Possible Malware or BOT? "[LAN access from remote] from xx.xx.xx.xx"
8 replies to this topic

#1 ronells2000
Posted 10 April 2017 - 07:28 PM

I happened to randomly check my router logs and found an overload of “LAN access from remote” entries to a different IP address each entry. It’s been a while, and will never be again, since I last checked so I don’t know how long it’s been going on.
 
My son was getting them on his PC (192.168.1.13) on port 64406, my other son had the same issue on his Xbox One (192.168.1.6) on port 3074, but a few and not often. Below is obviously a very small sample of the logs:
[Admin login] from source 192.168.1.4, Monday, Apr 10,2017 15:18:53
[LAN access from remote] from 85.96.217.194:63575 to 192.168.1.13:22502, Monday, Apr 10,2017 15:18:25
[LAN access from remote] from 151.135.39.57:43151 to 192.168.1.13:22502, Monday, Apr 10,2017 15:17:02
[LAN access from remote] from 123.201.112.145:10785 to 192.168.1.13:22502, Monday, Apr 10,2017 15:14:54
[LAN access from remote] from 142.114.0.110:55094 to 192.168.1.13:22502, Monday, Apr 10,2017 15:11:45
[LAN access from remote] from 70.83.189.218:52620 to 192.168.1.13:22502, Monday, Apr 10,2017 15:10:58
[LAN access from remote] from 37.229.205.134:56618 to 192.168.1.13:22502, Monday, Apr 10,2017 15:08:39
[LAN access from remote] from 85.166.255.47:39045 to 192.168.1.13:22502, Monday, Apr 10,2017 15:07:15
[LAN access from remote] from 151.228.178.255:3551 to 192.168.1.13:22502, Monday, Apr 10,2017 15:06:05
[LAN access from remote] from 79.131.148.5:32478 to 192.168.1.13:22502, Monday, Apr 10,2017 15:04:57
[LAN access from remote] from 109.159.81.196:52708 to 192.168.1.13:22502, Monday, Apr 10,2017 15:04:43
[LAN access from remote] from 91.79.138.149:31604 to 192.168.1.13:22502, Monday, Apr 10,2017 15:01:32
[LAN access from remote] from 118.108.51.82:63172 to 192.168.1.13:22502, Monday, Apr 10,2017 15:01:23
[LAN access from remote] from 86.202.245.3:51838 to 192.168.1.13:22502, Monday, Apr 10,2017 15:00:56
[LAN access from remote] from 118.21.95.92:42702 to 192.168.1.13:22502, Monday, Apr 10,2017 15:00:43
[LAN access from remote] from 75.100.212.203:40199 to 192.168.1.13:22502, Monday, Apr 10,2017 14:59:11
[LAN access from remote] from 86.97.46.209:21989 to 192.168.1.13:22502, Monday, Apr 10,2017 14:58:28
[LAN access from remote] from 59.6.223.131:20560 to 192.168.1.13:22502, Monday, Apr 10,2017 14:57:15
[LAN access from remote] from 95.26.87.84:43180 to 192.168.1.13:22502, Monday, Apr 10,2017 14:55:14
[LAN access from remote] from 37.52.99.103:21777 to 192.168.1.13:22502, Monday, Apr 10,2017 14:55:07
[LAN access from remote] from 77.160.239.17:14088 to 192.168.1.13:22502, Monday, Apr 10,2017 14:54:18
[LAN access from remote] from 125.54.212.17:15660 to 192.168.1.13:22502, Monday, Apr 10,2017 14:54:14
This ONLY occurs when UPnP is turned On.
 
I turn UPnP Off when not working on it, but they need it On in order to both use their Xbox on the same network at the same time. Luckily it doesn't happen often, but this is for another post.
I ran netstat -a -o | find "64406" on his PC and found that the PID belonged to Skype. I logged in and out over and over and found that while I was logged into Skype, the "LAN access…" would occur. I force quit programs, games and background processes with no help.
 
I compared running services while Skype was logged in and out, nothing changed. I do not get this when I run Skype on my PC or my Wife's PC.
 
I ran Windows "Malicious Software Removal Tool", Webroot SecureAnywhere, Malwarebytes and McAfee virus scans, and the anti-rootkit tools F-Secure and Sophos Virus Removal Tool, and nothing was found.
 
Tried the obvious: uninstall Skype and reinstall it. It did not work. The only thing it did was change the port from 64406 to 22502.
I even had Geek Squad look at it. After looking it over for a while he said they wouldn't be able to help me. I did agree to let them run their plethora of software on it. They did their standard tweaks, but found nothing. He thought Microsoft was just pinging sites. I disagreed because 1) they are obtaining LAN access to his PC. 2) some of the sites are Amazon, Google, McAfee, but most of them are all over the world: New Zealand, Ivory Coast, Belarus, Poland, Kabul, Afghanistan, etc. They're all over the place, I can't even block IPs.
 
I'm sure this came from one of the sites my son likes to watch videos on. I can do a Last Known Config to where we did a System Refresh, but that won't solve the future possibilities. Once I can identify the problem, I'll be able to block it from happening again.
 
I am stopping any further scans (except running FRST below) or troubleshooting and hoping the Malware Response Team will be able to help.
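The pattern in the router log quoted above (many different remote addresses reaching one internal host:port while UPnP is on) is easier to see when the lines are grouped than when they are read one by one. The script below is an added example for readers of this thread, not part of the original post and not output of any tool the post mentions. It assumes the router log format shown above, embeds a constructed sample (the 192.168.1.13 lines are copied from the post, the 192.168.1.6 lines are made up to show a port with a single remote peer), and reports, per internal host:port, how many hits arrived and from how many distinct remote peers. A port contacted by many unrelated peers is reachable from the whole internet, which on a home router normally means a UPnP or manual port mapping exists for it; that port is the one to look up with `netstat -a -o` on the LAN host, as the post does.

```python
"""Summarise router "[LAN access from remote]" log lines per internal host:port."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the 192.168.1.13 lines mirror the router log quoted in the
# post; the 192.168.1.6 lines are made up (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.4, Monday, Apr 10,2017 15:18:53
[LAN access from remote] from 85.96.217.194:63575 to 192.168.1.13:22502, Monday, Apr 10,2017 15:18:25
[LAN access from remote] from 151.135.39.57:43151 to 192.168.1.13:22502, Monday, Apr 10,2017 15:17:02
[LAN access from remote] from 123.201.112.145:10785 to 192.168.1.13:22502, Monday, Apr 10,2017 15:14:54
[LAN access from remote] from 142.114.0.110:55094 to 192.168.1.13:22502, Monday, Apr 10,2017 15:11:45
[LAN access from remote] from 70.83.189.218:52620 to 192.168.1.13:22502, Monday, Apr 10,2017 15:10:58
[LAN access from remote] from 203.0.113.9:3074 to 192.168.1.6:3074, Monday, Apr 10,2017 15:09:10
[LAN access from remote] from 203.0.113.9:3074 to 192.168.1.6:3074, Monday, Apr 10,2017 15:08:02
"""

LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)
TIME_FMT = "%A, %b %d,%Y %H:%M:%S"  # e.g. "Monday, Apr 10,2017 15:18:25"


def parse_line(line):
    """Return a dict for one LAN-access line, or None for any other line (admin logins, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "when": datetime.strptime(m["when"], TIME_FMT),
    }


def summarize(log_text):
    """Group inbound hits by internal destination host:port.

    For each destination keep the hit count, the set of distinct remote
    source addresses and the first/last timestamp, so a port reached by
    many unrelated peers stands out from a single long-running session.
    """
    summary = defaultdict(lambda: {"hits": 0, "remotes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[f"{rec['dst']}:{rec['dport']}"]
        entry["hits"] += 1
        entry["remotes"].add(rec["src"])
        if entry["first"] is None or rec["when"] < entry["first"]:
            entry["first"] = rec["when"]
        if entry["last"] is None or rec["when"] > entry["last"]:
            entry["last"] = rec["when"]
    return dict(summary)


def exposed_ports(summary, min_remotes=3):
    """Internal host:port keys contacted by at least `min_remotes` distinct remote peers.

    One peer hitting a port repeatedly looks like a single session (a game
    party, a call); many distinct peers means the port is open to the whole
    internet, i.e. a UPnP or manual port mapping is forwarding it.
    """
    return sorted(k for k, v in summary.items() if len(v["remotes"]) >= min_remotes)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, v in sorted(report.items()):
        print(f"{key}: {v['hits']} hits from {len(v['remotes'])} distinct remotes "
              f"between {v['first']:%H:%M:%S} and {v['last']:%H:%M:%S}")
    for key in exposed_ports(report):
        host, port = key.rsplit(":", 1)
        print(f"look up the owning process of port {port} on {host}: netstat -a -o | find \"{port}\"")
```

Paste the full router log into `SAMPLE_LOG` (or read it from a file) and the `192.168.1.13:22502` style of entry, five or more distinct peers in a few minutes, is reported as exposed while the single-peer Xbox port is not. Lower `min_remotes` if the router only keeps a short log.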
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Jonathan (administrator) on BIOFEVER (10-04-2017 19:11:32)
Running from C:\Users\Jonathan\Downloads\Farbar Recovery Scan Tool (FRST)
Loaded Profiles: Jonathan (Available Profiles: Jonathan)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Webroot) C:\Program Files\Webroot\WRSA.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Webroot) C:\Program Files\Webroot\WRSA.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(McAfee, Inc.) C:\Program Files\McAfee\MfeAV\MfeAVSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
() C:\Windows\System32\igfxTray.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvspcaps64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\2.3.322.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\ShadowPlay\nvsphelper64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\VSCore_15_6\mcapexe.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(MAGIX AG) C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\McChHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Trend Micro Inc.) C:\Users\Jonathan\Downloads\HijackThis.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20605_x64__8wekyb3d8bbwe\livecomm.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Browser\SkypeBrowserHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7158344 2013-03-18] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1278024 2013-03-08] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [286192 2013-01-31] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ShadowPlay] => "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [ASUS Ai Charger] => C:\Program Files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe [547984 2012-08-13] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Autodesk Desktop App] => C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe [721856 2016-07-01] (Autodesk, Inc.)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files\Webroot\WRSA.exe [992056 2017-01-19] (Webroot)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-19\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-19\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-19\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-20\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-20\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-20\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-20\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3019552 2017-03-22] (Valve Corporation)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [GoogleChromeAutoLaunch_67B49362D3A8C1AAF36B88B38FC33840] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1111896 2017-03-29] (Google Inc.)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [HP Officejet 5740 series (NET)] => C:\Program Files\HP\HP Officejet 5740 series\Bin\ScanToPCActivationApp.exe [3770000 2016-07-28] (HP Inc.)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [Discord] => C:\Users\Jonathan\AppData\Local\Discord\app-0.0.297\Discord.exe [64290304 2017-01-04] (Hammer & Chisel, Inc.)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3044848 2017-01-12] (Electronic Arts)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27774936 2017-04-02] (Skype Technologies S.A.)
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-18\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-18\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-18\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-18\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-18\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoStartMenuSubFolders] 0
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\FileSyncShell64.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\FileSyncShell64.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\FileSyncShell64.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D} => C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\ASUSWSShellExt64.dll [2012-09-27] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileSyncShell.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileSyncShell.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Jonathan\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileSyncShell.dll [2016-09-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-01-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-01-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-01-31] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-08-03]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{EC762800-D6CF-450E-8B10-925B80658809}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com
HKU\S-1-5-21-3888602343-2966588038-2730974355-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-3888602343-2966588038-2730974355-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3888602343-2966588038-2730974355-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation)
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll [2016-08-03] (Webroot)
BHO: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files\Common Files\Webroot\WebFiltering\wrflt.dll [2017-01-27] (Webroot)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-01-31] (Microsoft Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation)
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll [2016-08-03] (Webroot)
BHO-x32: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files (x86)\Common Files\Webroot\WebFiltering\wrflt.dll [2017-01-27] (Webroot)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-01-31] (Microsoft Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll [2016-08-03] (Webroot)
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll [2016-08-03] (Webroot)
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-08-03] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-03-27] (McAfee, Inc.)
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll No File
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2017-02-28] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2017-02-28] (McAfee, Inc.)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1107\7.5.1107\firefoxextension => not found
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: (McAfee WebAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2017-02-14]
FF HKLM-x32\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1107\7.5.1107\firefoxextension => not found
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-04-07] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2017-02-28] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50905.0\npctrl.dll [2017-02-10] ( Microsoft Corporation)
FF Plugin: @unity3d.com/UnityPlayer64,version=1.0 -> C:\Program Files\Unity\WebPlayer64\loader-x64\npUnity3D64.dll [2015-06-08] (Unity Technologies ApS)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-04-07] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.0.72 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-02-15] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-02-15] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2017-02-28] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-12] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50905.0\npctrl.dll [2017-02-10] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-08-03] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-03-31] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-03-31] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @TrendMicro.com/FFExtension -> C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-06-30] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.yahoo.com/
CHR Profile: C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default [2017-04-10]
CHR Extension: (Google Slides) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-08-03]
CHR Extension: (Google Docs) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-03]
CHR Extension: (Google Drive) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-08-03]
CHR Extension: (YouTube) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-08-03]
CHR Extension: (Adblock Plus) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-03-21]
CHR Extension: (QuickHAC) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dnboopdmbbpaicaphfkcphonijbfhopg [2016-08-03]
CHR Extension: (Google Sheets) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-08-03]
CHR Extension: (McAfee® WebAdvisor) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2017-03-27]
CHR Extension: (Google Docs Offline) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-05]
CHR Extension: (Webroot Filtering Extension) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjeghcllfecehndceplomkocgfbklffd [2017-01-25]
CHR Extension: (Morpheon Dark) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mafbdhjdkjnoafhfelkjpchpaepjknad [2016-08-03]
CHR Extension: (Webroot Password Manager) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngkhgikojglcgnckopipfdajaifmmnnc [2017-04-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-08]
CHR Extension: (Gmail) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-08-03]
CHR Extension: (Chrome Media Router) - C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-06]
CHR HKLM\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1107\7.5.1107\chrome_tmbep.crx <not found>
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1107\7.5.1107\chrome_tmbep.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ngkhgikojglcgnckopipfdajaifmmnnc] - hxxp://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AdAppMgrSvc; C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe [1295376 2016-07-01] (Autodesk Inc.)
S3 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-06-01] ()
S3 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-06-01] (ASUSTeK Computer Inc.)
S3 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-17] (ASUSTeK Computer Inc.)
S3 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-19] () [File not signed]
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1522184 2017-04-05] ()
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042032 2017-01-17] (Microsoft Corporation)
R3 ClientAnalyticsService; C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe [1752480 2017-02-24] (Intel Security)
R2 Fabs; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [1840128 2011-05-24] (MAGIX AG) [File not signed]
S3 FirebirdServerMAGIXInstance; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2702848 2011-04-26] (MAGIX®) [File not signed]
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2016-08-20] (Hi-Rez Studios) [File not signed]
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-01-31] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [732160 2012-12-10] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-02-15] (Intel Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [188264 2017-03-27] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe [994312 2017-03-13] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\2.3.322.0\\McCSPServiceHost.exe [2054080 2017-02-28] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [241040 2017-01-18] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [385112 2017-01-18] (McAfee, Inc.)
R3 mfevtp; C:\WINDOWS\system32\mfevtps.exe [343792 2017-01-18] (McAfee, Inc.)
S3 mi-raysat_3dsmax2017_64; C:\Program Files\Autodesk\3ds Max 2017\raysat_3dsmax2017_64server.exe [86016 2011-09-14] () [File not signed]
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1551000 2017-03-10] (McAfee, Inc.)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [462784 2017-02-23] (NVIDIA Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [462784 2017-03-31] (NVIDIA Corporation)
R2 NvTelemetryContainer; C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe [427064 2017-03-31] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2121736 2017-01-12] (Electronic Arts)
S2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2183696 2017-01-12] (Electronic Arts)
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1104304 2016-11-15] (Intel Security, Inc.)
R2 PnkBstrA; C:\WINDOWS\SysWOW64\PnkBstrA.exe [76152 2016-11-23] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-04-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-04-07] (Microsoft Corporation)
R2 WRSVC; C:\Program Files\Webroot\WRSA.exe [992056 2017-01-19] (Webroot)
S2 HPSLPSVC; C:\Users\Jonathan\AppData\Local\Temp\7zS492D\hpslpsvc64.dll [X] <==== ATTENTION
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AiCharger; C:\Windows\SysWow64\drivers\AiCharger.sys [14848 2012-03-22] (ASUSTek Computer Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R3 AU8168; C:\WINDOWS\system32\DRIVERS\au630x64.sys [792648 2013-09-23] (Realtek                                            )
R3 cfwids; C:\WINDOWS\System32\drivers\cfwids.sys [88464 2017-01-20] (McAfee, Inc.)
S3 HipShieldK; C:\WINDOWS\System32\drivers\HipShieldK.sys [207968 2016-02-24] (McAfee, Inc.)
R3 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [487184 2017-01-20] (McAfee, Inc.)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [366328 2017-01-20] (McAfee, Inc.)
U3 mfeavfk01; no ImagePath
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [85048 2017-01-23] (McAfee, Inc.)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [518704 2017-01-20] (McAfee, Inc.)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [923640 2017-01-20] (McAfee, Inc.)
R3 mfencbdc; C:\WINDOWS\System32\DRIVERS\mfencbdc.sys [498648 2017-01-19] (McAfee, Inc.)
S3 mfencrk; C:\WINDOWS\System32\DRIVERS\mfencrk.sys [109320 2017-01-19] (McAfee, Inc.)
R3 mfeplk; C:\WINDOWS\System32\drivers\mfeplk.sys [110256 2017-01-20] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [46240 2016-06-06] (McAfee, Inc.)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [254800 2017-01-20] (McAfee, Inc.)
R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [27584 2017-02-23] (NVIDIA Corporation)
R3 NVVADARM; C:\WINDOWS\system32\drivers\nvvadarm.sys [47672 2017-03-31] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [46016 2017-01-20] (NVIDIA Corporation)
R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-01-20] (NVIDIA Corporation)
R1 RegHiveRecovery; C:\WINDOWS\system32\drivers\RegHiveRecovery.sys [48304 2014-02-20] (Microsoft Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [46600 2017-04-07] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [274776 2017-04-07] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [117592 2017-04-07] (Microsoft Corporation)
S3 WIMMount; C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimmount.sys [40552 2013-08-22] (Microsoft Corporation)
R0 WRkrn; C:\WINDOWS\System32\drivers\WRkrn.sys [143248 2017-04-10] (Webroot)
S3 wrUrlFlt; C:\WINDOWS\system32\DRIVERS\wrUrlFlt.sys [66328 2016-09-30] (Webroot)
S3 xb1usb; C:\WINDOWS\System32\drivers\xb1usb.sys [34016 2014-05-27] (Microsoft Corporation)
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S3 MBAMWebProtection; \??\C:\WINDOWS\system32\drivers\mwac.sys [X]
U0 SR; no ImagePath
U2 srservice; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-10 18:49 - 2017-04-10 19:11 - 00000000 ____D C:\FRST
2017-04-10 18:48 - 2017-04-10 19:11 - 00000000 ____D C:\Users\Jonathan\Downloads\Farbar Recovery Scan Tool (FRST)
2017-04-10 10:49 - 2017-04-10 10:49 - 00001211 _____ C:\Users\Jonathan\Desktop\HijackThis.exe - Shortcut.lnk
2017-04-09 21:07 - 2017-04-09 21:08 - 00000000 ____D C:\Users\Jonathan\Documents\Windows Credentials
2017-04-09 19:58 - 2017-04-09 19:58 - 00388608 _____ (Trend Micro Inc.) C:\Users\Jonathan\Downloads\HijackThis.exe
2017-04-07 20:07 - 2016-09-10 21:20 - 00843440 _____ (Sysinternals - www.sysinternals.com) C:\Users\Jonathan\Downloads\Autoruns64.exe
2017-04-07 20:06 - 2017-04-10 17:33 - 00003860 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-04-07 19:52 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2017-04-07 19:30 - 2017-04-07 19:30 - 00113794 _____ C:\Users\Jonathan\Desktop\Agent Notes 9URHPiNuuy 2017-04-07.pdf
2017-04-07 19:22 - 2017-04-07 19:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-04-07 19:11 - 2017-04-07 19:11 - 00002238 _____ C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Geek Squad Online Support (4).lnk
2017-04-07 18:40 - 2017-04-07 18:40 - 00002238 _____ C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Geek Squad Online Support (3).lnk
2017-04-07 18:22 - 2017-04-07 18:22 - 03714048 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 02513408 _____ (Microsoft Corporation) C:\WINDOWS\system32\storagewmi.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 02240512 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 01495552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\storagewmi.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 01388544 _____ (Microsoft Corporation) C:\WINDOWS\system32\mispace.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 01113944 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndis.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 01108480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mispace.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00994760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00990040 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\http.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00955016 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmp4srcsnk.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00922432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00897024 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00865792 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00842240 _____ (Microsoft Corporation) C:\WINDOWS\system32\samsrv.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00840192 _____ (Microsoft Corporation) C:\WINDOWS\system32\netlogon.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00787688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmp4srcsnk.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00696832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netlogon.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00477184 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00447095 _____ C:\WINDOWS\system32\ApnDatabase.xml
2017-04-07 18:22 - 2017-04-07 18:22 - 00422744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\spaceport.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00379736 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00342016 _____ (Microsoft Corporation) C:\WINDOWS\system32\SessEnv.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00296960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SessEnv.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00274776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdFilter.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00269824 _____ (Microsoft Corporation) C:\WINDOWS\system32\DafPrintProvider.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00242176 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSCard.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00204288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DafPrintProvider.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00201728 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00170496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinSCard.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00158720 _____ (Microsoft Corporation) C:\WINDOWS\system32\certprop.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00138752 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dfsc.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2017-04-07 18:22 - 2017-04-07 18:22 - 00133120 _____ (Microsoft Corporation) C:\WINDOWS\system32\ScDeviceEnum.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00117592 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdNisDrv.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00111616 _____ (Microsoft Corporation) C:\WINDOWS\system32\samlib.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00065024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\samlib.dll
2017-04-07 18:22 - 2017-04-07 18:22 - 00046600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdBoot.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00040960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\scfilter.sys
2017-04-07 18:22 - 2017-04-07 18:22 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2017-04-07 18:22 - 2017-04-07 18:22 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2017-04-07 17:55 - 2017-04-07 17:55 - 00000000 ____D C:\Users\Jonathan\AppData\Local\NPE
2017-04-07 17:55 - 2017-04-07 17:55 - 00000000 ____D C:\ProgramData\Norton
2017-04-07 17:36 - 2017-04-07 17:36 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-04-07 17:35 - 2017-04-07 17:35 - 00000000 ____D C:\Program Files\Malwarebytes
2017-04-07 17:32 - 2017-04-07 17:32 - 00000000 ____D C:\Users\Jonathan\AppData\Local\Adobe
2017-04-07 17:30 - 2017-04-07 17:30 - 00002238 _____ C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Geek Squad Online Support (2).lnk
2017-04-07 17:22 - 2017-04-07 17:24 - 00244732 _____ C:\TDSSKiller.3.1.0.12_07.04.2017_17.22.33_log.txt
2017-04-07 17:17 - 2017-04-07 17:17 - 00000000 ____D C:\ProgramData\Geek Squad
2017-04-07 17:16 - 2017-04-07 17:16 - 00004324 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-04-07 17:14 - 2017-04-07 17:14 - 00010490 _____ C:\Users\Jonathan\Documents\Book1.xlsx
2017-04-07 16:34 - 2017-04-07 16:34 - 00000248 _____ C:\rescue.info
2017-04-07 16:31 - 2017-04-07 16:31 - 01830440 _____ (LogMeIn, Inc.) C:\Users\Jonathan\Downloads\Support-LogMeInRescue.exe
2017-04-07 16:31 - 2017-04-07 16:31 - 00002276 _____ C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Geek Squad Online Support.lnk
2017-04-07 14:22 - 2017-04-07 14:22 - 00001798 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2017-04-07 14:22 - 2017-04-07 14:22 - 00001615 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark Legacy.lnk
2017-04-06 18:22 - 2017-03-31 22:20 - 00001951 _____ C:\WINDOWS\NvTelemetryContainerRecovery.bat
2017-04-06 18:22 - 2017-03-31 20:36 - 00136248 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvStreaming.exe
2017-04-06 18:22 - 2017-03-10 16:17 - 00536864 _____ C:\WINDOWS\system32\vulkan-1.dll
2017-04-06 18:22 - 2017-03-10 16:17 - 00525600 _____ C:\WINDOWS\SysWOW64\vulkan-1.dll
2017-04-06 18:22 - 2017-03-10 16:17 - 00254240 _____ C:\WINDOWS\system32\vulkaninfo.exe
2017-04-06 18:22 - 2017-03-10 16:17 - 00233760 _____ C:\WINDOWS\SysWOW64\vulkaninfo.exe
2017-04-06 18:19 - 2017-04-02 11:12 - 00218040 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvhda64v.sys
2017-04-06 18:19 - 2017-04-02 11:12 - 00046008 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdap64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 40201152 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcompiler.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 35315256 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglv64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 35280320 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcompiler.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 16431320 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvd3dumx.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 14653888 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvlddmkm.sys
2017-04-06 18:19 - 2017-03-31 22:20 - 11112928 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 11056272 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvptxJitCompiler.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 10636240 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 09316648 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuda.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 09014792 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvptxJitCompiler.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 08876272 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvopencl.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 03430336 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 03012152 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvcuvid.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 01988032 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco6438165.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 01591352 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco6438165.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 01054776 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvFBC64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00991800 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvFBC.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00960448 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFR64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00912952 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFR.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00895784 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmcumd.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00688968 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvfatbinaryLoader.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00609728 _____ (NVIDIA Corporation) C:\WINDOWS\system32\NvIFROpenGL.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00577544 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvfatbinaryLoader.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00507504 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvEncodeAPI64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00499136 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\NvIFROpenGL.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00426312 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvEncodeAPI.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00406736 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvumdshim.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00170360 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvinitx.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00153184 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglshim64.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00148016 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvinit.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00131720 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglshim32.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00126008 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvaudcaparm.dll
2017-04-06 18:19 - 2017-03-31 22:20 - 00047672 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\nvvadarm.sys
2017-04-06 18:19 - 2017-03-31 22:20 - 00000669 _____ C:\WINDOWS\SysWOW64\nv-vk32.json
2017-04-06 18:19 - 2017-03-31 22:20 - 00000669 _____ C:\WINDOWS\system32\nv-vk64.json
2017-04-06 13:49 - 2017-04-06 13:49 - 00000000 _____ C:\netstat22502.txt
2017-04-06 13:48 - 2017-04-06 13:48 - 00000000 _____ C:\netstat
2017-04-06 11:25 - 2017-04-06 11:25 - 00915128 _____ (Riverbed Technology, Inc.) C:\Users\Jonathan\Downloads\WinPcap_4_1_3.exe
2017-04-06 10:54 - 2017-04-06 10:54 - 00164976 _____ C:\Users\Jonathan\Downloads\Network_Join_Nokia_Mobile.pcap
2017-04-06 10:34 - 2017-04-06 10:47 - 00000000 ____D C:\Users\Jonathan\AppData\Roaming\Wireshark
2017-04-06 10:18 - 2017-04-07 14:22 - 00000000 ____D C:\Program Files (x86)\WinPcap
2017-04-06 10:18 - 2017-04-06 10:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
2017-04-06 10:03 - 2017-04-07 14:22 - 00000000 ____D C:\Program Files\Wireshark
2017-04-06 09:51 - 2017-04-06 09:52 - 47778256 _____ (Wireshark development team) C:\Users\Jonathan\Downloads\Wireshark-win64-2.0.11.exe
2017-04-05 18:48 - 2017-04-05 18:48 - 00000000 ____D C:\Users\Jonathan\AppData\Local\TslGame
2017-04-05 16:56 - 2017-04-05 16:56 - 00134705 _____ C:\tasklist2.txt
2017-04-05 16:38 - 2017-04-05 16:38 - 00129602 _____ C:\tasklist.txt
2017-03-28 10:40 - 2017-04-10 19:10 - 00000000 ____D C:\Users\Jonathan\AppData\Roaming\Skype
2017-03-28 10:40 - 2017-04-07 17:45 - 00000000 ___RD C:\Program Files (x86)\Skype
2017-03-28 10:40 - 2017-03-28 10:40 - 00002713 _____ C:\Users\Public\Desktop\Skype.lnk
2017-03-28 10:40 - 2017-03-28 10:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-03-28 10:39 - 2017-03-28 10:39 - 01631704 _____ (Skype Technologies S.A.) C:\Users\Jonathan\Downloads\SkypeSetup.exe
2017-03-28 10:37 - 2017-03-28 10:38 - 00000000 ____D C:\Users\Jonathan\Desktop\Temp Skype folders
2017-03-27 16:46 - 2017-03-27 16:48 - 00000000 ____D C:\Users\Jonathan\Documents\Virus scans
2017-03-27 16:26 - 2017-03-27 16:26 - 57131432 _____ (Malwarebytes ) C:\Users\Jonathan\Downloads\mb3-setup-consumer-3.0.6.1469-1075.exe
2017-03-27 16:16 - 2017-04-07 19:53 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-03-27 16:16 - 2017-03-28 08:58 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-03-27 16:16 - 2017-03-27 16:16 - 00001407 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2017-03-27 16:16 - 2017-03-27 16:16 - 00001395 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2017-03-27 16:16 - 2017-03-27 16:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2017-03-27 16:16 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2017-03-27 16:11 - 2017-03-27 16:12 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Jonathan\Downloads\spybot-2.4.exe
2017-03-27 13:54 - 2017-03-27 13:54 - 00000000 ____D C:\ProgramData\Sophos
2017-03-27 13:44 - 2017-03-27 13:45 - 165163936 _____ (Sophos Limited) C:\Users\Jonathan\Downloads\Sophos Virus Removal Tool.exe
2017-03-27 13:33 - 2017-03-27 16:35 - 00000000 ____D C:\Users\Jonathan\AppData\Local\FSDART
2017-03-27 13:33 - 2017-03-27 13:37 - 00000000 ____D C:\ProgramData\F-Secure
2017-03-27 13:33 - 2017-03-27 13:33 - 00000000 ____D C:\Users\Jonathan\AppData\Local\F-Secure
2017-03-27 13:31 - 2017-03-27 13:31 - 00524248 _____ (F-Secure Corporation) C:\Users\Jonathan\Downloads\F-SecureOnlineScanner.exe
2017-03-27 13:12 - 2017-03-27 13:13 - 00000000 ____D C:\Users\Jonathan\Downloads\Malicious Software Removal Tool
2017-03-24 16:47 - 2017-03-27 12:38 - 00003988 _____ C:\WINDOWS\System32\Tasks\Reflux Medicine
2017-03-15 11:31 - 2017-02-23 09:50 - 00093360 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-03-15 11:31 - 2017-02-22 09:35 - 01609216 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 01286144 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00646656 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00556544 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00335360 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00293376 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00233984 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-03-15 11:31 - 2017-02-22 09:35 - 00133632 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-03-14 22:08 - 2017-03-14 22:08 - 00000000 ____D C:\Users\Jonathan\AppData\Local\Uber Entertainment
2017-03-14 12:49 - 2017-03-04 03:01 - 00576512 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-03-14 12:49 - 2017-03-04 02:59 - 02895360 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-03-14 12:49 - 2017-03-04 02:48 - 25746944 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-03-14 12:49 - 2017-03-04 02:45 - 00114688 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieetwcollector.exe
2017-03-14 12:49 - 2017-03-04 02:44 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-03-14 12:49 - 2017-03-04 02:31 - 06045696 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-03-14 12:49 - 2017-03-04 02:05 - 01033216 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2017-03-14 12:49 - 2017-03-04 01:54 - 00806912 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2017-03-14 12:49 - 2017-03-04 01:26 - 15259648 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-03-14 12:49 - 2017-03-04 01:25 - 03241984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-03-14 12:49 - 2017-03-04 01:12 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-03-14 12:49 - 2017-03-04 01:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2017-03-14 12:49 - 2017-03-03 23:18 - 20281856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-03-14 12:49 - 2017-03-02 13:01 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-03-14 12:49 - 2017-03-02 12:55 - 02287104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-03-14 12:49 - 2017-03-02 12:49 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-03-14 12:49 - 2017-03-02 12:25 - 00880640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2017-03-14 12:49 - 2017-03-02 12:22 - 04604416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-03-14 12:49 - 2017-03-02 12:19 - 00693248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2017-03-14 12:49 - 2017-03-02 12:11 - 13654528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-03-14 12:49 - 2017-03-02 11:53 - 02767360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-03-14 12:49 - 2017-03-02 11:50 - 01312768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-03-14 12:49 - 2017-03-02 11:50 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2017-03-14 12:49 - 2017-02-11 14:25 - 00417792 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2017-03-14 12:49 - 2017-02-11 00:12 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2017-03-14 12:49 - 2017-02-11 00:12 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2017-03-14 12:49 - 2017-02-11 00:00 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2017-03-14 12:49 - 2017-02-10 23:58 - 00378880 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2017-03-14 12:49 - 2017-02-10 23:56 - 02131456 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2017-03-14 12:49 - 2017-02-10 14:09 - 04169728 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-03-14 12:49 - 2017-02-10 00:34 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2017-03-14 12:49 - 2017-02-10 00:10 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2017-03-14 12:49 - 2017-02-10 00:09 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2017-03-14 12:49 - 2017-02-10 00:08 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2017-03-14 12:49 - 2017-02-10 00:01 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2017-03-14 12:49 - 2017-02-10 00:00 - 00330752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2017-03-14 12:49 - 2017-02-09 23:59 - 02055680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2017-03-14 12:49 - 2017-02-09 20:31 - 01549144 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-03-14 12:49 - 2017-02-09 19:12 - 01375960 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2017-03-14 12:49 - 2017-02-09 10:28 - 01987584 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2017-03-14 12:49 - 2017-02-09 10:19 - 01377792 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2017-03-14 12:49 - 2017-02-09 10:16 - 01560064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWrite.dll
2017-03-14 12:49 - 2017-02-09 10:16 - 01094656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2017-03-14 12:49 - 2017-02-09 09:59 - 00658432 _____ (Microsoft Corporation) C:\WINDOWS\system32\dnsapi.dll
2017-03-14 12:49 - 2017-02-09 09:58 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dnsapi.dll
2017-03-14 12:49 - 2017-02-09 09:58 - 00252416 _____ (Microsoft Corporation) C:\WINDOWS\system32\dnsrslvr.dll
2017-03-14 12:49 - 2017-02-04 15:32 - 07444832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-03-14 12:49 - 2017-02-04 15:30 - 01663184 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2017-03-14 12:49 - 2017-02-04 15:30 - 01523216 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2017-03-14 12:49 - 2017-02-04 15:30 - 01490128 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2017-03-14 12:49 - 2017-02-04 15:30 - 01358960 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2017-03-14 12:49 - 2017-02-04 14:32 - 00251392 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2017-03-14 12:49 - 2017-02-04 14:30 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2017-03-14 12:49 - 2017-02-04 13:14 - 01001472 _____ (Microsoft Corporation) C:\WINDOWS\HelpPane.exe
2017-03-14 12:49 - 2017-02-04 12:50 - 00243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\icm32.dll
2017-03-14 12:49 - 2017-02-04 12:40 - 01754112 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2017-03-14 12:49 - 2017-02-04 12:32 - 00584704 _____ (Microsoft Corporation) C:\WINDOWS\system32\mscms.dll
2017-03-14 12:49 - 2017-02-04 12:17 - 00223232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\icm32.dll
2017-03-14 12:49 - 2017-02-04 12:10 - 01491456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2017-03-14 12:49 - 2017-02-04 12:05 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mscms.dll
2017-03-14 12:49 - 2017-01-21 16:37 - 00567152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-03-14 12:49 - 2017-01-21 14:27 - 00756736 _____ (Microsoft Corporation) C:\WINDOWS\system32\adtschema.dll
2017-03-14 12:49 - 2017-01-21 14:27 - 00061952 _____ (Microsoft Corporation) C:\WINDOWS\system32\msobjs.dll
2017-03-14 12:49 - 2017-01-21 13:40 - 00756736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\adtschema.dll
2017-03-14 12:49 - 2017-01-21 13:40 - 00061952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msobjs.dll
2017-03-14 12:49 - 2017-01-21 13:37 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2017-03-14 12:49 - 2017-01-21 12:58 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2017-03-14 12:49 - 2017-01-21 12:48 - 01437696 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-03-14 12:49 - 2017-01-14 12:49 - 00146944 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininit.exe
2017-03-14 12:49 - 2017-01-11 14:37 - 02345984 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3.dll
2017-03-14 12:49 - 2017-01-10 14:08 - 01549312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml3.dll
2017-03-14 12:49 - 2017-01-05 13:20 - 01697792 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2017-03-14 12:49 - 2017-01-05 13:09 - 07076864 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2017-03-14 12:49 - 2017-01-05 12:36 - 01501184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2017-03-14 12:49 - 2017-01-05 12:29 - 05273600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2017-03-14 12:49 - 2017-01-05 12:13 - 07796224 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2017-03-14 12:49 - 2017-01-05 11:57 - 05268480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2017-03-14 12:49 - 2016-11-09 14:22 - 00681472 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2017-03-11 16:56 - 2017-03-11 16:56 - 00000000 ____D C:\Users\Jonathan\AppData\LocalLow\Mastfire Studios
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-10 18:51 - 2014-11-21 03:44 - 00865408 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-10 18:51 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\Inf
2017-04-10 12:25 - 2016-08-03 07:32 - 00000000 ____D C:\ProgramData\NVIDIA
2017-04-10 09:52 - 2016-08-02 20:55 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3888602343-2966588038-2730974355-1001
2017-04-10 09:42 - 2016-08-03 13:43 - 00000000 ____D C:\Program Files (x86)\Steam
2017-04-10 09:38 - 2016-08-03 08:23 - 00000000 ____D C:\Users\Jonathan\OneDrive
2017-04-10 09:36 - 2017-01-16 12:42 - 00000000 __SHD C:\Users\Jonathan\IntelGraphicsProfiles
2017-04-10 09:35 - 2016-08-13 22:21 - 00000000 ____D C:\Program Files (x86)\Hi-Rez Studios
2017-04-10 09:34 - 2016-08-03 20:10 - 00143248 _____ (Webroot) C:\WINDOWS\system32\Drivers\WRkrn.sys
2017-04-10 09:34 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-09 22:09 - 2013-08-22 08:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-04-09 20:17 - 2016-08-02 20:47 - 00000000 ____D C:\Users\Jonathan\AppData\Local\VirtualStore
2017-04-09 11:13 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\rescache
2017-04-08 23:10 - 2016-08-03 20:09 - 00000000 ____D C:\ProgramData\WRData
2017-04-07 19:52 - 2016-11-17 14:04 - 00000000 ____D C:\Program Files\Common Files\AV
2017-04-07 19:25 - 2016-08-27 19:15 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2017-04-07 19:25 - 2016-08-27 19:15 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2017-04-07 19:23 - 2013-08-22 10:36 - 00000000 ___RD C:\WINDOWS\ToastData
2017-04-07 19:23 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2017-04-07 19:23 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2017-04-07 19:22 - 2012-07-26 02:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-04-07 17:45 - 2016-08-03 11:00 - 00000000 ____D C:\ProgramData\Skype
2017-04-07 17:24 - 2016-09-11 03:43 - 00110592 ___SH C:\Users\Jonathan\Desktop\Thumbs.db
2017-04-07 17:18 - 2016-12-29 12:17 - 00000000 ____D C:\temp
2017-04-07 17:16 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-04-07 17:16 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-04-07 16:24 - 2016-08-07 01:32 - 00000000 ____D C:\Users\Jonathan\AppData\Roaming\TS3Client
2017-04-07 16:24 - 2016-08-06 00:20 - 00000000 ____D C:\Users\Jonathan\AppData\Local\CrashDumps
2017-04-06 18:22 - 2017-01-27 20:33 - 00000000 ____D C:\Program Files (x86)\VulkanRT
2017-04-06 18:22 - 2016-08-05 23:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2017-04-06 18:22 - 2016-08-03 07:32 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2017-04-06 18:22 - 2016-08-03 07:32 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2017-04-06 18:22 - 2016-08-03 07:32 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2017-04-06 18:13 - 2016-09-24 18:52 - 00003852 _____ C:\WINDOWS\System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:13 - 2016-09-24 18:52 - 00001432 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2017-04-06 18:11 - 2016-12-29 12:11 - 00004146 _____ C:\WINDOWS\System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:11 - 2016-09-24 18:52 - 00003738 _____ C:\WINDOWS\System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:11 - 2016-09-24 18:52 - 00003738 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:11 - 2016-09-24 18:52 - 00003730 _____ C:\WINDOWS\System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:11 - 2016-09-24 18:52 - 00003554 _____ C:\WINDOWS\System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 18:11 - 2016-09-24 18:52 - 00003494 _____ C:\WINDOWS\System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}
2017-04-06 11:05 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-04-06 10:04 - 2016-08-02 20:57 - 00000000 ____D C:\ProgramData\Package Cache
2017-04-05 18:48 - 2016-12-31 22:01 - 00000000 ____D C:\Users\Jonathan\AppData\Local\UnrealEngine
2017-04-05 16:05 - 2016-08-03 13:39 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-05 16:05 - 2016-08-03 13:39 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-04-02 11:12 - 2016-08-05 23:57 - 01600560 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvhdagenco6420103.dll
2017-03-31 22:20 - 2017-02-24 11:23 - 28560440 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvoglv32.dll
2017-03-31 22:20 - 2016-12-29 12:14 - 00042897 _____ C:\WINDOWS\system32\nvinfo.pb
2017-03-31 22:20 - 2016-10-22 17:02 - 00491208 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvumdshimx.dll
2017-03-31 22:20 - 2016-06-07 07:31 - 01591352 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmcvadgenco64.dll
2017-03-31 22:20 - 2016-06-07 06:58 - 20055968 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvwgf2umx.dll
2017-03-31 22:20 - 2016-06-07 06:58 - 17418608 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvwgf2um.dll
2017-03-31 22:20 - 2016-06-07 06:56 - 13398512 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvd3dum.dll
2017-03-31 22:20 - 2016-06-07 06:55 - 04071816 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvapi64.dll
2017-03-31 22:20 - 2016-06-07 06:55 - 03588376 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvapi.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 06437312 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcpl.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 02481208 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc64.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 01764408 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvcr.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 00549944 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshext.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 00393784 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmctray.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 00081856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nv3dappshextr.dll
2017-03-31 21:10 - 2016-08-03 07:32 - 00071224 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvshext.dll
2017-03-31 21:09 - 2016-09-24 18:52 - 00001951 _____ C:\WINDOWS\NvContainerRecovery.bat
2017-03-31 05:15 - 2016-08-03 07:32 - 07851747 _____ C:\WINDOWS\system32\nvcoproc.bin
2017-03-30 11:54 - 2016-11-17 14:04 - 00000000 ____D C:\Program Files (x86)\McAfee
2017-03-30 11:54 - 2016-11-17 13:59 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-29 19:12 - 2016-11-17 14:04 - 00000000 ____D C:\Program Files\McAfee
2017-03-29 19:10 - 2016-11-17 14:04 - 00003068 _____ C:\WINDOWS\System32\Tasks\McAfeeLogon
2017-03-29 19:10 - 2016-11-17 14:04 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-03-29 19:10 - 2012-07-26 03:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2017-03-29 19:08 - 2016-11-17 13:59 - 00000000 ____D C:\ProgramData\McAfee
2017-03-27 17:02 - 2016-09-20 12:04 - 00000000 ____D C:\Program Files (x86)\Auslogics
2017-03-27 17:02 - 2016-08-02 21:02 - 00000000 ____D C:\Program Files\Enigma Software Group
2017-03-27 13:11 - 2016-08-03 00:58 - 138634176 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-03-25 17:14 - 2016-08-09 23:53 - 00000000 ____D C:\Users\Jonathan\AppData\Local\Battle.net
2017-03-25 16:49 - 2016-08-09 23:53 - 00000000 ____D C:\Program Files (x86)\Overwatch
2017-03-25 16:45 - 2016-11-20 12:45 - 00000000 ____D C:\Program Files (x86)\Heroes of the Storm
2017-03-25 16:45 - 2016-08-09 23:50 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-03-25 16:44 - 2016-10-22 15:02 - 00000000 ____D C:\Users\Jonathan\AppData\Roaming\Origin
2017-03-25 16:44 - 2016-10-22 15:01 - 00000000 ____D C:\ProgramData\Origin
2017-03-21 17:06 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-03-21 17:05 - 2016-08-03 09:07 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-03-16 06:45 - 2013-08-22 09:44 - 05178288 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-03-15 22:49 - 2016-08-03 08:56 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-03-15 00:22 - 2016-08-03 00:58 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-03-14 21:45 - 2017-03-04 22:27 - 01420792 _____ C:\WINDOWS\ntbtlog.txt
2017-03-14 16:23 - 2016-08-03 07:41 - 00000000 ____D C:\Users\Jonathan
2017-03-14 15:39 - 2016-11-17 14:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2017-03-14 15:39 - 2016-08-03 21:50 - 00000000 ____D C:\ProgramData\pdf995
2017-03-14 15:39 - 2016-08-03 20:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere
2017-03-14 15:39 - 2016-08-03 20:10 - 00000000 ____D C:\Program Files\Webroot
2017-03-14 15:39 - 2014-11-21 10:56 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2017-03-14 15:39 - 2013-08-22 10:36 - 00000000 __RSD C:\WINDOWS\Media
2017-03-14 15:39 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2017-03-14 15:39 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\servicing
2017-03-14 15:37 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-14 15:31 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\registration
2017-03-14 15:31 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-03-12 16:43 - 2016-08-03 12:12 - 00000000 ____D C:\Users\Jonathan\Documents\3dsMax
 
==================== Files in the root of some directories =======
 
2016-09-08 07:28 - 2016-09-08 07:28 - 0000048 ____H () C:\Program Files (x86)\w6wuktdbts.dat
2016-08-03 20:11 - 2016-08-03 20:11 - 12964920 _____ (Webroot Software, Inc.) C:\Program Files (x86)\Common Files\wruninstall.exe
2017-01-05 20:05 - 2017-01-05 20:05 - 0000132 _____ () C:\Users\Jonathan\AppData\Roaming\Adobe AIFF Format CS6 Prefs
2016-09-11 04:16 - 2016-09-11 14:14 - 0000132 _____ () C:\Users\Jonathan\AppData\Roaming\Adobe PNG Format CS6 Prefs
2016-08-17 21:46 - 2016-08-18 16:28 - 0000299 _____ () C:\Users\Jonathan\AppData\Roaming\BreakingPoint_Login.ini
2016-08-17 21:46 - 2016-08-18 18:45 - 0001427 _____ () C:\Users\Jonathan\AppData\Roaming\BreakingPoint_Options.ini
2016-08-03 22:03 - 2016-08-03 22:03 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-12-29 12:11 - 2017-01-27 20:27 - 0005701 _____ () C:\ProgramData\NvTelemetryContainer.log
2016-12-29 12:11 - 2017-01-26 23:32 - 0005110 _____ () C:\ProgramData\NvTelemetryContainer.log_backup1
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-04-07 14:57
 
==================== End of FRST.txt ============================

#2 shelf life (Malware Response Team)

Posted 11 April 2017 - 04:38 PM

An app can continue to get hits even after the connection has ended. In p2p file sharing I can still get bombarded with requests from peers long after I exit the p2p client.

Don't know if that's helpful or not.

Pretty sure from what was run you wouldn't be botted. Remote access disabled in the router? Any p2p going on, online gaming?


How Can I Reduce My Risk to Malware?
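The point made in the reply above (peers keep knocking on a mapped port long after the client is gone) is something the router log itself can confirm, rather than guessing from the process list. The script below is an added example and is not from the thread or from any router vendor's code. It parses lines in the NETGEAR-style format the original post quotes (assumption: the router is a NETGEAR or another model using that same format) and reports, per internal host, which ports were hit and by how many distinct remote sources. One fixed internal port hit by many unrelated sources, each from a random source port, is the P2P/game signature; a single source walking several ports on one host is a sweep. The sample lines are constructed with documentation address ranges (RFC 5737) and are not the poster's real entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the NETGEAR-style format quoted in the thread.
# Source addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.4, Monday, Apr 10,2017 15:18:53
[LAN access from remote] from 198.51.100.7:63575 to 192.168.1.13:22502, Monday, Apr 10,2017 15:18:25
[LAN access from remote] from 203.0.113.44:43151 to 192.168.1.13:22502, Monday, Apr 10,2017 15:17:02
[LAN access from remote] from 198.51.100.201:10785 to 192.168.1.13:22502, Monday, Apr 10,2017 15:14:54
[LAN access from remote] from 203.0.113.9:55094 to 192.168.1.13:22502, Monday, Apr 10,2017 15:11:45
[LAN access from remote] from 198.51.100.7:52620 to 192.168.1.13:22502, Monday, Apr 10,2017 15:10:58
[LAN access from remote] from 203.0.113.77:3074 to 192.168.1.6:3074, Monday, Apr 10,2017 15:09:12
[LAN access from remote] from 203.0.113.78:40001 to 192.168.1.20:22, Monday, Apr 10,2017 15:08:01
[LAN access from remote] from 203.0.113.78:40002 to 192.168.1.20:23, Monday, Apr 10,2017 15:08:02
[LAN access from remote] from 203.0.113.78:40003 to 192.168.1.20:445, Monday, Apr 10,2017 15:08:03
[LAN access from remote] from 203.0.113.78:40004 to 192.168.1.20:3389, Monday, Apr 10,2017 15:08:04
"""

# Only the forwarded-connection entries; admin logins and other event types are skipped.
LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, "
    r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$"
)


def parse_lan_access(text):
    """Return one dict per '[LAN access from remote]' line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "ts": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
        })
    return events


def summarize(events):
    """Per internal host: ports hit, distinct sources, hit count and a rough verdict."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["dst"]].append(e)
    report = {}
    for host, evs in by_host.items():
        ports = sorted({e["dport"] for e in evs})
        sources = {e["src"] for e in evs}
        ports_per_src = defaultdict(set)
        for e in evs:
            ports_per_src[e["src"]].add(e["dport"])
        widest_sweep = max(len(p) for p in ports_per_src.values())
        if len(ports) == 1 and len(sources) > 1:
            verdict = "one fixed port, many peers: consistent with a forwarded/UPnP-mapped service (P2P, VoIP, game)"
        elif widest_sweep >= 3:
            verdict = "one source walking multiple ports: looks like a port sweep, check what rule forwards these"
        else:
            verdict = "too few events to classify"
        report[host] = {"ports": ports, "unique_sources": len(sources),
                        "hits": len(evs), "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, r in summarize(parse_lan_access(SAMPLE_LOG)).items():
        print(host, r["ports"], "sources=%d hits=%d" % (r["unique_sources"], r["hits"]))
        print("   ", r["verdict"])
```

NETGEAR describes this log entry as an inbound connection the router allowed through to a LAN device, so every line is traffic that reached the host; what the log does not say is which rule (port forward, UPnP mapping, DMZ) let it in. A host that shows the sweep verdict deserves a look at the router's forwarding table, because a plain NAT router would have dropped those packets unlogged.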


#3 ronells2000 (Topic Starter)

Posted 12 April 2017 - 09:53 AM

I'll try to remember what I typed up last night; I accidentally closed Chrome instead of another tab before I could send it.

Remote Access is turned Off on the router, and I had to turn it Off again on the computer after Geek Squad was done.

He doesn't have any p2p software on his computer, unless Steam is considered one. The only software he has loaded is related to school AND games (some of which are downloaded from the internet). I think it could be from a site he went to; he and his friends watch all kinds of videos on the web, which may be running ActiveX. Maybe? He uses Google Chrome, and I don't know how to disable it in Chrome.

As for an app that continues to run, I have force quit any program or game that's not needed and have disabled what I can before troubleshooting, so I don't think there's anything. I have searched the net for all the programs, background processes and services that are unfamiliar to me, but there are so many Windows processes and services that run that I have no idea what should and shouldn't be there. It only occurs when "signed in" to Skype and stops when I sign out, so I don't think it's something that continues to run. I was able to identify that it is Skype from the Process ID; isn't there a program out there that can tell me what other related process controlled by Skype is sending out network communication?

Is it possible that something has replaced a dll file or injected itself into one? I did run "tasklist /m" and found 4 dll's related to Skype and Skype Browser, but which ones? I found 2 wow64win.dll's, 15 wow64cpu.dll's, 15 wow64.dll's and 31 ntdll.dll files. Properties doesn't say what program it belongs to.

When I uninstalled Skype I made sure to delete the ProgramData\Skype folder and the AppData\Roaming\Skype folder (OK, I kept his personalized folders, like pictures and history, but I isolated them before putting them back).
The only thing I haven't done is touch the registry.

I could uninstall one program/game at a time to see which one causes it, but how can I verify it deleted the culprit and it isn't just waiting around for re-installation? Short of a System refresh.

Edited by ronells2000, 12 April 2017 - 10:26 AM.
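The post above asks how to tell which process is the one sending and receiving on the network. "tasklist /m" cannot answer that: it lists loaded modules, not sockets, and a DLL such as ntdll.dll is loaded by every process. The socket table is keyed by PID, so the practical answer is to join "netstat -ano" (sockets with owning PID) against "tasklist" (PID to image name). The script below is an added example, not from the thread; the two command outputs it parses are constructed samples with RFC 5737 documentation addresses, not captures from the poster's machine, and the PID and image values are made up.

```python
import re

# Constructed `netstat -ano` output (not captured from the poster's machine).
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:22502          0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.13:22502     203.0.113.44:43151     ESTABLISHED     4120
  TCP    192.168.1.13:49710     198.51.100.7:443       ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:22502          *:*                                    4120
  UDP    0.0.0.0:3702           *:*                                    1460
"""

# Constructed `tasklist` output for the same (hypothetical) PIDs.
TASKLIST = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    880 Services                   0     12,340 K
svchost.exe                   1460 Services                   0      8,112 K
Skype.exe                     4120 Console                    1    154,220 K
"""

# UDP rows have no State column, hence the optional group before the PID.
SOCK_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def _split_addr(addr):
    """'192.168.1.13:22502' -> ('192.168.1.13', 22502); also handles '[::]:135' and '*:*'."""
    host, port = addr.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    socks = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = _split_addr(local)
        rhost, rport = _split_addr(remote)
        socks.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport,
                      "state": state or "", "pid": int(pid)})
    return socks


def parse_tasklist(text):
    """PID -> image name; header and separator rows do not match TASK_RE."""
    pids = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def owners_of_port(port, netstat_text=NETSTAT_ANO, tasklist_text=TASKLIST):
    """Every socket bound locally to `port`, tagged with the owning image name."""
    pids = parse_tasklist(tasklist_text)
    return [dict(s, image=pids.get(s["pid"], "?"))
            for s in parse_netstat(netstat_text) if s["lport"] == port]


def sockets_of_image(image, netstat_text=NETSTAT_ANO, tasklist_text=TASKLIST):
    """All sockets (listeners and peers) owned by processes with this image name."""
    pids = {pid for pid, name in parse_tasklist(tasklist_text).items()
            if name.lower() == image.lower()}
    return [s for s in parse_netstat(netstat_text) if s["pid"] in pids]


if __name__ == "__main__":
    for s in owners_of_port(22502):
        print(s["proto"], s["lhost"], s["lport"], s["state"], "->", s["image"], s["pid"])
```

On the live machine, run both commands from an elevated prompt and feed their output to the two parsers; "netstat -anob" prints the image name itself but needs elevation, and on Windows 8 and later "Get-NetTCPConnection" with the OwningProcess property gives the same join from PowerShell. Whichever process owns the port the router log shows as the destination (22502 in the original post) is the one being hit, regardless of how many copies of ntdll.dll tasklist /m lists.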


#4 ronells2000 (Topic Starter)

Posted 12 April 2017 - 10:25 AM

I also forgot to ask, why does this only happen when UPnP is enabled?



#5 shelf life (Malware Response Team)

Posted 12 April 2017 - 06:18 PM

 

why does this only happen when UPnP is enabled?

See if this helps:

"Skype has implemented own uPnP (Universal Plug and Play) protocol since version 3.8" Some links:

https://www.mydigitallife.info/how-to-disable-upnp-in-skype-to-remove-open-tcp-and-udp-ports-in-firewall/

https://stackoverflow.com/questions/1539339/how-does-skype-work-without-port-forwarding


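What UPnP adds here, and why the log entries stop when it is switched off, is that a LAN application can ask the router over the IGD protocol to create a port mapping (external port to internal host and port) with no authentication at all; every later "LAN access from remote" entry is a hit on that mapping. The router keeps a table of those mappings and will enumerate it to anyone on the LAN who asks, so the table is the thing to audit. The script below is an added example and is not from the thread, from Skype, or from any router vendor. It builds the SSDP discovery datagram, extracts the control URL from the device description, builds the GetGenericPortMappingEntry SOAP call, walks the table until the gateway returns UPnP error 713 (index past the end), and flags mappings that are not on an allow-list. It assumes a gateway exposing WANIPConnection:1 (some use WANPPPConnection:1 instead), and the responses it consumes are constructed, not captured from a real router, so it runs offline; against a real gateway you would send ssdp_msearch() to 239.255.255.250:1900, fetch the LOCATION URL from the reply, and POST each SOAP body to control_url(...) with an HTTP client of your choice.

```python
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def ssdp_msearch(st=WANIP):
    """Discovery datagram for UDP 239.255.255.250:1900; the gateway replies with a LOCATION: URL."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: %s\r\n\r\n' % st).encode()


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the {namespace} prefix ElementTree adds


def _text(root, name):
    for el in root.iter():
        if _local(el.tag) == name:
            return el.text
    return None


def control_url(description_xml):
    """controlURL of the WANIPConnection service in the device description fetched from LOCATION."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) == "service" and _text(svc, "serviceType") == WANIP:
            return _text(svc, "controlURL")
    return None


def soap_get_mapping(index):
    """(headers, body) for an HTTP POST of GetGenericPortMappingEntry to the control URL."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>%d</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (WANIP, index))
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP}
    return headers, body.encode()


def parse_mapping(response_xml):
    """One mapping as a dict, or None on UPnP error 713 (index past the end of the table)."""
    root = ET.fromstring(response_xml)
    if _text(root, "errorCode") is not None:
        return None
    return {"proto": _text(root, "NewProtocol"),
            "ext_port": int(_text(root, "NewExternalPort")),
            "int_ip": _text(root, "NewInternalClient"),
            "int_port": int(_text(root, "NewInternalPort")),
            "enabled": _text(root, "NewEnabled") == "1",
            "desc": _text(root, "NewPortMappingDescription") or "",
            "lease": int(_text(root, "NewLeaseDuration") or 0)}


def walk_mappings(post, limit=1024):
    """post(headers, body) -> response bytes; walks index 0.. until the gateway answers 713."""
    found = []
    for i in range(limit):
        m = parse_mapping(post(*soap_get_mapping(i)))
        if m is None:
            break
        found.append(m)
    return found


def unexpected(mappings, allowed):
    """Mappings whose (internal IP, internal port) is not on the allow-list."""
    return [m for m in mappings if (m["int_ip"], m["int_port"]) not in allowed]


# ---- Constructed gateway responses (not captured from a real router) so the walk runs offline ----
DESCRIPTION_XML = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><serviceList><service>'
                   '<serviceType>%s</serviceType><controlURL>/ctl/IPConn</controlURL>'
                   '</service></serviceList></device></root>' % WANIP)


def _entry(proto, ext, ip, port, desc):
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse xmlns:u="%s"><NewRemoteHost></NewRemoteHost>'
            '<NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol>'
            '<NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient>'
            '<NewEnabled>1</NewEnabled><NewPortMappingDescription>%s</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>'
            '</s:Body></s:Envelope>' % (WANIP, ext, proto, port, ip, desc)).encode()


ERROR_713 = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
             b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
             b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
             b'<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
             b'</detail></s:Fault></s:Body></s:Envelope>')

FAKE_TABLE = [_entry("UDP", 22502, "192.168.1.13", 22502, "Skype UDP at 192.168.1.13:22502"),
              _entry("UDP", 3074, "192.168.1.6", 3074, "Xbox")]


def fake_post(headers, body):
    """Stand-in for the HTTP POST: serves FAKE_TABLE by index, then the 713 fault."""
    idx = int(body.split(b"<NewPortMappingIndex>")[1].split(b"<", 1)[0])
    return FAKE_TABLE[idx] if idx < len(FAKE_TABLE) else ERROR_713


if __name__ == "__main__":
    print("control URL:", control_url(DESCRIPTION_XML))
    for m in walk_mappings(fake_post):
        print("%s ext %d -> %s:%d  %s" % (m["proto"], m["ext_port"], m["int_ip"], m["int_port"], m["desc"]))
```

Because IGD v1 has no authentication, any process on any LAN host (a VoIP client, a game console, or malware) can add a mapping, and the router will honour it until the lease expires or it is deleted; that is the reason disabling UPnP on the router, rather than in one application, is the control that actually removes the exposure. If the Xbox still needs a mapping afterwards, a single static port forward to its address is the equivalent with the router, not the client, in charge.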


#6 ronells2000 (Topic Starter)

Posted 12 April 2017 - 09:44 PM

OK, if I understand some of this (hope it doesn't sound stupid):

Skype's UPnP works in a way such that if my computer wants to communicate with a Skype computer down the street and is having port issues, it can scan for open ports or connect to computers around the world, if need be, until the connection is made.

Why is it occurring on 1 computer and not the other 2? I had Skype on all day on this computer and, lo and behold, I'm now being bombarded also. Turned off UPnP in Skype - no help.

Why does it give them LAN access? LAN access concerns me that someone has just that, "LAN access", and can take control of a computer.

Since no one else is asking about their networks, I guess this is normal then. Guess I'll be turning UPnP on my router Off and have to figure a way around their Xbox connectivity issue later.

Thank you for your help


Edited by ronells2000, 12 April 2017 - 09:58 PM.


#7 shelf life (Malware Response Team)

Posted 13 April 2017 - 07:01 PM

I believe this is just the normal behavior of Skype. Personally I have never used it. I know it's voice (or data) over IP, so whoever has the app installed and running becomes a small part of a larger network, like a p2p client.

Access to LAN doesn't mean your machine can be accessed from afar. I think it's just a response to port forwarding or having UPnP enabled.

I see these all the time in my router logs too after running a p2p app.

You might poke around the Skype forum for more info. Surely other people would have the same question you have. Sorry, really can't give you a solid answer.




#8 ronells2000 (Topic Starter)

Posted 13 April 2017 - 09:07 PM

Thank you, you've been a big help. I'm not going to worry about it. It makes a lot more sense now.


Edited by ronells2000, 13 April 2017 - 09:08 PM.


#9 shelf life (Malware Response Team)

Posted 14 April 2017 - 08:21 AM

OK, you're welcome. Happy safe surfing out there.






