Quirky network behavior, programs don't always load properly


  • This topic is locked
8 replies to this topic

#1 katzendreckt

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:13 AM

Posted 08 September 2016 - 08:49 PM

I have been experiencing some very strange network behavior on my main computer recently, but not on any others on my network. For instance, my network icon will show an exclamation point and say 'disconnected', when physically the cable has not left either the router or my computer. I'll be browsing and suddenly internet will cut out, but it works on all the other machines on my network.


I realized I had not been using any antivirus software, so I am pretty confident my system is infected with some sort of trojan. I started using Webroot software, but it didn't find anything.


I ran defogger and FRST, logs attached.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by profilenew (administrator) on DIONYSUS (08-09-2016 21:21:31)
Running from C:\Users\profilenew\Downloads
Loaded Profiles: bhodges (Available Profiles: bhodges & profilenew)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(CoralTree, Inc.) C:\Users\profilenew\AppData\Local\Apps\2.0\WKLA8K2K.PZ8\C8TV60QM.Q46\qbox..tion_c7c5fb3875c039a3_0004.0000_13b33b749e48836c\QBoxClient.exe
(CounterPath) C:\Program Files (x86)\CounterPath\Bria 4\Bria4.exe
(The CefSharp Authors) C:\Program Files (x86)\CounterPath\Bria 4\CefSharp.BrowserSubprocess.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Avid Technology, Inc.) C:\Windows\SysWOW64\MAFWTray.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
(Microsoft Corporation) C:\Windows\System32\wiawow64.exe
(Canon INC.) C:\Program Files (x86)\Canon\EOS Utility\EOS Utility.exe
(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneVideo_3.6.23941.0_x64__8wekyb3d8bbwe\Video.UI.exe
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2014\QBW32.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgr.exe
(Intuit Inc. All rights reserved.) C:\Users\profilenew\AppData\Local\Intuit\SyncManager\Current\IntuitSyncManager.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_22_0_0_209.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe
(Deluge Team) C:\Program Files (x86)\Deluge\deluge.exe
(Pushbullet Inc) C:\Users\profilenew\AppData\Local\Pushbullet\bin\pushbullet_client.exe
(LogMeIn, Inc.) C:\Users\profilenew\AppData\Local\LogMeIn Client\LMIIgnition.exe
(LogMeIn, Inc.) C:\Users\profilenew\AppData\Local\LogMeIn Client\LMIGuardianSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
() C:\Users\profilenew\Downloads\Defogger.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [322472 2015-06-23] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040792 2015-07-15] (Realtek Semiconductor)
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [528384 2015-11-10] (Greenshot)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-22] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\nvspcap64.dll [1859936 2016-01-22] (NVIDIA Corporation)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [25197248 2016-08-30] (Dropbox, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3499896 2014-05-08] (Adobe Systems Inc.)
HKLM-x32\...\Run: [M-Audio Taskbar Icon] => C:\Windows\SysWOW64\MAFWTray.exe [252424 2009-07-29] (Avid Technology, Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-11-03] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-08-28] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [937520 2016-08-24] (Webroot)
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2857248 2016-08-23] (Valve Corporation)
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29544576 2016-08-17] (Skype Technologies S.A.)
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [Pushbullet] => "" -show false
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [465920 2016-06-30] (Microsoft Corporation)
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [Qbox Client] => C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CoralTree, Inc.\Qbox Client.appref-ms
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\Run: [Bria 4] => C:\Program Files (x86)\CounterPath\Bria 4\Bria4.exe [4734344 2016-07-11] (CounterPath)
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.5892.0626] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.5892.0626"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6281.1202] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6281.1202"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6302.0225] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6302.0225"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6386.0412] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6386.0412"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\RunOnce: [Uninstall C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6390.0509] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\profilenew\AppData\Local\Microsoft\OneDrive\17.3.6390.0509"
HKU\S-1-5-21-3499336029-3320506896-2359871584-1001\...\MountPoints2: {f59bfac6-b9c3-11e5-bb79-bc5ff4bcbaf9} - "K:\SETUP.EXE" 
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt9] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt9] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.42.dll [2016-08-30] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Conversion to PDF with ScanSnap Organizer.lnk [2016-02-22]
ShortcutTarget: Conversion to PDF with ScanSnap Organizer.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2016-01-13]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-01-13]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2016-01-13]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2016-01-13]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2016-01-13]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk [2016-01-13]
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EOS Utility.lnk [2016-02-27]
ShortcutTarget: EOS Utility.lnk -> C:\Program Files (x86)\Canon\EOS Utility\EOS Utility.exe (Canon INC.)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2016-01-15]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-07-27]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EOS Utility.lnk [2016-02-27]
ShortcutTarget: EOS Utility.lnk -> C:\Program Files (x86)\Canon\EOS Utility\EOS Utility.exe (Canon INC.)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2016-01-15]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-07-27]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.5 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{52C2C3AE-FDC1-4762-AE87-8EA7AAC8DA2B}: [DhcpNameServer] 10.0.10.50
Tcpip\..\Interfaces\{ac672949-ba97-4bb4-83b6-86a03c2da993}: [DhcpNameServer] 192.168.1.5 8.8.8.8 8.8.4.4
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-13] (LastPass)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office16\GROOVEEX.DLL [2016-07-13] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2016-07-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-07-20] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2016-06-01] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-13] (LastPass)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office16\GROOVEEX.DLL [2016-07-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-20] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-13] (LastPass)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-13] (LastPass)
Handler-x32: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files (x86)\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2016-05-08] (Intuit, Inc.)
Handler-x32: mso-minsb.16 - {3459B272-CC19-4448-86C9-DDC3B4B2FAD3} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-07-12] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\Office16\MSOSB.DLL [2016-07-12] (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll [2015-10-30] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default
FF DefaultSearchEngine.US: Google
FF Homepage: hxxp://www.netvibes.com/privatepage/1#asdf
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-13] ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-13] (LastPass)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-16] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-29] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-13] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @IPCWebComponents -> C:\Program Files (x86)\IPCWebComponents\npIPCReg.dll [2014-04-07] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-20] (Oracle Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-13] (LastPass)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-19] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office16\NPSPWRAP.DLL [2015-07-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-01-22] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-01-22] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-29] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3499336029-3320506896-2359871584-1001: @citrixonline.com/appdetectorplugin -> C:\Users\profilenew\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-02-12] (Citrix Online)
FF Plugin HKU\S-1-5-21-3499336029-3320506896-2359871584-1001: www.mydlink.com/Uplayer -> C:\Users\profilenew\AppData\Roaming\D-Link\mydlink services plugin\1.0.2.7\npUplayer.dll [2015-12-11] (D-Link Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-07-19] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-05-08] (Adobe Systems Inc.)
FF Extension: (Fox To Phone) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\sendtophone@martinezdelizarrondo.com.xpi [2016-01-13]
FF Extension: (FoxReplace) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\fox@replace.fx.xpi [2016-01-13]
FF Extension: (Update Scanner) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\{c07d1a49-9894-49ff-a594-38960ede8fb9}.xpi [2016-03-11]
FF Extension: (DOM Inspector) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\inspector@mozilla.org [2016-04-28]
FF Extension: (Find and Replace for FireFox) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\findandreplace@notreal.org.xpi [2016-04-28]
FF Extension: (Add to Amazon Wish List Button) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\amznUWL2@amazon.com.xpi [2016-06-14]
FF Extension: (PixelZoomer) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\pixelzoomer@matthiasschuetz.com.xpi [2016-08-01]
FF Extension: (LastPass) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\support@lastpass.com [2016-08-16]
FF Extension: (Web Developer) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi [2016-08-19]
FF Extension: (Firefox Hotfix) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-08]
FF Extension: (Privacy Badger) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-08-11]
FF Extension: (Reddit Enhancement Suite) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2016-09-06]
FF Extension: (Buffer) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\jid1-zUyU7TGKwejAyA@jetpack.xpi [2016-07-21]
FF Extension: (KeeFox) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\keefox@chris.tomlinson [2016-08-18]
FF Extension: (SimpleWebCapture) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\SimpleWebCapture@ewgenij-starostin.name.xpi [2016-04-28]
FF Extension: (Session Manager) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2016-08-01]
FF Extension: (Adblock Plus) - C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-29]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-01-13] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-28]
CHR Extension: (Google Drive) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-28]
CHR Extension: (YouTube) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-28]
CHR Extension: (Google Search) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-28]
CHR Extension: (Adobe Acrobat) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2016-01-28]
CHR Extension: (Google Sheets) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-24]
CHR Extension: (Google Docs Offline) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2016-09-06]
CHR Extension: (mydlink services plugin) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ldibdoepbjbkkcbgndfljnphngpglhbb [2016-04-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
CHR Extension: (Gmail) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-28]
CHR Extension: (Chrome Media Router) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-06]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2014-05-08]
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-13] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-13] (Dropbox, Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-22] (NVIDIA Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [18856 2015-06-23] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [374360 2016-05-27] (Intel Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-22] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-22] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-22] (NVIDIA Corporation)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2016-05-08] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-12-02] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7534864 2016-08-25] (TeamViewer GmbH)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [511488 2015-10-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-07-01] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [937520 2016-08-24] (Webroot)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AsrVDrive; C:\Windows\system32\DRIVERS\AsrVDrive.sys [24400 2015-02-04] (ASRock Inc.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [130688 2016-07-22] (Samsung Electronics Co., Ltd.)
R3 e1dexpress; C:\Windows\system32\DRIVERS\e1d65x64.sys [530416 2015-06-19] (Intel Corporation)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [16776 2010-07-15] () [File not signed]
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [14216 2010-07-15] () [File not signed]
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [9096 2010-07-15] () [File not signed]
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [8456 2010-07-15] () [File not signed]
R3 GrdKey; C:\Windows\system32\DRIVERS\grdkey.sys [927744 2010-11-16] (Aktiv Co.)
R1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO64A.SYS [27552 2016-07-27] (REALiX™)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [47008 2013-07-31] ()
S3 MAFW; C:\Windows\system32\DRIVERS\mafw.sys [231944 2009-07-29] (Avid Technology, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-22] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [139088 2016-09-08] (Webroot)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-08 21:21 - 2016-09-08 21:21 - 00037215 _____ C:\Users\profilenew\Downloads\FRST.txt
2016-09-08 21:21 - 2016-09-08 21:21 - 00000000 ____D C:\FRST
2016-09-08 21:20 - 2016-09-08 21:20 - 02397696 _____ (Farbar) C:\Users\profilenew\Downloads\FRST64.exe
2016-09-08 21:20 - 2016-09-08 21:20 - 00050477 _____ C:\Users\profilenew\Downloads\Defogger.exe
2016-09-08 21:20 - 2016-09-08 21:20 - 00000000 _____ C:\Users\profilenew\defogger_reenable
2016-09-08 02:33 - 2016-09-08 02:38 - 1510718329 _____ C:\Users\profilenew\dpg.16.05.28.aria.alexander.flesh.house.of.hedonism.episode.4.mp4
2016-09-08 02:30 - 2016-09-08 02:33 - 916963472 _____ C:\Users\profilenew\tatlov-mywifeisawhore.mp4
2016-09-08 02:27 - 2016-09-08 14:26 - 4083918673 _____ C:\Users\profilenew\sts.16.08.27.jamie.marleigh.mixed.race.hottie.thick.booty.mp4
2016-09-08 02:27 - 2016-09-08 02:46 - 4182344994 _____ C:\Users\profilenew\iktg.16.04.03.gina.valentina.dirty-talking.girlfriend.rides.cock.mp4
2016-09-08 02:27 - 2016-09-08 02:30 - 1566867421 _____ C:\Users\profilenew\passion-hd.16.08.27.peyton.coast.and.lucy.doll.best.friend.threesome.mp4
2016-09-06 17:50 - 2016-09-06 17:50 - 00085380 _____ C:\Users\profilenew\Downloads\bluescreenview-x64.zip
2016-09-06 17:45 - 2016-09-06 17:45 - 03480040 _____ (McAfee, Inc.) C:\Users\profilenew\Downloads\MCPR.exe
2016-09-06 01:46 - 2016-09-06 01:46 - 00000218 _____ C:\Users\profilenew\AppData\Local\recently-used.xbel
2016-09-05 02:51 - 2016-09-05 03:26 - 4182344994 _____ C:\Users\profilenew\Downloads\iktg.16.04.03.gina.valentina.dirty-talking.girlfriend.rides.cock.mp4
2016-09-05 02:49 - 2016-09-05 03:51 - 4083918673 _____ C:\Users\profilenew\Downloads\sts.16.08.27.jamie.marleigh.mixed.race.hottie.thick.booty.mp4
2016-09-05 02:44 - 2016-09-05 03:13 - 1510718329 _____ C:\Users\profilenew\Downloads\dpg.16.05.28.aria.alexander.flesh.house.of.hedonism.episode.4.mp4
2016-09-05 02:44 - 2016-09-05 02:47 - 1566867421 _____ C:\Users\profilenew\Downloads\passion-hd.16.08.27.peyton.coast.and.lucy.doll.best.friend.threesome.mp4
2016-09-02 18:00 - 2016-09-02 18:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-09-01 01:30 - 2016-09-01 01:30 - 00003584 _____ C:\Users\profilenew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-08-31 01:47 - 2016-08-31 01:47 - 00000000 ___HD C:\Windows\system32\CanonIJ Uninstaller Information
2016-08-31 01:47 - 2016-08-31 01:47 - 00000000 ___HD C:\ProgramData\CanonBJ
2016-08-31 01:47 - 2016-08-31 01:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon iP2700 series
2016-08-31 01:47 - 2012-03-14 05:00 - 00385024 _____ (CANON INC.) C:\Windows\system32\CNMLMA4.DLL
2016-08-31 01:47 - 2009-09-10 09:00 - 00245760 _____ (CANON INC.) C:\Windows\system32\CNMIUA4.DLL
2016-08-31 01:46 - 2016-08-31 01:46 - 17108560 _____ C:\Users\profilenew\Downloads\pd68-win-ip2700-2_56a-ea24.exe
2016-08-31 01:46 - 2016-08-31 01:46 - 00000000 ___HD C:\Program Files\CanonBJ
2016-08-28 14:13 - 2016-08-28 14:13 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\MK10
2016-08-25 03:42 - 2016-08-25 03:42 - 03150168 _____ C:\Users\profilenew\Downloads\OutlookPH_EAST080.exe
2016-08-25 03:11 - 2016-09-02 06:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-08-23 22:46 - 2016-08-23 22:46 - 00047317 _____ C:\Users\profilenew\Downloads\invoice_7595_from_Bell Roofing.pdf
2016-08-22 20:09 - 2016-08-22 20:09 - 00003358 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task
2016-08-22 05:25 - 2016-08-22 05:25 - 00000000 ____D C:\ds
2016-08-22 03:25 - 2016-08-21 22:25 - 00001303 ____H C:\Windows\EPMBatch.bak
2016-08-21 22:20 - 2016-08-21 22:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EASEUS Partition Master 7.1.1 Server Edition
2016-08-21 22:20 - 2016-08-21 22:20 - 00000000 ____D C:\Program Files (x86)\EASEUS
2016-08-21 22:20 - 2011-03-03 22:09 - 02913920 _____ C:\Windows\system32\BootMan.exe
2016-08-21 22:20 - 2011-03-03 22:09 - 02336384 _____ C:\Windows\SysWOW64\BootMan.exe
2016-08-21 22:20 - 2010-07-15 08:44 - 00100232 _____ C:\Windows\system32\setupempdrvx64.exe
2016-08-21 22:20 - 2010-07-15 08:44 - 00086408 _____ C:\Windows\SysWOW64\setupempdrv03.exe
2016-08-21 22:20 - 2010-07-15 08:44 - 00016776 _____ C:\Windows\system32\epmntdrv.sys
2016-08-21 22:20 - 2010-07-15 08:44 - 00014848 _____ C:\Windows\SysWOW64\EuEpmGdi.dll
2016-08-21 22:20 - 2010-07-15 08:44 - 00014216 _____ C:\Windows\SysWOW64\epmntdrv.sys
2016-08-21 22:20 - 2010-07-15 08:44 - 00011264 _____ C:\Windows\system32\EuEpmGdi.dll
2016-08-21 22:20 - 2010-07-15 08:44 - 00009096 _____ C:\Windows\system32\EuGdiDrv.sys
2016-08-21 22:20 - 2010-07-15 08:44 - 00008456 _____ C:\Windows\SysWOW64\EuGdiDrv.sys
2016-08-20 19:14 - 2016-08-20 19:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinMerge
2016-08-20 19:14 - 2016-08-20 19:14 - 00000000 ____D C:\Program Files (x86)\WinMerge
2016-08-20 03:50 - 2016-08-20 03:50 - 06647784 _____ (Tim Kosse) C:\Users\profilenew\Downloads\FileZilla_3.20.1_win64-setup.exe
2016-08-19 01:53 - 2016-08-19 01:53 - 02431274 _____ C:\Users\profilenew\Downloads\jsettlers-1.1.19-full.tar.gz
2016-08-19 01:53 - 2016-08-19 01:53 - 00000000 ____D C:\Users\profilenew\Downloads\jsettlers-1.1.19-full.tar
2016-08-15 01:25 - 2016-08-15 01:25 - 33324178 _____ C:\Users\profilenew\Downloads\pm001220.jp2
2016-08-09 22:48 - 2016-09-06 18:32 - 00000180 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-08-09 22:48 - 2016-08-09 22:48 - 00000000 ____D C:\Program Files (x86)\Intel
2016-08-09 22:48 - 2016-08-09 22:48 - 00000000 _____ C:\Windows\system32\GfxValDisplayLog.bin
2016-08-09 16:58 - 2016-08-03 06:23 - 00693600 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupEngine.dll
2016-08-09 16:58 - 2016-08-03 06:22 - 00808288 _____ (Microsoft Corporation) C:\Windows\system32\WWAHost.exe
2016-08-09 16:58 - 2016-08-03 06:21 - 00566112 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncHost.exe
2016-08-09 16:58 - 2016-08-03 06:19 - 00604928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-08-09 16:58 - 2016-08-03 06:19 - 00161632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-09 16:58 - 2016-08-03 05:51 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2016-08-09 16:58 - 2016-08-03 05:44 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\MusNotification.exe
2016-08-09 16:58 - 2016-08-03 05:44 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\musdialoghandlers.dll
2016-08-09 16:58 - 2016-08-03 05:43 - 16985088 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.dll
2016-08-09 16:58 - 2016-08-03 05:40 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\MusNotificationUx.exe
2016-08-09 16:58 - 2016-08-03 05:40 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\TpmTasks.dll
2016-08-09 16:58 - 2016-08-03 05:38 - 00379392 _____ (Microsoft Corporation) C:\Windows\system32\usocore.dll
2016-08-09 16:58 - 2016-08-03 05:36 - 00211456 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupSvc.dll
2016-08-09 16:58 - 2016-08-03 05:31 - 00247296 _____ (Microsoft Corporation) C:\Windows\system32\wevtutil.exe
2016-08-09 16:58 - 2016-08-03 05:30 - 00515072 _____ (Microsoft Corporation) C:\Windows\system32\OneDriveSettingSyncProvider.dll
2016-08-09 16:58 - 2016-08-03 05:29 - 14252544 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2016-08-09 16:58 - 2016-08-03 05:27 - 07536640 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2016-08-09 16:58 - 2016-08-03 05:18 - 06974464 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2016-08-09 16:58 - 2016-08-03 05:18 - 01388032 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-09 16:58 - 2016-08-03 05:16 - 05123072 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2016-08-09 16:58 - 2016-08-03 05:16 - 03589120 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2016-08-09 16:58 - 2016-08-03 05:14 - 01997824 _____ (Microsoft Corporation) C:\Windows\system32\ActiveSyncProvider.dll
2016-08-09 16:58 - 2016-08-03 05:11 - 04171264 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2016-08-09 16:58 - 2016-08-03 01:52 - 00034088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wldp.dll
2016-08-09 16:58 - 2016-08-03 01:34 - 00501592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupEngine.dll
2016-08-09 16:58 - 2016-08-03 01:34 - 00084832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupApi.dll
2016-08-09 16:58 - 2016-08-03 01:33 - 00051128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SensorsNativeApi.dll
2016-08-09 16:58 - 2016-08-03 01:31 - 02921368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-08-09 16:58 - 2016-08-03 01:31 - 00703840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
2016-08-09 16:58 - 2016-08-03 00:44 - 00048640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.StateRepositoryClient.dll
2016-08-09 16:58 - 2016-08-03 00:44 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.StateRepositoryBroker.dll
2016-08-09 16:58 - 2016-08-03 00:32 - 12585984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2016-08-09 16:58 - 2016-08-03 00:31 - 06743040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2016-08-09 16:58 - 2016-08-03 00:25 - 04078080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2016-08-09 16:58 - 2016-08-03 00:19 - 02180096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.StateRepository.dll
2016-08-09 16:57 - 2016-08-03 07:14 - 01505984 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-08-09 16:57 - 2016-08-03 07:14 - 00092352 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-08-09 16:57 - 2016-08-03 07:14 - 00050368 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-08-09 16:57 - 2016-08-03 06:36 - 07469408 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-08-09 16:57 - 2016-08-03 06:36 - 00099680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pdc.sys
2016-08-09 16:57 - 2016-08-03 06:36 - 00037744 _____ (Microsoft Corporation) C:\Windows\system32\wldp.dll
2016-08-09 16:57 - 2016-08-03 06:30 - 00026408 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-08-09 16:57 - 2016-08-03 06:23 - 00115040 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupApi.dll
2016-08-09 16:57 - 2016-08-03 06:22 - 01322760 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-08-09 16:57 - 2016-08-03 06:22 - 00465248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2016-08-09 16:57 - 2016-08-03 06:22 - 00331616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pci.sys
2016-08-09 16:57 - 2016-08-03 06:22 - 00058408 _____ (Microsoft Corporation) C:\Windows\system32\SensorsNativeApi.dll
2016-08-09 16:57 - 2016-08-03 06:21 - 22561256 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-08-09 16:57 - 2016-08-03 06:21 - 03675512 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-09 16:57 - 2016-08-03 06:21 - 00303216 _____ (Microsoft Corporation) C:\Windows\system32\LockAppHost.exe
2016-08-09 16:57 - 2016-08-03 06:20 - 01540224 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2016-08-09 16:57 - 2016-08-03 06:20 - 00692136 _____ (Microsoft Corporation) C:\Windows\system32\sppwinob.dll
2016-08-09 16:57 - 2016-08-03 06:13 - 01988448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-08-09 16:57 - 2016-08-03 06:13 - 00576864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms2.sys
2016-08-09 16:57 - 2016-08-03 06:13 - 00393056 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2016-08-09 16:57 - 2016-08-03 06:11 - 00422744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2016-08-09 16:57 - 2016-08-03 05:51 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\tdlrecover.exe
2016-08-09 16:57 - 2016-08-03 05:46 - 22384128 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2016-08-09 16:57 - 2016-08-03 05:44 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\wshbth.dll
2016-08-09 16:57 - 2016-08-03 05:41 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\Windows.StateRepositoryClient.dll
2016-08-09 16:57 - 2016-08-03 05:41 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\Windows.StateRepositoryBroker.dll
2016-08-09 16:57 - 2016-08-03 05:40 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\VEDataLayerHelpers.dll
2016-08-09 16:57 - 2016-08-03 05:40 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\bthserv.dll
2016-08-09 16:57 - 2016-08-03 05:39 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-08-09 16:57 - 2016-08-03 05:39 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\BluetoothApis.dll
2016-08-09 16:57 - 2016-08-03 05:38 - 00412160 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2016-08-09 16:57 - 2016-08-03 05:37 - 00110080 _____ (Microsoft Corporation) C:\Windows\system32\IdCtrls.dll
2016-08-09 16:57 - 2016-08-03 05:36 - 00221696 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-09 16:57 - 2016-08-03 05:36 - 00198144 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-08-09 16:57 - 2016-08-03 05:35 - 00764928 _____ (Microsoft Corporation) C:\Windows\system32\Chakradiag.dll
2016-08-09 16:57 - 2016-08-03 05:35 - 00200192 _____ (Microsoft Corporation) C:\Windows\system32\WUDFPlatform.dll
2016-08-09 16:57 - 2016-08-03 05:34 - 00383488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-09 16:57 - 2016-08-03 05:33 - 00339968 _____ (Microsoft Corporation) C:\Windows\system32\SensorService.dll
2016-08-09 16:57 - 2016-08-03 05:33 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\VEEventDispatcher.dll
2016-08-09 16:57 - 2016-08-03 05:31 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\tileobjserver.dll
2016-08-09 16:57 - 2016-08-03 05:31 - 00359936 _____ (Microsoft Corporation) C:\Windows\system32\SensorsApi.dll
2016-08-09 16:57 - 2016-08-03 05:30 - 24613888 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-09 16:57 - 2016-08-03 05:30 - 00970752 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-09 16:57 - 2016-08-03 05:29 - 02127360 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-09 16:57 - 2016-08-03 05:29 - 01500160 _____ (Microsoft Corporation) C:\Windows\system32\RecoveryDrive.exe
2016-08-09 16:57 - 2016-08-03 05:29 - 01387520 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2016-08-09 16:57 - 2016-08-03 05:29 - 00784384 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-09 16:57 - 2016-08-03 05:28 - 01213440 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2016-08-09 16:57 - 2016-08-03 05:28 - 00848896 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-08-09 16:57 - 2016-08-03 05:28 - 00529920 _____ (Microsoft Corporation) C:\Windows\system32\LogonController.dll
2016-08-09 16:57 - 2016-08-03 05:27 - 01752576 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-09 16:57 - 2016-08-03 05:27 - 01717760 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2016-08-09 16:57 - 2016-08-03 05:27 - 00381952 _____ (Microsoft Corporation) C:\Windows\system32\wuuhext.dll
2016-08-09 16:57 - 2016-08-03 05:20 - 13390336 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-09 16:57 - 2016-08-03 05:18 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll
2016-08-09 16:57 - 2016-08-03 05:17 - 02175488 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2016-08-09 16:57 - 2016-08-03 05:16 - 02635776 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Logon.dll
2016-08-09 16:57 - 2016-08-03 05:16 - 01732096 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-09 16:57 - 2016-08-03 05:15 - 07833088 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2016-08-09 16:57 - 2016-08-03 05:14 - 04895232 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-09 16:57 - 2016-08-03 05:13 - 03025920 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-09 16:57 - 2016-08-03 05:13 - 02280960 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-08-09 16:57 - 2016-08-03 05:12 - 02746368 _____ (Microsoft Corporation) C:\Windows\system32\Windows.StateRepository.dll
2016-08-09 16:57 - 2016-08-03 01:31 - 00957608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-08-09 16:57 - 2016-08-03 01:30 - 21123320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2016-08-09 16:57 - 2016-08-03 01:30 - 00465760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncHost.exe
2016-08-09 16:57 - 2016-08-03 01:30 - 00255168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LockAppHost.exe
2016-08-09 16:57 - 2016-08-03 00:57 - 00091648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdlrecover.exe
2016-08-09 16:57 - 2016-08-03 00:48 - 00051712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshbth.dll
2016-08-09 16:57 - 2016-08-03 00:47 - 13018112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.dll
2016-08-09 16:57 - 2016-08-03 00:42 - 00080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\BluetoothApis.dll
2016-08-09 16:57 - 2016-08-03 00:40 - 00092160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IdCtrls.dll
2016-08-09 16:57 - 2016-08-03 00:39 - 19351040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-08-09 16:57 - 2016-08-03 00:37 - 00335872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-08-09 16:57 - 2016-08-03 00:37 - 00219136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VEEventDispatcher.dll
2016-08-09 16:57 - 2016-08-03 00:35 - 00286208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SensorsApi.dll
2016-08-09 16:57 - 2016-08-03 00:35 - 00178688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wevtutil.exe
2016-08-09 16:57 - 2016-08-03 00:34 - 00792064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-08-09 16:57 - 2016-08-03 00:34 - 00400896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\OneDriveSettingSyncProvider.dll
2016-08-09 16:57 - 2016-08-03 00:33 - 18677760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2016-08-09 16:57 - 2016-08-03 00:33 - 02050048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-08-09 16:57 - 2016-08-03 00:33 - 00687616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-08-09 16:57 - 2016-08-03 00:32 - 01526272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-08-09 16:57 - 2016-08-03 00:32 - 01467392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2016-08-09 16:57 - 2016-08-03 00:32 - 00434688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LogonController.dll
2016-08-09 16:57 - 2016-08-03 00:31 - 00705536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-08-09 16:57 - 2016-08-03 00:29 - 12133376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-08-09 16:57 - 2016-08-03 00:28 - 03663360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-08-09 16:57 - 2016-08-03 00:25 - 05323776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2016-08-09 16:57 - 2016-08-03 00:23 - 05660672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2016-08-09 16:57 - 2016-08-03 00:23 - 01799680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Logon.dll
2016-08-09 16:57 - 2016-08-03 00:22 - 02501120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-08-09 16:57 - 2016-08-03 00:22 - 01502208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-08-09 16:57 - 2016-08-03 00:21 - 01708032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ActiveSyncProvider.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-08 21:20 - 2016-01-13 18:47 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\Skype
2016-09-08 21:20 - 2016-01-13 15:06 - 00000000 ____D C:\Users\profilenew
2016-09-08 21:20 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-09-08 21:20 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\AppReadiness
2016-09-08 21:16 - 2016-04-14 04:20 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-08 21:16 - 2016-01-13 15:06 - 00000000 ____D C:\Users\profilenew\AppData\Local\VirtualStore
2016-09-08 21:02 - 2016-01-13 05:56 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2016-09-08 20:55 - 2016-01-13 15:09 - 00000000 ____D C:\Users\profilenew\AppData\LocalLow\LastPass
2016-09-08 20:51 - 2016-01-13 03:09 - 00000928 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2016-09-08 20:39 - 2016-02-12 14:02 - 00000634 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3499336029-3320506896-2359871584-1001.job
2016-09-08 20:35 - 2016-01-13 03:07 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-08 19:48 - 2016-02-12 14:02 - 00000730 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3499336029-3320506896-2359871584-1001.job
2016-09-08 19:35 - 2016-01-13 03:07 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-08 19:02 - 2016-01-13 18:42 - 00000000 ____D C:\Users\profilenew\AppData\Local\Pushbullet
2016-09-08 18:40 - 2016-01-13 03:17 - 00003808 _____ C:\Windows\System32\Tasks\AutoKMS
2016-09-08 18:37 - 2016-07-31 20:55 - 00139088 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2016-09-08 10:50 - 2016-01-20 15:54 - 00000000 ____D C:\ProgramData\LogMeIn
2016-09-08 10:50 - 2016-01-20 15:48 - 00000000 ____D C:\Users\profilenew\AppData\Local\LogMeInIgnition
2016-09-08 03:03 - 2016-07-19 23:24 - 00000000 ____D C:\Users\profilenew\AppData\Local\Glance
2016-09-08 02:27 - 2016-05-04 02:31 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\deluge
2016-09-08 00:11 - 2016-07-31 20:55 - 00000000 ____D C:\ProgramData\WRData
2016-09-07 23:51 - 2016-01-13 03:09 - 00000924 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2016-09-07 00:49 - 2016-01-14 01:08 - 00000000 ____D C:\Users\profilenew\AppData\Local\CrashDumps
2016-09-06 18:33 - 2016-03-19 17:42 - 00000000 ___RD C:\Users\profilenew\Dropbox
2016-09-06 18:33 - 2016-02-14 19:04 - 00000000 ____D C:\Users\profilenew\AppData\Local\Deployment
2016-09-06 18:33 - 2016-01-13 03:08 - 00000000 ____D C:\Program Files (x86)\Steam
2016-09-06 18:32 - 2016-01-13 05:34 - 00000000 __SHD C:\Users\bhodges\IntelGraphicsProfiles
2016-09-06 18:32 - 2016-01-13 05:14 - 00885104 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-06 18:32 - 2015-10-30 03:21 - 00000000 ____D C:\Windows\INF
2016-09-06 18:25 - 2016-01-28 03:00 - 00000000 ____D C:\ProgramData\NVIDIA
2016-09-06 18:25 - 2016-01-13 05:10 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-06 18:24 - 2015-10-30 02:28 - 00786432 ___SH C:\Windows\system32\config\BBI
2016-09-06 18:23 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-09-06 15:38 - 2016-01-13 03:09 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-06 15:38 - 2016-01-13 03:09 - 00000000 ____D C:\ProgramData\Skype
2016-09-03 11:17 - 2016-02-12 14:02 - 00003892 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3499336029-3320506896-2359871584-1001
2016-09-03 11:17 - 2016-02-12 14:02 - 00003796 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3499336029-3320506896-2359871584-1001
2016-09-02 18:00 - 2016-01-13 03:09 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-09-02 06:19 - 2016-01-13 15:09 - 00000000 ____D C:\Users\profilenew\AppData\Local\Greenshot
2016-09-02 06:16 - 2016-01-13 05:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-09-02 06:16 - 2016-01-13 05:09 - 05036432 _____ C:\Windows\system32\FNTCACHE.DAT
2016-09-02 03:00 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\appraiser
2016-09-02 03:00 - 2015-10-30 03:11 - 00000000 ____D C:\Windows\CbsTemp
2016-09-01 18:17 - 2016-01-20 15:48 - 00000000 ____D C:\Users\profilenew\AppData\Local\LogMeIn Client
2016-08-31 12:38 - 2016-07-15 01:06 - 00002741 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002674 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002668 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002660 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002660 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002654 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00002640 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2016-08-31 12:38 - 2016-07-15 01:06 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2016-08-31 12:37 - 2015-10-30 05:07 - 00000000 ____D C:\Windows\ShellNew
2016-08-31 12:37 - 2015-10-30 03:24 - 00000167 _____ C:\Windows\win.ini
2016-08-31 12:37 - 2015-10-30 03:24 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-08-31 02:48 - 2016-01-13 15:06 - 00000000 ____D C:\Users\profilenew\AppData\Local\Packages
2016-08-28 17:21 - 2016-07-20 23:08 - 00000000 ____D C:\Users\profilenew\Ubiquiti UniFi
2016-08-26 06:48 - 2016-01-13 03:08 - 00001040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk
2016-08-26 06:48 - 2016-01-13 03:08 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-08-24 00:04 - 2016-07-31 20:55 - 00185272 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2016-08-24 00:04 - 2016-07-31 20:55 - 00119920 _____ (Webroot) C:\Windows\system32\WRusr.dll
2016-08-22 20:09 - 2016-01-13 15:09 - 00002403 _____ C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-08-22 20:09 - 2016-01-13 15:09 - 00000000 ___RD C:\Users\profilenew\OneDrive
2016-08-20 05:36 - 2016-01-13 03:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-08-20 04:03 - 2016-02-19 01:41 - 00000600 _____ C:\Users\profilenew\AppData\Local\PUTTY.RND
2016-08-20 04:03 - 2016-01-20 16:18 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\FileZilla
2016-08-20 03:56 - 2016-04-01 03:42 - 00000000 ____D C:\Temp
2016-08-12 12:03 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\rescache
2016-08-09 23:02 - 2016-01-13 05:08 - 00000000 ____D C:\Windows\Panther
2016-08-09 23:01 - 2016-07-16 11:17 - 00000000 ___HD C:\$WINDOWS.~BT
2016-08-09 22:48 - 2016-01-13 05:34 - 00000200 _____ C:\Windows\system32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2016-08-09 22:47 - 2016-01-13 05:11 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-08-09 22:46 - 2015-10-30 05:07 - 00000000 ____D C:\Program Files\Windows Journal
2016-08-09 22:46 - 2015-10-30 03:24 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-08-09 22:33 - 2016-01-13 05:49 - 00000000 ____D C:\Windows\system32\MRT
2016-08-09 22:33 - 2016-01-13 03:14 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2016-08-09 22:33 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\SecureBootUpdates
2016-08-09 22:29 - 2016-01-13 05:49 - 147640136 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-09 03:22 - 2016-04-04 03:03 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\vlc
2016-08-09 02:52 - 2016-04-04 03:03 - 00000000 ____D C:\Users\profilenew\AppData\Roaming\dvdcss
 
==================== Files in the root of some directories =======
 
2016-01-13 05:48 - 2016-01-13 15:14 - 21403160 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2016-01-15 16:19 - 2016-01-15 16:19 - 0038510 _____ () C:\Users\profilenew\AppData\Roaming\Comma Separated Values.ADR
2016-02-23 03:23 - 2016-02-23 03:23 - 0004772 _____ () C:\Users\profilenew\AppData\Roaming\QBFileDrTool.log
2016-09-01 01:30 - 2016-09-01 01:30 - 0003584 _____ () C:\Users\profilenew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-02-19 01:41 - 2016-08-20 04:03 - 0000600 _____ () C:\Users\profilenew\AppData\Local\PUTTY.RND
2016-09-06 01:46 - 2016-09-06 01:46 - 0000218 _____ () C:\Users\profilenew\AppData\Local\recently-used.xbel
2016-01-13 05:41 - 2016-01-13 05:41 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-04-01 01:39 - 2016-04-01 01:40 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\bhodges\AppData\Local\Temp\Abspdf.exe
C:\Users\bhodges\AppData\Local\Temp\acfpdfu.dll
C:\Users\bhodges\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\bhodges\AppData\Local\Temp\acfpdfui.dll
C:\Users\bhodges\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\bhodges\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\bhodges\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\bhodges\AppData\Local\Temp\cdintf.dll
C:\Users\bhodges\AppData\Local\Temp\PDFPRT400.exe
C:\Users\bhodges\AppData\Local\Temp\PidGenX.dll
C:\Users\bhodges\AppData\Local\Temp\xmllite.dll
C:\Users\bhodges\AppData\Local\Temp\xmlUpdater.exe
C:\Users\profilenew\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-09-06 11:47
 
==================== End of FRST.txt ============================


Attached File: FRST.txt (66.43KB)
Attached File: Addition.txt (69.23KB)


Edited by katzendreckt, 09 September 2016 - 05:36 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 September 2016 - 09:14 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
Task: {91DEA014-757E-49E8-BCA3-3840EC2D576D} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-01-13] ()
Task: {CA6ED8A3-2BC0-4124-8FE9-3BBA2740AC79} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
C:\Users\profilenew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Windows\AutoKMS

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know if the problem persists.
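
The fixlist above singles out two kinds of FRST lines: a scheduled task whose executable FRST prints with an empty trailing "()" (no publisher or company name), and a browser policy key FRST marks with "<======= ATTENTION". The following script is an added triage helper for reading an FRST log with those two patterns in mind; it is not part of FRST or of this thread, the sample lines are constructed from the entries quoted in the fixlist plus one made-up benign task (fake GUID, fake vendor path) to show what is not flagged, and the "empty publisher means worth a look" rule is this example's own heuristic, not an FRST verdict.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code)."""
import re

# Task: {GUID} - System32\Tasks\Name => C:\path\prog.exe [YYYY-MM-DD] (Publisher)
TASK_RE = re.compile(
    r'^Task:\s*\{([0-9A-Fa-f-]+)\}\s*-\s*(\S+)\s*=>\s*(.+?)\s*\[[\d-]+\]\s*\((.*)\)\s*$'
)
# Policy keys FRST flags as restricting a browser
ATTENTION_RE = re.compile(r'Restriction\s*<=+\s*ATTENTION')


def triage(lines):
    """Return a list of (kind, subject, detail) findings.

    kind is "unsigned-task" for a scheduled task with an empty publisher field
    (heuristic: such tasks deserve a manual look) or "policy-restriction" for
    a key FRST tagged with ATTENTION.
    """
    findings = []
    for line in lines:
        line = line.rstrip()
        m = TASK_RE.match(line)
        if m:
            _guid, task, exe, publisher = m.groups()
            if not publisher.strip():
                findings.append(("unsigned-task", task, exe))
            continue
        if ATTENTION_RE.search(line):
            key = line.split(":", 1)[0].strip()
            findings.append(("policy-restriction", key, line))
    return findings


# Constructed sample: the first four lines are copied from the fixlist in this
# thread; the last line is made up (fake GUID, fake vendor) to show a task with
# a publisher is not reported.
SAMPLE_FRST_LINES = [
    r"HKLM-x32\...\Run: [] => [X]",
    r"CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION",
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION",
    r"Task: {91DEA014-757E-49E8-BCA3-3840EC2D576D} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-01-13] ()",
    r"Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleVendorUpdate => C:\Program Files\ExampleVendor\update.exe [2016-01-13] (Example Vendor Inc.)",
]

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_FRST_LINES):
        print(f"{kind:20} {subject}  ->  {detail}")
```

Run against a real FRST.txt by reading the file and passing its lines to `triage()`; the output is a shortlist to review by hand, not a removal list, which is why the AutoKMS task appears only because its publisher field is empty, not because the path is known bad.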

#3 katzendreckt

katzendreckt
  • Topic Starter

  • Members
  • 4 posts

Posted 10 September 2016 - 03:55 PM

Ran the three tools, rebooted each time, logs attached. Behavior persists. I ran a hijackthis scan as well, but have not taken any action with that. Log attached as well.

Attached Files


Edited by katzendreckt, 10 September 2016 - 03:56 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 September 2016 - 07:28 AM


HijackThis is not ready for the 64-bit system.
It's no longer being updated. May never be ready.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#5 katzendreckt

katzendreckt
  • Topic Starter

  • Members
  • 4 posts

Posted 12 September 2016 - 12:09 AM

Zoek triggered my antivirus. I disabled antivirus and ran it anyways.

 

Zoek does not appear to finish with the script you gave me. It stalls on "firefox extensions" and stays there. Have left it for 4 hours, no progress past the attached. Computer behavior remains unchanged, still strange network behavior and disconnects.
Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by profilenew on Sun 09/11/2016 at 23:03:14.95.
Microsoft Windows 10 Pro 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\profilenew\Downloads\zoek.exe [Scan all users] [Script inserted]

===== Runcheck 23:05:03.57 =====

--- Create Environment Variables 23:05:04.59
--- Create System Restore Point 23:05:09.90
--- Checking Input 23:05:16.36
--- AU AppData Check 23:05:32.78
--- Remove From Windows Installer 23:05:34.97
--- Empty Folders Check 23:06:20.38
--- Registry HKLM Software Check 23:06:20.41
--- Quick Launch Shortcut Check 23:06:32.46
--- IE Startpage Check 23:06:38.07
--- Program Files DB Check 23:06:48.63
--- C:\Users\preofilenew\AppData DB Check 23:07:24.52
--- C:\Users\profilenew\AppData DB Check 23:07:24.52
--- C:\Users\profilenew\AppData DB Check 23:07:24.52
--- C:\Users\Default\AppData DB Check 23:07:24.52
--- C:\Windows\SysNative\config\systemprofile\AppData DB Check 23:07:24.52
--- C:\Windows\sysWoW64\config\systemprofile\AppData DB Check 23:07:24.52
--- C:\Windows\serviceprofiles\networkservice\AppData DB Check 23:07:24.52
--- C:\Windows\serviceprofiles\Localservice\AppData DB Check 23:07:24.52
--- C:\Users\profilenew DB Check 23:09:28.15
--- C:\PROGRA~3 DB Check 23:09:44.19
--- C:\Users\Default\AppData\Local DB Check 23:10:00.13
--- C:\Users\profilenew\AppData\Local DB Check 23:10:00.13
--- C:\Users\profilenew\AppData\Local DB Check 23:10:00.13
--- C:\Users\Default\AppData\Local DB Check 23:10:00.13
--- C:\Users\Default User\AppData\Local DB Check 23:10:00.13
--- C:\Windows\SysNative\config\systemprofile\AppData\Local DB Check 23:10:00.13
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Local DB Check 23:10:00.13
--- C:\Windows\serviceprofiles\networkservice\AppData\Local DB Check 23:10:00.13
--- C:\Windows\serviceprofiles\Localservice\AppData\Local DB Check 23:10:00.13
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check 23:11:34.78
--- C:\Users\profilenew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check 23:11:42.86
--- Tasks DB Check 23:11:47.94
--- C:\Users\profilenew\AppData\LocalLow DB Check 23:11:51.51
--- C:\Users\profilenew\AppData\LocalLow DB Check 23:11:51.51
--- C:\Windows\SysNative\config\systemprofile\AppData\LocalLow DB Check 23:11:51.51
--- C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow DB Check 23:11:51.51
--- C:\Windows\serviceprofiles\networkservice\AppData\LocalLow DB Check 23:11:51.51
--- C:\Windows\serviceprofiles\Localservice\AppData\LocalLow DB Check 23:11:51.51
--- Tasks2 DB Check 23:12:35.08
--- Documents DB Check 23:13:00.36
--- Documents2 DB Check 23:13:07.90
--- C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default DB Check 23:13:09.23
--- C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default DB Check 23:13:09.23
--- C:\Users\Public\Desktop DB Check 23:13:13.06
--- C:\Users\profilenew\Desktop DB Check 23:13:17.35
--- Services DB Check 23:13:24.34
--- FF prefs.js DB Check 23:13:43.73
--- Emptyclsid 23:14:44.40
--- Del by CLSID 23:14:46.84
--- Delete Services 23:15:07.83
--- Firefox Fix 23:15:09.38
--- Batch Commands 23:15:11.93
--- Delete files\folders 23:15:12.03
--- Create Backups 23:15:12.11
--- Firefox Extensions 23:15:14.90

edit : also, now all my browser windows page-down to the bottom every 10-15 seconds. Zoek is still open, I suspect this is part of that program's code. Not particularly confidence inspiring, along with my AV's warnings...


Edited by katzendreckt, 12 September 2016 - 12:12 AM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 September 2016 - 07:12 AM

Please run the Zoek tool as previously suggested but only use this for the fix.

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b


Post the log and let me know if the problem persists.

#7 katzendreckt

katzendreckt
  • Topic Starter

  • Members
  • 4 posts

Posted 13 September 2016 - 11:33 AM

Thank you for your help. Logs attached below. Has any of this indicated my machine is/was infected with malware? If so, is there a name for the malware we dealt with?

I'll monitor for any improvements, and let me know next steps for additional scans now that it looks like the firefox extensions were dealt with.

Thanks!

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by profilenew on Sun 09/11/2016 at 23:03:14.95.
Microsoft Windows 10 Pro 10.0.10586  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\profilenew\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

9/11/2016 11:05:15 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\ASRock deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\profilenew\AppData\Local\ActiveSync deleted successfully
C:\Users\profilenew\AppData\Local\PeerDistRepub deleted successfully
C:\Users\profilenew\AppData\Local\VirtualStore deleted successfully
C:\Users\profilenew\AppData\Local\ActiveSync deleted successfully
C:\Users\profilenew\AppData\Local\PeerDistRepub deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default\prefs.js:
user_pref("browser.startup.homepage", "http://www.netvibes.com/privatepage/1#asdf");
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);

Added to C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\prefs.js:
user_pref("browser.startup.homepage", "http://www.netvibes.com/privatepage/1#asdf");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);

Added to C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\prefs.js:

ProfilePath: C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20160911_1115_.backup

ProfilePath: C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20160911_1115_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\gatherosstate.exe deleted
C:\install.exe deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\DataStore deleted
C:\Users\profilenew\Documents\Add-in Express deleted
C:\Users\profilenew\Documents\Add-in Express deleted
C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default\jetpack deleted
C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\jetpack deleted
C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\kxkvl8pm.default\Yahoo Inc deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\profilenew\AppData\Roaming\Mozilla\Firefox\Profiles\9azg4jy6.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"web2pdfextension@web2pdf.adobedotcom"="C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn" [01/13/2016 03:26 AM]
 


Edited by katzendreckt, 13 September 2016 - 11:34 AM.
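
The "FireFox Fix" section of the Zoek log above shows what the hijack actually consisted of: a user_pref line in each profile's prefs.js pointing browser.startup.homepage at an external page, which the tool replaced with about:home. The script below is an added example of checking a prefs.js file for that condition the way a defender would before (or instead of) running a cleanup tool; it is not Zoek's code and not part of the thread. The sample prefs.js text is constructed from the entries quoted in the log, and the table of expected values for the watched prefs is this example's own assumption, not Firefox's complete default set.

```python
"""Check a Firefox prefs.js for overridden start page, new-tab page and search
engine (added example; not Zoek's or Firefox's code)."""
import re

# Matches: user_pref("name", value);  where value is a quoted string, number or bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Prefs a browser hijacker commonly rewrites, with the values this example
# treats as acceptable (assumption for the example, not an authoritative list).
EXPECTED = {
    "browser.startup.homepage": {"about:home", "about:blank"},
    "browser.newtab.url": {"about:newtab"},
    "browser.search.defaultenginename": {"Google", "Bing", "DuckDuckGo", "Yahoo"},
    "browser.search.defaultenginename.US": {"Google", "Bing", "DuckDuckGo", "Yahoo"},
}


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line, quotes stripped.

    Booleans and numbers come back as their literal text ("true", "0").
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_hijacked(prefs):
    """Return [(name, value)] for watched prefs whose value is not in EXPECTED."""
    findings = []
    for name, allowed in EXPECTED.items():
        if name in prefs and prefs[name] not in allowed:
            findings.append((name, prefs[name]))
    return findings


# Constructed sample prefs.js, built from the lines quoted in the Zoek log above.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "http://www.netvibes.com/privatepage/1#asdf");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);
user_pref("browser.newtab.url", "about:newtab");
'''

if __name__ == "__main__":
    for name, value in find_hijacked(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"SUSPECT {name} = {value}")
```

To check a live profile, read the prefs.js under the profile directory shown in the log (ProfilePath in the Zoek output) and pass its contents to `parse_prefs()`; a non-empty result from `find_hijacked()` is a reason to inspect the profile's extensions and the user.js file, since a persistent override usually comes back from one of those.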


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 September 2016 - 12:07 PM

It was what we call a Browser Hijacker.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 September 2016 - 08:40 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
