
Infected with something that keeps recreating hkcu/run registry entry


This topic is locked
13 replies to this topic

#1 Rich Webb

Posted 29 December 2015 - 03:16 PM

Whatever this infection is, it keeps recreating the following registry key value:

regsvr32.exe "C:\Users\llehman\AppData\Roaming\AufOmxu\WeyInba.dll"

in the HKCU/Software/Microsoft/Windows/CurrentVersion/Run key

I delete it and hit F5 and it is back. Don't know how to tell what is creating it.

In addition it seems to be causing Acrobat Reader to crash and a repeating occurrence of WerFault.exe that will slow the computer to a crawl. A reboot will stop the repeating WerFault.exe from coming up but opening up a PDF will cause it again. Reinstalling Acrobat Reader does not fix the issue.

I have run JRT and also ComboFix - neither has appeared to be able to handle it.

Here is the FRST log and I have attached the Addition.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-12-2015
Ran by llehman (administrator) on ROCK-PC3 (29-12-2015 15:06:40)
Running from C:\Users\llehman\Downloads
Loaded Profiles: llehman (Available Profiles: Admin & zylatech & llehman)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sanford, L.P.) C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.ClientService.exe
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.WindowsClient.exe
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.WindowsClient.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7205592 2013-11-19] (Realtek Semiconductor)
HKLM\...\Run: [HPKBDOSD] => C:\Program Files\Hewlett-Packard\HP Wireless Keyboard and Mouse Applet\KBDOSD.exe [802816 2012-08-14] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-11-10] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SharpTray.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe [131584 2010-03-08] (SHARP CORPORATION)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [FtpServer.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe [819712 2010-02-21] (SHARP CORPORATION)
HKLM-x32\...\Run: [IndexTray.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe [395264 2010-03-08] (SHARP CORPORATION)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-08-06] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\...\Run: [{773750A4-0D01-41C2-B228-D310EEDF480E}] => regsvr32.exe "C:\Users\llehman\AppData\Roaming\AufOmxu\WeyInba.dll"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-12-02]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-12-02]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-12-02]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.64.131
Tcpip\..\Interfaces\{EC4719A9-7679-4AFA-AD88-FCC1691449DA}: [DhcpNameServer] 192.168.64.131
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM14/19
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-20] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-18] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-20] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-18] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll => No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-20] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-20] (Google Inc.)
Handler-x32: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files (x86)\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2015-11-10] (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll [2010-11-20] (Microsoft Corporation)
Handler-x32: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files (x86)\Sharp\Sharpdesk\ExplorerExtensions.dll [2010-03-08] (SHARP CORPORATION)
 
FireFox:
========
FF ProfilePath: C:\Users\llehman\AppData\Roaming\Mozilla\Firefox\Profiles\qegb6cbs.default
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @dymo.com/DymoLabelFramework -> C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2014-03-20] ( Sanford L.P.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-04-11] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-04-11] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-14] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Store) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-03]
CHR Extension: (Google Drive) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-28]
CHR Extension: (YouTube) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-28]
CHR Extension: (Google Search) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-28]
CHR Extension: (Store) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-14]
CHR Extension: (Gmail) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-07]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [33072 2014-03-20] (Sanford, L.P.)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-04-11] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-02] ()
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2015-11-10] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2013-03-11] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-03-11] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-10-16] (Realtek Semiconductor)
R2 ScreenConnect Client (6821ca1d-2d91-49f7-81be-95674510832b); C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.ClientService.exe [35808 2015-12-29] (ScreenConnect Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-03-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-02] (Intel® Corporation)
S2 AdobeARMservice; "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [X]
S2 HPFSService; "C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe" [X]
S2 spsrv; C:\windows\system32\prevhone.exe -k [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [496400 2013-02-26] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28656 2013-05-30] (Intel Corporation)
S3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw02.sys [3584992 2013-08-01] (Intel Corporation)
R3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [424664 2013-08-02] (Realsil Semiconductor Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [30848 2015-12-29] ()
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [206744 2013-06-20] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-29 15:06 - 2015-12-29 15:06 - 02370560 _____ (Farbar) C:\Users\llehman\Downloads\FRST64.exe
2015-12-29 15:06 - 2015-12-29 15:06 - 00017318 _____ C:\Users\llehman\Downloads\FRST.txt
2015-12-29 15:06 - 2015-12-29 15:06 - 00000000 ____D C:\FRST
2015-12-29 14:14 - 2015-12-29 14:14 - 20835400 _____ C:\Users\llehman\Downloads\RogueKiller.exe
2015-12-29 14:11 - 2015-12-29 14:11 - 00696984 ____N (Sysinternals - www.sysinternals.com) C:\Users\llehman\Desktop\autoruns.exe
2015-12-29 13:49 - 2015-12-29 13:49 - 00027146 _____ C:\Users\llehman\Desktop\ComboFix1.txt
2015-12-29 13:48 - 2015-12-29 13:48 - 00027146 _____ C:\ComboFix1.txt
2015-12-29 13:48 - 2015-12-29 13:48 - 00000000 ___SD C:\ComboFix
2015-12-29 13:43 - 2015-12-29 13:43 - 00067040 _____ C:\Users\llehman\Downloads\Elsinore.ScreenConnect.Client (2).exe
2015-12-29 13:41 - 2015-12-29 13:41 - 00067040 _____ C:\Users\llehman\Downloads\Elsinore.ScreenConnect.Client (1).exe
2015-12-29 12:28 - 2015-12-29 12:28 - 00027146 _____ C:\ComboFix.txt
2015-12-29 12:07 - 2015-12-29 12:07 - 05643545 ____R (Swearware) C:\Users\llehman\Desktop\ComboFix.exe
2015-12-29 12:06 - 2015-12-29 13:42 - 00000000 ____D C:\Users\llehman\AppData\Roaming\AufOmxu
2015-12-29 12:05 - 2015-12-29 12:06 - 00208332 _____ C:\TDSSKiller.3.1.0.9_29.12.2015_12.05.27_log.txt
2015-12-29 12:04 - 2015-12-29 12:04 - 04727984 ____N (Kaspersky Lab ZAO) C:\Users\llehman\Desktop\tdsskiller.exe
2015-12-29 11:59 - 2015-12-29 11:59 - 06503984 _____ (Microsoft Corporation) C:\Users\llehman\Desktop\vcredist_x86.exe
2015-12-29 11:58 - 2015-12-29 11:58 - 07194312 _____ (Microsoft Corporation) C:\Users\llehman\Desktop\vcredist_x64.exe
2015-12-29 11:56 - 2015-12-29 11:56 - 00480177 _____ C:\Users\llehman\Downloads\AdobeAcroCleaner_DC2015.zip
2015-12-29 11:22 - 2015-12-29 11:22 - 00003886 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task
2015-12-28 19:36 - 2015-12-28 19:36 - 00042135 _____ C:\Users\llehman\Desktop\99123-630749-2319497-2319497-FN02-87122695.PDF
2015-12-28 13:20 - 2015-12-29 13:50 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-12-28 13:20 - 2015-12-28 13:20 - 00000000 ____D C:\Users\llehman\AppData\Local\CEF
2015-12-28 12:09 - 2015-12-28 12:10 - 00000000 ____D C:\Users\llehman\AppData\Roaming\Mozilla
2015-12-28 12:09 - 2015-12-28 12:10 - 00000000 ____D C:\Users\llehman\AppData\Local\Mozilla
2015-12-28 10:32 - 2015-12-28 10:33 - 01743360 _____ C:\Users\llehman\Downloads\adwcleaner_5.026.exe
2015-12-28 10:02 - 2015-12-28 10:02 - 00000017 _____ C:\Users\llehman\AppData\Local\resmon.resmoncfg
2015-12-28 09:45 - 2015-12-28 09:45 - 00000000 ____D C:\ProgramData\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54
2015-12-18 11:13 - 2015-12-18 11:13 - 00010421 _____ C:\Users\llehman\Documents\Woody Medical.xlsx
2015-12-14 18:44 - 2015-12-14 18:44 - 00001761 _____ C:\Users\Public\Desktop\iTunes.lnk
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files\iTunes
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files\iPod
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files (x86)\iTunes
2015-12-14 08:14 - 2015-11-20 13:54 - 03170304 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 02609152 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00709632 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00192512 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2015-12-14 08:14 - 2015-11-20 13:54 - 00098816 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00091136 _____ (Microsoft Corporation) C:\windows\system32\WinSetupUI.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2015-12-14 08:14 - 2015-11-20 13:54 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00012288 _____ (Microsoft Corporation) C:\windows\system32\wu.upgrade.ps.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00573440 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00174080 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00093696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00030208 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll
2015-12-14 08:14 - 2015-11-20 13:33 - 00035328 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2015-12-14 08:14 - 2015-11-11 16:12 - 00387792 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-12-14 08:14 - 2015-11-11 15:52 - 00341192 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-12-14 08:14 - 2015-11-11 13:53 - 01735680 _____ (Microsoft Corporation) C:\windows\system32\comsvcs.dll
2015-12-14 08:14 - 2015-11-11 13:53 - 00525312 _____ (Microsoft Corporation) C:\windows\system32\catsrvut.dll
2015-12-14 08:14 - 2015-11-11 13:39 - 01242624 _____ (Microsoft Corporation) C:\windows\SysWOW64\comsvcs.dll
2015-12-14 08:14 - 2015-11-11 13:39 - 00487936 _____ (Microsoft Corporation) C:\windows\SysWOW64\catsrvut.dll
2015-12-14 08:14 - 2015-11-11 11:21 - 25837568 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-12-14 08:14 - 2015-11-11 11:00 - 12856832 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-12-14 08:14 - 2015-11-11 10:44 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-12-14 08:14 - 2015-11-11 10:44 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-12-14 08:14 - 2015-11-11 10:41 - 20366848 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-12-14 08:14 - 2015-11-11 10:12 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-12-14 08:14 - 2015-11-11 09:57 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01648128 _____ (Microsoft Corporation) C:\windows\system32\DWrite.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01180160 _____ (Microsoft Corporation) C:\windows\system32\FntCache.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01008640 _____ (Microsoft Corporation) C:\windows\system32\user32.dll
2015-12-14 08:14 - 2015-11-10 13:39 - 01251328 _____ (Microsoft Corporation) C:\windows\SysWOW64\DWrite.dll
2015-12-14 08:14 - 2015-11-10 13:37 - 00833024 _____ (Microsoft Corporation) C:\windows\SysWOW64\user32.dll
2015-12-14 08:14 - 2015-11-10 12:47 - 03211264 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-12-14 08:14 - 2015-11-09 19:24 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-12-14 08:14 - 2015-11-09 19:13 - 00496640 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-12-14 08:14 - 2015-11-09 19:13 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-12-14 08:14 - 2015-11-09 19:12 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2015-12-14 08:14 - 2015-11-09 19:12 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-12-14 08:14 - 2015-11-09 19:11 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-12-14 08:14 - 2015-11-09 19:08 - 02280448 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-12-14 08:14 - 2015-11-09 19:06 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-12-14 08:14 - 2015-11-09 19:06 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-12-14 08:14 - 2015-11-09 19:04 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-12-14 08:14 - 2015-11-09 19:03 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-12-14 08:14 - 2015-11-09 19:02 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-12-14 08:14 - 2015-11-09 19:02 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-12-14 08:14 - 2015-11-09 18:50 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-12-14 08:14 - 2015-11-09 18:47 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-12-14 08:14 - 2015-11-09 18:46 - 04514816 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-12-14 08:14 - 2015-11-09 18:44 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2015-12-14 08:14 - 2015-11-09 18:37 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2015-12-14 08:14 - 2015-11-09 18:36 - 02050560 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-12-14 08:14 - 2015-11-09 18:36 - 00687104 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-12-14 08:14 - 2015-11-09 18:35 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-12-14 08:14 - 2015-11-09 18:17 - 02011136 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-12-14 08:14 - 2015-11-09 18:14 - 01311744 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-12-14 08:14 - 2015-11-09 18:12 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-12-14 08:14 - 2015-11-08 17:33 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-12-14 08:14 - 2015-11-08 17:32 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-12-14 08:14 - 2015-11-08 17:16 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 02887168 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 00571392 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2015-12-14 08:14 - 2015-11-08 17:15 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-12-14 08:14 - 2015-11-08 17:14 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-12-14 08:14 - 2015-11-08 17:07 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-12-14 08:14 - 2015-11-08 17:06 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-12-14 08:14 - 2015-11-08 17:04 - 05923840 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-12-14 08:14 - 2015-11-08 17:02 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-12-14 08:14 - 2015-11-08 17:01 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-12-14 08:14 - 2015-11-08 16:52 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-12-14 08:14 - 2015-11-08 16:48 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-12-14 08:14 - 2015-11-08 16:40 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-12-14 08:14 - 2015-11-08 16:35 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-12-14 08:14 - 2015-11-08 16:32 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-12-14 08:14 - 2015-11-08 16:29 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2015-12-14 08:14 - 2015-11-08 16:18 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2015-12-14 08:14 - 2015-11-08 16:15 - 00798208 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-12-14 08:14 - 2015-11-08 16:15 - 00718336 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-12-14 08:14 - 2015-11-08 16:14 - 14456832 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-12-14 08:14 - 2015-11-08 16:14 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-12-14 08:14 - 2015-11-08 16:13 - 02123264 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-12-14 08:14 - 2015-11-08 15:53 - 02487808 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-12-14 08:14 - 2015-11-08 15:41 - 01546752 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-12-14 08:14 - 2015-11-08 15:30 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-12-14 08:14 - 2015-11-05 14:05 - 00017408 _____ (Microsoft Corporation) C:\windows\system32\wshrm.dll
2015-12-14 08:14 - 2015-11-05 14:02 - 00014848 _____ (Microsoft Corporation) C:\windows\SysWOW64\wshrm.dll
2015-12-14 08:14 - 2015-11-05 04:53 - 00146944 _____ (Microsoft Corporation) C:\windows\system32\Drivers\rmcast.sys
2015-12-14 08:14 - 2015-11-03 14:04 - 00802304 _____ (Microsoft Corporation) C:\windows\system32\usp10.dll
2015-12-14 08:14 - 2015-11-03 14:04 - 00241664 _____ (Microsoft Corporation) C:\windows\system32\els.dll
2015-12-14 08:14 - 2015-11-03 13:56 - 00627712 _____ (Microsoft Corporation) C:\windows\SysWOW64\usp10.dll
2015-12-14 08:14 - 2015-11-03 13:55 - 00179712 _____ (Microsoft Corporation) C:\windows\SysWOW64\els.dll
2015-12-03 11:39 - 2015-12-03 11:39 - 57780336 _____ C:\Users\llehman\Documents\GLRockford120320152.zip
2015-12-03 11:37 - 2015-12-03 11:37 - 57785169 _____ C:\Users\llehman\Documents\GLRockford12032015.zip
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-29 15:06 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-29 14:47 - 2015-03-09 11:51 - 00000000 ____D C:\ProgramData\RogueKiller
2015-12-29 14:15 - 2015-03-09 11:51 - 00030848 _____ C:\windows\system32\Drivers\TrueSight.sys
2015-12-29 14:04 - 2014-08-19 11:46 - 00000000 ____D C:\Users\llehman\AppData\Local\Deployment
2015-12-29 13:58 - 2009-07-13 23:45 - 00016976 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-29 13:58 - 2009-07-13 23:45 - 00016976 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-29 13:56 - 2014-08-19 11:46 - 00000000 ____D C:\Users\llehman\AppData\Local\Apps\2.0
2015-12-29 13:54 - 2009-07-14 00:13 - 00785858 _____ C:\windows\system32\PerfStringBackup.INI
2015-12-29 13:54 - 2009-07-13 22:20 - 00000000 ____D C:\windows\inf
2015-12-29 13:50 - 2014-04-21 10:21 - 00000128 _____ C:\windows\system32\config\netlogon.ftl
2015-12-29 13:50 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-12-29 13:48 - 2015-03-09 11:58 - 00000000 ____D C:\Qoobox
2015-12-29 12:22 - 2009-07-13 21:34 - 00000215 _____ C:\windows\system.ini
2015-12-29 11:56 - 2015-07-10 05:57 - 02244280 _____ C:\Users\llehman\Desktop\AdobeAcroCleaner_DC2015.exe
2015-12-29 11:43 - 2015-03-27 07:13 - 00000000 ____D C:\Users\llehman\AppData\Local\CrashDumps
2015-12-29 11:22 - 2014-08-14 14:59 - 00000000 ____D C:\Users\llehman\AppData\Local\Adobe
2015-12-29 11:10 - 2015-03-10 08:12 - 00000564 _____ C:\Users\llehman\Desktop\JRT.txt
2015-12-29 10:54 - 2009-07-14 00:08 - 00032556 _____ C:\windows\Tasks\SCHEDLGU.TXT
2015-12-29 08:21 - 2014-04-22 10:15 - 00796864 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-12-29 08:21 - 2014-04-22 10:15 - 00142528 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-28 13:17 - 2014-04-21 08:57 - 00000000 ____D C:\ProgramData\Adobe
2015-12-28 10:44 - 2015-03-09 11:55 - 00000000 ____D C:\AdwCleaner
2015-12-28 10:31 - 2014-10-14 13:55 - 00000000 ____D C:\Users\llehman\AppData\Roaming\Apple Computer
2015-12-28 10:31 - 2014-10-14 13:54 - 00000000 ____D C:\Program Files\Common Files\Apple
2015-12-28 10:31 - 2014-06-13 13:33 - 00000000 ____D C:\Users\llehman\AppData\Local\ElevatedDiagnostics
2015-12-28 10:20 - 2014-10-16 09:16 - 00000000 ____D C:\Users\llehman\AppData\Local\0C6951B0-52C6-42D7-A67E-DA6AC2AAC3FD.aplzod
2015-12-28 08:27 - 2014-04-22 08:21 - 00000000 ____D C:\Users\llehman\AppData\Local\Greenshot
2015-12-23 10:25 - 2014-04-22 09:06 - 00000000 ____D C:\Users\llehman\Documents\Sharpdesk Desktop
2015-12-18 15:51 - 2015-06-22 13:57 - 00094208 _____ C:\Users\llehman\Documents\Budget 2015.xls
2015-12-15 12:40 - 2009-07-13 22:20 - 00000000 ____D C:\windows\rescache
2015-12-15 08:05 - 2009-07-13 23:45 - 00439104 _____ C:\windows\system32\FNTCACHE.DAT
2015-12-14 18:58 - 2014-04-21 08:58 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-14 18:57 - 2014-04-21 09:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-12-14 18:57 - 2014-04-21 09:37 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-12-14 18:57 - 2014-04-21 09:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-12-14 18:56 - 2014-04-21 08:42 - 00000000 ____D C:\windows\system32\MRT
2015-12-14 18:52 - 2014-04-21 08:42 - 140158008 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-12-02 19:02 - 2014-04-22 09:05 - 00000000 ____D C:\Users\llehman\Documents\Misc
2015-12-02 13:18 - 2010-11-20 22:27 - 00301728 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2015-12-02 09:25 - 2014-04-22 10:17 - 00002119 _____ C:\Users\Public\Desktop\QuickBooks Pro 2013.lnk
2015-12-02 09:25 - 2014-04-22 10:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickBooks
2015-12-02 09:25 - 2014-04-22 10:15 - 00000089 _____ C:\windows\QBChanUtil_Trigger.ini
 
==================== Files in the root of some directories =======
 
2014-04-22 10:57 - 2014-04-22 10:59 - 0044086 __RSH () C:\Program Files (x86)\DLS8Uninstall.log
2015-12-28 10:02 - 2015-12-28 10:02 - 0000017 _____ () C:\Users\llehman\AppData\Local\resmon.resmoncfg
2015-06-06 09:20 - 2015-06-06 09:20 - 0507352 _____ (ForensiT Limited) C:\ProgramData\UserProfileMigrationService.exe
 
Files to move or delete:
====================
C:\ProgramData\UserProfileMigrationService.exe
 
 
Some files in TEMP:
====================
C:\Users\llehman\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-20 00:46
 
==================== End of FRST.txt ============================
 

 

#2 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 30 December 2015 - 09:43 AM

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.

Please allow me some time to review your logs and I will be back with instructions.

#3 Rich Webb
  • Topic Starter
  • Members
  • 13 posts

Posted 30 December 2015 - 07:38 PM

Sintharius, thanks for the response.  Just wondering if you have had a chance to look over the logs?  We're getting close to a reformat here if we can't make progress soon as this is somewhat time sensitive.  I do understand that this is a free forum which offers free help so I am not at all rushing you.  Just this machine is somewhat critical and I can't have it down for much longer.

 

Thank You!

Rich



#4 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 30 December 2015 - 08:16 PM

Hello Rich Webb,

Below are some rules that you will need to follow while receiving my assistance:
  • I am currently in training, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.
  • Please do not seek assistance elsewhere without letting me know, as "Too many cooks can spoil the soup".
  • Please do not run any tools without being instructed to, as this makes my job much harder in trying to figure out what you have done.
  • If you wish to do other interventions, please let me know. I will assist you if possible.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the Follow this topic button, and make sure the receive notifications box is ticked and set to Instantly. Any replies should be made in this topic by clicking the Reply to this topic button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. Please inform me if you need more time.
  • Please stay with me until I have confirmed that you are clean. Absence of symptoms does not mean that the computer is clean.
If you do not agree with any of the above, please let me know so I can have this topic closed.

===

:step1: No antivirus installed

Your logs indicate that there are no antivirus solutions running on your computer. New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Please install an antivirus solution and remember to keep it updated.

I recommend Avast!, BitDefender or Microsoft Security Essentials for free non-commercial everyday use.

If you wish to use a paid-for solution, I recommend Emsisoft Anti-Malware, ESET NOD32 or Kaspersky Anti-Virus.

Note: You should only have one antivirus solution installed at any given time. Having more than one antivirus solution can cause a lot of problems, including system instability and reduced performance.

For additional malware protection I recommend Malwarebytes Anti-Malware (MBAM). Emsisoft Anti-Malware also features anti-malware protection with an excellent track record.

===

:step2: Did you set these group policies yourself?

HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION


===

:step3: VirusTotal file analysis
  • Go to VirusTotal.
  • Click Choose File and navigate to the following file:
    C:\Users\llehman\AppData\Roaming\AufOmxu\WeyInba.dll
  • Press Scan it! and wait for VirusTotal to complete scanning.
  • When VirusTotal has finished scanning, copy and paste the link to the result list into your next reply. You can see the image below as an example of what to copy.
===

:step4: Fix with Farbar Recovery Scan Tool
  • Please download the attached fixlist.txt and save it to your Desktop.
    Note: It's important that both FRST/FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.

Edited by Sintharius, 30 December 2015 - 08:18 PM.
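As an added example, not code from this thread, from FRST or from Malwarebytes, here is a PowerShell check for the two things steps 2 and 3 ask about: it lists the Software Restriction Policy path rules that FRST reports as "HKLM Group Policy restriction on software" (assumed to be stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with the pattern in each rule's ItemData value), and it flags Run-key values that load a DLL through regsvr32 or rundll32 from AppData or Temp, the shape of the WeyInba.dll entry. The function names are my own.

```powershell
# Added example (not part of this thread): defender-side checks for SRP rules
# and for autorun entries that load a DLL from a user-writable folder.
# Assumed registry layout for Software Restriction Policies:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<levelId>\Paths\<GUID>
# where ItemData holds the path pattern and LastModified a FILETIME.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER_LEVELID_* values, which appear as subkey names under CodeIdentifiers
$SaferLevelNames = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

function Get-PropOrNull {
    # Returns a property value, or $null when the registry value is absent.
    param($Object, [string]$Name)
    $p = $Object.PSObject.Properties[$Name]
    if ($null -ne $p) { $p.Value } else { $null }
}

function Get-SrpPathRule {
    # Enumerates SRP path rules so an admin can tell whether the restrictions
    # FRST flagged were set deliberately (e.g. by a hardening tool).
    [CmdletBinding()]
    param([string]$Root = $SaferRoot)

    if (-not (Test-Path -Path $Root)) {
        Write-Verbose "No SRP policy present under $Root"
        return
    }
    foreach ($levelKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $levelId  = $levelKey.PSChildName
        $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props    = Get-ItemProperty -Path $rule.PSPath
            $rawTime  = Get-PropOrNull -Object $props -Name 'LastModified'
            $modified = if ($null -ne $rawTime) { [DateTime]::FromFileTime([int64]$rawTime) } else { $null }
            $level    = if ($SaferLevelNames.ContainsKey($levelId)) { $SaferLevelNames[$levelId] } else { $levelId }
            [pscustomobject]@{
                Level        = $level
                Pattern      = Get-PropOrNull -Object $props -Name 'ItemData'
                Description  = Get-PropOrNull -Object $props -Name 'Description'
                LastModified = $modified
                RuleId       = $rule.PSChildName
            }
        }
    }
}

function Test-SuspiciousAutorunCommand {
    # True when the command loads a DLL via regsvr32/rundll32 from a
    # user-writable profile location (AppData, Temp), as in this thread.
    param([Parameter(Mandatory)][string]$Command)
    $usesDllLoader = $Command -match '(?i)(^|\\|\s)(regsvr32|rundll32)(\.exe)?(\s|$)'
    $userWritable  = $Command -match '(?i)(\\Users\\[^\\]+\\AppData\\|%AppData%|%LocalAppData%|%Temp%|%Tmp%)'
    return ($usesDllLoader -and $userWritable)
}

function Get-AutorunEntry {
    # Reads the Run/RunOnce keys FRST reports as HKLM\...\Run, HKLM-x32\...\Run
    # and HKU\<SID>\...\Run (the current user's HKCU here) and classifies each.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = Test-SuspiciousAutorunCommand -Command $cmd
            }
        }
    }
}

# Constructed sample: the value reported in this thread next to a benign Run
# entry from the same FRST log, to show what the classifier flags.
$samples = @(
    'regsvr32.exe "C:\Users\llehman\AppData\Roaming\AufOmxu\WeyInba.dll',
    'C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe'
)
foreach ($s in $samples) {
    '{0} -> {1}' -f (Test-SuspiciousAutorunCommand -Command $s), $s
}

# Live checks on the machine being examined:
Get-SrpPathRule | Format-Table Level, Pattern, LastModified -AutoSize
Get-AutorunEntry | Where-Object Suspicious | Format-Table Key, Name, Command -AutoSize
```

A rule whose LastModified predates any hardening tool the admin installed, or a flagged Run entry that reappears after deletion, is what to hand to the helper together with the FRST logs.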


#5 Rich Webb
  • Topic Starter
  • Members
  • 13 posts

Posted 30 December 2015 - 08:25 PM

Sintharius,

 

Thank you for getting back to me.  I think that I have resolved the issue myself.  I ran Malwarebytes Anti-Malware and it identified and removed the threat.  This was prior to your response but it looks to have completely removed the infection.  I am now able to open PDFs without the WerFault.exe box coming up.  At this point I am having the computer user monitor the situation and let me know if they are still having any issues.

 

Thank you for taking the time to review the logs. 

Rich



#6 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 31 December 2015 - 09:48 AM

Hello Rich Webb,

Can you post the scan log from MBAM that shows the detection? Logs should be in History -> Application Logs.

Please read my warning and install an AV. They are not perfect, but having one is better than having none at all. 

Also please create a new set of FRST logs for me to see what might be left.

#7 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 02 January 2016 - 10:13 PM

Hi there,

Are you still with me? It has been three days since my last post.

#8 Rich Webb
  • Topic Starter
  • Members
  • 13 posts

Posted 02 January 2016 - 10:40 PM

Here is the FRST Log and attached is the mbam scan log and addition.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-12-2015
Ran by llehman (administrator) on ROCK-PC3 (02-01-2016 22:36:42)
Running from C:\Users\llehman\Downloads
Loaded Profiles: llehman (Available Profiles: Admin & zylatech & llehman)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sanford, L.P.) C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.ClientService.exe
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..ient_4b14c015c87c1ad8_0005.0004_none_7994834f119d462e\ScreenConnect.WindowsClient.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
() C:\Program Files\Hewlett-Packard\HP Wireless Keyboard and Mouse Applet\KBDOSD.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(ScreenConnect Software) C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..ient_4b14c015c87c1ad8_0005.0004_none_7994834f119d462e\ScreenConnect.WindowsClient.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(SHARP CORPORATION) C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe
(SHARP CORPORATION) C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe
(SHARP CORPORATION) C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(SHARP CORPORATION) C:\Program Files (x86)\Sharp\Sharpdesk\Indexer.exe
(SHARP CORPORATION) C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\llehman\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7205592 2013-11-19] (Realtek Semiconductor)
HKLM\...\Run: [HPKBDOSD] => C:\Program Files\Hewlett-Packard\HP Wireless Keyboard and Mouse Applet\KBDOSD.exe [802816 2012-08-14] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-11-10] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SharpTray.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe [131584 2010-03-08] (SHARP CORPORATION)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [FtpServer.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe [819712 2010-02-21] (SHARP CORPORATION)
HKLM-x32\...\Run: [IndexTray.exe] => C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe [395264 2010-03-08] (SHARP CORPORATION)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-08-06] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-12-02]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-12-02]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-12-02]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.64.131
Tcpip\..\Interfaces\{EC4719A9-7679-4AFA-AD88-FCC1691449DA}: [DhcpNameServer] 192.168.64.131
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM14/19
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM14/19
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-20] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-18] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-20] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-18] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll => No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-20] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-20] (Google Inc.)
Handler-x32: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files (x86)\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2015-11-10] (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll [2010-11-20] (Microsoft Corporation)
Handler-x32: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files (x86)\Sharp\Sharpdesk\ExplorerExtensions.dll [2010-03-08] (SHARP CORPORATION)
 
FireFox:
========
FF ProfilePath: C:\Users\llehman\AppData\Roaming\Mozilla\Firefox\Profiles\qegb6cbs.default
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-14] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @dymo.com/DymoLabelFramework -> C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2014-03-20] ( Sanford L.P.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-04-11] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-04-11] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-14] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-14] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Store) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-03]
CHR Extension: (Google Drive) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-28]
CHR Extension: (YouTube) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-12-28]
CHR Extension: (Google Search) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-28]
CHR Extension: (Store) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-14]
CHR Extension: (Gmail) - C:\Users\llehman\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-07]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [33072 2014-03-20] (Sanford, L.P.)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-04-11] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-02] ()
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2015-11-10] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2013-03-11] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-03-11] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-10-16] (Realtek Semiconductor)
R2 ScreenConnect Client (6821ca1d-2d91-49f7-81be-95674510832b); C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.ClientService.exe [35808 2015-12-29] (ScreenConnect Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-03-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-02] (Intel® Corporation)
S2 HPFSService; "C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe" [X]
S2 spsrv; C:\windows\system32\prevhone.exe -k [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [496400 2013-02-26] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28656 2013-05-30] (Intel Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-02] (Malwarebytes)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw02.sys [3584992 2013-08-01] (Intel Corporation)
R3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [424664 2013-08-02] (Realsil Semiconductor Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [30848 2015-12-29] ()
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [206744 2013-06-20] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-02 22:36 - 2016-01-02 22:37 - 00018578 _____ C:\Users\llehman\Downloads\FRST.txt
2016-01-02 22:36 - 2016-01-02 22:36 - 02370560 _____ (Farbar) C:\Users\llehman\Downloads\FRST64 (1).exe
2016-01-02 22:32 - 2016-01-02 22:32 - 00001863 _____ C:\Users\llehman\Desktop\mbamlog-1230.txt
2015-12-30 20:16 - 2015-12-30 20:16 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-12-30 20:16 - 2015-12-30 20:16 - 00002055 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk
2015-12-30 19:49 - 2016-01-02 22:32 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-30 19:48 - 2015-12-30 19:48 - 00001114 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-30 19:48 - 2015-12-30 19:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-30 19:48 - 2015-12-30 19:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-30 19:48 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2015-12-30 19:48 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-12-30 19:48 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
2015-12-30 19:40 - 2015-12-30 19:41 - 22908888 ____N (Malwarebytes ) C:\Users\llehman\Desktop\mbam-setup-2.2.0.1024.exe
2015-12-29 15:24 - 2015-12-29 15:24 - 00000000 ____D C:\Users\llehman\AppData\Roaming\Notepad++
2015-12-29 15:07 - 2015-12-29 15:07 - 00034554 _____ C:\Users\llehman\Desktop\Addition.txt
2015-12-29 15:06 - 2016-01-02 22:36 - 00000000 ____D C:\FRST
2015-12-29 15:06 - 2015-12-29 15:07 - 00037670 _____ C:\Users\llehman\Desktop\FRST.txt
2015-12-29 15:06 - 2015-12-29 15:06 - 02370560 _____ (Farbar) C:\Users\llehman\Downloads\FRST64.exe
2015-12-29 14:14 - 2015-12-29 14:14 - 20835400 _____ C:\Users\llehman\Downloads\RogueKiller.exe
2015-12-29 14:11 - 2015-12-29 14:11 - 00696984 ____N (Sysinternals - www.sysinternals.com) C:\Users\llehman\Desktop\autoruns.exe
2015-12-29 13:48 - 2015-12-29 13:48 - 00027146 _____ C:\ComboFix1.txt
2015-12-29 13:48 - 2015-12-29 13:48 - 00000000 ___SD C:\ComboFix
2015-12-29 13:43 - 2015-12-29 13:43 - 00067040 _____ C:\Users\llehman\Downloads\Elsinore.ScreenConnect.Client (2).exe
2015-12-29 13:41 - 2015-12-29 13:41 - 00067040 _____ C:\Users\llehman\Downloads\Elsinore.ScreenConnect.Client (1).exe
2015-12-29 12:28 - 2015-12-29 12:28 - 00027146 _____ C:\ComboFix.txt
2015-12-29 12:06 - 2015-12-30 20:09 - 00000000 ____D C:\Users\llehman\AppData\Roaming\AufOmxu
2015-12-29 12:05 - 2015-12-29 12:06 - 00208332 _____ C:\TDSSKiller.3.1.0.9_29.12.2015_12.05.27_log.txt
2015-12-29 11:56 - 2015-12-29 11:56 - 00480177 _____ C:\Users\llehman\Downloads\AdobeAcroCleaner_DC2015.zip
2015-12-29 11:22 - 2015-12-30 20:16 - 00003886 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task
2015-12-28 19:36 - 2015-12-28 19:36 - 00042135 _____ C:\Users\llehman\Desktop\test.PDF
2015-12-28 13:20 - 2015-12-30 20:16 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-12-28 13:20 - 2015-12-28 13:20 - 00000000 ____D C:\Users\llehman\AppData\Local\CEF
2015-12-28 12:09 - 2015-12-28 12:10 - 00000000 ____D C:\Users\llehman\AppData\Roaming\Mozilla
2015-12-28 12:09 - 2015-12-28 12:10 - 00000000 ____D C:\Users\llehman\AppData\Local\Mozilla
2015-12-28 10:32 - 2015-12-28 10:33 - 01743360 _____ C:\Users\llehman\Downloads\adwcleaner_5.026.exe
2015-12-28 10:02 - 2015-12-28 10:02 - 00000017 _____ C:\Users\llehman\AppData\Local\resmon.resmoncfg
2015-12-28 09:45 - 2015-12-28 09:45 - 00000000 ____D C:\ProgramData\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54
2015-12-18 11:13 - 2015-12-18 11:13 - 00010421 _____ C:\Users\llehman\Documents\Woody Medical.xlsx
2015-12-14 18:44 - 2015-12-14 18:44 - 00001761 _____ C:\Users\Public\Desktop\iTunes.lnk
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files\iTunes
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files\iPod
2015-12-14 18:44 - 2015-12-14 18:44 - 00000000 ____D C:\Program Files (x86)\iTunes
2015-12-14 08:14 - 2015-11-20 13:54 - 03170304 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 02609152 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00709632 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00192512 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2015-12-14 08:14 - 2015-11-20 13:54 - 00098816 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00091136 _____ (Microsoft Corporation) C:\windows\system32\WinSetupUI.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2015-12-14 08:14 - 2015-11-20 13:54 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
2015-12-14 08:14 - 2015-11-20 13:54 - 00012288 _____ (Microsoft Corporation) C:\windows\system32\wu.upgrade.ps.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00573440 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00174080 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00093696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2015-12-14 08:14 - 2015-11-20 13:34 - 00030208 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll
2015-12-14 08:14 - 2015-11-20 13:33 - 00035328 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2015-12-14 08:14 - 2015-11-11 16:12 - 00387792 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-12-14 08:14 - 2015-11-11 15:52 - 00341192 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-12-14 08:14 - 2015-11-11 13:53 - 01735680 _____ (Microsoft Corporation) C:\windows\system32\comsvcs.dll
2015-12-14 08:14 - 2015-11-11 13:53 - 00525312 _____ (Microsoft Corporation) C:\windows\system32\catsrvut.dll
2015-12-14 08:14 - 2015-11-11 13:39 - 01242624 _____ (Microsoft Corporation) C:\windows\SysWOW64\comsvcs.dll
2015-12-14 08:14 - 2015-11-11 13:39 - 00487936 _____ (Microsoft Corporation) C:\windows\SysWOW64\catsrvut.dll
2015-12-14 08:14 - 2015-11-11 11:21 - 25837568 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-12-14 08:14 - 2015-11-11 11:00 - 12856832 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-12-14 08:14 - 2015-11-11 10:44 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-12-14 08:14 - 2015-11-11 10:44 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-12-14 08:14 - 2015-11-11 10:41 - 20366848 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-12-14 08:14 - 2015-11-11 10:12 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-12-14 08:14 - 2015-11-11 09:57 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01648128 _____ (Microsoft Corporation) C:\windows\system32\DWrite.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01180160 _____ (Microsoft Corporation) C:\windows\system32\FntCache.dll
2015-12-14 08:14 - 2015-11-10 13:55 - 01008640 _____ (Microsoft Corporation) C:\windows\system32\user32.dll
2015-12-14 08:14 - 2015-11-10 13:39 - 01251328 _____ (Microsoft Corporation) C:\windows\SysWOW64\DWrite.dll
2015-12-14 08:14 - 2015-11-10 13:37 - 00833024 _____ (Microsoft Corporation) C:\windows\SysWOW64\user32.dll
2015-12-14 08:14 - 2015-11-10 12:47 - 03211264 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2015-12-14 08:14 - 2015-11-09 19:24 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-12-14 08:14 - 2015-11-09 19:13 - 00496640 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-12-14 08:14 - 2015-11-09 19:13 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-12-14 08:14 - 2015-11-09 19:12 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2015-12-14 08:14 - 2015-11-09 19:12 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-12-14 08:14 - 2015-11-09 19:11 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-12-14 08:14 - 2015-11-09 19:08 - 02280448 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-12-14 08:14 - 2015-11-09 19:06 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-12-14 08:14 - 2015-11-09 19:06 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-12-14 08:14 - 2015-11-09 19:04 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-12-14 08:14 - 2015-11-09 19:03 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-12-14 08:14 - 2015-11-09 19:02 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2015-12-14 08:14 - 2015-11-09 19:02 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-12-14 08:14 - 2015-11-09 18:50 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-12-14 08:14 - 2015-11-09 18:47 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-12-14 08:14 - 2015-11-09 18:46 - 04514816 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-12-14 08:14 - 2015-11-09 18:44 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2015-12-14 08:14 - 2015-11-09 18:37 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2015-12-14 08:14 - 2015-11-09 18:36 - 02050560 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-12-14 08:14 - 2015-11-09 18:36 - 00687104 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-12-14 08:14 - 2015-11-09 18:35 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-12-14 08:14 - 2015-11-09 18:17 - 02011136 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-12-14 08:14 - 2015-11-09 18:14 - 01311744 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-12-14 08:14 - 2015-11-09 18:12 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-12-14 08:14 - 2015-11-08 17:33 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-12-14 08:14 - 2015-11-08 17:32 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-12-14 08:14 - 2015-11-08 17:16 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 02887168 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 00571392 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-12-14 08:14 - 2015-11-08 17:15 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2015-12-14 08:14 - 2015-11-08 17:15 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-12-14 08:14 - 2015-11-08 17:14 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-12-14 08:14 - 2015-11-08 17:07 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-12-14 08:14 - 2015-11-08 17:06 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-12-14 08:14 - 2015-11-08 17:04 - 05923840 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-12-14 08:14 - 2015-11-08 17:02 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-12-14 08:14 - 2015-11-08 17:01 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-12-14 08:14 - 2015-11-08 17:01 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-12-14 08:14 - 2015-11-08 16:52 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-12-14 08:14 - 2015-11-08 16:48 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-12-14 08:14 - 2015-11-08 16:40 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-12-14 08:14 - 2015-11-08 16:35 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-12-14 08:14 - 2015-11-08 16:32 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-12-14 08:14 - 2015-11-08 16:29 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2015-12-14 08:14 - 2015-11-08 16:18 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2015-12-14 08:14 - 2015-11-08 16:15 - 00798208 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-12-14 08:14 - 2015-11-08 16:15 - 00718336 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-12-14 08:14 - 2015-11-08 16:14 - 14456832 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-12-14 08:14 - 2015-11-08 16:14 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-12-14 08:14 - 2015-11-08 16:13 - 02123264 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-12-14 08:14 - 2015-11-08 15:53 - 02487808 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-12-14 08:14 - 2015-11-08 15:41 - 01546752 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-12-14 08:14 - 2015-11-08 15:30 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-12-14 08:14 - 2015-11-05 14:05 - 00017408 _____ (Microsoft Corporation) C:\windows\system32\wshrm.dll
2015-12-14 08:14 - 2015-11-05 14:02 - 00014848 _____ (Microsoft Corporation) C:\windows\SysWOW64\wshrm.dll
2015-12-14 08:14 - 2015-11-05 04:53 - 00146944 _____ (Microsoft Corporation) C:\windows\system32\Drivers\rmcast.sys
2015-12-14 08:14 - 2015-11-03 14:04 - 00802304 _____ (Microsoft Corporation) C:\windows\system32\usp10.dll
2015-12-14 08:14 - 2015-11-03 14:04 - 00241664 _____ (Microsoft Corporation) C:\windows\system32\els.dll
2015-12-14 08:14 - 2015-11-03 13:56 - 00627712 _____ (Microsoft Corporation) C:\windows\SysWOW64\usp10.dll
2015-12-14 08:14 - 2015-11-03 13:55 - 00179712 _____ (Microsoft Corporation) C:\windows\SysWOW64\els.dll
2015-12-03 11:39 - 2015-12-03 11:39 - 57780336 _____ C:\Users\llehman\Documents\GLRockford120320152.zip
2015-12-03 11:37 - 2015-12-03 11:37 - 57785169 _____ C:\Users\llehman\Documents\GLRockford12032015.zip
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-02 22:36 - 2015-03-27 07:13 - 00000000 ____D C:\Users\llehman\AppData\Local\CrashDumps
2016-01-02 22:30 - 2014-04-21 10:21 - 00000128 _____ C:\windows\system32\config\netlogon.ftl
2015-12-30 20:17 - 2014-08-14 14:59 - 00000000 ____D C:\Users\llehman\AppData\Local\Adobe
2015-12-30 20:17 - 2009-07-13 23:45 - 00016976 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-30 20:17 - 2009-07-13 23:45 - 00016976 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-30 20:14 - 2009-07-14 00:13 - 00785858 _____ C:\windows\system32\PerfStringBackup.INI
2015-12-30 20:14 - 2009-07-13 22:20 - 00000000 ____D C:\windows\inf
2015-12-30 20:09 - 2009-07-14 00:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-12-30 20:09 - 2009-07-13 23:45 - 00439104 _____ C:\windows\system32\FNTCACHE.DAT
2015-12-30 20:09 - 2009-07-13 22:20 - 00000000 ____D C:\windows\system
2015-12-30 16:31 - 2015-06-22 13:57 - 00095232 _____ C:\Users\llehman\Documents\Budget 2015.xls
2015-12-30 12:29 - 2014-04-22 08:21 - 00121624 _____ C:\Users\llehman\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-30 12:28 - 2014-04-22 08:56 - 00000000 ____D C:\Users\Public\Desktop\Equalizer .Net Applications
2015-12-30 12:28 - 2014-04-22 08:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Equalizer .Net Applications
2015-12-30 12:28 - 2014-04-22 08:56 - 00000000 ____D C:\ProgramData\BS&A Software
2015-12-29 15:07 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-29 14:47 - 2015-03-09 11:51 - 00000000 ____D C:\ProgramData\RogueKiller
2015-12-29 14:15 - 2015-03-09 11:51 - 00030848 _____ C:\windows\system32\Drivers\TrueSight.sys
2015-12-29 14:04 - 2014-08-19 11:46 - 00000000 ____D C:\Users\llehman\AppData\Local\Deployment
2015-12-29 13:56 - 2014-08-19 11:46 - 00000000 ____D C:\Users\llehman\AppData\Local\Apps\2.0
2015-12-29 13:48 - 2015-03-09 11:58 - 00000000 ____D C:\Qoobox
2015-12-29 12:22 - 2009-07-13 21:34 - 00000215 _____ C:\windows\system.ini
2015-12-29 11:56 - 2015-07-10 05:57 - 02244280 _____ C:\Users\llehman\Desktop\AdobeAcroCleaner_DC2015.exe
2015-12-29 11:10 - 2015-03-10 08:12 - 00000564 _____ C:\Users\llehman\Desktop\JRT.txt
2015-12-29 10:54 - 2009-07-14 00:08 - 00032556 _____ C:\windows\Tasks\SCHEDLGU.TXT
2015-12-29 08:21 - 2014-04-22 10:15 - 00796864 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-12-29 08:21 - 2014-04-22 10:15 - 00142528 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-28 13:17 - 2014-04-21 08:57 - 00000000 ____D C:\ProgramData\Adobe
2015-12-28 10:44 - 2015-03-09 11:55 - 00000000 ____D C:\AdwCleaner
2015-12-28 10:31 - 2014-10-14 13:55 - 00000000 ____D C:\Users\llehman\AppData\Roaming\Apple Computer
2015-12-28 10:31 - 2014-10-14 13:54 - 00000000 ____D C:\Program Files\Common Files\Apple
2015-12-28 10:31 - 2014-06-13 13:33 - 00000000 ____D C:\Users\llehman\AppData\Local\ElevatedDiagnostics
2015-12-28 10:20 - 2014-10-16 09:16 - 00000000 ____D C:\Users\llehman\AppData\Local\0C6951B0-52C6-42D7-A67E-DA6AC2AAC3FD.aplzod
2015-12-28 08:27 - 2014-04-22 08:21 - 00000000 ____D C:\Users\llehman\AppData\Local\Greenshot
2015-12-23 10:25 - 2014-04-22 09:06 - 00000000 ____D C:\Users\llehman\Documents\Sharpdesk Desktop
2015-12-15 12:40 - 2009-07-13 22:20 - 00000000 ____D C:\windows\rescache
2015-12-14 18:58 - 2014-04-21 08:58 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-14 18:57 - 2014-04-21 09:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-12-14 18:57 - 2014-04-21 09:37 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-12-14 18:57 - 2014-04-21 09:37 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-12-14 18:56 - 2014-04-21 08:42 - 00000000 ____D C:\windows\system32\MRT
2015-12-14 18:52 - 2014-04-21 08:42 - 140158008 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2014-04-22 10:57 - 2014-04-22 10:59 - 0044086 __RSH () C:\Program Files (x86)\DLS8Uninstall.log
2015-12-28 10:02 - 2015-12-28 10:02 - 0000017 _____ () C:\Users\llehman\AppData\Local\resmon.resmoncfg
2015-06-06 09:20 - 2015-06-06 09:20 - 0507352 _____ (ForensiT Limited) C:\ProgramData\UserProfileMigrationService.exe
 
Files to move or delete:
====================
C:\ProgramData\UserProfileMigrationService.exe
 
 
Some files in TEMP:
====================
C:\Users\llehman\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-30 00:41
 
==================== End of FRST.txt ============================
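An added example, not part of this thread and not FRST's own code: the Services and Drivers lines in the log above all follow one line format, so the Python below parses that format and applies the checks a malware-response helper otherwise does by eye: an image file that is no longer on disk (`[X]`), an unsigned image (`[File not signed]`), empty vendor parentheses, an image or argument living under a user's AppData, and a signed system loader such as regsvr32.exe or rundll32.exe registered as the image. The sample lines are copied verbatim from the log above; the finding codes, the loader list and the heuristics are this example's own choices, not FRST's.

```python
"""Triage FRST service/driver lines for the red flags an analyst otherwise checks by eye."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One entry as FRST prints it in its Services/Drivers sections:
#   <status><start> <name>; <image [args]> [<size> <yyyy-mm-dd>] (<vendor>) [File not signed]
#   <status><start> <name>; <image [args]> [X]            <- the image file is no longer on disk
# status is FRST's first column (R running, S stopped); the digit is the Windows service start type.
ENTRY_RE = re.compile(r"^(?P<status>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<rest>.+)$")
META_RE = re.compile(r"\s\[(?:(?P<size>\d+)\s(?P<date>\d{4}-\d{2}-\d{2})|(?P<missing>X))\]")
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
VENDOR_RE = re.compile(r"\((?P<vendor>[^)]*)\)")
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Signed Microsoft binaries routinely used to run someone else's DLL or script (assumed list).
LOADERS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Finding codes are this example's own vocabulary, not FRST's.
FINDINGS = {
    "missing-image": "[X]: image is gone; remove the registration so that a file dropped back at "
                     "that path is not started with service privileges",
    "unsigned": "[File not signed]: image is not Authenticode-signed",
    "no-vendor": "(): image carries no vendor/version resource",
    "user-profile-path": "image or argument lives under a user profile (AppData), writable without admin rights",
    "loader": "signed system loader used as the image; the payload is whatever its argument points at",
}

@dataclass
class Entry:
    name: str
    status: str
    start_type: int
    image: str
    args: str
    date: Optional[str]     # file date FRST printed; None when the file is missing
    vendor: Optional[str]   # None: no vendor block printed; "": FRST printed "()"
    missing: bool
    unsigned: bool

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one FRST service/driver line; None for headers, blanks and other line formats."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    meta = META_RE.search(rest)
    if not meta:
        return None
    command, tail = rest[: meta.start()].strip(), rest[meta.end():]
    img = IMAGE_RE.match(command)
    vendor = VENDOR_RE.search(tail)
    return Entry(
        name=m.group("name").strip(),
        status=m.group("status"),
        start_type=int(m.group("start")),
        image=img.group("path") if img else command,
        args=(img.group("args") or "").strip() if img else "",
        date=meta.group("date"),
        vendor=vendor.group("vendor").strip() if vendor else None,
        missing=meta.group("missing") is not None,
        unsigned="[File not signed]" in tail,
    )

def triage(entry: Entry) -> List[str]:
    """Finding codes that apply to one entry; an empty list means nothing to look at."""
    checks = [
        ("missing-image", entry.missing),
        ("unsigned", entry.unsigned),
        ("no-vendor", entry.vendor == ""),
        ("user-profile-path", USER_PROFILE_RE.search(f"{entry.image} {entry.args}") is not None),
        ("loader", entry.image.rsplit("\\", 1)[-1].lower() in LOADERS),
    ]
    return [code for code, hit in checks if hit]

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map entry name -> finding codes for every parseable line that raised at least one flag."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and (codes := triage(entry)):
            report[entry.name] = codes
    return report

# Sample input: lines copied verbatim from the Services and Drivers sections of the log above.
SAMPLE_LOG = r"""
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-03-11] (Intuit Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-10-16] (Realtek Semiconductor)
R2 ScreenConnect Client (6821ca1d-2d91-49f7-81be-95674510832b); C:\Users\llehman\AppData\Local\Apps\2.0\WYN5OOH4.VRE\VZMXT0L9.HP7\scre..tion_d291612c4dce6913_0005.0004_4e170dada201aa54\ScreenConnect.ClientService.exe [35808 2015-12-29] (ScreenConnect Software)
S2 HPFSService; "C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe" [X]
S2 spsrv; C:\windows\system32\prevhone.exe -k [X]
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [30848 2015-12-29] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

if __name__ == "__main__":
    for name, codes in triage_log(SAMPLE_LOG).items():
        print(name, "->", "; ".join(FINDINGS[c] for c in codes))
```

The output is a list of leads, not verdicts: ScreenConnect is the remote-support client the poster was using, catchme.sys belongs to the ComboFix run (it lives under C:\ComboFix), and TrueSight.sys carries the same 2015-12-29 date as the RogueKiller download in the same log. What remains, the stopped spsrv service whose prevhone.exe is gone, is exactly the entry the fixlist in the next reply removes. On a live case, pass the whole FRST.txt to triage_log(); every line that is not a service or driver entry is skipped.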
 
 




#9 thcbytes

  • Malware Response Team

Posted 03 January 2016 - 11:48 AM

Hi Rich Webb,

Sintharius is unavailable right now. She will be back soon. I will help you in the meantime. :)

Please do this next...

FRST fix:
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
start
CloseProcesses:
S2 spsrv; C:\windows\system32\prevhone.exe -k [X]
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1740059776-4217202778-4225504728-1134\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
C:\Users\llehman\AppData\Roaming\AufOmxu
EmptyTemp:
end
  • Save the file to your desktop and name it as fixlist.txt
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
Please copy and paste the log in your next reply.

<<<<<<<<<<

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
How is your computer running now? Any further questions or concerns?

Regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 Sintharius

Posted 07 January 2016 - 07:07 AM

Hi there,

Are you still with me? It has been three days since my last post.

#11 Rich Webb

Posted 07 January 2016 - 05:07 PM

The end user of the system says that the problem has gone away. They don't want to troubleshoot any further. Thank you for the help though!

This one can be closed.

-Rich



#12 Sintharius

Posted 08 January 2016 - 01:42 PM

Hello Rich Webb,

In my experience there might be a chance that the computer is not entirely clean, but if the user wishes to stop troubleshooting then I will oblige.

Below is some information that your client can find useful in preventing future infections.

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Please reply to this thread one more time so it can be closed. It has been a pleasure to help. 

#13 Rich Webb

Posted 08 January 2016 - 05:49 PM

I agree with you completely. Thank you for your help - you can close this thread.

Rich



#14 thcbytes

Posted 08 January 2016 - 07:05 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.