 Slot13; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /13 [X]
S3 EmuLogix 5868 Slot14; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /14 [X]
S3 EmuLogix 5868 Slot15; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /15 [X]
S3 EmuLogix 5868 Slot16; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /16 [X]
S3 EmuLogix 5868 Slot3; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /3 [X]
S3 EmuLogix 5868 Slot4; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /4 [X]
S3 EmuLogix 5868 Slot5; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /5 [X]
S3 EmuLogix 5868 Slot6; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /6 [X]
S3 EmuLogix 5868 Slot7; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /7 [X]
S3 EmuLogix 5868 Slot8; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /8 [X]
S3 EmuLogix 5868 Slot9; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /9 [X]
S2 NPEService; "C:\Users\Julie.Hagedorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6I94OM2N\NPE.exe" /service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [57088 2012-06-15] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [296576 2012-06-15] (SafeNet Inc.)
S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [55168 2008-06-24] (ASIX Electronics Corp.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150925.011\BHDrvx64.sys [1650936 2015-08-12] (Symantec Corporation)
R1 ccSettings_{2FF4FBED-F03A-4EE2-AC58-C985811A4FBE}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\ccSetx64.sys [169048 2013-10-20] (Symantec Corporation)
S3 CH341SER_A64; C:\Windows\System32\Drivers\CH341S64.SYS [58368 2009-06-02] (www.winchiphead.com)
R2 DLABMFSE; C:\Windows\System32\Drivers\DLABMFSE.SYS [46448 2007-07-23] (Roxio)
R2 DLABOIOE; C:\Windows\System32\Drivers\DLABOIOE.SYS [42352 2007-07-23] (Roxio)
R0 DLACDBHE; C:\Windows\System32\Drivers\DLACDBHE.SYS [17776 2007-07-23] (Roxio)
R2 DLADResE; C:\Windows\System32\Drivers\DLADResE.SYS [9968 2007-07-23] (Roxio)
R2 DLAIFS_E; C:\Windows\System32\Drivers\DLAIFS_E.SYS [146672 2007-07-23] (Roxio)
R2 DLAOPIOE; C:\Windows\System32\Drivers\DLAOPIOE.SYS [35056 2007-07-23] (Roxio)
R2 DLAPoolE; C:\Windows\System32\Drivers\DLAPoolE.SYS [19824 2007-07-23] (Roxio)
R1 DLARTL_E; C:\Windows\System32\Drivers\DLARTL_E.SYS [41072 2007-07-23] (Roxio)
R2 DLAUDFAE; C:\Windows\System32\Drivers\DLAUDFAE.SYS [135152 2007-07-23] (Roxio)
R2 DLAUDF_E; C:\Windows\System32\Drivers\DLAUDF_E.SYS [144112 2007-07-23] (Roxio)
R0 DRVECDB; C:\Windows\System32\Drivers\DRVECDB.SYS [124112 2007-07-23] (Sonic Solutions)
R2 DRVEDDM; C:\Windows\System32\Drivers\DRVEDDM.SYS [63984 2007-07-23] (Roxio)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153936 2015-07-28] (Symantec Corporation)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [321536 2011-09-28] (SafeNet Inc.)
S3 HBtnKey; C:\Windows\system32\drivers\HBtnKey.sys [20424 2011-07-19] (Dell Inc.)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20151009.011\IDSvia64.sys [671448 2015-04-23] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R3 msvad_simple; C:\Windows\System32\drivers\povrtdev.sys [28528 2013-03-05] (MediaMall Technologies, Inc.)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20151011.001\ENG64.SYS [138488 2015-06-23] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20151011.001\EX64.SYS [2146040 2015-06-23] (Symantec Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [284448 2013-01-25] (NVIDIA Corporation)
S3 pcidnt; no ImagePath
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [26984 2012-11-21] (Microsoft Corporation)
S3 RAUSBCIP; C:\Windows\System32\drivers\rausbcipwdf.sys [87552 2011-11-07] (Rockwell Automation, Inc.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSP64.SYS [797272 2013-10-20] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSPX64.SYS [36952 2013-10-20] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\SyDvCtrl64.sys [34800 2013-10-20] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMDS64.SYS [493656 2013-10-20] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMEFA64.SYS [1147480 2013-10-20] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-12-02] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\Ironx64.SYS [224856 2013-10-20] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMNETS.SYS [437336 2013-10-20] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [155352 2014-12-02] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [92456 2013-10-20] (Symantec Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2013-04-24] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [28160 2013-04-24] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [34816 2013-04-24] (LG Electronics Inc.)
R1 VirtualBackplane; C:\Windows\System32\Drivers\VirtualBackplane.sys [51200 2011-06-02] (Rockwell Automation)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [31824 2013-02-26] (VMware, Inc.)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-07-19] (Cisco Systems, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70296 2012-10-24] (VMware, Inc.)
S3 vzandnetdiag; C:\Windows\System32\DRIVERS\lgvzandnetdiag64.sys [29696 2013-05-06] (LG Electronics Inc.)
S3 vzandnetmodem; C:\Windows\System32\DRIVERS\lgvzandnetmdm64.sys [36864 2013-05-06] (LG Electronics Inc.)
S1 MpKsl64d1f6c8; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69ADCA37-866F-46CF-9800-DF6264F2D7BC}\MpKsl64d1f6c8.sys [X]
S3 RSSERIAL; \SystemRoot\SYSTEM32\RSSERIAL.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-12 21:30 - 2015-10-12 21:32 - 00045526 _____ C:\Users\Julie.Hagedorn\Desktop\FRST.txt
2015-10-12 21:30 - 2015-10-12 21:30 - 00000000 ____D C:\FRST
2015-10-12 21:27 - 2015-10-12 21:27 - 02196480 _____ (Farbar) C:\Users\Julie.Hagedorn\Desktop\frst64.exe
2015-10-12 15:13 - 2015-10-12 15:13 - 02539012 _____ C:\Users\Julie.Hagedorn\Desktop\L458_P2.mer
2015-10-12 14:45 - 2015-10-12 14:45 - 00000004 ____H C:\ProgramData\cm-lock
2015-10-11 21:05 - 2015-10-11 21:06 - 135358224 _____ (Microsoft Corporation) C:\Users\Julie.Hagedorn\Desktop\msert.exe
2015-10-11 11:01 - 2015-10-11 11:01 - 00000000 ____D C:\ProgramData\SMR501
2015-10-10 11:23 - 2015-10-11 13:38 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\CrashDumps
2015-10-09 19:55 - 2015-10-12 14:43 - 00001424 _____ C:\Windows\setupact.log
2015-10-09 19:55 - 2015-10-09 19:55 - 00000000 _____ C:\Windows\setuperr.log
2015-10-09 19:54 - 2015-10-10 23:36 - 00027574 _____ C:\Windows\PFRO.log
2015-10-09 14:43 - 2015-10-11 13:38 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-09 14:43 - 2015-10-09 14:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-09 14:42 - 2015-10-09 14:43 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-09 14:42 - 2015-10-09 14:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-09 14:42 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-09 14:42 - 2015-06-18 08:41 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-09 14:42 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-10-09 14:39 - 2015-10-11 11:10 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\NPE
2015-10-09 14:39 - 2015-10-09 14:39 - 00000000 ____D C:\ProgramData\Norton
2015-10-05 19:58 - 2015-10-05 19:58 - 00000908 _____ C:\Users\Public\Desktop\PlayOn.lnk
2015-10-05 19:57 - 2015-10-08 21:17 - 00000000 ____D C:\Program Files (x86)\MediaMall
2015-10-05 19:57 - 2015-10-05 19:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayOn
2015-10-05 14:12 - 2015-10-05 14:12 - 00000000 ____D C:\Program Files (x86)\CodeMeter
2015-10-05 13:46 - 2015-10-05 14:05 - 00000000 ____D C:\Users\Julie.Hagedorn\Downloads\RA
2015-10-05 10:43 - 2015-10-05 10:51 - 00035303 _____ C:\Users\Julie.Hagedorn\Desktop\_458_Drills-Tags2.CSV
2015-10-05 09:59 - 2015-10-05 10:46 - 00087095 _____ C:\Users\Julie.Hagedorn\Desktop\_458_Drills-Tags.CSV
2015-09-24 22:25 - 2015-09-24 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magellan Content Manager
2015-09-24 22:25 - 2015-09-24 22:25 - 00000000 ____D C:\Program Files (x86)\Content Manager
2015-09-20 22:50 - 2015-09-21 21:17 - 00000000 ____D C:\ProgramData\Auslogics
2015-09-20 22:50 - 2015-09-20 22:50 - 00001208 _____ C:\Users\Julie.Hagedorn\Desktop\Auslogics DiskDefrag.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-12 21:29 - 2012-08-06 20:27 - 01917221 _____ C:\Windows\WindowsUpdate.log
2015-10-12 21:26 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Roaming\VMware
2015-10-12 21:26 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\VMware
2015-10-12 21:04 - 2012-08-23 16:02 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-12 20:57 - 2012-08-06 20:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-12 20:56 - 2014-11-25 14:53 - 00000068 __RSH C:\Windows\system32\Drivers\winusb.winsecurity
2015-10-12 20:41 - 2014-11-25 14:53 - 00000068 __RSH C:\Windows\system32\Drivers\wmilib.winsecurity
2015-10-12 14:54 - 2009-07-13 23:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-12 14:54 - 2009-07-13 23:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-12 14:49 - 2013-07-01 13:41 - 00000569 _____ C:\Windows\SMSCFG.ini
2015-10-12 14:48 - 2012-08-06 21:12 - 00000000 ____D C:\ProgramData\Sonic
2015-10-12 14:45 - 2012-08-23 16:02 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-12 14:45 - 2012-08-23 09:30 - 00000000 ____D C:\Users\Julie.Hagedorn\Tracing
2015-10-12 14:43 - 2013-07-25 22:43 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-12 14:43 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-12 14:20 - 2014-10-31 15:03 - 00000000 ____D C:\ProgramData\MediaMall
2015-10-11 21:34 - 2012-08-15 15:45 - 00001344 _____ C:\Windows\system32\config\netlogon.ftl
2015-10-11 21:28 - 2012-08-15 16:20 - 00000000 ___RD C:\Users\Julie.Hagedorn\Virtual Machines
2015-10-11 12:50 - 2013-07-01 13:07 - 00000000 ____D C:\ProgramData\Symantec
2015-10-09 19:53 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-10-09 13:45 - 2012-08-29 10:17 - 00000028 _____ C:\Windows\ODBC.INI
2015-10-08 09:47 - 2013-03-12 22:16 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\LocalLow\Temp
2015-10-07 09:18 - 2012-08-27 14:49 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\PCI Docs
2015-10-07 08:37 - 2013-09-24 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-06 22:44 - 2012-08-27 14:45 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\My Docs
2015-10-06 11:28 - 2012-08-23 08:27 - 00000000 ____D C:\ProgramData\VMware
2015-10-05 19:56 - 2013-03-12 20:15 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-05 14:37 - 2012-08-22 00:49 - 00000280 _____ C:\Windows\SlRegEDS.ini
2015-10-05 14:37 - 2012-08-21 14:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rockwell Software
2015-10-05 14:12 - 2014-11-25 14:53 - 00000000 ____D C:\ProgramData\CodeMeter
2015-10-05 14:07 - 2015-09-01 13:17 - 00000000 ____D C:\RATemp
2015-10-05 13:46 - 2015-09-01 13:17 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\RockwellAutomation
2015-10-04 23:44 - 2014-03-20 18:26 - 00000000 __SHD C:\Program Files\INVENTORYCLIENT
2015-10-02 13:45 - 2009-07-14 00:13 - 00901882 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-29 13:37 - 2013-01-17 17:19 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\LocalLow\WebEx
2015-09-29 12:37 - 2012-11-21 15:04 - 00000000 ____D C:\ProgramData\WebEx
2015-09-28 15:30 - 2012-10-17 09:44 - 00006675 _____ C:\Users\Public\Documents\raw.xml
2015-09-24 22:25 - 2012-11-15 19:26 - 00000000 ____D C:\ProgramData\InstallShield
2015-09-24 22:25 - 2012-08-06 20:45 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-09-24 22:24 - 2012-10-02 22:42 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Roaming\InstallShield
2015-09-23 15:10 - 2012-08-27 14:50 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\Reference Material
2015-09-21 21:16 - 2012-08-15 16:19 - 00000000 ____D C:\Users\Julie.Hagedorn
2015-09-21 21:04 - 2009-07-13 23:45 - 00644808 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-21 14:41 - 2013-08-15 13:36 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\My Received Files
2015-09-21 14:13 - 2012-10-24 11:30 - 00000000 ____D C:\Windows\Minidump
2015-09-20 22:55 - 2012-08-23 14:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
2015-09-20 22:54 - 2012-08-23 14:01 - 00000000 ____D C:\Program Files (x86)\Auslogics
2015-09-17 12:59 - 2012-08-23 16:02 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-17 12:59 - 2012-08-23 16:02 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-16 13:37 - 2012-08-15 16:20 - 00167912 _____ C:\Users\Julie.Hagedorn\AppData\Local\GDIPFONTCACHEV1.DAT

==================== Files in the root of some directories =======

2012-05-21 15:00 - 2012-05-21 15:00 - 0020984 _____ (Intel Corporation) C:\Users\Julie.Hagedorn\AppData\Roaming\JomCap.dll
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Strings
2013-12-20 16:52 - 2013-12-20 16:52 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Super Strings
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\SupportPrinters
2013-12-20 16:50 - 2013-12-20 16:50 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Templates
2014-06-25 15:25 - 2014-06-25 15:26 - 0005120 _____ () C:\Users\Julie.Hagedorn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-21 14:49 - 2012-08-21 14:49 - 0000102 _____ () C:\Users\Julie.Hagedorn\AppData\Local\fusioncache.dat
2013-02-19 16:43 - 2015-01-29 09:11 - 0007602 _____ () C:\Users\Julie.Hagedorn\AppData\Local\resmon.resmoncfg
2012-09-10 15:39 - 2012-09-10 15:39 - 0002560 _____ () C:\Users\Julie.Hagedorn\AppData\Local\SecurityDescriptorStream.act
2015-10-12 14:45 - 2015-10-12 14:45 - 0000004 ____H () C:\ProgramData\cm-lock
2014-07-03 09:40 - 2014-07-03 09:40 - 0000096 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-12-20 16:50 - 2013-12-20 16:51 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2013-12-20 16:52 - 2013-12-20 16:52 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2013-12-20 16:51 - 2013-12-20 17:05 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2013-12-20 16:51 - 2013-12-20 16:51 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\ProgramData\Sync Services
2013-12-20 16:52 - 2013-12-20 16:52 - 0000268 ___RH () C:\ProgramData\Synth Basics
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\ProgramData\Synth Leads
2013-12-20 16:50 - 2013-12-20 16:50 - 0000268 ___RH () C:\ProgramData\Trance Pad

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-12 04:58

==================== End of FRST.txt ============================


#2 nasdaq

  • Malware Response Team
  • 39,946 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 October 2015 - 08:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Windows Firewall is disabled.


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-181418603-413491667-474620416-214645\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-181418603-413491667-474620416-214645 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
S3 EmuLogix 5868 Slot0; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /0 [X]
S3 EmuLogix 5868 Slot1; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /1 [X]
S3 EmuLogix 5868 Slot10; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /10 [X]
S3 EmuLogix 5868 Slot11; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /11 [X]
S3 EmuLogix 5868 Slot12; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /12 [X]
S3 EmuLogix 5868 Slot13; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /13 [X]
S3 EmuLogix 5868 Slot14; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /14 [X]
S3 EmuLogix 5868 Slot15; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /15 [X]
S3 EmuLogix 5868 Slot16; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /16 [X]
S3 EmuLogix 5868 Slot3; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /3 [X]
S3 EmuLogix 5868 Slot4; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /4 [X]
S3 EmuLogix 5868 Slot5; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /5 [X]
S3 EmuLogix 5868 Slot6; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /6 [X]
S3 EmuLogix 5868 Slot7; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /7 [X]
S3 EmuLogix 5868 Slot8; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /8 [X]
S3 EmuLogix 5868 Slot9; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /9 [X]
S2 NPEService; "C:\Users\Julie.Hagedorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6I94OM2N\NPE.exe" /service [X]
S3 pcidnt; no ImagePath
S1 MpKsl64d1f6c8; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69ADCA37-866F-46CF-9800-DF6264F2D7BC}\MpKsl64d1f6c8.sys [X]
S3 RSSERIAL; \SystemRoot\SYSTEM32\RSSERIAL.SYS [X]
AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211
AlternateDataStreams: C:\Windows:CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937
AlternateDataStreams: C:\ProgramData\Temp:07BF512B

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How is the computer running now?
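The fixlist above removes service and driver registrations whose binary is gone ([X]), whose ImagePath is empty, or whose binary sits in a browser cache folder. The helper below is an added example, not part of this thread or of FRST: it parses the "Services" and "Drivers" line format that FRST prints and flags the entries an analyst would look at first. The sample lines are taken from the log posted above; the list of suspicious directories and the finding labels are assumptions of this example, not FRST's own rules.

```python
"""Triage helper for the Services/Drivers sections of an FRST log (added example).

FRST prints one registration per line in one of these shapes:
    <start> <name>; <path> [<size> <date>] (<company>) [File not signed]
    <start> <name>; "<path>" <args> [X]          # [X] = binary not found on disk
    <start> <name>; no ImagePath
The heuristics below are this example's own, not FRST's.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Line layout inferred from the log format (assumption).
LINE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);\s+(?P<rest>.*)$")
META_RE = re.compile(r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]")
COMPANY_RE = re.compile(r"\((?P<company>[^()]*)\)\s*(\[File not signed\])?\s*$")

# User-writable cache/temp locations a service binary should not normally run from
# (assumed heuristics, lowercase substrings matched against the path).
SUSPICIOUS_DIRS = (
    "\\temporary internet files\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\temp\\",
)

F_MISSING = "binary missing on disk ([X]): orphaned service registration"
F_NO_IMAGE = "no ImagePath: registration points at nothing"
F_SUSPICIOUS_DIR = "binary lives in a user-writable cache/temp location"
F_UNSIGNED = "binary is not digitally signed"
F_NO_PUBLISHER = "no publisher information in the file's version resource"


@dataclass
class ServiceEntry:
    start: str                      # R0..R3 running, S0..S4 stopped (FRST start-type codes)
    name: str
    path: str
    company: Optional[str]          # None when FRST printed no "(...)" block at all
    unsigned: bool                  # "[File not signed]" present
    missing: bool                   # "[X]" present
    no_image_path: bool
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one FRST service/driver line; return None for lines of another kind."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, rest = m.group("start"), m.group("name").strip(), m.group("rest").strip()
    if rest == "no ImagePath":
        return ServiceEntry(start, name, "", None, False, False, True)
    missing = rest.endswith("[X]")
    if rest.startswith('"'):
        path = rest[1:rest.index('"', 1)]            # quoted path, arguments follow
    else:
        meta = META_RE.search(rest)
        path = rest[:meta.start()].strip() if meta else rest.split(" [")[0]
    cm = COMPANY_RE.search(rest)
    company = cm.group("company").strip() if cm else None
    return ServiceEntry(start, name, path, company, "[File not signed]" in rest, missing, False)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach triage findings to a parsed entry (order: worst first)."""
    f = entry.findings
    if entry.missing:
        f.append(F_MISSING)
    if entry.no_image_path:
        f.append(F_NO_IMAGE)
    if any(d in entry.path.lower() for d in SUSPICIOUS_DIRS):
        f.append(F_SUSPICIOUS_DIR)
    if entry.unsigned:
        f.append(F_UNSIGNED)
    if entry.company == "":                       # "()" printed: no version info
        f.append(F_NO_PUBLISHER)
    return entry


def triage(lines: Iterable[str]) -> List[ServiceEntry]:
    return [assess(e) for e in map(parse_line, lines) if e is not None]


def suspicious_names(lines: Iterable[str]) -> List[str]:
    return [e.name for e in triage(lines) if e.findings]


# Sample input: lines copied from the FRST log in this thread, plus one header line
# that the parser must skip.
SAMPLE_LINES = [
    "(If an entry is included in the fixlist, it will be removed from the registry.)",
    r"R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1840208 2012-11-21] (Microsoft Corporation)",
    r"R2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]",
    r"S3 SimModuleService; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [95232 2015-03-02] () [File not signed]",
    r'S2 NPEService; "C:\Users\Julie.Hagedorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6I94OM2N\NPE.exe" /service [X]',
    "S3 pcidnt; no ImagePath",
    r"S1 MpKsl64d1f6c8; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69ADCA37-866F-46CF-9800-DF6264F2D7BC}\MpKsl64d1f6c8.sys [X]",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        if e.findings:
            print(f"{e.start} {e.name}: " + "; ".join(e.findings))
```

Feed it the whole FRST.txt (`triage(open("FRST.txt", encoding="utf-8"))`) and it lists exactly the kind of entries a responder puts in a fixlist: the orphaned EmuLogix and MpKsl registrations, the missing-ImagePath driver, and NPE.exe registered as a service out of the Temporary Internet Files cache. Unsigned entries with no publisher string (srvany.exe, the Rockwell simulator) are lower priority but worth a look, since a vendor name is the first thing an analyst uses to dismiss a line.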

#3 geegollygirl

  • Topic Starter
  • Members
  • 60 posts

Posted 13 October 2015 - 09:35 AM

Thanks for your quick reply, this is a work laptop and it's got a demanding week ahead of it!  I ran the fix, below is the log.  I haven't been on it much since running the fix but initially it seems to be better.  The issues would sporadically start so I can't be sure, I did play on the internet some and they haven't started back up.  I'll post the log and try to follow up later if I see any more issues.  Initially it seems to be running faster than before the rootkit even.  Thanks!!! (Seriously, you people are the best!)


Fix result of Farbar Recovery Scan Tool (x64) Version:12-10-2015
Ran by julie.hoffherr (2015-10-13 09:01:28) Run:1
Running from C:\Users\Julie.Hagedorn\Desktop
Loaded Profiles: julie.hoffherr (Available Profiles: mark.a.smith & julie.hoffherr & local-admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-181418603-413491667-474620416-214645\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-181418603-413491667-474620416-214645 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
S3 EmuLogix 5868 Slot0; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /0 [X]
S3 EmuLogix 5868 Slot1; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /1 [X]
S3 EmuLogix 5868 Slot10; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /10 [X]
S3 EmuLogix 5868 Slot11; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /11 [X]
S3 EmuLogix 5868 Slot12; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /12 [X]
S3 EmuLogix 5868 Slot13; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /13 [X]
S3 EmuLogix 5868 Slot14; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /14 [X]
S3 EmuLogix 5868 Slot15; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /15 [X]
S3 EmuLogix 5868 Slot16; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /16 [X]
S3 EmuLogix 5868 Slot3; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /3 [X]
S3 EmuLogix 5868 Slot4; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /4 [X]
S3 EmuLogix 5868 Slot5; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /5 [X]
S3 EmuLogix 5868 Slot6; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /6 [X]
S3 EmuLogix 5868 Slot7; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /7 [X]
S3 EmuLogix 5868 Slot8; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /8 [X]
S3 EmuLogix 5868 Slot9; "C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\V15\EmuLogix5868.exe" /9 [X]
S2 NPEService; "C:\Users\Julie.Hagedorn\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6I94OM2N\NPE.exe" /service [X]
S3 pcidnt; no ImagePath
S1 MpKsl64d1f6c8; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{69ADCA37-866F-46CF-9800-DF6264F2D7BC}\MpKsl64d1f6c8.sys [X]
S3 RSSERIAL; \SystemRoot\SYSTEM32\RSSERIAL.SYS [X]
AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211
AlternateDataStreams: C:\Windows:CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937
AlternateDataStreams: C:\ProgramData\Temp:07BF512B

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-181418603-413491667-474620416-214645\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\S-1-5-21-181418603-413491667-474620416-214645\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found.
"HKCR\PROTOCOLS\Handler\livecall" => key removed successfully
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
"HKCR\PROTOCOLS\Handler\msnim" => key removed successfully
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
EmuLogix 5868 Slot0 => service removed successfully
EmuLogix 5868 Slot1 => service removed successfully
EmuLogix 5868 Slot10 => service removed successfully
EmuLogix 5868 Slot11 => service removed successfully
EmuLogix 5868 Slot12 => service removed successfully
EmuLogix 5868 Slot13 => service removed successfully
EmuLogix 5868 Slot14 => service removed successfully
EmuLogix 5868 Slot15 => service removed successfully
EmuLogix 5868 Slot16 => service removed successfully
EmuLogix 5868 Slot3 => service removed successfully
EmuLogix 5868 Slot4 => service removed successfully
EmuLogix 5868 Slot5 => service removed successfully
EmuLogix 5868 Slot6 => service removed successfully
EmuLogix 5868 Slot7 => service removed successfully
EmuLogix 5868 Slot8 => service removed successfully
EmuLogix 5868 Slot9 => service removed successfully
NPEService => service removed successfully
pcidnt => service removed successfully
MpKsl64d1f6c8 => service removed successfully
RSSERIAL => service removed successfully
C:\Windows => ":CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211" ADS removed successfully.
C:\Windows => ":CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937" ADS removed successfully.
C:\ProgramData\Temp => ":07BF512B" ADS removed successfully.
EmptyTemp: => 10.2 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 09:05:09 ====



#4 geegollygirl

  • Topic Starter

  • Members
  • 60 posts

Posted 13 October 2015 - 04:52 PM

Well, it was good for most of the day, but just started again. Symantec Endpoint is adding a "you've got troubles" notification about every 4 seconds. I went ahead and re-ran the scan in case that helps. Next idea? Thanks!!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-10-2015
Ran by julie.hoffherr (administrator) on MWIN334366 (13-10-2015 16:41:48)
Running from C:\Users\Julie.Hagedorn\Desktop
Loaded Profiles: julie.hoffherr (Available Profiles: mark.a.smith & julie.hoffherr & local-admin)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Windows\System32\nvservice.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\TagSrv.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\EventServer.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(MediaMall Technologies, Inc.) C:\Program Files (x86)\MediaMall\MediaMallServer.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\NmspHost.exe
() C:\Windows\SysWOW64\srvany.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(O2Micro.) C:\Windows\SysWOW64\SDIOAssist.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RdcyHost.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Rockwell Automation Inc.) C:\Program Files (x86)\Common Files\Rockwell\RNADiagnosticsSrv.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RsvcHost.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Snow Software AB) C:\Program Files\INVENTORYCLIENT\client64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(WIBU-SYSTEMS AG) C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\EventClientMultiplexer.exe
(Flexera Software LLC) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
(Flexera Software LLC) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\flexsvr.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RnaDirServer.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Common Files\Rockwell\RNADirMultiplexor.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe
() C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Quest Software, Inc.) C:\Windows\System32\SPEnroll.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\communicator.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\cmrcservice.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Microsoft Lync\UcMapi64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Nullsoft, Inc.) C:\Program Files (x86)\Winamp\winamp.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vmware-unity-helper.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Workstation\vprintproxy.exe
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\Studio 5000\Logix Designer\ENU\v24\Bin\LogixDesigner.Exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
(Rockwell Automation, Inc.) C:\Program Files (x86)\Rockwell Software\Studio 5000\Logix Designer\ENU\v24\Bin\LogixDesigner.Exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\DWHWizrd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SavUI.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-02-21] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [TdmNotify] => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [381296 2011-12-08] (Wave Systems Corp.)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [SPEnroll] => C:\Windows\system32\SPEnroll.exe [3226960 2013-10-28] (Quest Software, Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4791024 2013-07-17] (Intel® Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2041192 2013-01-25] ()
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [113656 2013-01-23] (Intel Corporation)
HKLM-x32\...\Run: [DT DEL] => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121648 2011-10-13] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [UsbCipHelper] => C:\Program Files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe [443176 2014-01-10] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46368 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [29984 2010-03-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort12reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [328992 2010-02-09] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [Communicator] => C:\Program Files (x86)\Microsoft Lync\communicator.exe [11937552 2010-10-22] (Microsoft Corporation)
HKLM-x32\...\Run: [ActivationNotifier] => C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe [113488 2014-09-09] (Rockwell Automation, Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-06-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-06-26] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-07-19] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [911032 2015-03-18] (Microsoft Corporation)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {258c71d1-0f52-11e2-95b4-005056c00008} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {31ee5b49-0de0-11e2-a057-991b8f0d873d} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {35286333-0c8f-11e2-9673-00059a3c7a00} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {4ab03454-8616-11e2-ace2-005056c00008} - F:\TL_Bootstrap.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {d1e70f75-19a0-11e4-9235-005056c00008} - F:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {f4d81dbc-37d2-11e2-a9ff-00059a3c7a00} - E:\LaunchU3.exe -a
HKU\S-1-5-21-181418603-413491667-474620416-214645\...\MountPoints2: {f62607ff-274e-11e2-a3b4-9e78dc6cb9de} - F:\DTVP_Launcher.exe
HKU\S-1-5-21-181418603-413491667-474620416-214645\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-08-07] (Garmin Ltd or its subsidiaries)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [245872 2013-01-25] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [201576 2013-01-25] (NVIDIA Corporation)
Lsa: [Authentication Packages] msv1_0 wvauth
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2012-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2011-12-08] (Wave Systems Corp.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-06]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-06]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Julie.Hagedorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-09-22]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\local-admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-15]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\mark.a.smith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk [2012-08-16]
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

AutoConfigURL: [.DEFAULT] => hxxp://dc01prx01.skanskausa.com:9001/skanska.pac
Tcpip\Parameters: [DhcpNameServer] 10.0.5.211 10.0.5.212
Tcpip\..\Interfaces\{783A06BA-CB94-4C66-B230-171CD9436D19}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{D21AECDF-4888-417E-9127-49F7E9C19799}: [DhcpNameServer] 10.0.5.211 10.0.5.212

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_4
HKU\S-1-5-21-181418603-413491667-474620416-214645\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
SearchScopes: HKLM -> DefaultScope {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-181418603-413491667-474620416-214645 -> {A0CE6BD2-F4C2-4EB1-B658-BE173E936939} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\SnagIt 8\DLLx64\SnagItBHO64.dll [2007-05-01] (TechSmith Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItBHO.dll [2007-05-01] (TechSmith Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Lync\OCHelper.dll [2010-10-22] (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL [2013-10-20] (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-01] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-01] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\SnagIt 8\SnagItIEAddin.dll [2007-05-01] (TechSmith Corporation)
DPF: HKLM-x32 {538793D5-659C-4639-A56C-A179AD87ED44} hxxps://vpn.skanska.com/CACHE/stc/2/binaries/vpnweb.cab
DPF: HKLM-x32 {556EEC63-31E2-47C3-BF29-DFF799D2FE04} hxxps://secure.logmein.com/activex/RACtrl.cab?rnd=2328160274
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: HKLM-x32 {91B29AFF-E4FF-11D6-8C88-00A0C9D7BBEB} hxxp://www.ab.com/support/abdrives/webupdate/RADriveWebUpdate.cab
DPF: HKLM-x32 {CC679CB8-DC4B-458B-B817-D447B3B6AC31}
DPF: HKLM-x32 {D59124D5-442C-44C5-BD9A-E81BB0582D55} hxxp://raiseinstall.rockwellautomation.com/pstoolbox-lite-9-23-11/setup.ocx
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1058
DPF: HKLM-x32 {FFAD8DA9-ED41-494D-AC8E-63D861D0A733} hxxps://download.rockwellautomation.com/plugins/rockwell.cab

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_232.dll [2015-08-24] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-24] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2012-05-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-01] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-01] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.28 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.35 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.38 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nosltd.com/getPlus+®,version=2.0.7.440 -> C:\Program Files (x86)\NOS\bin\nprockwell.dll [2015-04-10] (NOS Microsystems Ltd.)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-01-24] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-01-24] (NVIDIA Corporation)
FF Plugin-x32: @playon.tv/PlayOnToolbar -> C:\Program Files (x86)\MediaMall\toolbar\npVT.dll [2015-08-27] (MediaMall Technologies, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-181418603-413491667-474620416-214645: @autodesk.com/DWF -> C:\Program Files (x86)\Autodesk\Autodesk Design Review Browser Add-on v1.2\npADRdwf.dll [2011-01-24] (Autodesk)
FF Plugin HKU\S-1-5-21-181418603-413491667-474620416-214645: @citrixonline.com/appdetectorplugin -> C:\Users\Julie.Hagedorn\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-05-27] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2010-10-22] ()
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-08-06]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF
FF Extension: Symantec Vulnerability Protection - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\IPSFF [2014-12-02]

Chrome:
=======
CHR Profile: C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-10]
CHR Extension: (Google Docs) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-10]
CHR Extension: (Google Drive) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-10]
CHR Extension: (YouTube) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-10]
CHR Extension: (Google Search) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-10]
CHR Extension: (Google Sheets) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-10]
CHR Extension: (Google Docs Offline) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-08-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-10]
CHR Extension: (Gmail) - C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 1784-PCIDS DeviceNet; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [109568 2015-03-02] (Rockwell Automation) [File not signed]
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.) [File not signed]
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1840208 2012-11-21] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [633952 2012-11-21] (Microsoft Corporation)
R2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2279320 2011-08-24] (Dell Inc.)
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-10-13] (Portrait Displays, Inc.)
R2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [218504 2012-01-17] ()
S3 EmuLogix 5868 Slot2; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\\V24\EmuLogix5868.exe [3262976 2015-03-02] (Rockwell Automation) [File not signed]
R2 FactoryTalk Activation Service; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe [1443632 2013-06-19] (Flexera Software LLC)
S4 FactoryTalk Gateway; C:\Program Files (x86)\Rockwell Software\RSOPC Gateway\RSOPCGateway.exe [588136 2011-11-18] (Rockwell Automation, Inc.)
R2 FTActivationBoost; C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [149840 2014-09-09] (Rockwell Automation, Inc.)
S4 FTAE_Archiver; C:\Program Files (x86)\Common Files\Rockwell\FTAEArchiver.exe [71016 2011-06-01] (Rockwell Automation, Inc.)
S4 FTAE_HistServ; C:\Program Files (x86)\Common Files\Rockwell\FTAE_HistServ.exe [152936 2011-06-01] (Rockwell Automation, Inc.)
R2 FTSysDiagSvcHost; C:\Program Files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe [74104 2014-07-15] (Rockwell Automation, Inc.) [File not signed]
S3 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-08-07] (Garmin Ltd or its subsidiaries)
R2 hasplms; C:\Windows\system32\hasplms.exe [4412872 2012-08-22] (SafeNet Inc.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 Ignition; C:\Program Files\Inductive Automation\Ignition\IgnitionGateway.exe [630552 2014-07-15] (Tanuki Software, Ltd.) [File not signed]
S4 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2010-04-05] ()
S3 LogReceiver; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [81984 2012-04-18] (Rockwell Automation, Inc.)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
R2 MediaMall Server; C:\Program Files (x86)\MediaMall\MediaMallServer.exe [6177072 2015-10-08] (MediaMall Technologies, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R2 MSSQL$FTVIEWX64TAGDB; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 nvservice; C:\Windows\system32\nvservice.exe [192800 2013-01-25] (NVIDIA Corporation)
R2 O2SDIOAssist; c:\Windows\SysWOW64\srvany.exe [8192 2003-04-18] () [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-09] (Nuance Communications, Inc.)
S4 RnaAeServer; C:\Program Files (x86)\Common Files\Rockwell\RnaAeServer.exe [202088 2011-06-01] (Rockwell Automation, Inc.)
S4 RnaAlarmMux; C:\Program Files (x86)\Common Files\Rockwell\RnaAlarmMux.exe [927080 2011-06-01] (Rockwell Automation, Inc.)
S3 Rockwell HMI Activity Logger; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe [150888 2011-07-26] (Rockwell Automation, Inc.)
S3 Rockwell HMI Alarm Logger; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [130408 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell HMI Diagnostics; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe [106344 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell HMI Framework; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe [861032 2011-07-26] (Rockwell Automation, Inc.)
R2 Rockwell Tag Server; C:\Program Files (x86)\Rockwell Software\RSView Enterprise\TagSrv.exe [212328 2011-07-26] (Rockwell Automation, Inc.)
S3 RSLinx; C:\Program Files (x86)\Rockwell Software\RSLinx\RSLINX.EXE [3306528 2014-07-29] (Rockwell Automation, Inc.)
R2 RSLinxNG; C:\Program Files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe [247872 2012-04-18] (Rockwell Automation, Inc.)
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2013-10-20] (Symantec Corporation)
S3 SimModuleService; C:\Program Files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [95232 2015-03-02] () [File not signed]
R3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe [2377984 2013-10-20] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [402000 2012-11-21] (Microsoft Corporation)
S4 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\snac64.exe [334736 2013-10-20] (Symantec Corporation)
R2 SnowInventoryClient; C:\Program Files\INVENTORYCLIENT\client64.exe [4754944 2014-01-29] (Snow Software AB) [File not signed]
S2 SQLAgent$FTVIEWX64TAGDB; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
S3 Studio5000ClockSyncService; C:\Program Files (x86)\Rockwell Automation\Studio 5000 Clock Sync Service\ClockSyncService.exe [26112 2014-08-18] (Rockwell Automation) [File not signed]
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1637888 2011-10-08] () [File not signed]
R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [13242960 2013-02-26] ()
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1679872 2012-01-05] (Wave Systems Corp.) [File not signed]
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [198144 2012-01-16] (Wave Systems Corp.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3377904 2013-07-17] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [57088 2012-06-15] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [296576 2012-06-15] (SafeNet Inc.)
S3 AX88772; C:\Windows\System32\DRIVERS\ax88772.sys [55168 2008-06-24] (ASIX Electronics Corp.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150925.011\BHDrvx64.sys [1650936 2015-08-12] (Symantec Corporation)
R1 ccSettings_{2FF4FBED-F03A-4EE2-AC58-C985811A4FBE}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\ccSetx64.sys [169048 2013-10-20] (Symantec Corporation)
S3 CH341SER_A64; C:\Windows\System32\Drivers\CH341S64.SYS [58368 2009-06-02] (www.winchiphead.com)
R2 DLABMFSE; C:\Windows\System32\Drivers\DLABMFSE.SYS [46448 2007-07-23] (Roxio)
R2 DLABOIOE; C:\Windows\System32\Drivers\DLABOIOE.SYS [42352 2007-07-23] (Roxio)
R0 DLACDBHE; C:\Windows\System32\Drivers\DLACDBHE.SYS [17776 2007-07-23] (Roxio)
R2 DLADResE; C:\Windows\System32\Drivers\DLADResE.SYS [9968 2007-07-23] (Roxio)
R2 DLAIFS_E; C:\Windows\System32\Drivers\DLAIFS_E.SYS [146672 2007-07-23] (Roxio)
R2 DLAOPIOE; C:\Windows\System32\Drivers\DLAOPIOE.SYS [35056 2007-07-23] (Roxio)
R2 DLAPoolE; C:\Windows\System32\Drivers\DLAPoolE.SYS [19824 2007-07-23] (Roxio)
R1 DLARTL_E; C:\Windows\System32\Drivers\DLARTL_E.SYS [41072 2007-07-23] (Roxio)
R2 DLAUDFAE; C:\Windows\System32\Drivers\DLAUDFAE.SYS [135152 2007-07-23] (Roxio)
R2 DLAUDF_E; C:\Windows\System32\Drivers\DLAUDF_E.SYS [144112 2007-07-23] (Roxio)
R0 DRVECDB; C:\Windows\System32\Drivers\DRVECDB.SYS [124112 2007-07-23] (Sonic Solutions)
R2 DRVEDDM; C:\Windows\System32\Drivers\DRVEDDM.SYS [63984 2007-07-23] (Roxio)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153936 2015-07-28] (Symantec Corporation)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [321536 2011-09-28] (SafeNet Inc.)
S3 HBtnKey; C:\Windows\system32\drivers\HBtnKey.sys [20424 2011-07-19] (Dell Inc.)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20151010.011\IDSvia64.sys [671448 2015-04-23] (Symantec Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R3 msvad_simple; C:\Windows\System32\drivers\povrtdev.sys [28528 2013-03-05] (MediaMall Technologies, Inc.)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20151013.001\ENG64.SYS [138488 2015-06-23] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20151013.001\EX64.SYS [2146040 2015-06-23] (Symantec Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [284448 2013-01-25] (NVIDIA Corporation)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [26984 2012-11-21] (Microsoft Corporation)
S3 RAUSBCIP; C:\Windows\System32\drivers\rausbcipwdf.sys [87552 2011-11-07] (Rockwell Automation, Inc.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSP64.SYS [797272 2013-10-20] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SRTSPX64.SYS [36952 2013-10-20] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\SyDvCtrl64.sys [34800 2013-10-20] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMDS64.SYS [493656 2013-10-20] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMEFA64.SYS [1147480 2013-10-20] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-12-02] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\Ironx64.SYS [224856 2013-10-20] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMNETS.SYS [437336 2013-10-20] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [155352 2014-12-02] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [92456 2013-10-20] (Symantec Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2013-04-24] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [28160 2013-04-24] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [34816 2013-04-24] (LG Electronics Inc.)
R1 VirtualBackplane; C:\Windows\System32\Drivers\VirtualBackplane.sys [51200 2011-06-02] (Rockwell Automation)
R2 VMparport; C:\Windows\system32\drivers\VMparport.sys [31824 2013-02-26] (VMware, Inc.)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-07-19] (Cisco Systems, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70296 2012-10-24] (VMware, Inc.)
S3 vzandnetdiag; C:\Windows\System32\DRIVERS\lgvzandnetdiag64.sys [29696 2013-05-06] (LG Electronics Inc.)
S3 vzandnetmodem; C:\Windows\System32\DRIVERS\lgvzandnetmdm64.sys [36864 2013-05-06] (LG Electronics Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-13 16:41 - 2015-10-13 16:43 - 00043508 _____ C:\Users\Julie.Hagedorn\Desktop\FRST.txt
2015-10-13 16:24 - 2015-10-13 16:32 - 00279313 _____ C:\Users\Julie.Hagedorn\Desktop\new.txt
2015-10-13 16:11 - 2015-10-13 16:22 - 03217023 _____ C:\Users\Julie.Hagedorn\Desktop\AlarmsImport.xml
2015-10-13 15:47 - 2015-10-13 15:47 - 00240900 _____ C:\Users\Julie.Hagedorn\Desktop\_458_Drills-Controller-Tags.CSV
2015-10-13 15:14 - 2015-10-13 15:14 - 00182195 _____ C:\Users\Julie.Hagedorn\Desktop\Alarms Import.xlsx
2015-10-13 15:10 - 2015-10-13 15:42 - 01993331 _____ C:\Users\Julie.Hagedorn\Desktop\Alarms Import.xml
2015-10-13 13:39 - 2015-10-13 13:39 - 00543771 _____ C:\Users\Julie.Hagedorn\Desktop\L458_Pierce_Coin_Trim_Rev7-Controller-Tags.CSV
2015-10-13 09:09 - 2015-10-13 09:09 - 00000004 ____H C:\ProgramData\cm-lock
2015-10-12 21:30 - 2015-10-13 16:42 - 00000000 ____D C:\FRST
2015-10-12 21:27 - 2015-10-12 21:27 - 02196480 _____ (Farbar) C:\Users\Julie.Hagedorn\Desktop\frst64.exe
2015-10-12 15:13 - 2015-10-12 15:13 - 02539012 _____ C:\Users\Julie.Hagedorn\Desktop\L458_P2.mer
2015-10-11 11:01 - 2015-10-11 11:01 - 00000000 ____D C:\ProgramData\SMR501
2015-10-10 11:23 - 2015-10-11 13:38 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\CrashDumps
2015-10-09 19:55 - 2015-10-13 09:07 - 00001536 _____ C:\Windows\setupact.log
2015-10-09 19:55 - 2015-10-09 19:55 - 00000000 _____ C:\Windows\setuperr.log
2015-10-09 19:54 - 2015-10-13 09:06 - 00027904 _____ C:\Windows\PFRO.log
2015-10-09 14:42 - 2015-10-09 14:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-10-09 14:39 - 2015-10-11 11:10 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\NPE
2015-10-09 14:39 - 2015-10-09 14:39 - 00000000 ____D C:\ProgramData\Norton
2015-10-05 19:58 - 2015-10-05 19:58 - 00000908 _____ C:\Users\Public\Desktop\PlayOn.lnk
2015-10-05 19:57 - 2015-10-08 21:17 - 00000000 ____D C:\Program Files (x86)\MediaMall
2015-10-05 19:57 - 2015-10-05 19:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlayOn
2015-10-05 14:12 - 2015-10-05 14:12 - 00000000 ____D C:\Program Files (x86)\CodeMeter
2015-10-05 13:46 - 2015-10-05 14:05 - 00000000 ____D C:\Users\Julie.Hagedorn\Downloads\RA
2015-09-24 22:25 - 2015-09-24 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Magellan Content Manager
2015-09-24 22:25 - 2015-09-24 22:25 - 00000000 ____D C:\Program Files (x86)\Content Manager
2015-09-20 22:50 - 2015-09-21 21:17 - 00000000 ____D C:\ProgramData\Auslogics
2015-09-20 22:50 - 2015-09-20 22:50 - 00001208 _____ C:\Users\Julie.Hagedorn\Desktop\Auslogics DiskDefrag.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-13 16:43 - 2014-11-25 14:53 - 00000068 __RSH C:\Windows\system32\Drivers\winusb.winsecurity
2015-10-13 16:42 - 2014-11-25 14:53 - 00000068 __RSH C:\Windows\system32\Drivers\wmilib.winsecurity
2015-10-13 16:37 - 2012-08-27 14:50 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\Reference Material
2015-10-13 16:27 - 2012-08-06 20:27 - 01181246 _____ C:\Windows\WindowsUpdate.log
2015-10-13 16:26 - 2013-07-01 13:07 - 00000000 ____D C:\ProgramData\Symantec
2015-10-13 16:10 - 2015-06-30 14:09 - 00291476 _____ C:\Users\Julie.Hagedorn\Desktop\Alarms_Trimmers.xml
2015-10-13 16:04 - 2012-08-23 16:02 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-13 15:57 - 2012-08-06 20:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-13 15:56 - 2012-08-15 15:45 - 00001344 _____ C:\Windows\system32\config\netlogon.ftl
2015-10-13 13:23 - 2015-06-30 14:09 - 00218291 _____ C:\Users\Julie.Hagedorn\Desktop\Alarms.xml
2015-10-13 13:04 - 2012-08-23 16:02 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-13 11:44 - 2009-07-13 23:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-13 11:44 - 2009-07-13 23:45 - 00021088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-13 10:57 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Roaming\VMware
2015-10-13 10:56 - 2012-08-23 10:02 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\VMware
2015-10-13 09:15 - 2013-07-01 13:41 - 00000569 _____ C:\Windows\SMSCFG.ini
2015-10-13 09:15 - 2012-08-15 15:47 - 00029718 __RSH C:\ProgramData\ntuser.pol
2015-10-13 09:15 - 2009-07-13 22:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-10-13 09:13 - 2014-10-31 15:03 - 00000000 ____D C:\ProgramData\MediaMall
2015-10-13 09:11 - 2012-08-23 09:30 - 00000000 ____D C:\Users\Julie.Hagedorn\Tracing
2015-10-13 09:07 - 2013-07-25 22:43 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-13 09:07 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-13 08:54 - 2012-08-06 21:12 - 00000000 ____D C:\ProgramData\Sonic
2015-10-13 08:52 - 2012-08-15 16:19 - 00022928 __RSH C:\Users\Julie.Hagedorn\ntuser.pol
2015-10-13 08:52 - 2012-08-15 16:19 - 00000000 ____D C:\Users\Julie.Hagedorn
2015-10-12 22:32 - 2009-07-14 00:13 - 00901882 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-11 21:28 - 2012-08-15 16:20 - 00000000 ___RD C:\Users\Julie.Hagedorn\Virtual Machines
2015-10-09 19:53 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-10-09 13:45 - 2012-08-29 10:17 - 00000028 _____ C:\Windows\ODBC.INI
2015-10-08 09:47 - 2013-03-12 22:16 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\LocalLow\Temp
2015-10-07 09:18 - 2012-08-27 14:49 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\PCI Docs
2015-10-07 08:37 - 2013-09-24 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-10-06 22:44 - 2012-08-27 14:45 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\My Docs
2015-10-06 11:28 - 2012-08-23 08:27 - 00000000 ____D C:\ProgramData\VMware
2015-10-05 19:56 - 2013-03-12 20:15 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-05 14:37 - 2012-08-22 00:49 - 00000280 _____ C:\Windows\SlRegEDS.ini
2015-10-05 14:37 - 2012-08-21 14:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rockwell Software
2015-10-05 14:12 - 2014-11-25 14:53 - 00000000 ____D C:\ProgramData\CodeMeter
2015-10-05 14:07 - 2015-09-01 13:17 - 00000000 ____D C:\RATemp
2015-10-05 13:46 - 2015-09-01 13:17 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Local\RockwellAutomation
2015-10-04 23:44 - 2014-03-20 18:26 - 00000000 __SHD C:\Program Files\INVENTORYCLIENT
2015-09-29 13:37 - 2013-01-17 17:19 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\LocalLow\WebEx
2015-09-29 12:37 - 2012-11-21 15:04 - 00000000 ____D C:\ProgramData\WebEx
2015-09-28 15:30 - 2012-10-17 09:44 - 00006675 _____ C:\Users\Public\Documents\raw.xml
2015-09-24 22:25 - 2012-11-15 19:26 - 00000000 ____D C:\ProgramData\InstallShield
2015-09-24 22:25 - 2012-08-06 20:45 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2015-09-24 22:24 - 2012-10-02 22:42 - 00000000 ____D C:\Users\Julie.Hagedorn\AppData\Roaming\InstallShield
2015-09-21 21:04 - 2009-07-13 23:45 - 00644808 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-21 14:41 - 2013-08-15 13:36 - 00000000 ____D C:\Users\Julie.Hagedorn\Documents\My Received Files
2015-09-21 14:13 - 2012-10-24 11:30 - 00000000 ____D C:\Windows\Minidump
2015-09-20 22:55 - 2012-08-23 14:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
2015-09-20 22:54 - 2012-08-23 14:01 - 00000000 ____D C:\Program Files (x86)\Auslogics
2015-09-17 12:59 - 2012-08-23 16:02 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-17 12:59 - 2012-08-23 16:02 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-16 13:37 - 2012-08-15 16:20 - 00167912 _____ C:\Users\Julie.Hagedorn\AppData\Local\GDIPFONTCACHEV1.DAT

==================== Files in the root of some directories =======

2012-05-21 15:00 - 2012-05-21 15:00 - 0020984 _____ (Intel Corporation) C:\Users\Julie.Hagedorn\AppData\Roaming\JomCap.dll
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Strings
2013-12-20 16:52 - 2013-12-20 16:52 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Super Strings
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\SupportPrinters
2013-12-20 16:50 - 2013-12-20 16:50 - 0000268 ___RH () C:\Users\Julie.Hagedorn\AppData\Roaming\Templates
2014-06-25 15:25 - 2014-06-25 15:26 - 0005120 _____ () C:\Users\Julie.Hagedorn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-21 14:49 - 2012-08-21 14:49 - 0000102 _____ () C:\Users\Julie.Hagedorn\AppData\Local\fusioncache.dat
2013-02-19 16:43 - 2015-01-29 09:11 - 0007602 _____ () C:\Users\Julie.Hagedorn\AppData\Local\resmon.resmoncfg
2012-09-10 15:39 - 2012-09-10 15:39 - 0002560 _____ () C:\Users\Julie.Hagedorn\AppData\Local\SecurityDescriptorStream.act
2015-10-13 09:09 - 2015-10-13 09:09 - 0000004 ____H () C:\ProgramData\cm-lock
2014-07-03 09:40 - 2014-07-03 09:40 - 0000096 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-12-20 16:50 - 2013-12-20 16:51 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2013-12-20 16:52 - 2013-12-20 16:52 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2013-12-20 16:51 - 2013-12-20 17:05 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2013-12-20 16:51 - 2013-12-20 16:51 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\ProgramData\Sync Services
2013-12-20 16:52 - 2013-12-20 16:52 - 0000268 ___RH () C:\ProgramData\Synth Basics
2013-12-20 16:51 - 2013-12-20 16:51 - 0000268 ___RH () C:\ProgramData\Synth Leads
2013-12-20 16:50 - 2013-12-20 16:50 - 0000268 ___RH () C:\ProgramData\Trance Pad

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-12 04:58

==================== End of FRST.txt ============================


#5 nasdaq
  • Malware Response Team
  • 39,946 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2015 - 09:05 AM

The restriction on IE is still there.
Let's remove it again.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

#6 geegollygirl
  • Topic Starter
  • Members
  • 60 posts

Posted 14 October 2015 - 08:52 PM

I actually ran FRST twice; I wasn't 100% sure IE was closed when I did it the first time, so I made sure and ran it again. Here are the logs. The Cleaner had several registry files, but I didn't recognize them, so I didn't "save" them. As always, thanks!

Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version:14-10-2015 01
Ran by julie.hoffherr (2015-10-14 20:24:24) Run:3
Running from C:\Users\Julie.Hagedorn\Desktop
Loaded Profiles: julie.hoffherr (Available Profiles: julie.hoffherr & local-admin)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
EmptyTemp: => 15.4 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 20:24:56 ====

AdwCleaner Log

# AdwCleaner v5.013 - Logfile created 14/10/2015 at 20:40:29
# Updated 09/10/2015 by Xplode
# Database : 2015-10-13.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : julie.hoffherr - MWIN334366
# Running from : C:\Users\Julie.Hagedorn\Desktop\adwcleaner_5.013.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Julie.Hagedorn\AppData\Local\Conduit
[!] Folder Not Deleted : C:\Users\Julie.Hagedorn\AppData\Local\Conduit
[-] Folder Deleted : C:\Users\Julie.Hagedorn\AppData\Roaming\SearchProtect
[!] Folder Not Deleted : C:\Users\Julie.Hagedorn\AppData\Roaming\SearchProtect

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{00A9374B-EA62-4F01-8AD9-0AB9CC92D49E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0113165C-98AA-4C86-8CB8-6BD68581B18A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{04B04A50-B8CA-4F17-939D-AE70146B03AF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09267230-F70C-434B-89D0-3128BB80F337}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0D594E05-D4E1-11D3-87BC-0010A4E2EC3C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0D5E9488-2E3E-4D60-BA9D-EBF3086BE2C7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0DD24A3B-B7CF-11D3-B17B-001083022E07}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0E5A70BB-C994-4A85-AA5B-A8182527B035}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1412B82C-F80E-4B55-B3B0-1DB2E24F24EE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{14EDD925-0BC9-4D86-825B-327E51D29053}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1549E2EF-B3D4-11D3-8A36-0010A4EF3494}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{17B26198-C5E1-451A-AEEC-0FC572572148}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{190B1BB2-2A81-11D1-B9B8-00A0248BA543}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1B740DBA-21B8-4E94-A3F6-900BC40541EC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1E7B2846-9B19-11D3-8770-0010A4E2EC3C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{20F3BE13-5393-11D4-8840-0010A4EF33B9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{22350CDD-93C0-4581-A178-B02242B45C19}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{223DC4A3-197C-4C24-8E23-1F1614830D92}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{248EC100-3D5B-4228-A493-56AAAEE81F50}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{254F1268-C7A7-11D3-B0F2-001083028D76}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{25767E0A-3D54-448E-9712-84C8E5123465}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2958A8DD-BE4A-46D9-AD0B-9C8576BD17E3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{29B22339-22FA-46AA-8030-8D21A9B7D066}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2A36AC5D-AC9D-4AF5-98DE-C9D7A39EDEFE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2C2B35D7-3036-4CB1-8CD1-206410A74130}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2CE8D791-4DE5-11D4-883C-0010A4EF33B9}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2D03D55F-120B-43AF-BF4C-DDC6C58E5975}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2D335F24-111A-47BF-83FD-5A0C66423BBF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3312A6F8-34FF-47E5-B801-693FDCD0DDF7}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{35239D40-F01C-11D2-9A83-00104B6943FF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{368DF727-D0CB-487D-9711-6AF11F37F8CF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{38CEAE1A-0448-11D4-947A-00C04F79C2F2}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3AFCB054-161C-402D-9A6A-0A40F7BDAC0D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3BB799C2-9BDC-483D-8A5C-7D2BC799D777}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3CA74001-A2C7-11D3-8A21-000000000000}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3DFC6BE1-D813-11D3-8A7C-000000000000}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3F4A4D09-072D-11D4-B16A-001083022E16}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3FB7A7BC-FDBC-4433-969B-B1ED77954E77}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{40B307DE-4162-465F-8D06-B2D1E80F2335}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4119F63D-236D-4EA4-AB2B-86F7D8AE3940}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{43A035C7-B899-43EA-AF97-916FC56737D6}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{49FF44DE-DD6E-42C7-B5DC-931DAF9172CB}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A16A8C0-E8D1-4658-8439-DC31DF2ECC73}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4C277C7C-AE79-458A-99E9-1F8E68A7C098}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E7DD2BA-8F45-406F-8E65-06B177199AEE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4FB336E9-A90F-11D3-B0FB-001083028D43}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{50D7FEB1-2A59-11D3-9AC6-00104B701FD3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{5784B229-0556-4B84-BCBF-44CDF261F760}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{594D84AD-49CA-4B69-9C29-BF7732790416}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{5A293312-8342-11D3-89EC-0010A4EF3494}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{5EC2CBFE-B249-415B-A40E-9E7F0FD5AAC3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{62835BBC-C88F-11D3-8A70-00104BA5862D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{644C9425-1908-11D3-8F0B-006008193528}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6881B463-50E4-11D3-BCFC-006008983BE8}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6883DE78-CAFC-4E29-B39D-ED08477794B3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{69AEA044-F9E4-45FA-B83D-E5EC1D7E2485}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6FC40A39-DCDE-4CBB-8789-321000452864}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{71510D8F-7177-4541-9345-87AD18E896B9}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{73CB675D-6485-4075-A501-CC126F0245F2}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{75949313-CA29-427B-B7AB-498C11EEF092}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{7800831D-2B5A-11D4-B17C-001083022E16}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{78C4FA21-72A7-11D3-AB1F-00C04F9915E3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{80200326-2D10-11D4-880A-0010A4E2EC3C}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{80B4EC9D-531B-4796-9502-BA8234DB79A9}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8150A73B-FE2C-4302-9301-095B1FEE2CEE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{82BEB909-1433-42DB-AEE6-FB037A847A41}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{83069D93-F5BE-4EC9-8D55-13A25BB6AB36}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{85469340-F189-11D1-9C17-0060977CAAF1}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{87F3F120-2284-47A9-A01C-B175CA76CF8D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8923FDD8-AEEE-407A-B084-B3604CA8C3F0}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8A0A0864-DE2D-11D2-9A92-00104B701FD3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8D5A639E-40E5-46E3-90C2-F5B4DCAE80F8}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8EC84195-C921-11D3-B0E6-001083021EBC}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{901F8A62-4A3F-4339-BB28-320188D575EB}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9415F8E1-72F6-458A-92E4-19647052E949}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{943E567E-0D31-47EF-A668-C4943C33ED75}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{96DCA5C1-2F17-11D3-ABF7-006097D8C7EB}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9AA27AA0-C203-11D3-B0F2-001083028D76}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9D9D5086-F7F7-4920-B14F-A83473C93834}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9F7267C1-567B-11D3-AC3B-006097D8C7EB}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0D5F76A-5E89-494E-B55A-E3B277B57037}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A1D682ED-C7C0-46B5-A03D-2B96B1FB0E27}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A3008E7A-5116-498A-92B4-23576A75749E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A92230D7-0A37-11D4-B87A-00C04F797C4A}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A9DF41A1-150D-45F0-8109-8361FE22DB0D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AB2EF91F-5F12-11D4-884F-0010A4EF33B9}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B2CE3C9A-EFF4-491D-8798-20AE31BC2A09}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B5EE7276-2B44-11D4-8ACE-0010A4EF348E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B618B187-070F-11D4-B878-00C04F797C4A}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B7066B09-7B74-4EC3-A559-A9939246D840}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B7C5F505-236A-11D3-9A58-00104B69436D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B82F6DDF-0775-4930-BCCF-7F74502A7C4D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B83060A6-2142-42C2-A58C-7CC1F1F93A9B}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B8581311-5C2D-11D4-884A-0010A4EF33B9}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B8A56387-341C-4E82-B742-5181452649B7}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B91846B3-28F6-44F0-8E98-AE8D52FEBFDE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B9EF03DD-A7BB-47AC-BBAA-DBD609AEA53D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BC0AEF12-6B95-4990-9A2B-290C4B442322}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BC61B56E-07F3-40A2-A998-46A0FE8BB425}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BE1C6A4F-2FE9-4075-BB6E-875E6151AF09}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BE46ADF2-8B9C-4852-A452-94C382F47508}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C1C36649-E04E-4F84-A311-5AFAD8FE5DFB}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2BD8216-9305-4A48-A994-9810FA9E5FAF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2CFD55C-7EE4-41FC-9B2B-7A436177565E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C87A263B-E67E-4639-8D9D-2C5D6A01E35D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C8D98E34-C8B9-433C-A9B3-860003E88418}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CBE20A12-9493-4E68-883A-C7DE38A7396A}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CC15211F-866E-49D7-A745-81C23F93BC62}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CF82A22A-FE64-4654-B8AC-59542EAED8C3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D3A67E41-AE1A-463D-B7E8-A1F883C278E5}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D3E0F08E-C011-4D71-98A7-D114D78680CF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D4A8C91E-F1FA-4185-A940-7C2ECBB98D91}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D97DD574-6258-447F-9244-22C31AAA12C5}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D9848AC8-BF8A-4FEB-927E-A5E9AA9A17BE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DBFE96D9-E47A-4107-B7A2-42FCF64410F7}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DCB2BE25-B653-4BD2-84BC-BED3E0BB0E6E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DD8510EE-69BF-4D72-96DA-5DB7AE951492}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DED87422-0156-4234-AFD5-07E284864D2D}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E0E2541B-85CF-427E-9522-0854DAEE85B0}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E197382C-14DA-4663-835B-130067564BEC}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E5F47112-D589-11D2-9A8C-00104B701FD3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E7A41DC7-5313-403E-A639-09383927C99C}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EABC9E26-CD1C-4611-ADC1-F4AE0A0B1260}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EB6C7185-CD71-4B53-BD43-3877717B8698}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EE0EAE86-1B40-4906-9890-39F1A191BB08}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EF2DC6AC-95EB-49F6-8429-6392AA95F0FF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F038CE98-77E7-46CE-B507-082329074F59}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F732684A-372C-4B1B-A7C8-B492C605F12E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{F74830CB-F6EE-4A89-836D-5F221C0B0BA0}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FC29879F-3B69-49FD-A2D2-AAADE507FFEE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FF3B3DFE-956B-4C38-9FD5-F6E486C95DEE}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FF4921D1-E990-4F2B-BEEF-59C31712FD0A}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}

[-] Key Deleted : HKCU\Software\Conduit

[-] Key Deleted : HKCU\Software\Softonic

[-] Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

[-] Key Deleted : HKLM\SOFTWARE\Conduit

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6FE5A5BE-8301-4E31-9E7E-580E16292948}

[!] Key Not Deleted : [x64] HKCU\Software\Conduit

[!] Key Not Deleted : [x64] HKCU\Software\Softonic

[!] Key Not Deleted : HKU\S-1-5-21-181418603-413491667-474620416-214645\Software\AppDataLow\Software\Conduit

 

***** [ Web browsers ] *****

 

[-] [C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com

[-] [C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

[-] [C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com

[-] [C:\Users\Julie.Hagedorn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

 

*************************

 

:: Winsock settings cleared

 

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [15229 bytes] ##########
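Reading a cleaning log like the one above by eye is easy to get wrong: a "[-] Folder Deleted" line immediately followed by "[!] Folder Not Deleted" for the same path means the tool found the item again after removing it, and entries prefixed "[x64]" are ones AdwCleaner handled through the 64-bit registry view. What matters for the next step is not what was deleted but what the log still reports as present. As an added example (not part of this thread, and not an AdwCleaner or BleepingComputer tool), the Python below parses the AdwCleaner 5.x log layout and lists exactly that. The sample log text, the user name and the SID in it are constructed for the example, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of an AdwCleaner 5.x cleaning log. It is
# modelled on the log posted in this thread but written for this example; the
# user name, paths and SID are placeholders, not values from the real machine.
SAMPLE_ADWCLEANER = r"""
# AdwCleaner v5.013 - Logfile created 14/10/2015 at 20:40:29
# Option : Cleaning

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\user\AppData\Local\Conduit
[!] Folder Not Deleted : C:\Users\user\AppData\Local\Conduit
[-] Folder Deleted : C:\Users\user\AppData\Roaming\SearchProtect

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKCU\Software\Conduit
[!] Key Not Deleted : [x64] HKCU\Software\Conduit
[!] Key Not Deleted : HKU\S-1-5-21-1-2-3-1001\Software\AppDataLow\Software\Conduit

***** [ Web browsers ] *****

[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# [-] <kind> Deleted : <target>    or    [!] <kind> Not Deleted : <target>
ENTRY_RE = re.compile(r"^\[([-!])\] (.+?) (Deleted|Not Deleted) : (.+)$")


def parse_adwcleaner(text):
    """Return a list of (section, kind, status, target) for every action line."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group(1)
            continue
        em = ENTRY_RE.match(line)
        if em and section is not None:
            _, kind, status, target = em.groups()
            entries.append((section, kind, status, target))
    return entries


def normalise(target):
    """Drop AdwCleaner's [x64] registry-view marker and fold case so the same
    key or path reported in two spellings compares equal."""
    return re.sub(r"^\[x64\]\s*", "", target).lower()


def remaining_items(entries):
    """Targets the log still reports as present after cleaning, by section.

    A target with both a 'Deleted' and a 'Not Deleted' line was removed in one
    pass or view and found again in another; it is not gone."""
    deleted = defaultdict(set)
    for section, _, status, target in entries:
        if status == "Deleted":
            deleted[section].add(normalise(target))
    left = defaultdict(dict)
    for section, _, status, target in entries:
        if status == "Not Deleted":
            if normalise(target) in deleted[section]:
                note = "reported deleted, then found again (other view or later check)"
            else:
                note = "not deleted"
            left[section][target] = note
    return {s: dict(items) for s, items in left.items()}


def summarise(entries):
    """Per-section counts of Deleted vs Not Deleted lines."""
    counts = defaultdict(lambda: {"Deleted": 0, "Not Deleted": 0})
    for section, _, status, _ in entries:
        counts[section][status] += 1
    return {s: dict(c) for s, c in counts.items()}


if __name__ == "__main__":
    entries = parse_adwcleaner(SAMPLE_ADWCLEANER)
    for section, counts in summarise(entries).items():
        print(f"{section}: {counts}")
    for section, items in remaining_items(entries).items():
        print(f"\nStill present in [{section}]:")
        for target, note in items.items():
            print(f"  {target}  <- {note}")
```

To use it on a real run, read C:\AdwCleaner\AdwCleaner[C1].txt into a string and pass it to parse_adwcleaner in place of the sample. The items it lists are the ones to carry into the next tool's fix script or to recheck after the reboot AdwCleaner asks for; a folder that is deleted and then reported not deleted should be treated as still present until a rescan says otherwise.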



#7 nasdaq (Malware Response Team)
Posted 15 October 2015 - 08:58 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 geegollygirl (Topic Starter)
Posted 15 October 2015 - 11:32 AM

I haven't been on the internet much the last few days.  I'll give it a few more days and let you know if anything else troublesome pops up.  Thank you again for your help!



#9 geegollygirl (Topic Starter)
Posted 15 October 2015 - 10:16 PM

It just started again...



#10 nasdaq (Malware Response Team)
Posted 16 October 2015 - 06:51 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#11 geegollygirl (Topic Starter)
Posted 16 October 2015 - 10:48 PM

The scan "quit responding" the first time I tried, but then went ahead and ran.  Attached is the log.  As usual, I just completed the scan and want to post the results but will update you if more problems occur in the near future.

 

Thanks!

Attached Files



#12 nasdaq (Malware Response Team)
Posted 17 October 2015 - 08:20 AM

Keep me posted.

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 geegollygirl (Topic Starter)
Posted 20 October 2015 - 10:00 AM

All is not well... it took a couple extra days but it's back again.



#14 nasdaq (Malware Response Team)
Posted 21 October 2015 - 08:04 AM

All is not well... it took a couple extra days but it's back again.

Was this after you downloaded something?

===

What is the Exact error message?
If you could please include a picture of the error message.

===

Clean your Java cache.
https://www.java.com/en/download/help/plugin_cache.xml

===

Clean your Flash cache.
https://forums.adobe.com/message/4278569
===

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====
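The "Reg Loading Points" section of a ComboFix log is where the policy values that weaken a host show up (UAC prompt behaviour, the Windows Update policy, AppInit_DLLs, Security Center monitoring), and they are easy to skim past among the ordinary autoruns. As an added example, not code from this thread, from ComboFix or from BleepingComputer, the Python below reads that section from a ComboFix.txt and flags the values a reviewer would want to question. The sample text is constructed here in the format ComboFix uses, modelled on the log posted later in the thread; the rule list and function names are this example's own, and the meaning given for each value is the documented Windows policy semantics.

```python
import re

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section. The entries mirror the kind of values that appear in the log posted
# later in this thread, but the text is written for this example, not copied.
SAMPLE_COMBOFIX = r"""
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def _decode(raw):
    """Turn ComboFix's value spellings into Python values:
    '0 (0x0)' and 'dword:00000001' become ints, anything else stays a string."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9A-Fa-f]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(-?\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_loading_points(text):
    """Return {key_path_lowercased: {value_name: value}} for the section."""
    result = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            result.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            result[current][vm.group(1)] = _decode(vm.group(2))
    return result


# (key path fragment, value name, weak-if predicate, what it means). The meanings
# are the documented Windows semantics; which values to check is this example's choice.
RULES = [
    ("policies\\system", "ConsentPromptBehaviorAdmin", lambda v: v == 0,
     "UAC elevates administrators without prompting (0 = 'Elevate without prompting')"),
    ("policies\\system", "PromptOnSecureDesktop", lambda v: v == 0,
     "UAC prompts appear on the normal desktop, where other processes can overlay or drive them"),
    ("windowsupdate\\au", "NoAutoUpdate", lambda v: v == 1,
     "Automatic Windows Update is switched off by policy"),
    ("currentversion\\windows", "LoadAppInit_DLLs", lambda v: v == 1,
     "AppInit_DLLs injection is enabled; each listed DLL loads into every process that loads user32.dll"),
    ("security center\\monitoring", "DisableMonitoring", lambda v: v == 1,
     "Security Center monitoring is disabled for a registered AV product"),
]


def audit(parsed):
    """Return (key, value_name, value, message) for each weak setting found."""
    findings = []
    for key, values in parsed.items():
        for fragment, name, is_weak, message in RULES:
            if fragment in key and name in values and is_weak(values[name]):
                findings.append((key, name, values[name], message))
        # Always surface the injected DLL path so its signer and owner can be checked.
        if "currentversion\\windows" in key and values.get("AppInit_DLLs"):
            findings.append((key, "AppInit_DLLs", values["AppInit_DLLs"],
                             "DLL loaded into every user32-linked process; verify it is signed and expected"))
    return findings


if __name__ == "__main__":
    for key, name, value, message in audit(parse_reg_loading_points(SAMPLE_COMBOFIX)):
        print(f"{name} = {value!r}\n    {message}\n    at {key}")
```

To run it on a real log, read C:\ComboFix.txt into a string and pass that to parse_reg_loading_points in place of the sample. A hit is a question, not a verdict: an organisation that patches through its own mechanism may set NoAutoUpdate deliberately, and graphics drivers do register AppInit_DLLs entries, but each flagged value should be traced back to the policy or installer that set it before it is accepted.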

#15 geegollygirl (Topic Starter)
Posted 21 October 2015 - 09:47 AM

Not that I recall after a download, definitely not immediately. I was actually about 20 minutes into viewing a webex when the latest round of error messages started up.  The only possibility would have been if a Java update was installing in the background, but I'm not sure if it was... just know I was due for one.  I've attached a screenshot from the Microsoft Security Essentials Quarantine log.  I deleted what was suggested and ran ComboFix.  The Symantec Endpoint is "governed by group policy" so I couldn't get it to completely disable; I went to the toolbar and selected Disable Endpoint Protection there, but ComboFix still prompted me that something Symantec was still running... hopefully it didn't get in the way too much.  I don't like it but corporate IT does.  I could try to uninstall it then run ComboFix if you think it interfered... not sure if it will let me uninstall it, but maybe.

 

Anyway, below is the log, please let me know if I need to do something else or something differently.

 

Thanks so much for your help!!

 

ComboFix 15-10-21.01 - julie.hoffherr 10/21/2015   8:56.1.4 - x64

Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8149.5010 [GMT -5:00]

Running from: c:\users\Julie.Hagedorn\Desktop\combofix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point

.

ADS - Windows: deleted 72 bytes in 2 streams.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\ntuser.pol

c:\windows\SysWow64\DEBUG.log

C:\WindowsPODIUM.LOG

.

.

(((((((((((((((((((((((((   Files Created from 2015-09-21 to 2015-10-21  )))))))))))))))))))))))))))))))

.

.

2015-10-21 14:09 . 2015-10-21 14:09 --------    d-----w-      c:\users\mark.a.smith\AppData\Local\temp

2015-10-21 14:09 . 2015-10-21 14:09 --------    d-----w-    c:\users\local-admin\AppData\Local\temp

2015-10-21 13:23 . 2015-10-21 13:23 --------    d-----w-    c:\program files (x86)\Common Files\Java

2015-10-19 13:45 . 2015-10-19 13:45 75888 ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A99D7868-2617-43E5-A64B-0139EA060372}\offreg.1084.dll

2015-10-17 03:47 . 2015-08-31 22:45 11062400    ----a-w-      c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A99D7868-2617-43E5-A64B-0139EA060372}\mpengine.dll

2015-10-17 03:31 . 2015-10-17 02:55 24064 ----a-w-    c:\windows\zoek-delete.exe

2015-10-17 03:31 . 2015-10-21 14:15 --------    d-----w-      c:\users\Julie.Hagedorn\AppData\Local\Temp

2015-10-17 03:23 . 2015-10-17 03:37 --------    d-----w-    C:\zoek

2015-10-16 00:57 . 2015-06-24 20:00 1190000     ----a-w-      c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC8A37C5-E553-4D55-B87E-63124D6179A9}\gapaengine.dll

2015-10-15 01:35 . 2015-10-15 01:50 --------    d-----w-    C:\AdwCleaner

2015-10-15 01:28 . 2015-10-18 01:45 --------    d-----w-      c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps

2015-10-13 02:30 . 2015-10-15 01:29 --------    d-----w-    C:\FRST

2015-10-11 16:01 . 2015-10-11 16:01 --------    d-----w-    c:\programdata\SMR501

2015-10-10 16:23 . 2015-10-20 17:29 --------    d-----w-      c:\users\Julie.Hagedorn\AppData\Local\CrashDumps

2015-10-09 19:42 . 2015-10-09 19:42 --------    d-----w-    c:\programdata\Malwarebytes

2015-10-09 19:39 . 2015-10-11 16:10 --------    d-----w-      c:\users\Julie.Hagedorn\AppData\Local\NPE

2015-10-09 19:39 . 2015-10-09 19:39 --------    d-----w-    c:\programdata\Norton

2015-10-09 16:45 . 2015-08-31 22:45 11062400    ----a-w-      c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2015-10-06 00:57 . 2015-10-16 02:13 --------    d-----w-    c:\program files (x86)\Common Files\ffdshowEx

2015-10-06 00:57 . 2015-10-20 23:35 --------    d-----w-    c:\program files (x86)\MediaMall

2015-10-05 19:12 . 2015-10-05 19:12 --------    d-----w-    c:\program files (x86)\CodeMeter

2015-09-25 03:25 . 2015-09-25 03:25 --------    d-----w-    c:\program files (x86)\Content Manager

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2015-10-21 13:22 . 2014-08-19 18:04 97888 ----a-w-      c:\windows\SysWow64\WindowsAccessBridge-32.dll

2015-08-26 23:37 . 2012-08-15 17:21 134753440   ----a-w-    c:\windows\system32\MRT.exe

2015-08-24 18:32 . 2012-08-07 01:28 778440      ----a-w-      c:\windows\SysWow64\FlashPlayerApp.exe

2015-08-24 18:32 . 2012-08-07 01:28 142536      ----a-w-      c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2015-08-13 17:42 . 2015-08-13 17:42 1825792     ----a-w-    c:\windows\SysWow64\Raise.dll

2015-08-11 01:20 . 2015-08-28 19:36 25191936    ----a-w-    c:\windows\system32\mshtml.dll

2015-08-11 01:14 . 2015-08-28 19:36 2724864     ----a-w-    c:\windows\system32\mshtml.tlb

2015-08-11 00:33 . 2015-08-28 19:36 2724864     ----a-w-    c:\windows\SysWow64\mshtml.tlb

2015-07-30 18:06 . 2015-08-20 02:20 2565120     ----a-w-    c:\windows\system32\d3d10warp.dll

2015-07-30 18:06 . 2015-08-20 02:20 1180160     ----a-w-    c:\windows\system32\FntCache.dll

2015-07-30 18:06 . 2015-08-20 02:20 1648128     ----a-w-    c:\windows\system32\DWrite.dll

2015-07-30 18:06 . 2015-08-20 02:20 41984 ----a-w-    c:\windows\system32\lpk.dll

2015-07-30 18:06 . 2015-08-20 02:20 100864      ----a-w-    c:\windows\system32\fontsub.dll

2015-07-30 18:06 . 2015-08-20 02:20 14336 ----a-w-    c:\windows\system32\dciman32.dll

2015-07-30 18:06 . 2015-08-20 02:20 46080 ----a-w-    c:\windows\system32\atmlib.dll

2015-07-30 17:57 . 2015-08-20 02:20 1251328     ----a-w-    c:\windows\SysWow64\DWrite.dll

2015-07-30 17:57 . 2015-08-20 02:20 1987584     ----a-w-    c:\windows\SysWow64\d3d10warp.dll

2015-07-30 17:57 . 2015-08-20 02:20 70656 ----a-w-    c:\windows\SysWow64\fontsub.dll

2015-07-30 17:57 . 2015-08-20 02:20 10240 ----a-w-    c:\windows\SysWow64\dciman32.dll

2015-07-30 17:57 . 2015-08-20 02:20 34304 ----a-w-    c:\windows\SysWow64\atmlib.dll

2015-07-30 17:55 . 2015-08-20 02:20 25600 ----a-w-    c:\windows\SysWow64\lpk.dll

2015-07-30 16:56 . 2015-08-20 02:20 3208192     ----a-w-    c:\windows\system32\win32k.sys

2015-07-30 16:52 . 2015-08-20 02:20 372736      ----a-w-    c:\windows\system32\atmfd.dll

2015-07-30 16:49 . 2015-08-20 02:20 299520      ----a-w-    c:\windows\SysWow64\atmfd.dll

2015-07-30 13:13 . 2015-08-20 02:04 103120      ----a-w-      c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll

2015-07-30 13:13 . 2015-08-20 02:04 124624      ----a-w-      c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2015-03-19 911032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]

"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2013-01-23 113656]

"DT DEL"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2011-10-13 121648]

"UsbCipHelper"="c:\program files (x86)\Rockwell Automation\UsbCipDriver\UsbCipHelper\UsbCipHelper.exe" [2014-01-10 443176]

"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]

"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]

"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]

"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2010-10-22 11937552]

"ActivationNotifier"="c:\program files (x86)\Rockwell Software\FactoryTalk Activation\Tools\ActivationNotifier.exe" [2014-09-09 113488]

"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2015-06-26 41360]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2015-06-26 840592]

"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2013-07-19 703888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-10-06 597040]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-08-07 688984]

.

c:\users\local-admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2011-8-24 494488]

.

c:\users\Julie.Hagedorn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 246472]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"DisableCAD"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-181418603-413491667-474620416-214645\Scripts\Logoff\0\0]

"Script"=ChangePassword.VBS

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]

R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]

R2 SQLAgent$FTVIEWX64TAGDB;SQL Server Agent (FTVIEWX64TAGDB);c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\SQLAGENT.EXE [x]

R3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe [x]

R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]

R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]

R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]

R3 CH341SER_A64;CH341SER_A64;c:\windows\system32\Drivers\CH341S64.SYS;c:\windows\SYSNATIVE\Drivers\CH341S64.SYS [x]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]

R3 EmuLogix 5868 Slot2;EmuLogix 5868 Slot2;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\\V24\EmuLogix5868.exe;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\\V24\EmuLogix5868.exe [x]

R3 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]

R3 LogReceiver;LogReceiver;c:\program files (x86)\Rockwell Software\RSLinx Enterprise\LogReceiver.exe;c:\program files (x86)\Rockwell Software\RSLinx Enterprise\LogReceiver.exe [x]

R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]

R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDFw7x64.sys [x]

R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]

R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]

R3 RAUSBCIP;RAUSBCIP;c:\windows\system32\drivers\rausbcipwdf.sys;c:\windows\SYSNATIVE\drivers\rausbcipwdf.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;c:\program files (x86)\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe;c:\program files (x86)\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe [x]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]

R3 SimModuleService;1789-SIM Simulator Module;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe;c:\program files (x86)\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe [x]

R3 Studio5000ClockSyncService;Studio 5000 Clock Sync Service;c:\program files (x86)\Rockwell Automation\Studio 5000 Clock Sync Service\ClockSyncService.exe;c:\program files (x86)\Rockwell Automation\Studio 5000 Clock Sync Service\ClockSyncService.exe [x]

R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\SyDvCtrl64.sys;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\SyDvCtrl64.sys [x]

R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys;c:\windows\SYSNATIVE\DRIVERS\vpcuxd.sys [x]

R3 vzandnetdiag;LGE AndroidNet for VZW USB Serial Port;c:\windows\system32\DRIVERS\lgvzandnetdiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetdiag64.sys [x]

R3 vzandnetmodem;LGE AndroidNet for VZW USB Modem;c:\windows\system32\DRIVERS\lgvzandnetmdm64.sys;c:\windows\SYSNATIVE\DRIVERS\lgvzandnetmdm64.sys [x]

R3 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [x]

R4 FactoryTalk Gateway;FactoryTalk Gateway;c:\program files (x86)\Rockwell Software\RSOPC Gateway\RSOPCGateway.exe;c:\program files (x86)\Rockwell Software\RSOPC Gateway\RSOPCGateway.exe [x]

R4 FTAE_Archiver;Rockwell Alarm History Archiver;c:\program files (x86)\Common Files\Rockwell\FTAEArchiver.exe;c:\program files (x86)\Common Files\Rockwell\FTAEArchiver.exe [x]

R4 FTAE_HistServ;Rockwell Alarm Historian;c:\program files (x86)\Common Files\Rockwell\FTAE_HistServ.exe;c:\program files (x86)\Common Files\Rockwell\FTAE_HistServ.exe [x]

R4 Ignition;Ignition Gateway;c:\program files\Inductive Automation\Ignition\IgnitionGateway.exe;c:\program files\Inductive Automation\Ignition\IgnitionGateway.exe [x]

R4 RnaAeServer;Rockwell Alarm Server;c:\program files (x86)\Common Files\Rockwell\RnaAeServer.exe;c:\program files (x86)\Common Files\Rockwell\RnaAeServer.exe [x]

R4 RnaAlarmMux;Rockwell Alarm Multiplexer;c:\program files (x86)\Common Files\Rockwell\RnaAlarmMux.exe;c:\program files (x86)\Common Files\Rockwell\RnaAlarmMux.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 DLACDBHE;DLACDBHE;c:\windows\System32\Drivers\DLACDBHE.SYS;c:\windows\SYSNATIVE\Drivers\DLACDBHE.SYS [x]

S0 DRVECDB;DRVECDB;c:\windows\System32\Drivers\DRVECDB.SYS;c:\windows\SYSNATIVE\Drivers\DRVECDB.SYS [x]

S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]

S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]

S0 SymDS;Symantec Data Store;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMDS64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMDS64.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMEFA64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMEFA64.SYS [x]

S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]

S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]

S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20151005.011\BHDrvx64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20151005.011\BHDrvx64.sys [x]

S1 ccSettings_{2FF4FBED-F03A-4EE2-AC58-C985811A4FBE};Symantec Endpoint Protection 12.1.4013.4013.105 Settings Manager;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x64\ccSetx64.sys;c:\windows\SYSNATIVE\Drivers\SEP\0C010FAD\0FAD.105\x64\ccSetx64.sys [x]

S1 DLARTL_E;DLARTL_E;c:\windows\system32\Drivers\DLARTL_E.SYS;c:\windows\SYSNATIVE\Drivers\DLARTL_E.SYS [x]

S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20151020.011\IDSvia64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20151020.011\IDSvia64.sys [x]

S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x64\Ironx64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C010FAD\0FAD.105\x64\Ironx64.SYS [x]

S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C010FAD\0FAD.105\x64\SYMNETS.SYS [x]

S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\System32\Drivers\VirtualBackplane.sys;c:\windows\SYSNATIVE\Drivers\VirtualBackplane.sys [x]

S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]

S2 aksdf;aksdf;c:\windows\system32\drivers\aksdf.sys;c:\windows\SYSNATIVE\drivers\aksdf.sys [x]

S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe;c:\windows\SysWOW64\atashost.exe [x]

S2 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]

S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [x]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [x]

S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [x]

S2 DLABMFSE;DLABMFSE;c:\windows\system32\Drivers\DLABMFSE.SYS;c:\windows\SYSNATIVE\Drivers\DLABMFSE.SYS [x]

S2 DLABOIOE;DLABOIOE;c:\windows\system32\Drivers\DLABOIOE.SYS;c:\windows\SYSNATIVE\Drivers\DLABOIOE.SYS [x]

S2 DLADResE;DLADResE;c:\windows\system32\Drivers\DLADResE.SYS;c:\windows\SYSNATIVE\Drivers\DLADResE.SYS [x]

S2 DLAIFS_E;DLAIFS_E;c:\windows\system32\Drivers\DLAIFS_E.SYS;c:\windows\SYSNATIVE\Drivers\DLAIFS_E.SYS [x]

S2 DLAOPIOE;DLAOPIOE;c:\windows\system32\Drivers\DLAOPIOE.SYS;c:\windows\SYSNATIVE\Drivers\DLAOPIOE.SYS [x]

S2 DLAPoolE;DLAPoolE;c:\windows\system32\Drivers\DLAPoolE.SYS;c:\windows\SYSNATIVE\Drivers\DLAPoolE.SYS [x]

S2 DLAUDF_E;DLAUDF_E;c:\windows\system32\Drivers\DLAUDF_E.SYS;c:\windows\SYSNATIVE\Drivers\DLAUDF_E.SYS [x]

S2 DLAUDFAE;DLAUDFAE;c:\windows\system32\Drivers\DLAUDFAE.SYS;c:\windows\SYSNATIVE\Drivers\DLAUDFAE.SYS [x]

S2 DRVEDDM;DRVEDDM;c:\windows\system32\Drivers\DRVEDDM.SYS;c:\windows\SYSNATIVE\Drivers\DRVEDDM.SYS [x]

S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [x]

S2 FactoryTalk Activation Service;FactoryTalk Activation Service;c:\program files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe;c:\program files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe [x]

S2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe;c:\program files (x86)\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [x]

S2 FTSysDiagSvcHost;FTSysDiagSvcHost;c:\program files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe;c:\program files (x86)\Common Files\Rockwell\FTSysDiagSvcHost.exe [x]

S2 hasplms;Sentinel Local License Manager;c:\windows\system32\hasplms.exe  -run;c:\windows\SYSNATIVE\hasplms.exe  -run [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]

S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x]

S2 MediaMall Server;MediaMall Server;c:\program files (x86)\MediaMall\MediaMallServer.exe;c:\program files (x86)\MediaMall\MediaMallServer.exe [x]

S2 MSSQL$FTVIEWX64TAGDB;SQL Server (FTVIEWX64TAGDB);c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.FTVIEWX64TAGDB\MSSQL\Binn\sqlservr.exe [x]

S2 NmspHost;Rockwell Namespace Services;c:\program files (x86)\Common Files\Rockwell\NmspHost.exe;c:\program files (x86)\Common Files\Rockwell\NmspHost.exe [x]

S2 nvservice;NVIDIA GuardService;c:\windows\system32\nvservice.exe;c:\windows\SYSNATIVE\nvservice.exe [x]

S2 O2SDIOAssist;O2SDIOAssist;c:\windows\SysWOW64\srvany.exe;c:\windows\SysWOW64\srvany.exe [x]

S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]

S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]

S2 RdcyHost;Rockwell Redundancy Services;c:\program files (x86)\Common Files\Rockwell\RdcyHost.exe;c:\program files (x86)\Common Files\Rockwell\RdcyHost.exe [x]

S2 Rockwell HMI Framework;Rockwell HMI Framework;c:\program files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe;c:\program files (x86)\Rockwell Software\RSView Enterprise\ServerFramework.exe [x]

S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [x]

S2 SnowInventoryClient;Snow Inventory Client;c:\program files\INVENTORYCLIENT\client64.exe;c:\program files\INVENTORYCLIENT\client64.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]

S2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [x]

S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]

S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys;SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]

S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [x]

S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]

S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys;c:\windows\SYSNATIVE\DRIVERS\accelern.sys [x]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]

S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]

S3 EventServer;Rockwell Event Server;c:\program files (x86)\Common Files\Rockwell\EventServer.exe;c:\program files (x86)\Common Files\Rockwell\EventServer.exe [x]

S3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]

S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\O2MDRw7x64.sys [x]

S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\o2sdjw7x64.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2015-10-16 00:52  997704      ----a-w-    c:\program files (x86)\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2015-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-07 18:32]

.

2015-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-23 21:52]

.

2015-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-23 21:52]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"

[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]

2011-12-08 15:45  139128      ----a-w-    c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"

[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]

2011-12-08 15:45  139128      ----a-w-    c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2013-02-21 698712]

"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2011-07-25 686704]

"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-12-08 381296]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-28 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-28 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-28 416024]

"SPEnroll"="c:\windows\system32\SPEnroll.exe" [2013-10-29 3226960]

"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-25 525312]

"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2013-07-17 4791024]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 108144]

"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-01-25 2041192]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\nvinitx.dll

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uInternet Settings,ProxyOverride = *.local;<local>

Trusted Zone: adobe.com\www

Trusted Zone: bankofamerica.com

Trusted Zone: celumimagine.com\skanska

Trusted Zone: dell.com

Trusted Zone: e2eglobalsourcing.com

Trusted Zone: e2eglobalsourcing.com\www

Trusted Zone: echosign.com\skanska

Trusted Zone: jireports.com\www

Trusted Zone: localhost

Trusted Zone: myskanska.com

Trusted Zone: navy.mil\www.esol.navfac

Trusted Zone: one.skanska

Trusted Zone: serverbkup01

Trusted Zone: serverexp

Trusted Zone: serverts

Trusted Zone: serverts01

Trusted Zone: serverts02

Trusted Zone: skanska.com

Trusted Zone: skanska.com\gateway.usacivil

Trusted Zone: skanska.com\vpn

Trusted Zone: skanska.info

Trusted Zone: skanska.net

Trusted Zone: skanska.org

Trusted Zone: skanska.se

Trusted Zone: skanskausa.com

Trusted Zone: taleo.net

TCP: DhcpNameServer = 10.0.5.211 10.0.5.212

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - hxxps://vpn.skanska.com/CACHE/stc/2/binaries/vpnweb.cab

DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://lowes.2020.net/planner/Core/Player/2020PlayerAX_WEB_Win32.cab

DPF: {91B29AFF-E4FF-11D6-8C88-00A0C9D7BBEB} - hxxp://www.ab.com/support/abdrives/webupdate/RADriveWebUpdate.cab

DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31}

DPF: {D59124D5-442C-44C5-BD9A-E81BB0582D55} - hxxp://raiseinstall.rockwellautomation.com/pstoolbox-lite-9-23-11/setup.ocx

DPF: {FFAD8DA9-ED41-494D-AC8E-63D861D0A733} - hxxps://download.rockwellautomation.com/plugins/rockwell.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

AddRemove-SLABCOMM&10C4&EA60 - c:\program files (x86)\Silabs\MCU\CP210x\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60

AddRemove-4125308224.localhost - c:\program files (x86)\Microsoft Silverlight\5.1.20125.0\Silverlight.Configuration.exe

AddRemove-Ignition Designer - c:\windows\system32\javaws.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]

"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\sms.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SmcService]

"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_18_0_0_232_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_18_0_0_232_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.18"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_18_0_0_232.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]

@Denied: (A 2) (Everyone)

@="IFlashBroker6"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Rockwell Software\RSView Enterprise\TagSrv.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe

c:\windows\system32\hasplms.exe

c:\windows\sysWOW64\SDIOAssist.exe

c:\program files (x86)\Common Files\Rockwell\RNADiagnosticsSrv.exe

c:\program files (x86)\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe

c:\program files (x86)\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe

c:\program files (x86)\Common Files\Rockwell\RsvcHost.exe

c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files (x86)\Common Files\Rockwell\EventClientMultiplexer.exe

c:\program files (x86)\Rockwell Software\FactoryTalk Activation\flexsvr.exe

c:\program files (x86)\Common Files\Rockwell\RnaDirServer.exe

c:\program files (x86)\Common Files\Rockwell\RNADirMultiplexor.exe

c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\windows\CCM\SCNotification.exe

.

**************************************************************************

.

Completion time: 2015-10-21  09:23:07 - machine was rebooted

ComboFix-quarantined-files.txt  2015-10-21 14:23

.

Pre-Run: 338,320,728,064 bytes free

Post-Run: 337,314,291,712 bytes free

.

- - End Of File - - E8CE38B8DCDEAA0974D708A5AF2705A9
