Trojan horse Atros4.BCWA - infection keeps returning


This topic is locked
5 replies to this topic

#1 plasterhead

Posted 09 December 2016 - 12:02 PM

I started this topic in the "Am I infected" forum but after some analysis was told to post it here.

Here is a link to that topic for reference:

https://www.bleepingcomputer.com/forums/t/634089/trojan-horse-atros4bcwa-infection-keeps-returning/

I keep getting an alert from AVG Antivirus Free about "Trojan horse Atros4.BCWA".

I tell AVG to "protect me" and it appears to remove it, but the next day the infection comes back.

Here are the details that AVG provides:

Threat: Trojan horse Atros4.BCWA
Object name: c:\Windows\Temp\easlerfk.dll
Severity: High
Identified by: Resident Shield

Extended Element Information
Process Name: c:\Windows\SysWOW64\svchost.exe
Process ID: 9376
Username: SYSTEM
Session ID: 0

Here are the contents of the FRST.txt file

------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by gorleans (administrator) on DALGORLEANS (09-12-2016 10:09:18)
Running from C:\Users\gorleans\Downloads
Loaded Profiles: gorleans (Available Profiles: adm1n! & gorleans)
Platform: Windows 7 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\stacsv64.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
(Broadcom Corporation) C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(DeviceVM, Inc.) C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe
() C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Launcher\mgsdl.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Security Agent\mgssecsvc.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Launcher\ndserv.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Schedule Agent\ndinit.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Schedule Agent\ndtask.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GbR) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
() C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\CCM\CcmExec.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
(Broadcom Corporation) C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Update\GoogleUpdate.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
(DeviceVM, Inc.) C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\System Manager\PanelHelper32.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Schedule Agent\ndtask.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD App Manager\WDAppManager.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD App Manager\Plugins\WD Backup\App\WDBackupService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\nacl64.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\nacl64.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Schedule Agent\ndschedag.exe
(Flexera Software LLC) C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [358424 2009-08-04] (Intel Corporation)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [391024 2010-05-12] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-10] (IDT, Inc.)
HKLM\...\Run: [nwiz] => nwiz.exe /installquiet
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NVHotkey] => rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
HKLM\...\Run: [DellControlPoint] => C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe [657920 2009-11-02] (Dell Inc.)
HKLM\...\Run: [USCService] => C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-01-14] (Broadcom Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112152 2010-04-15] (Intel Corporation)
HKLM-x32\...\Run: [DellBtrEvent] => C:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe [147456 2010-05-04] (DeviceVM, Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2010-01-07] (CyberLink Corp.)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [413827 2009-07-08] (Creative Technology Ltd)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-10-05] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [304568 2010-11-09] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [450560 2013-01-29] (DivX, LLC)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1263952 2013-02-12] ()
HKLM-x32\...\Run: [SchedulingAgent_nDG] => C:\Program Files (x86)\ManageSoft\Schedule Agent\ndschedag.exe [1530160 2014-07-14] (Flexera Software LLC)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1761120 2015-12-07] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2016-01-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-02-12] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WDAppManager] => C:\Program Files (x86)\Western Digital\WD App Manager\AppManagerLauncher.exe [21384 2016-04-19] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe [3219456 2016-12-05] (Malwarebytes)
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\rar* <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\wz* <====== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <====== ATTENTION
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Run: [Google Update] => C:\Users\gorleans\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-10-31] (Google Inc.)
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Run: [Amazon Cloud Player] => C:\Users\gorleans\AppData\Local\Amazon Cloud Player\Amazon Music Helper.exe [3112768 2013-05-15] ()
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHSA.EXE [241280 2013-07-01] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Run: [Dropbox Update] => C:\Users\gorleans\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-25] (Dropbox, Inc.)
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-18\...\Policies\system: [DisableChangePassword] 1
Lsa: [Authentication Packages] msv1_0 wvauth
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt64.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt64.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt64.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt64.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt.3.0.dll [2016-11-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gorleans\AppData\Roaming\Dropbox\bin\DropboxExt.3.0.dll [2016-11-28] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dell ControlPoint System Manager.lnk [2010-06-04]
ShortcutTarget: Dell ControlPoint System Manager.lnk -> C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 66.90.132.162 66.90.130.10
Tcpip\..\Interfaces\{3D542F9D-7E0C-4E19-B87D-6EFFD3996001}: [DhcpNameServer] 66.90.132.162 66.90.130.10
Tcpip\..\Interfaces\{E3488704-2ED8-462C-B635-B3F569177937}: [DhcpNameServer] 192.168.10.13 192.168.10.6 192.168.10.10
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://my.yahoo.com/
HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: WebEx Productivity Tools -> {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} -> C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll [2013-09-17] (Cisco WebEx LLC)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2015-11-01] (LastPass)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-22] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-10-11] (Microsoft Corporation)
BHO-x32: Inventory Manager Web Application Tracker -> {30A22EC9-42D0-4D46-A2F7-7516419F943D} -> C:\Program Files (x86)\ManageSoft\Usage Agent\mgsiebho.dll [2014-07-14] ()
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll [2013-02-06] (DivX, LLC)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: WebEx Productivity Tools -> {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} -> C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll [2013-09-17] (Cisco WebEx LLC)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2015-11-01] (LastPass)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKLM - WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll [2013-09-17] (Cisco WebEx LLC)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2015-11-01] (LastPass)
Toolbar: HKLM-x32 - WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll [2013-09-17] (Cisco WebEx LLC)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2015-11-01] (LastPass)
Toolbar: HKU\S-1-5-21-4175730781-2642324733-1139661035-2938 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP27-10832/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-11-09] (Citrix Systems, Inc.)
 
FireFox:
========
FF DefaultProfile: do1vy3uj.default-1446325268830
FF ProfilePath: C:\Users\gorleans\AppData\Roaming\Mozilla\Firefox\Profiles\do1vy3uj.default-1446325268830 [2016-12-09]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\do1vy3uj.default-1446325268830 -> Google
FF Homepage: Mozilla\Firefox\Profiles\do1vy3uj.default-1446325268830 -> hxxps://my.yahoo.com/
FF Extension: (LastPass) - C:\Users\gorleans\AppData\Roaming\Mozilla\Firefox\Profiles\do1vy3uj.default-1446325268830\Extensions\support@lastpass.com [2016-03-14]
FF HKLM-x32\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - C:\Program Files (x86)\Fiddler2\FiddlerHook
FF Extension: (FiddlerHook) - C:\Program Files (x86)\Fiddler2\FiddlerHook [2012-11-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: (PDF Architect Converter For Firefox) - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2013-01-01] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: (DivX Plus Web Player HTML5 &video&) - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-02-25] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [mgsusageagent@managesoft.com] - C:\Program Files (x86)\ManageSoft\Usage Agent\mgsusageagent
FF Extension: (ManageSoft Usage Agent Web Tracker) - C:\Program Files (x86)\ManageSoft\Usage Agent\mgsusageagent [2014-07-28] [not signed]
FF HKU\S-1-5-21-4175730781-2642324733-1139661035-2938\...\Firefox\Extensions: [ocplugin@webex.com] - C:\Program Files (x86)\WebEx\Productivity Tools
FF Extension: (WebEx Productivity Tools) - C:\Program Files (x86)\WebEx\Productivity Tools [2013-12-20] [not signed]
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2015-11-01] (LastPass)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll [2013-02-07] (DivX, LLC)
FF Plugin-x32: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll [No File]
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2015-11-01] (LastPass)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4175730781-2642324733-1139661035-2938: @tools.google.com/Google Update;version=3 -> C:\Users\gorleans\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-4175730781-2642324733-1139661035-2938: @tools.google.com/Google Update;version=9 -> C:\Users\gorleans\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\CCMSDK.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\cgpcfg.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\ctxmui.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\icafile.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\icalogon.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll [2011-10-03] (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npDivxPlayerPlugin.dll [2009-09-25] (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll [2010-11-09] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\sslsdk_b.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll [2010-11-09] (Citrix Systems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\gorleans\AppData\Roaming\mozilla\plugins\npatgpc.dll [2011-11-30] (Cisco WebEx LLC)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Plugin: (Native Client) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll => No File
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (ActiveTouch General Plugin Container) - C:\Users\gorleans\AppData\Roaming\Mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
CHR Plugin: (DivX Plus Web Player) - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Profile: C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default [2016-12-09]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2015-11-01]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-01]
CHR Extension: (Baymax - BIG HERO 6) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddkinilfnngkdoflahekdngbbfhahlee [2016-10-01]
CHR Extension: (Google Play Music) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\fahmaaghhglfmonjliepjlchgpgfmobi [2016-12-08]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-17]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2016-12-07]
CHR Extension: (Google Hangouts) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2016-12-05]
CHR Extension: (Poppit!) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2015-11-01]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2016-11-27]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlipoenfbbikpbjkfpfillcgkoblgpmj [2016-11-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
CHR Extension: (No Name) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2013-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-07]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikilebpkiopdpeaebnpoodkjelfjlgh] - C:\ProgramData\SaveByclick\iikilebpkiopdpeaebnpoodkjelfjlgh.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-02-06]
StartMenuInternet: Google Chrome - C:\Users\adm1n!\AppData\Local\Google\Chrome\Application\chrome.exe
StartMenuInternet: Google Chrome.HDWAAOGCIZK7Q3GZNBREPYQKPQ - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [647864 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5337696 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1146128 2016-12-06] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [727512 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 dcpsysmgrsvc; C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [515952 2010-02-08] (Dell Inc.)
R2 DvmMDES; C:\Program Files (x86)\Dell\Reader 2.1\DVMExportService.exe [327680 2010-05-04] (DeviceVM, Inc.) [File not signed]
R2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] () [File not signed]
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 mgsdl; C:\Program Files (x86)\ManageSoft\Launcher\mgsdl.exe [1458992 2014-07-14] (Flexera Software LLC)
R2 mgssecsvc; C:\Program Files (x86)\ManageSoft\Security Agent\mgssecsvc.exe [1104176 2014-07-14] (Flexera Software LLC)
R2 ndGlobalLauncher; C:\Program Files (x86)\ManageSoft\Launcher\ndserv.exe [2910512 2014-07-14] (Flexera Software LLC)
R2 ndinit; C:\Program Files (x86)\ManageSoft\Schedule Agent\ndinit.exe [738608 2014-07-14] (Flexera Software LLC)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-01-18] (Hewlett-Packard) [File not signed]
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1522312 2012-11-22] (pdfforge GbR)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [905864 2012-11-22] (pdfforge GbR)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-01-18] (Hewlett-Packard) [File not signed]
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1558016 2009-11-18] (Wave Systems Corp.) [File not signed]
S3 smstsmgr; C:\Windows\SysWOW64\CCM\TSManager.exe [246624 2009-09-18] (Microsoft Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe [244736 2010-03-10] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] () [File not signed]
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [308088 2015-12-07] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WMCoreService; C:\Program Files (x86)\Dell\Dell WWAN\WMCore\mini_WMCore.exe [424448 2009-08-06] () [File not signed]
S3 WD Backup Drive Helper; C:\Windows\SysWOW64\dllhost.exe /Processid:{4AB831D3-8315-414C-8A7A-303105288D0B}
S3 WD Backup Snapshot; C:\Windows\SysWOW64\dllhost.exe /Processid:{302480DF-3AC5-4400-BE7B-DD77AF93B6DD}
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [312576 2016-10-17] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [267008 2016-10-05] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [267520 2016-10-19] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [254208 2016-09-26] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [299264 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 Avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
R1 DVMIO; C:\Program Files (x86)\Dell\Reader 2.1\dvmio_x64.sys [20624 2010-05-04] (DeviceVM, Inc.)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-08-26] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140921.020\eng64.sys [129752 2014-08-11] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20140921.020\ex64.sys [2137304 2014-08-11] (Symantec Corporation)
S3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2009-03-31] (Printing Communications Assoc., Inc. (PCAUSA))
S3 prepdrvr; C:\Windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
R3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64_prewin8.sys [23200 2015-12-07] (Western Digital Technologies)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-12-07] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-12-07] (Zemana Ltd.)
S3 e1yexpress; system32\DRIVERS\e1y62x64.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-09 10:09 - 2016-12-09 10:13 - 00040423 _____ C:\Users\gorleans\Downloads\FRST.txt
2016-12-09 10:08 - 2016-12-09 10:09 - 00000000 ____D C:\FRST
2016-12-09 10:08 - 2016-12-09 10:08 - 02420224 _____ (Farbar) C:\Users\gorleans\Downloads\FRST64.exe
2016-12-09 10:07 - 2016-12-09 10:07 - 01761792 _____ (Farbar) C:\Users\gorleans\Downloads\FRST.exe
2016-12-08 15:50 - 2016-12-08 15:51 - 00000000 ____D C:\Users\gorleans\Documents\Axxess
2016-12-08 15:50 - 2016-12-08 15:50 - 00196645 _____ C:\Users\gorleans\Downloads\Benefits Summary.pdf
2016-12-08 11:36 - 2016-12-08 11:37 - 00112024 _____ C:\Users\gorleans\Desktop\SFF.pdf
2016-12-08 11:08 - 2016-12-08 11:08 - 01379823 _____ C:\Users\gorleans\Desktop\Orleans-authorization.pdf
2016-12-08 11:06 - 2016-12-08 11:06 - 13786784 ____R C:\Users\gorleans\Documents\My Money Backup_2016-12-08_110603.mbf
2016-12-08 11:01 - 2016-12-08 11:01 - 00347741 _____ C:\Users\gorleans\Downloads\SSA89 update 6.2015.pdf
2016-12-07 16:17 - 2016-12-07 16:17 - 00128701 _____ C:\Users\gorleans\Downloads\8135544200_20161207_155741.wav
2016-12-07 13:55 - 2016-12-07 13:55 - 00084415 _____ C:\Users\gorleans\Downloads\2813476188_20161207_104927.wav
2016-12-07 12:53 - 2016-12-07 12:53 - 13758104 ____R C:\Users\gorleans\Documents\My Money Backup_2016-12-07_125355.mbf
2016-12-07 12:03 - 2016-12-07 12:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-12-07 12:02 - 2016-12-07 12:03 - 00000000 ____D C:\Program Files\iTunes
2016-12-07 12:02 - 2016-12-07 12:02 - 00000000 ____D C:\Program Files\iPod
2016-12-07 11:57 - 2016-12-07 11:57 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2016-12-07 11:57 - 2016-12-07 11:57 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-12-07 10:18 - 2016-12-07 10:18 - 00000000 ____D C:\SecurityCheck
2016-12-07 10:17 - 2016-12-07 10:17 - 00511034 _____ (glax24 (safezone.cc)) C:\Users\gorleans\Downloads\SecurityCheck.exe
2016-12-07 10:15 - 2016-12-07 10:15 - 14262040 ____R C:\Users\gorleans\Documents\My Money Backup_2016-12-07_101514.mbf
2016-12-07 09:28 - 2016-12-09 10:11 - 00250760 _____ C:\Windows\ZAM.krnl.trace
2016-12-07 09:28 - 2016-12-09 10:11 - 00215913 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-12-07 09:28 - 2016-12-07 09:28 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-12-07 09:28 - 2016-12-07 09:28 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-12-07 09:28 - 2016-12-07 09:28 - 00000000 ____D C:\Users\gorleans\AppData\Local\Zemana
2016-12-07 09:27 - 2016-12-07 09:27 - 05188032 _____ (Zemana Ltd.) C:\Users\gorleans\Downloads\Zemana.AntiMalware.Portable.exe
2016-12-06 18:25 - 2016-12-06 18:25 - 00312395 _____ C:\Users\gorleans\Desktop\Star Wars™ _ LEGO Shop.pdf
2016-12-06 15:38 - 2016-12-06 15:38 - 06771840 _____ (ESET spol. s r.o.) C:\Users\gorleans\Downloads\esetonlinescanner_enu (1).exe
2016-12-06 15:38 - 2016-12-06 15:38 - 00000000 ____D C:\Users\gorleans\AppData\Local\ESET
2016-12-06 15:37 - 2016-12-06 15:37 - 06771840 _____ (ESET spol. s r.o.) C:\Users\gorleans\Downloads\esetonlinescanner_enu.exe
2016-12-06 15:31 - 2016-12-06 15:31 - 00006587 _____ C:\Users\gorleans\Desktop\JRT.txt
2016-12-06 15:22 - 2016-12-06 15:22 - 01631928 _____ (Malwarebytes) C:\Users\gorleans\Downloads\JRT.exe
2016-12-06 15:19 - 2016-12-09 10:10 - 00000000 ____D C:\Users\gorleans\Desktop\results
2016-12-06 15:05 - 2016-12-06 15:06 - 03968464 _____ C:\Users\gorleans\Downloads\AdwCleaner.exe
2016-12-06 13:46 - 2016-12-06 13:46 - 00002798 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-12-06 13:46 - 2016-12-06 13:46 - 00000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-12-06 13:46 - 2016-12-06 13:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-12-06 13:46 - 2016-12-06 13:46 - 00000000 ____D C:\Program Files\CCleaner
2016-12-05 10:22 - 2016-12-05 10:22 - 00281160 _____ C:\Users\gorleans\Downloads\Background Consent & Locations (LOCAL) (1).pdf
2016-12-05 10:21 - 2016-12-05 10:21 - 00281160 _____ C:\Users\gorleans\Downloads\Background Consent & Locations (LOCAL).pdf
2016-12-02 19:50 - 2016-12-02 19:50 - 00000000 ____D C:\Users\gorleans\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-12-02 17:01 - 2016-12-02 17:01 - 00467009 _____ C:\Users\gorleans\Downloads\Gregory Orleans Offer 12.2.16 - Updated.pdf
2016-12-02 14:23 - 2016-12-02 14:23 - 00467611 _____ C:\Users\gorleans\Downloads\Gregory Orleans Offer 12.2.16.pdf
2016-12-02 14:23 - 2016-12-02 14:23 - 00467611 _____ C:\Users\gorleans\Downloads\Gregory Orleans Offer 12.2.16 (1).pdf
2016-11-29 19:25 - 2016-11-29 19:25 - 00498741 _____ C:\Users\gorleans\Desktop\cba test review.pdf
2016-11-28 22:45 - 2016-11-28 22:45 - 00000984 _____ C:\Users\Public\Desktop\AVG.lnk
2016-11-28 17:16 - 2016-11-28 17:16 - 00000000 ____D C:\Users\gorleans\Downloads\FireShot
2016-11-28 13:44 - 2016-12-09 09:48 - 00000000 ____D C:\Users\gorleans\AppData\LocalLow\Mozilla
2016-11-26 11:42 - 2016-12-07 11:23 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-09 10:10 - 2009-07-13 22:45 - 00021104 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-09 10:10 - 2009-07-13 22:45 - 00021104 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-09 10:04 - 2011-02-07 13:49 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2404267284-557891354-1994849693-11839UA.job
2016-12-09 09:47 - 2016-01-25 16:27 - 00000930 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-4175730781-2642324733-1139661035-2938UA.job
2016-12-09 09:45 - 2011-08-18 13:40 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2073666044-2475884703-1318401005-500UA.job
2016-12-09 09:41 - 2016-01-20 14:53 - 00000000 ____D C:\ProgramData\MFAData
2016-12-09 09:36 - 2010-01-27 11:23 - 00017920 _____ C:\Windows\system32\rpcnetp.exe
2016-12-08 19:47 - 2016-01-25 16:27 - 00000878 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-4175730781-2642324733-1139661035-2938Core.job
2016-12-08 16:50 - 2016-09-20 11:09 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2016-12-08 14:45 - 2011-08-18 13:40 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2073666044-2475884703-1318401005-500Core.job
2016-12-08 11:06 - 2015-10-31 15:53 - 13787136 _____ C:\Users\gorleans\Documents\My Money.mny
2016-12-08 11:03 - 2011-10-19 13:04 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2404267284-557891354-1994849693-11839Core1cc8e91ed1ef23d.job
2016-12-07 12:54 - 2011-11-16 09:12 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-07 12:54 - 2009-11-05 09:18 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-07 12:18 - 2009-11-06 11:07 - 00405946 _____ C:\Windows\system32\prfh0404.dat
2016-12-07 12:18 - 2009-11-06 11:07 - 00116836 _____ C:\Windows\system32\prfc0404.dat
2016-12-07 12:18 - 2009-11-06 10:56 - 00433348 _____ C:\Windows\system32\perfh012.dat
2016-12-07 12:18 - 2009-11-06 10:56 - 00122130 _____ C:\Windows\system32\perfc012.dat
2016-12-07 12:18 - 2009-11-06 10:46 - 00388874 _____ C:\Windows\system32\prfh0804.dat
2016-12-07 12:18 - 2009-11-06 10:46 - 00121338 _____ C:\Windows\system32\prfc0804.dat
2016-12-07 12:18 - 2009-11-06 10:35 - 00421702 _____ C:\Windows\system32\perfh011.dat
2016-12-07 12:18 - 2009-11-06 10:35 - 00123846 _____ C:\Windows\system32\perfc011.dat
2016-12-07 12:18 - 2009-07-13 23:13 - 02887802 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-07 12:18 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-12-07 12:12 - 2009-11-03 10:56 - 00000497 _____ C:\Windows\SMSCFG.ini
2016-12-07 12:08 - 2010-01-27 11:26 - 00078032 _____ (Absolute Software Corp.) C:\Windows\SysWOW64\rpcnet.dll
2016-12-07 12:07 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-07 12:05 - 2010-06-08 13:51 - 00000075 _____ C:\dvmaccounts.ini
2016-12-07 12:02 - 2010-10-28 17:15 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-12-07 11:57 - 2010-10-28 14:10 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-12-07 11:40 - 2011-02-07 13:55 - 00002353 _____ C:\Users\gorleans\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-07 11:36 - 2011-02-07 13:13 - 00117080 _____ C:\Users\gorleans\AppData\Local\GDIPFONTCACHEV1.DAT
2016-12-07 11:33 - 2011-02-08 13:58 - 00000000 ____D C:\Program Files (x86)\Google
2016-12-07 11:33 - 2009-11-04 11:56 - 00000000 ____D C:\Program Files\Google
2016-12-07 11:33 - 2009-07-13 22:45 - 00463136 _____ C:\Windows\system32\FNTCACHE.DAT
2016-12-07 11:24 - 2011-02-07 13:49 - 00000000 ____D C:\Users\gorleans\AppData\Local\Google
2016-12-07 11:24 - 2009-11-05 12:49 - 00000000 ____D C:\ProgramData\Google
2016-12-07 11:20 - 2010-10-28 14:11 - 00000000 ____D C:\Program Files (x86)\Safari
2016-12-07 11:10 - 2011-02-16 16:24 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-12-07 11:09 - 2014-06-13 12:40 - 00000000 ____D C:\Users\gorleans\AppData\Local\Adobe
2016-12-07 09:28 - 2011-02-07 13:13 - 00000000 ____D C:\Users\gorleans
2016-12-06 15:16 - 2012-05-03 14:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-06 15:12 - 2016-08-21 16:20 - 00000000 ____D C:\AdwCleaner
2016-12-06 14:09 - 2015-11-02 00:11 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-06 14:04 - 2013-11-22 11:53 - 00000000 ____D C:\Program Files (x86)\PDFCreator
2016-12-06 14:04 - 2011-02-07 14:38 - 00000000 ____D C:\Users\gorleans\AppData\Roaming\FileZilla
2016-12-06 13:57 - 2016-03-21 08:59 - 00000000 ____D C:\Users\gorleans\AppData\Local\CrashDumps
2016-12-06 13:57 - 2010-06-04 10:00 - 00000000 ____D C:\Windows\Minidump
2016-12-06 13:57 - 2009-10-27 12:31 - 00000000 ____D C:\Windows\Panther
2016-12-06 13:57 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\ModemLogs
2016-12-06 10:21 - 2015-11-01 10:37 - 00000000 ____D C:\Users\gorleans\AppData\LocalLow\LastPass
2016-12-05 09:08 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-12-05 09:06 - 2015-11-02 00:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-12-04 23:55 - 2010-01-27 11:24 - 00017920 _____ C:\Windows\SysWOW64\rpcnetp.dll
2016-12-04 23:53 - 2010-01-27 11:23 - 00017920 _____ C:\Windows\SysWOW64\rpcnetp.exe
2016-12-04 23:43 - 2015-11-02 00:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-12-02 19:51 - 2012-02-14 12:20 - 00000000 ____D C:\Users\gorleans\AppData\Roaming\Dropbox
2016-11-29 17:52 - 2012-08-24 09:49 - 00000146 __RSH C:\ProgramData\3002.xml
2016-11-28 22:45 - 2016-01-20 14:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2016-11-28 19:42 - 2016-01-25 16:27 - 00003906 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskUserS-1-5-21-4175730781-2642324733-1139661035-2938UA
2016-11-28 19:42 - 2016-01-25 16:27 - 00003510 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskUserS-1-5-21-4175730781-2642324733-1139661035-2938Core
2016-11-25 17:39 - 2012-07-25 09:37 - 00033808 __RSH C:\ProgramData\3002.abs
2016-11-21 18:11 - 2016-01-20 15:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-11-09 04:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2016-11-09 03:28 - 2013-09-06 13:40 - 00000000 ____D C:\Windows\system32\MRT
2016-11-09 03:14 - 2009-11-04 09:38 - 141011376 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-09 03:13 - 2014-01-29 17:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
 
==================== Files in the root of some directories =======
 
2015-11-01 10:37 - 2015-11-01 10:38 - 20320792 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2016-04-25 19:16 - 2016-04-25 19:16 - 0005278 _____ () C:\Users\gorleans\AppData\Local\recently-used.xbel
2012-07-25 09:37 - 2016-11-25 17:39 - 0033808 __RSH () C:\ProgramData\3002.abs
2012-08-24 09:49 - 2016-11-29 17:52 - 0000146 __RSH () C:\ProgramData\3002.xml
2015-10-31 15:00 - 2015-10-31 15:00 - 0015568 __RSH () C:\ProgramData\3029.abs
2012-02-26 14:47 - 2012-02-26 14:47 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-01-20 14:33 - 2016-01-20 14:41 - 0038265 _____ () C:\ProgramData\LUUnInstall.LiveUpdate
2016-01-07 16:59 - 2016-01-07 17:01 - 0000614 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\adm1n!\AppData\Local\Temp\4385.exe
C:\Users\adm1n!\AppData\Local\Temp\DivXSetup.exe
C:\Users\adm1n!\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\adm1n!\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\adm1n!\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\adm1n!\AppData\Local\Temp\vpnclient_setup.exe
C:\Users\gorleans\AppData\Local\Temp\libeay32.dll
C:\Users\gorleans\AppData\Local\Temp\msvcr120.dll
C:\Users\gorleans\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-04 11:53
 
==================== End of FRST.txt ============================

 


Edited by plasterhead, 09 December 2016 - 12:06 PM.



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:59 AM

Posted 10 December 2016 - 09:00 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:


HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\rar* <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\wz* <====== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <====== ATTENTION
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-4175730781-2642324733-1139661035-2938 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Player\npDivxPlayerPlugin.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Native Client) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\gorleans\AppData\Local\Google\Chrome\Application\55.0.2883.75\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll => No File
CHR Plugin: (Coupons Inc., Coupon Printer Manager ) - C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Extension: (Poppit!) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2015-11-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
CHR Extension: (Chrome Media Router) - C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-07]
CHR HKLM-x32\...\Chrome\Extension: [iikilebpkiopdpeaebnpoodkjelfjlgh] - C:\ProgramData\SaveByclick\iikilebpkiopdpeaebnpoodkjelfjlgh.crx <not found>
S3 e1yexpress; system32\DRIVERS\e1y62x64.sys [X]
S3 PCTINDIS5X64; \??\C:\Windows\system32\PCTINDIS5X64.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\gorleans\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm

reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

P.S.
Include the Addition.txt file that was created by the Farbar tool.

Let me know if the problem persists.

#3 plasterhead

plasterhead
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 10 December 2016 - 10:17 PM

I ran the fix list.  Attached are the fixlog.txt file and the addition.txt file.

Thanks for your help.

 

-P

Attached File: Addition.txt (50.55KB, 2 downloads)
Attached File: Fixlog.txt (10.09KB, 2 downloads)



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:59 AM

Posted 11 December 2016 - 08:52 AM

Your Addition.txt file is clean.

Has the problem been solved?

#5 plasterhead

plasterhead
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:59 AM

Posted 11 December 2016 - 04:54 PM

Since running the FRST tool, I haven't had any notifications from AVG about an infection.  So, maybe the first time I ran the FRST tool it cleaned up the infection.

 

I'll post again if it comes back.

 

Thanks for all of your help.

- P



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:59 AM

Posted 12 December 2016 - 08:42 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



