
Terminal Server infected with Recurrent virus (Agent.PTD found)


  • This topic is locked
16 replies to this topic

#1 madpoet62

madpoet62

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 31 July 2017 - 09:05 AM

Hi all,

 

I have been struggling with my Terminal server since it was hit with a Ransomware attack 3 months ago.  We keep multiple copies of backups so we were able to restore the documents.  We continued to have a virus hogging the CPU resources.  We remove the file (in this case xmr-radon.exe) but it comes right back.  Since it is a Terminal Server (Windows 2003 R2), I have to work on it mostly in the late evenings when I only inconvenience our 2nd shift or on weekends.  I ran several root kit detection software programs this past weekend and none were detected.  One found Agent.PTD and removed it. 

 

I ran several programs:  (Bitware BootkitRemoval – found nothing, Sophos Virus Removal – found nothing, RogueKiller – found the attached, HitmanPro which removed some virus stuff) 

 

I’ve found a couple of things on the Terminal server that need clarification.  First is this TCX program.  Every time I log onto Terminal now I get a request to let these two programs run (which I deny):

“C:Windows\regedit.exe” /s  (supposed to run silent)

C:\Windows\System32\TCXReg\TCXAddins.reg and C:\Windows\system32\TCXReg\DVCSupport.reg

 

The next thing I see in Hijack This is that mail.kerrvance.com is a trusted site.  I have NEVER used Terminal for anything related to KVA.  But I do see a gmail address in the virus program xmr-nodonSTART.  It has akva747@gmail.com.  Is this a coincidence?

 

There is a program in Startup called Prepare_TCX that has the following lines in it:

 

@ECHO OFF
regedit /s c:\WINDOWS\system32\TCXReg\TCXAddins.reg
regedit /s c:\WINDOWS\system32\TCXReg\DVCSupport.reg

 

Please advise as soon as you can what I should do.  I don’t want to do something ill-advised and crash Terminal.

 

I do have a Terminal User Activity software running on this computer.  If you see that listed - ignore it.
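The question in the post above is what those Prepare_TCX.bat lines actually do. `regedit /s` imports a .reg file without the confirmation prompt, so the answer lies in what keys the two .reg files write. The script below is an added example for this thread, not code from the poster or from any vendor, and the .reg contents in it are constructed stand-ins: the real TCXAddins.reg and DVCSupport.reg are not shown anywhere in the thread. It pulls the import paths out of the batch text, parses .reg contents, and flags keys that land in autostart, logon, service or Internet Explorer zone locations (ZoneMap\Domains is where a trusted-site entry of the kind HijackThis reports lives). The list of "sensitive" key prefixes is this example's own choice.

```python
"""Audit a Startup-folder batch file that silently imports .reg files.

Added example; not code from the thread. The .reg texts below are
constructed for illustration and are NOT the real TCXAddins.reg or
DVCSupport.reg, whose contents are not on the page.
"""
import re

# `regedit /s file.reg` imports a .reg file without the confirmation prompt.
SILENT_IMPORT_RE = re.compile(
    r'^\s*regedit(?:\.exe)?\s+/s\s+"?(?P<path>[^"\r\n]+?)"?\s*$',
    re.IGNORECASE | re.MULTILINE)

# Lower-cased substrings of key paths worth a second look, and why (own choice).
SENSITIVE_KEYS = {
    "\\currentversion\\run": "autostart (Run key)",
    "\\winlogon": "logon process (Winlogon)",
    "\\currentcontrolset\\services\\": "service definition",
    "\\zonemap\\domains\\": "Internet Explorer zone assignment (trusted/intranet site)",
    "\\image file execution options\\": "debugger redirection (IFEO)",
}


def find_silent_imports(batch_text):
    """Paths of .reg files the batch file would import with `regedit /s`."""
    return [m.group("path").strip() for m in SILENT_IMPORT_RE.finditer(batch_text)]


def parse_reg(reg_text):
    """Minimal .reg reader: {key: {value_name: raw_data}}.
    Joins hex(...) data continued with a trailing backslash; '@' is the default value."""
    keys, current, pending = {}, None, ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip()
    return keys


def audit(keys):
    """(key, reason) pairs for keys that touch sensitive locations or delete keys."""
    findings = []
    for key in keys:
        if key.startswith("-"):            # [-HKEY...] deletes the key
            findings.append((key, "deletes a key"))
            continue
        low = key.lower()
        for needle, reason in SENSITIVE_KEYS.items():
            if needle in low:
                findings.append((key, reason))
    return findings


def audit_batch(batch_text, reg_files):
    """Map each imported .reg path to its findings; reg_files is {path: text}."""
    return {path: audit(parse_reg(reg_files.get(path, "")))
            for path in find_silent_imports(batch_text)}


# Constructed batch text modelled on the Prepare_TCX.bat lines quoted in the post.
SAMPLE_BAT = ("@ECHO OFF\r\n"
              "regedit /s c:\\WINDOWS\\system32\\TCXReg\\TCXAddins.reg\r\n"
              "regedit /s c:\\WINDOWS\\system32\\TCXReg\\DVCSupport.reg\r\n")

# Constructed .reg contents (placeholders, not the real files).
SAMPLE_REG_FILES = {
    "c:\\WINDOWS\\system32\\TCXReg\\TCXAddins.reg": r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Addins]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\ExampleVendor\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"https"=dword:00000002
""",
    "c:\\WINDOWS\\system32\\TCXReg\\DVCSupport.reg": r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\DVC]
"Plugin"="C:\\Program Files\\ExampleVendor\\dvc.dll"
""",
}

if __name__ == "__main__":
    for path, findings in audit_batch(SAMPLE_BAT, SAMPLE_REG_FILES).items():
        print(path)
        for key, reason in findings or [("(no sensitive keys)", "")]:
            print("   ", key, "-", reason)
```

On the real server the `reg_files` dictionary would be filled by reading the two paths the batch file names; the point of the parse is to decide from the key list, not the file name, whether the import is a vendor terminal-services add-in or a persistence mechanism.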


 


#2 madpoet62

madpoet62
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 31 July 2017 - 09:17 AM

I forgot to attach this screen shot of the virus hogging the CPU.




#3 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:01:00 AM

Posted 04 August 2017 - 05:35 AM

Welcome to Bleeping Computer's Malware Removal Logs area. My name is Sintharius. I will assist you with your problem.

Below are some rules that you will need to follow while receiving my assistance:
  • I am currently in training, so my responses might be delayed. I will generally reply within 48 hours - if this is not possible, I will let you know.
  • Please do not seek assistance elsewhere without letting me know.
  • Please do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • If you wish to do other interventions, please let me know. I will assist you if possible.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the Follow this topic button, and make sure a tick is in the receive notifications and is set to Instantly. Any replies should be made in this topic by clicking the Reply to this topic button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. Please inform me if you need more time.
  • Please stay with me until I have confirmed that you are clean. Absence of symptoms does not mean that the computer is clean.
  • If you do not agree with any of the above, please let me know so I can have this topic closed.
===

Please create a set of FRST logs so I can assess the status of your computer.

Farbar Recovery Scan Tool

Please download the correct version of Farbar Recovery Scan Tool and save it to your Desktop.

32-bit version here

64-bit version here

Note 1: Don't know if your Windows is 32-bit or 64-bit? Check it out here. The Automatic detection section should give you information about your OS. If it's not, use the Manual detection section.

Note 2: Temporarily disable your antivirus and/or antimalware if they flag FRST as unsafe, as the tool is safe.
  • Right click on FRST/FRST64.exe and choose Run as Administrator.
  • When the tool launches, choose Yes at the disclaimer.
  • Choose Scan.
  • The tool will produce a log named FRST.txt in the same location where the tool is run from.
  • Please copy the log and paste it here.
On its first run FRST will generate an Addition.txt log in the same location as the other log. Please copy and paste that along with the main log in your reply.
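The helper will read the FRST logs by hand; as an added example for this thread (not part of FRST, and not the helper's method), the script below shows the kind of first pass over the "Registry (Whitelisted)" section that surfaces the lines worth looking at first. The line formats it matches are taken from the log posted in the next reply, and the sample lines are copied from that log. The severity ranking, the list of user-writable directories and the script extensions are this example's own choices.

```python
"""Triage the 'Registry (Whitelisted)' section of an FRST log.

Added example; not part of FRST. Sample lines are copied from the log
posted in this thread. Severities and rules are this example's own.
"""
import re
from collections import Counter

ATTENTION_TAG = "<==== ATTENTION"          # FRST's own marker for non-default entries
LEVEL = {"info": 0, "medium": 1, "high": 2}

RUN_RE = re.compile(r"^(?P<hive>HK[^\s:]+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
WINLOGON_RE = re.compile(r"^(?P<hive>HK[^\s:]+?)\\\.\.\.\\Winlogon: \[Shell\] (?P<target>.+?) \[")
MOUNT_RE = re.compile(r"^(?P<hive>HK[^\s:]+?)\\\.\.\.\\MountPoints2: \{[0-9a-f-]+\} - (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?) \[\d{4}-\d{2}-\d{2}\]")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def classify(line):
    """Return a list of (severity, reason) for one registry-section line."""
    reasons = []
    if ATTENTION_TAG in line:
        reasons.append(("medium", "marked by FRST as non-default (<==== ATTENTION); review"))
    m = RUN_RE.match(line)
    if m and m.group("cmd").strip() != "[X]":        # [] => [X] is an empty/orphaned value
        low = m.group("cmd").lower()
        if "rundll32" in low and "\\appdata\\" in low and ".dll" in low:
            reasons.append(("high", "rundll32 loading a DLL from a user profile (AppData) path"))
        elif any(d in low for d in USER_WRITABLE):
            reasons.append(("medium", "autostart binary under a user-writable directory"))
    m = WINLOGON_RE.match(line)
    if m:
        target = m.group("target").strip().strip('"')
        if target.lower() == "c:\\windows\\explorer.exe":
            reasons.append(("info", "per-user Winlogon Shell value pointing at the stock "
                                    "Explorer (non-default placement, low priority)"))
        else:
            reasons.append(("high", "Winlogon Shell replaced: " + target))
    if MOUNT_RE.match(line):
        reasons.append(("info", "MountPoints2 autorun remnant from removable media"))
    m = STARTUP_RE.match(line)
    if m and m.group("path").lower().endswith(SCRIPT_EXT):
        reasons.append(("medium", "script file in a Startup folder: " + m.group("path").rsplit("\\", 1)[-1]))
    return reasons


def triage(lines):
    """Findings in log order: line number, highest severity, all reasons, the line."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip()
        reasons = classify(line)
        if reasons:
            severity = max((s for s, _ in reasons), key=LEVEL.__getitem__)
            findings.append({"line_no": n, "severity": severity,
                             "reasons": [r for _, r in reasons], "line": line})
    return findings


def summarize(findings):
    """Count of findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


# Sample lines copied from the FRST log posted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [VMware Tools] => C:\Program Files\VMware\VMware Tools\VMwareTray.exe [60016 2011-06-07] (VMware, Inc.)
HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [1939968 2014-10-22] (Brother Industries, Ltd.)
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Run: [cfonp] => "C:\Windows\System32\rundll32.exe" "C:\Users\rwest\AppData\Roaming\cfonp.dll",SetError <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Prepare_TCX.bat [2015-07-17] ()
Startup: C:\Users\mnorris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-05-25]
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['severity']:6} line {f['line_no']:>3}: {'; '.join(f['reasons'])}")
    print(summarize(triage(SAMPLE_LINES)))
```

Two design points: FRST's `<==== ATTENTION` marks any deviation from the default, so a per-user Winlogon Shell value that still points at the stock Explorer.exe is kept at low priority instead of being treated like a replaced shell, while a Run value that starts rundll32 with a DLL under a user's AppData is ranked highest because that is a user-writable location and an unsigned DLL name.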

#4 madpoet62

madpoet62
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 04 August 2017 - 08:46 AM

Hi Sintharius,
 
Thank you for responding.  What has happened so far since I posted this request for help:
 
We found a set of Brute Force hack tools on a drive on the Terminal server.  We also used the email address that was in one of the bat files to track this guy down on Facebook but nothing much was posted there.  The password for his Facebook account was one that had been leaked at some point in the past.  We did not attempt to contact him.
 
It is our guess that he had access to the shipping account on the Terminal and was attempting to brute force an administrator account.  Every time we cleaned out the virus file (xmr-nodon.exe) it would come back in various public folders the next day and max out our CPU.  My outside tech service shut down the port the hacker was using to keep communications from going on each day and I changed the password for the shipping computer (a thin client) to a very strong one.  The plan is to redirect the RDP access to another port.  The outside service said they would do that but have not as yet. 
 
I'm attaching the files you requested.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-07-2017
Ran by bev (administrator) on TERMINAL (04-08-2017 09:35:17)
Running from C:\Users\bev\Desktop\Bleeping Computer
Loaded Profiles: shipping & bev & rwest & traynor & rfrscan1 & rfrscan2 & rfrscan3 & rfrscan4 & rfrscan5 & mtaylor & kbeal & mnorris & rfrscan7 & awilliams & Administrator & SalogSrvTsm & SawebSrv (Available Profiles: MICROSOFT$DPM$Acct & Administrator & shipping & bev & rwest & rwilliams & traynor & allen & mtalley & tbeal & Pkcsadm & rfrscan & cwatson & rfrscan1 & rfrscan2 & rfrscan3 & rfrscan4 & rfrscan5 & rfrscan6 & steve & mtaylor & kbeal & tlloyd & mnorris & tcottrell & sbeal & rfrscan7 & 404label & labelmachine & bgrose & awilliams & dboyd & 404SHIP & Administrator & SalogSrvTsm & SawebSrv)
Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avpsus.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Symantec Corporation) C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(Symantec Corporation) C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\ScannerStatusMonitorService.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe
(Deep Software Inc.) C:\Program Files (x86)\SoftActivity TS Monitor\sawebsrv.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\webapp\serve.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\vapm.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\webapp\serve.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(ProfitKey International) C:\PK\Deploy\XPLNMGT.EXE
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsvc.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
(Deep Software Inc.) C:\Program Files (x86)\SoftActivity TS Monitor\salogsrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(ProfitKey International) C:\PK\Deploy\XMFGOPER.EXE
(ProfitKey International) C:\PK\Deploy\XPLNMGT.EXE
(ProfitKey International) C:\PK\Deploy\XINVMGT.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(ProfitKey International) C:\PK\Deploy\xmesdc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(ProfitKey International) C:\PK\Deploy\XCUSTMGT.EXE
(ProfitKey International) C:\PK\Deploy\XPURMGT.EXE
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
() C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(ProfitKey International) C:\PK\Deploy\XCUSTMGT.EXE
(ProfitKey International) C:\PK\Deploy\XPLNMGT.EXE
(ProfitKey International) C:\PK\Deploy\XENGINER.EXE
(ProfitKey International) C:\PK\Deploy\XCUSTMGT.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
(ProfitKey International) C:\PK\Deploy\XMFGOPER.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(ProfitKey International) C:\PK\Deploy\XINVMGT.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
(ProfitKey International) C:\PK\Deploy\XCUSTMGT.EXE
(AO Kaspersky Lab) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VMware Tools] => C:\Program Files\VMware\VMware Tools\VMwareTray.exe [60016 2011-06-07] (VMware, Inc.)
HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [65648 2011-06-07] (VMware, Inc.)
HKLM-x32\...\Run: [BrScnStsMon00] => C:\Program Files (x86)\BrownyScn\Brother\BrStMonScn.exe [3046912 2015-10-15] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [1939968 2014-10-22] (Brother Industries, Ltd.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-19\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1112\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-1112\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Run: [cfonp] => "C:\Windows\System32\rundll32.exe" "C:\Users\rwest\AppData\Roaming\cfonp.dll",SetError <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {ac7cd25e-054e-11e2-9ff0-000c29bf984f} - E:\LiteAuto.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\MountPoints2: {ac7cd25e-054e-11e2-9ff0-000c29bf984f} - E:\LiteAuto.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {ac7cd25e-054e-11e2-9ff0-000c29bf984f} - E:\LiteAuto.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {ac7cd25e-054e-11e2-9ff0-000c29bf984f} - E:\LiteAuto.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [721504 2015-09-02] (Microsoft Corporation)
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {ac7cd25e-054e-11e2-9ff0-000c29bf984f} - E:\LiteAuto.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\...\MountPoints2: {6171d1f0-d9db-11e5-8ea5-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\...\MountPoints2: {dc25136d-89de-11e5-a5fe-000c29bf984f} - E:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\...\MountPoints2: {6171d1f0-d9db-11e5-8ea5-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\...\MountPoints2: {a25dc582-1104-11e6-80f4-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-3130\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-3130\...\MountPoints2: {9f352d09-afef-11e6-9cb6-000c29bf984f} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\...\Run: [] => [X]
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\...\MountPoints2: {8fd83ab5-b7d3-11e2-acf8-000c29bf984f} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\...\MountPoints2: {c3e85c7c-7b65-11e1-babd-806e6f6e6963} - Z:\setup.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\...\MountPoints2: {dc2525c3-89de-11e5-a5fe-000c29bf984f} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\...\Winlogon: [Shell] C:\Windows\Explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-18\...\Run: [] => [X]
Lsa: [Notification Packages] scecli rassfm
Startup: C:\Users\administrator.LOCAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bginfo.bat - Shortcut.lnk [2012-05-07]
ShortcutTarget: bginfo.bat - Shortcut.lnk -> C:\bginfo.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Prepare_TCX.bat [2015-07-17] ()
Startup: C:\Users\jmurray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2013-04-25]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\mnorris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-05-25]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\rbroughton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2013-06-19]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\rfrscan5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-08-02]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\rwest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2013-04-03]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\tlloyd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-08-03]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\traynor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-08-03]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * bootdelete
GroupPolicy: Restriction <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-4128123357-3028985877-1724802406-1111] => Proxy is enabled.
ProxyServer: [S-1-5-21-4128123357-3028985877-1724802406-1111] => 0.0.0.0:80
Tcpip\..\Interfaces\{C199486A-0EB6-41D2-AE73-A97AF7C189C4}: [NameServer] 10.0.0.200,10.0.0.201

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-1112\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-1112\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4128123357-3028985877-1724802406-3130\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
HKU\S-1-5-21-4128123357-3028985877-1724802406-3130\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_3
SearchScopes: HKU\S-1-5-21-4128123357-3028985877-1724802406-500 -> {D9786D8C-44A9-4D01-8F27-D6DED23348DF} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-07-11] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-07-11] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4128123357-3028985877-1724802406-1115 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
DPF: HKLM-x32 {4871A87A-BFDD-4106-8153-FFDE2BAC2967} hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} hxxp://10.10.10.10/WebClient.exe
DPF: HKLM-x32 {ECD1EF2B-1A07-4F2E-8296-4EDEFDD7CBF9} hxxp://rfrmetals.no-ip.biz:3002/WebClient.cab
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-05-23] (Citrix Systems, Inc.)

FireFox:
========
FF HKLM\...\Firefox\Extensions: [FFExtnHTML2PDF@foxitsoftware.com] - C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\FirefoxAddin\FFExtnHTML2PDF.xpi
FF Extension: (Foxit PDF Creator) - C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\FirefoxAddin\FFExtnHTML2PDF.xpi [2017-01-13]
FF HKLM-x32\...\Firefox\Extensions: [tcxflash@extension] - C:\Program Files (x86)\Wyse\TCX\Server\Flash Redirection\firefox\tcxflash => not found
FF HKLM-x32\...\Firefox\Extensions: [FFExtnHTML2PDF@foxitsoftware.com] - C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\FirefoxAddin\FFExtnHTML2PDF.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_26_0_0_137.dll [2017-07-12] ()
FF Plugin: @java.com/DTPlugin,version=10.4.0 -> C:\Windows\system32\npDeployJava1.dll [2012-06-11] (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_137.dll [2017-07-12] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2012-05-23] (Citrix Systems, Inc.)
FF Plugin-x32: @EDVR/WebClient -> C:\windows\system32\WebClient\npwebclient.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-11] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-07-11] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4128123357-3028985877-1724802406-1115: @citrixonline.com/appdetectorplugin -> C:\Users\rwest\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-05-14] (Citrix Online)
FF Plugin HKU\S-1-5-21-4128123357-3028985877-1724802406-1117: @citrixonline.com/appdetectorplugin -> C:\Users\traynor\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-12-22] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPFRWPlugin.dll [2011-08-19] (WYSE Technology, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default [2017-08-03]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-10]
CHR Extension: (Foxit PDF Creator) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\cifnddnffldieaamihfkhkdgnbhfmaci [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-10]
CHR Extension: (No Name) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\bev\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-27]
CHR HKLM\...\Chrome\Extension: [cifnddnffldieaamihfkhkdgnbhfmaci] - C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\ChromeAddin\ChromeAddin.crx [2017-01-13]
CHR HKLM-x32\...\Chrome\Extension: [cifnddnffldieaamihfkhkdgnbhfmaci] - C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\Creator\ChromeAddin\ChromeAddin.crx [2017-01-13]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avp.exe [2106664 2017-03-13] (AO Kaspersky Lab)
R2 avpsus; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\avpsus.exe [2692512 2017-03-13] (AO Kaspersky Lab)
R2 BackupExecAgentAccelerator; C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe [1994096 2012-01-23] (Symantec Corporation)
S3 BackupExecVSSProvider; C:\Program Files\Symantec\Backup Exec\RAWS\VSS Provider\bevssprovider.exe [148336 2012-01-20] (Symantec Corporation)
R2 bedbg; C:\Program Files\Symantec\Backup Exec\RAWS\bedbg.exe [353648 2012-01-12] (Symantec Corporation)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
R2 klnagent; C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagent.exe [166288 2017-01-19] (AO Kaspersky Lab)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093872 2007-08-11] (Symantec Corporation)
S3 ManagedClientInstallService; C:\scclientinstall_a1d462ef_a0f6_4aa3_9d8b_308a650d9616\clientinstallservice.exe [40960 2015-10-28] (Malwarebytes Corporation) [File not signed]
S3 PDVFSService; C:\Program Files\Symantec\Backup Exec\RAWS\PDVFSService.exe [301720 2012-03-30] ()
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 SalogSrvTsm; C:\Program Files (x86)\SoftActivity TS Monitor\salogsrv.exe [4023664 2017-05-05] (Deep Software Inc.)
R2 SawebSrv; C:\Program Files (x86)\SoftActivity TS Monitor\sawebsrv.exe [1639792 2017-05-05] (Deep Software Inc.)
R3 ScannerStatusMonitorService; C:\Program Files (x86)\BrownyScn\ScannerStatusMonitorService.exe [279552 2015-10-15] (Brother Industries, Ltd.) [File not signed]
R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)
R2 Tsmsvc; C:\Program Files (x86)\SoftActivity TS Monitor\tsmsvc.exe [2746736 2017-05-05] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [554408 2016-10-01] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [197344 2017-03-11] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [310256 2017-03-11] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [1077984 2017-03-11] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [50008 2016-10-01] (AO Kaspersky Lab)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [45488 2016-10-01] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [73112 2016-10-12] (AO Kaspersky Lab)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [200784 2016-10-09] (AO Kaspersky Lab)
S3 MRxDAV; C:\Windows\SysWOW64\drivers\mrxdav.sys [117248 2016-09-08] (Microsoft Corporation)
R1 PDVFSDriver; C:\Windows\System32\drivers\pdfsd.sys [79480 2012-03-30] (Symantec Corporation)
S4 PDVFSNP; no ImagePath
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
R0 SIS; C:\Windows\System32\drivers\sis.sys [133488 2011-09-07] (Microsoft Corporation)
R3 VirtFile; C:\Windows\System32\DRIVERS\VirtFile.sys [114296 2011-10-25] (Symantec Corporation)
S2 wusb; C:\Windows\system32\Drivers\wusb.sys [23912 2016-06-27] (Wyse Technology Inc.)
R1 wusbload; C:\Windows\system32\Drivers\wusbload.sys [45416 2016-06-27] (Wyse Technology Inc.)
R3 wvusbbus; C:\Windows\System32\DRIVERS\wvusbbus.sys [53768 2011-08-19] (Wyse Technology Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-04 09:34 - 2017-08-04 09:35 - 000000000 ____D C:\FRST
2017-08-04 09:33 - 2017-08-04 09:35 - 000000000 ____D C:\Users\bev\Desktop\Bleeping Computer
2017-08-04 07:17 - 2017-08-04 07:17 - 000000064 _____ C:\Users\rwest\Desktop\Open Order Reports.ldb
2017-08-03 16:52 - 2017-08-03 16:54 - 000026582 _____ C:\Users\bev\Documents\cc_20170803_165255.reg
2017-08-03 06:15 - 2017-08-03 06:15 - 000000000 ____D C:\Users\rfrscan2\AppData\Local\CrashDumps
2017-08-02 16:30 - 2015-08-05 13:56 - 000022528 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2017-08-02 16:30 - 2015-08-05 13:06 - 000039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2017-08-02 16:28 - 2015-12-16 14:53 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\kbdgeoqw.dll
2017-08-02 16:28 - 2015-12-16 14:53 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZEL.DLL
2017-08-02 16:28 - 2015-12-16 14:53 - 000007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDAZE.DLL
2017-08-02 16:28 - 2015-12-16 14:48 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZE.DLL
2017-08-02 16:28 - 2015-12-16 14:48 - 000006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kbdgeoqw.dll
2017-08-02 16:28 - 2015-12-16 14:48 - 000006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDAZEL.DLL
2017-08-02 16:17 - 2017-08-02 16:20 - 173332752 _____ (Sophos Limited) C:\Users\administrator.LOCAL\Downloads\Sophos Virus Removal Tool.exe
2017-08-02 15:14 - 2017-08-02 15:14 - 000000000 ____D C:\Program Files\Malwarebytes
2017-08-02 15:07 - 2017-08-02 15:09 - 065033984 _____ (Malwarebytes ) C:\Users\administrator.LOCAL\Downloads\mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251.exe
2017-08-02 12:32 - 2017-08-02 12:32 - 000000000 ____D C:\Users\rfrscan5\Documents\OneNote Notebooks
2017-08-02 09:49 - 2017-08-02 09:49 - 000000000 ____D C:\Users\rwest\AppData\Local\CrashDumps
2017-08-01 23:00 - 2017-08-01 23:04 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Local\CrashDumps
2017-08-01 22:37 - 2017-08-01 22:37 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\LocalLow\Mozilla
2017-08-01 22:36 - 2017-08-01 22:37 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Roaming\Mozilla
2017-08-01 22:36 - 2017-08-01 22:36 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Local\Mozilla
2017-08-01 17:24 - 2017-07-31 08:25 - 000388608 _____ (Trend Micro Inc.) C:\Users\shipping.LOCAL\Desktop\HijackThis.exe
2017-08-01 17:15 - 2017-08-01 17:15 - 000012291 _____ C:\Users\awilliams\Desktop\hijackthis_8-1-17.txt
2017-08-01 16:32 - 2017-08-01 16:32 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Local\VirtualStore
2017-08-01 09:37 - 2017-08-01 09:37 - 000000996 _____ C:\Users\shipping.LOCAL\Desktop\XCUSTMGT - Shortcut.lnk
2017-08-01 09:37 - 2017-08-01 09:37 - 000000985 _____ C:\Users\shipping.LOCAL\Desktop\XINVMGT - Shortcut.lnk
2017-08-01 09:36 - 2017-08-01 09:36 - 000000000 ____D C:\Users\shipping.LOCAL\Oracle
2017-08-01 08:49 - 2017-08-03 08:22 - 000000000 ____D C:\Users\mnorris\AppData\Local\CrashDumps
2017-07-31 08:26 - 2017-07-31 08:25 - 000388608 _____ (Trend Micro Inc.) C:\Users\bev\Desktop\HijackThis.exe
2017-07-31 08:11 - 2017-07-28 15:25 - 001993530 _____ C:\MGtools.exe
2017-07-31 07:33 - 2017-07-31 07:33 - 000000000 ____D C:\Users\404SHIP\AppData\Local\VirtualStore
2017-07-31 07:32 - 2017-07-31 07:32 - 000000000 ____D C:\Users\rfrscan3\AppData\Local\CrashDumps
2017-07-31 07:28 - 2017-08-03 07:28 - 000000000 ____D C:\Users\rfrscan7\AppData\Local\CrashDumps
2017-07-31 07:26 - 2017-08-02 09:35 - 000000000 ____D C:\Users\kbeal\AppData\Local\CrashDumps
2017-07-31 07:19 - 2017-08-03 07:23 - 000000000 ____D C:\Users\rfrscan5\AppData\Local\CrashDumps
2017-07-30 15:06 - 2017-07-30 15:06 - 000015254 _____ C:\Windows\system32\.crusader
2017-07-30 14:44 - 2017-07-30 15:07 - 000000000 ____D C:\ProgramData\HitmanPro
2017-07-29 08:54 - 2017-07-29 08:54 - 000000000 ____D C:\ProgramData\Sophos
2017-07-29 08:50 - 2017-07-29 08:51 - 000186240 _____ C:\TDSSKiller.3.1.0.15_29.07.2017_08.50.10_log.txt
2017-07-28 22:44 - 2017-08-03 08:43 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-07-28 22:42 - 2017-07-29 08:49 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-07-28 22:41 - 2017-07-31 10:39 - 000000000 ____D C:\Users\bev\Desktop\mbar
2017-07-28 22:39 - 2017-08-03 14:34 - 000000000 ____D C:\Users\bev\AppData\Local\CrashDumps
2017-07-28 15:48 - 2017-07-28 15:48 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-07-28 15:47 - 2017-07-28 22:40 - 000000000 ____D C:\ProgramData\RogueKiller
2017-07-28 08:57 - 2017-07-28 08:57 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Roaming\Foxit Software
2017-07-28 03:22 - 2017-07-31 19:25 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Local\Google
2017-07-28 03:22 - 2017-07-31 19:19 - 000002259 _____ C:\Users\shipping.LOCAL\Desktop\Google Chrome.lnk
2017-07-28 03:22 - 2017-07-28 03:22 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Roaming\Adobe
2017-07-28 03:21 - 2017-07-28 03:21 - 000110008 _____ C:\Users\shipping.LOCAL\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-28 03:20 - 2017-07-28 03:20 - 000000500 __RSH C:\Users\shipping.LOCAL\ntuser.pol
2017-07-28 03:19 - 2017-08-01 09:36 - 000000000 ____D C:\Users\shipping.LOCAL
2017-07-28 03:19 - 2017-07-28 03:19 - 000000020 ___SH C:\Users\shipping.LOCAL\ntuser.ini
2017-07-28 03:19 - 2012-08-07 03:02 - 000000000 ____D C:\Users\shipping.LOCAL\Documents\Visual Studio 2008
2017-07-28 03:19 - 2012-06-14 03:00 - 000000000 ____D C:\Users\shipping.LOCAL\AppData\Local\Microsoft Help
2017-07-27 00:37 - 2017-07-27 00:37 - 000089288 _____ C:\Users\bev\Documents\cc_20170727_003728.reg
2017-07-27 00:25 - 2017-07-27 00:25 - 000004652 _____ C:\Users\bev\Desktop\eset log.txt
2017-07-26 14:02 - 2017-07-26 14:02 - 000000000 ____D C:\Users\bev\AppData\Local\ESET
2017-07-25 16:25 - 2017-07-25 16:25 - 000000000 ____D C:\Users\administrator.LOCAL\Desktop\SS_install777
2017-07-25 16:24 - 2017-06-13 15:14 - 981892466 _____ C:\Users\administrator.LOCAL\Desktop\SS_install777.zip
2017-07-25 15:24 - 2017-07-25 15:24 - 010581280 _____ C:\Users\mtaylor\Downloads\HPPSdr.exe
2017-07-25 14:27 - 2017-07-25 14:27 - 000000899 _____ C:\Users\rfrscan7\Desktop\404 Project Management.lnk
2017-07-20 01:41 - 2017-08-01 14:15 - 000000000 ____D C:\TEMP
2017-07-19 16:09 - 2017-07-19 16:09 - 000000000 ____D C:\Users\administrator.LOCAL\Desktop\Shipping
2017-07-19 12:44 - 2017-07-19 12:44 - 000000000 ____D C:\Foxit Software
2017-07-18 17:49 - 2017-07-18 17:49 - 000039424 _____ C:\Users\mnorris\Documents\Copy of RFR OPEN POS (6).xls
2017-07-18 10:39 - 2017-08-03 11:19 - 000438272 _____ C:\Users\shipping.LOCAL\Desktop\UpdatedEaton Packing List.mdb
2017-07-17 09:00 - 2017-07-17 09:00 - 020975616 _____ C:\Users\administrator.LOCAL\Desktop\EVENT_VIEWER_LOG_2017-07-17.evtx
2017-07-17 07:18 - 2017-07-17 07:18 - 000000000 ____D C:\Users\shipping\AppData\Roaming\VMware
2017-07-17 00:01 - 2017-07-28 00:05 - 000036335 _____ C:\ProgramData\tsmimpl.dmp
2017-07-15 08:51 - 2017-07-15 08:51 - 000000000 ____D C:\Users\shipping\AppData\Roaming\Adobe
2017-07-14 08:36 - 2017-07-14 08:36 - 000000000 ____D C:\Users\shipping\AppData\Roaming\TeamViewer
2017-07-14 08:36 - 2017-07-14 08:36 - 000000000 ____D C:\Users\shipping\AppData\Roaming\Foxit Software
2017-07-12 09:57 - 2017-06-30 00:15 - 000394448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-07-12 09:57 - 2017-06-29 23:32 - 000346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-07-12 09:57 - 2017-06-29 22:57 - 002058240 _____ (Microsoft Corporation) C:\Windows\system32\Query.dll
2017-07-12 09:57 - 2017-06-29 22:38 - 001363968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Query.dll
2017-07-12 09:57 - 2017-06-29 02:27 - 025734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 09:57 - 2017-06-29 02:19 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-07-12 09:57 - 2017-06-29 02:18 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-07-12 09:57 - 2017-06-29 02:04 - 000066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-07-12 09:57 - 2017-06-29 02:03 - 000417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-07-12 09:57 - 2017-06-29 02:03 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-07-12 09:57 - 2017-06-29 02:02 - 002899456 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-07-12 09:57 - 2017-06-29 02:02 - 000576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 09:57 - 2017-06-29 02:02 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-07-12 09:57 - 2017-06-29 01:55 - 000054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-07-12 09:57 - 2017-06-29 01:54 - 000034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-07-12 09:57 - 2017-06-29 01:51 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-07-12 09:57 - 2017-06-29 01:50 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 09:57 - 2017-06-29 01:50 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-07-12 09:57 - 2017-06-29 01:50 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-07-12 09:57 - 2017-06-29 01:50 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-07-12 09:57 - 2017-06-29 01:44 - 005975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 09:57 - 2017-06-29 01:43 - 000968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-07-12 09:57 - 2017-06-29 01:39 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-07-12 09:57 - 2017-06-29 01:35 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-07-12 09:57 - 2017-06-29 01:31 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2017-07-12 09:57 - 2017-06-29 01:31 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-07-12 09:57 - 2017-06-29 01:30 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-07-12 09:57 - 2017-06-29 01:27 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-07-12 09:57 - 2017-06-29 01:26 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-07-12 09:57 - 2017-06-29 01:23 - 020270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 09:57 - 2017-06-29 01:23 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 09:57 - 2017-06-29 01:23 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-07-12 09:57 - 2017-06-29 01:23 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-07-12 09:57 - 2017-06-29 01:23 - 000047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-07-12 09:57 - 2017-06-29 01:22 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-07-12 09:57 - 2017-06-29 01:22 - 000152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-07-12 09:57 - 2017-06-29 01:22 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-07-12 09:57 - 2017-06-29 01:19 - 002290176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-07-12 09:57 - 2017-06-29 01:17 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-07-12 09:57 - 2017-06-29 01:16 - 000030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-07-12 09:57 - 2017-06-29 01:14 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-07-12 09:57 - 2017-06-29 01:13 - 000663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 09:57 - 2017-06-29 01:13 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-07-12 09:57 - 2017-06-29 01:13 - 000115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-07-12 09:57 - 2017-06-29 01:11 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-07-12 09:57 - 2017-06-29 01:09 - 000806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 09:57 - 2017-06-29 01:09 - 000725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-07-12 09:57 - 2017-06-29 01:08 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-07-12 09:57 - 2017-06-29 01:07 - 002132992 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-07-12 09:57 - 2017-06-29 01:05 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-07-12 09:57 - 2017-06-29 01:01 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-07-12 09:57 - 2017-06-29 01:00 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-07-12 09:57 - 2017-06-29 01:00 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2017-07-12 09:57 - 2017-06-29 00:58 - 015253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 09:57 - 2017-06-29 00:58 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-07-12 09:57 - 2017-06-29 00:56 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-07-12 09:57 - 2017-06-29 00:56 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-07-12 09:57 - 2017-06-29 00:54 - 000130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-07-12 09:57 - 2017-06-29 00:53 - 003240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 09:57 - 2017-06-29 00:52 - 004549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 09:57 - 2017-06-29 00:48 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-07-12 09:57 - 2017-06-29 00:47 - 000693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 09:57 - 2017-06-29 00:46 - 002057216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-07-12 09:57 - 2017-06-29 00:46 - 001155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-07-12 09:57 - 2017-06-29 00:43 - 013663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 09:57 - 2017-06-29 00:41 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 09:57 - 2017-06-29 00:29 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 09:57 - 2017-06-29 00:28 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 09:57 - 2017-06-29 00:24 - 001314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 09:57 - 2017-06-29 00:23 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 09:57 - 2017-06-22 10:58 - 003223040 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 09:57 - 2017-06-15 16:23 - 000753664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 09:57 - 2017-06-12 18:54 - 000370920 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2017-07-12 09:57 - 2017-06-12 18:54 - 000154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-07-12 09:57 - 2017-06-12 18:54 - 000095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-07-12 09:57 - 2017-06-12 18:49 - 001460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 001363456 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 001212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000731648 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000594432 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000475136 _____ (Microsoft Corporation) C:\Windows\system32\sysmon.ocx
2017-07-12 09:57 - 2017-06-12 18:49 - 000463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000058880 _____ (Microsoft Corporation) C:\Windows\system32\pdhui.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-07-12 09:57 - 2017-06-12 18:49 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 001227264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000444928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 09:57 - 2017-06-12 18:29 - 000172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-07-12 09:57 - 2017-06-12 18:29 - 000065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000554496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pdhui.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-07-12 09:57 - 2017-06-12 18:28 - 000017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-07-12 09:57 - 2017-06-12 18:19 - 000064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-07-12 09:57 - 2017-06-12 18:14 - 000379392 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 09:57 - 2017-06-12 18:14 - 000172544 _____ (Microsoft Corporation) C:\Windows\system32\perfmon.exe
2017-07-12 09:57 - 2017-06-12 18:14 - 000103936 _____ (Microsoft Corporation) C:\Windows\system32\resmon.exe
2017-07-12 09:57 - 2017-06-12 18:12 - 000291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-07-12 09:57 - 2017-06-12 18:12 - 000159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-07-12 09:57 - 2017-06-12 18:12 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-07-12 09:57 - 2017-06-12 18:11 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-07-12 09:57 - 2017-06-12 18:09 - 000050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-07-12 09:57 - 2017-06-12 18:06 - 000303616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 09:57 - 2017-06-12 18:06 - 000157184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perfmon.exe
2017-07-12 09:57 - 2017-06-12 18:06 - 000103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\resmon.exe
2017-07-12 09:57 - 2017-06-12 18:05 - 000036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-07-12 09:57 - 2017-06-10 11:59 - 000313856 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 09:57 - 2017-06-10 11:39 - 000271360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 09:57 - 2017-06-09 11:33 - 001680616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 09:57 - 2017-06-06 11:30 - 001867264 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 09:57 - 2017-06-06 11:12 - 001499648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 09:57 - 2017-05-30 00:56 - 001895656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-07-12 09:57 - 2017-05-30 00:56 - 000377576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 09:57 - 2017-05-30 00:56 - 000287976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2017-07-12 09:57 - 2017-05-21 00:24 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-07-12 09:57 - 2017-05-21 00:06 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-07-12 09:57 - 2017-05-16 11:35 - 000986856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-07-12 09:57 - 2017-05-16 11:35 - 000265448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-07-12 09:57 - 2017-05-16 11:30 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2017-07-12 09:11 - 2017-07-12 09:11 - 000000000 ____D C:\Users\404SHIP\AppData\Roaming\Foxit Software
2017-07-12 09:10 - 2017-07-12 09:12 - 000033792 _____ C:\Users\404SHIP\Desktop\smp_open_20170712.xls
2017-07-11 15:13 - 2017-07-11 15:13 - 000000000 ____D C:\Users\mnorris\AppData\Local\HP
2017-07-11 08:45 - 2017-07-11 08:45 - 000252437 _____ C:\Users\administrator.LOCAL\Desktop\mb-clean-results.txt
2017-07-11 08:45 - 2017-07-11 08:44 - 000841160 _____ (Malwarebytes) C:\Users\administrator.LOCAL\Desktop\mb-clean-3.1.0.1014.exe
2017-07-11 08:04 - 2017-07-11 08:04 - 000000000 ____D C:\Users\404SHIP\AppData\Roaming\VMware
2017-07-09 14:39 - 2017-07-10 08:28 - 000000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-07-08 20:14 - 2017-08-03 01:51 - 000000000 ____D C:\Users\rwest\AppData\Local\GoToMeeting
2017-07-07 23:46 - 2017-08-02 11:15 - 000000000 ____D C:\Users\traynor\AppData\Local\GoToMeeting
2017-07-06 17:48 - 2017-07-13 23:41 - 000000000 ____D C:\Users\shipping\AppData\Local\Mozilla Firefox
2017-07-06 13:17 - 2017-07-06 13:17 - 000269442 _____ C:\Users\shipping.LOCAL\Desktop\FEDX BOL BLANK COPY.pdf
2017-07-06 10:23 - 2017-07-06 10:23 - 000000000 ____D C:\Users\404SHIP\Oracle
2017-07-06 10:21 - 2017-07-06 10:21 - 000002259 _____ C:\Users\404SHIP\Desktop\Google Chrome.lnk
2017-07-06 10:21 - 2017-07-06 10:21 - 000000000 ____D C:\Users\404SHIP\AppData\Local\Google
2017-07-06 10:20 - 2017-07-06 10:20 - 000001417 _____ C:\Users\404SHIP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-07-06 10:20 - 2017-07-06 10:20 - 000000000 ____D C:\Users\404SHIP\AppData\Roaming\Adobe
2017-07-06 10:19 - 2017-07-13 11:07 - 000000000 ____D C:\Users\404SHIP
2017-07-06 10:19 - 2017-07-06 10:19 - 000000500 __RSH C:\Users\404SHIP\ntuser.pol
2017-07-06 10:19 - 2017-07-06 10:19 - 000000020 ___SH C:\Users\404SHIP\ntuser.ini
2017-07-06 10:19 - 2012-08-07 03:02 - 000000000 ____D C:\Users\404SHIP\Documents\Visual Studio 2008
2017-07-06 10:19 - 2012-06-14 03:00 - 000000000 ____D C:\Users\404SHIP\AppData\Local\Microsoft Help
2017-07-06 09:10 - 2017-07-06 09:10 - 000000914 _____ C:\Users\administrator.LOCAL\Desktop\MBMC_Client_Diagnosis_Info_2017_07_06_091003.zip
2017-07-05 10:39 - 2017-05-17 17:31 - 002121728 _____ C:\Users\administrator.LOCAL\Desktop\mbae-setup-1.09.2.1413.msi
2017-07-05 10:39 - 2016-02-09 13:55 - 017080320 _____ C:\Users\administrator.LOCAL\Desktop\mbam-setup-1.80.2.1012.msi
2017-07-05 09:55 - 2017-07-09 14:39 - 000000000 ____D C:\Program Files (x86)\Malwarebytes' Managed Client
2017-07-05 09:54 - 2017-07-07 07:35 - 000000000 ____D C:\scclientinstall_a1d462ef_a0f6_4aa3_9d8b_308a650d9616

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-08-04 09:35 - 2017-05-31 14:56 - 000000000 __SHD C:\ProgramData\TSM
2017-08-04 09:33 - 2012-06-14 13:52 - 000007606 _____ C:\Users\bev\AppData\Local\resmon.resmoncfg
2017-08-04 09:32 - 2017-06-19 14:37 - 000000000 ____D C:\ProgramData\Kaspersky Lab
2017-08-04 09:32 - 2012-04-23 13:12 - 000000144 _____ C:\Windows\system32\config\netlogon.ftl
2017-08-04 09:18 - 2015-05-14 11:00 - 000000534 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1115.job
2017-08-04 09:07 - 2009-07-14 00:49 - 000021536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-08-04 09:07 - 2009-07-14 00:49 - 000021536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-08-04 09:04 - 2014-05-12 09:42 - 000000000 ____D C:\Users\kbeal\Documents\Outlook Files
2017-08-04 08:58 - 2015-10-13 11:22 - 000516096 _____ C:\Users\kbeal\Desktop\New Open Order Report_Floor.mdb
2017-08-04 08:50 - 2014-12-22 11:32 - 000000546 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1117.job
2017-08-04 08:18 - 2014-03-27 12:12 - 000000000 ____D C:\Users\mtaylor\Documents\Outlook Files
2017-08-04 07:51 - 2015-05-30 01:46 - 000000642 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1117.job
2017-08-04 07:41 - 2015-05-30 19:50 - 000000630 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1115.job
2017-08-04 07:17 - 2012-07-16 17:05 - 008822784 _____ C:\Users\rwest\Desktop\Open Order Reports.mdb
2017-08-04 07:00 - 2016-11-30 15:00 - 000000494 _____ C:\Windows\Tasks\ShadowCopyVolume{7d5acd5a-e3ce-11e4-9bda-000c29bf984f}.job
2017-08-04 07:00 - 2012-07-19 11:28 - 000000494 _____ C:\Windows\Tasks\ShadowCopyVolume{c3e85c79-7b65-11e1-babd-806e6f6e6963}.job
2017-08-04 07:00 - 2012-04-23 13:26 - 000000494 _____ C:\Windows\Tasks\ShadowCopyVolume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f}.job
2017-08-04 03:20 - 2017-06-01 17:16 - 000000000 ____D C:\Users\SalogSrvTsm
2017-08-04 02:32 - 2016-11-16 11:26 - 000000000 ____D C:\Users\dboyd\Documents\Outlook Files
2017-08-03 19:00 - 2013-09-18 18:58 - 000000344 _____ C:\Windows\Tasks\At10.job
2017-08-03 19:00 - 2013-09-18 18:17 - 000000346 _____ C:\Windows\Tasks\At9.job
2017-08-03 19:00 - 2012-06-28 16:30 - 000000000 ____D C:\Windows\system32\lserver
2017-08-03 17:59 - 2013-09-18 17:37 - 000000340 _____ C:\Windows\Tasks\At8.job
2017-08-03 17:40 - 2014-05-30 16:30 - 000000000 ____D C:\Users\mnorris
2017-08-03 17:39 - 2017-01-27 15:51 - 000000000 ____D C:\Users\mnorris\Desktop\open order reports
2017-08-03 17:39 - 2014-05-30 16:34 - 000000000 ____D C:\Users\mnorris\Documents\Outlook Files
2017-08-03 17:00 - 2013-09-18 16:52 - 000000340 _____ C:\Windows\Tasks\At7.job
2017-08-03 17:00 - 2013-09-18 16:05 - 000000344 _____ C:\Windows\Tasks\At6.job
2017-08-03 16:55 - 2012-06-11 13:43 - 000000000 ____D C:\Users\bev
2017-08-03 14:34 - 2015-02-03 13:58 - 000260989 _____ C:\Users\kbeal\Desktop\SEFL ALTAIR BILL OF LADING.pdf
2017-08-03 14:34 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2017-08-03 14:21 - 2016-12-14 12:02 - 000262444 _____ C:\Users\kbeal\Desktop\SEFL PENCO BILL OF LADING.pdf
2017-08-03 14:11 - 2012-06-28 16:38 - 000000000 ____D C:\Windows\System32\Tasks\WPD
2017-08-03 14:00 - 2013-09-18 13:29 - 000000344 _____ C:\Windows\Tasks\At4.job
2017-08-03 12:00 - 2013-09-18 11:58 - 000000344 _____ C:\Windows\Tasks\At3.job
2017-08-03 12:00 - 2013-09-18 11:08 - 000000342 _____ C:\Windows\Tasks\At2.job
2017-08-03 11:00 - 2013-09-18 10:06 - 000000346 _____ C:\Windows\Tasks\At1.job
2017-08-03 09:14 - 2013-03-18 09:13 - 000003914 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{898830D7-269B-4D60-B7B1-4287D4396341}
2017-08-03 08:43 - 2012-04-23 13:20 - 000000000 ____D C:\Users\administrator.LOCAL
2017-08-03 03:27 - 2012-07-10 13:28 - 000000000 ____D C:\Users\traynor
2017-08-03 03:27 - 2012-06-13 10:52 - 000000000 ____D C:\Users\rwest
2017-08-03 03:20 - 2017-03-29 09:56 - 000000000 ____D C:\Users\rfrscan7\AppData\Roaming\VMware
2017-08-03 03:20 - 2013-11-20 13:10 - 000000000 ____D C:\Users\rfrscan5\AppData\Roaming\VMware
2017-08-03 03:20 - 2012-07-27 16:03 - 000000000 ____D C:\Users\rfrscan2\AppData\Roaming\VMware
2017-08-03 03:19 - 2012-07-13 09:58 - 000000000 ____D C:\Users\rfrscan3
2017-08-03 03:17 - 2009-07-14 01:06 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-03 01:51 - 2015-05-30 19:50 - 000003650 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1115
2017-08-03 01:51 - 2015-05-14 11:00 - 000003554 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1115
2017-08-02 16:33 - 2014-05-25 07:40 - 000754178 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2017-08-02 16:33 - 2009-07-14 01:10 - 000754178 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-02 15:06 - 2015-03-06 17:00 - 000260358 _____ C:\Users\kbeal\Desktop\SEFL AIP-EAST BILL OF LADING.pdf
2017-08-02 14:36 - 2016-12-14 12:05 - 000261463 _____ C:\Users\kbeal\Desktop\SEFL PRECISION METAL FINISHING BILL OF LADING.pdf
2017-08-02 13:53 - 2017-01-10 16:53 - 000000000 ____D C:\Users\rfrscan5\AppData\Local\Google
2017-08-02 11:15 - 2015-05-30 01:46 - 000003666 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1117
2017-08-02 11:15 - 2014-12-22 11:32 - 000003570 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1117
2017-08-02 09:29 - 2017-06-01 17:17 - 000000000 ____D C:\Users\SawebSrv
2017-08-02 09:29 - 2014-10-02 16:50 - 000000000 ____D C:\Users\kbeal\AppData\Roaming\VMware
2017-08-02 09:29 - 2013-12-13 10:31 - 000000000 ____D C:\Users\rwest\AppData\Roaming\VMware
2017-08-01 16:42 - 2017-03-06 15:51 - 000110008 _____ C:\Users\awilliams\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-31 15:56 - 2014-05-12 09:48 - 000271412 _____ C:\Users\kbeal\Desktop\FEDX FREIGHT P0112097.pdf
2017-07-30 15:12 - 2012-06-19 15:15 - 000003906 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{EA292A75-ECDA-44A7-89E5-C78FB3BE2EBF}
2017-07-30 15:09 - 2012-07-23 17:33 - 000000000 ____D C:\Users\rfrscan3\AppData\Roaming\VMware
2017-07-28 15:34 - 2017-04-06 12:17 - 000000000 ____D C:\Users\bev\AppData\Roaming\Foxit Software
2017-07-28 03:20 - 2013-10-28 17:36 - 000000000 ____D C:\Users\rfrscan4\AppData\Roaming\VMware
2017-07-28 03:01 - 2009-07-13 22:34 - 000000699 _____ C:\Windows\win.ini
2017-07-27 14:24 - 2014-05-12 09:48 - 000271194 _____ C:\Users\kbeal\Desktop\FEDX FREIGHT P0112328.pdf
2017-07-27 14:08 - 2012-07-19 10:01 - 000003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F026A864-3D70-41D2-B3C5-BFB898CDEAD4}
2017-07-27 11:13 - 2016-07-25 15:39 - 000000000 ____D C:\ProgramData\OpenDNS
2017-07-27 08:08 - 2014-05-30 12:23 - 000000000 ____D C:\Users\tlloyd\Documents\Outlook Files
2017-07-27 07:57 - 2013-11-20 13:02 - 000000000 ____D C:\Users\cwatson\AppData\Roaming\VMware
2017-07-27 00:38 - 2012-03-31 16:14 - 000000000 ____D C:\Windows\Panther
2017-07-27 00:33 - 2012-07-22 18:23 - 000000000 ____D C:\Users\bev\AppData\Roaming\VMware
2017-07-27 00:32 - 2012-07-22 18:24 - 000000000 ____D C:\Users\rfrscan1\AppData\Roaming\VMware
2017-07-27 00:30 - 2009-07-14 00:49 - 000409488 _____ C:\Windows\system32\FNTCACHE.DAT
2017-07-26 14:02 - 2017-03-01 09:57 - 000000000 ____D C:\Users\bev\AppData\Local\Google
2017-07-26 13:48 - 2012-06-13 11:17 - 000110008 _____ C:\Users\bev\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-26 13:47 - 2015-04-13 19:16 - 000000500 __RSH C:\Users\bev\ntuser.pol
2017-07-26 13:41 - 2012-04-23 13:20 - 000110008 _____ C:\Users\administrator.LOCAL\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-26 13:40 - 2015-04-29 12:26 - 000007628 _____ C:\Users\administrator.LOCAL\AppData\Local\resmon.resmoncfg
2017-07-26 12:33 - 2016-07-25 15:39 - 000110008 _____ C:\Users\rfrscan7\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-26 05:06 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\rescache
2017-07-25 16:30 - 2015-04-30 17:27 - 000000109 _____ C:\Windows\cdlli61.INI
2017-07-25 09:52 - 2014-06-06 15:40 - 000110008 _____ C:\Users\mnorris\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-25 05:58 - 2012-07-20 08:06 - 000110008 _____ C:\Users\cwatson\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-25 00:08 - 2014-05-17 11:08 - 000110008 _____ C:\Users\kbeal\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-25 00:08 - 2013-10-09 12:48 - 000110008 _____ C:\Users\rfrscan1\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-25 00:08 - 2012-07-17 07:23 - 000110008 _____ C:\Users\rwest\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-24 20:50 - 2012-07-17 09:11 - 000110008 _____ C:\Users\traynor\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-24 11:15 - 2014-04-03 08:10 - 000110008 _____ C:\Users\mtaylor\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-24 10:45 - 2017-06-12 12:35 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-07-21 12:38 - 2014-05-12 09:48 - 000299082 _____ C:\Users\kbeal\Desktop\EstesBOL ALTAIR ADVANCED D941333.pdf
2017-07-19 10:50 - 2017-03-14 16:20 - 000438272 _____ C:\Users\shipping\Desktop\UpdatedEaton Packing List.mdb
2017-07-18 09:56 - 2017-02-21 10:52 - 000000000 ____D C:\ProgramData\WebEx
2017-07-18 09:56 - 2013-12-13 10:11 - 000000000 ____D C:\ProgramData\regid.1992-12.com.symantec
2017-07-18 09:56 - 2012-07-23 11:45 - 000000000 ____D C:\ProgramData\Minitab
2017-07-18 09:56 - 2012-07-18 16:50 - 000000000 ____D C:\ProgramData\FLEXnet
2017-07-18 09:56 - 2012-07-16 17:50 - 000000000 ____D C:\Users\shipping\AppData\Local\Microsoft Help
2017-07-18 09:47 - 2012-07-16 17:50 - 000000000 ____D C:\Users\shipping\AppData\Local\VirtualStore
2017-07-18 08:45 - 2017-03-15 14:48 - 000000000 ____D C:\Users\Public\Foxit Software
2017-07-18 08:45 - 2009-07-13 23:20 - 000000000 __RHD C:\Users\Public\Libraries
2017-07-17 14:54 - 2014-05-12 09:48 - 000261589 _____ C:\Users\kbeal\Desktop\SEFL OCC BILL OF LADING.pdf
2017-07-17 14:27 - 2014-05-12 09:48 - 000271932 _____ C:\Users\kbeal\Desktop\FEDX FREIGHT COMMVAULT FIT OUT.pdf
2017-07-17 14:21 - 2014-05-12 09:48 - 000271193 _____ C:\Users\kbeal\Desktop\FEDX FREIGHT KING OF PRUSSIA.pdf
2017-07-13 23:42 - 2017-04-08 17:32 - 000000000 ____D C:\Users\shipping\AppData\LocalLow\Mozilla
2017-07-13 05:53 - 2017-04-02 17:57 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-07-13 04:31 - 2016-11-16 11:19 - 000000000 ____D C:\Users\dboyd
2017-07-13 03:06 - 2013-09-12 13:26 - 000000000 ____D C:\Windows\system32\MRT
2017-07-13 03:05 - 2012-05-08 12:32 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-12 03:01 - 2012-06-13 11:06 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-07-12 03:01 - 2012-06-13 11:06 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-07-12 03:01 - 2012-06-13 11:06 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-07-12 03:01 - 2012-06-13 11:06 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-07-12 03:01 - 2012-06-13 11:06 - 000000000 ____D C:\Windows\system32\Macromed
2017-07-11 14:16 - 2014-05-12 09:48 - 000297672 _____ C:\Users\kbeal\Desktop\EstesBOL ALTAIR ADVANCED REG.pdf
2017-07-11 10:04 - 2015-07-27 11:19 - 000002297 _____ C:\Users\rfrscan3\Desktop\RFR Quality Work Instructions.lnk
2017-07-11 08:38 - 2017-06-19 12:53 - 000000000 ____D C:\Users\mtaylor\AppData\Roaming\VMware
2017-07-10 08:27 - 2012-07-10 11:03 - 000000000 ____D C:\Windows\SHELLNEW
2017-07-09 15:06 - 2012-10-24 14:33 - 000000000 ____D C:\Users\administrator.LOCAL\AppData\Roaming\Malwarebytes
2017-07-09 15:03 - 2013-05-06 09:10 - 000000000 ____D C:\Users\administrator.LOCAL\AppData\Roaming\VMware
2017-07-06 15:35 - 2012-07-16 17:50 - 000000000 ____D C:\Users\shipping
2017-07-06 13:17 - 2017-03-14 16:20 - 000269442 _____ C:\Users\shipping\Desktop\FEDX BOL BLANK COPY.pdf
2017-07-06 12:30 - 2015-04-08 15:40 - 000068388 _____ C:\Users\kbeal\Desktop\con-way bol.pdf
2017-07-06 09:21 - 2015-04-14 12:22 - 000000500 __RSH C:\Users\administrator.LOCAL\ntuser.pol

==================== Files in the root of some directories =======

2013-09-12 13:53 - 2005-12-08 22:51 - 000000060 ____R () C:\Program Files (x86)\BRINST.INI
2012-06-14 13:52 - 2017-08-04 09:33 - 000007606 _____ () C:\Users\bev\AppData\Local\resmon.resmoncfg
2013-05-03 15:15 - 2013-05-03 15:15 - 000000000 _____ () C:\ProgramData\as98213.txt
2017-07-17 00:01 - 2017-07-28 00:05 - 000036335 _____ () C:\ProgramData\tsmimpl.dmp
2014-05-15 15:37 - 2017-06-19 12:44 - 000000000 _____ () C:\ProgramData\tsmsys.dmp

Files to move or delete:
====================
C:\Users\rwest\TsAllUsr.Dat
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At10.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
C:\Windows\Tasks\At4.job
C:\Windows\Tasks\At6.job
C:\Windows\Tasks\At7.job
C:\Windows\Tasks\At8.job
C:\Windows\Tasks\At9.job


Some files in TEMP:
====================
2012-07-23 11:44 - 2012-07-23 12:53 - 000555008 _____ (SafeNet Inc.) C:\Users\administrator.LOCAL\AppData\Local\Temp\hasp_windows.dll
2010-03-16 10:11 - 2010-03-16 10:11 - 000174440 ____R (Microsoft Corporation) C:\Users\administrator.LOCAL\AppData\Local\Temp\ose00000.exe
2017-04-06 10:09 - 2017-04-06 10:09 - 000040960 _____ () C:\Users\administrator.LOCAL\AppData\Local\Temp\SearchDLLInUSe.dll
2013-05-22 14:05 - 2013-05-22 14:05 - 002141192 _____ (Solid State Networks) C:\Users\cwatson\AppData\Local\Temp\install_flashplayer.exe
2013-02-08 10:34 - 2013-02-08 10:34 - 000999768 _____ (Solid State Networks) C:\Users\cwatson\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aih[1].exe
2013-05-01 11:40 - 2013-05-01 11:40 - 002138584 _____ (Solid State Networks) C:\Users\rbroughton\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_aih[1].exe
2012-08-15 14:40 - 2012-08-15 14:40 - 000999520 _____ (Solid State Networks) C:\Users\rbroughton\AppData\Local\Temp\install_reader10_en_gtbd_chrd_dn_aih[1].exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-15 18:18

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by bev (04-08-2017 09:36:14)
Running from C:\Users\bev\Desktop\Bleeping Computer
Windows Server 2008 R2 Enterprise Service Pack 1 (X64) (2012-03-31 19:19:53)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3131421439-3159242595-1108985637-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-3131421439-3159242595-1108985637-501 - Limited - Disabled)
MICROSOFT$DPM$Acct (S-1-5-21-3131421439-3159242595-1108985637-1008 - Limited - Enabled) => C:\Users\MICROSOFT$DPM$Acct

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (HKLM\...\{F8F948EA-5AEA-4158-8821-A2F788ECE936}) (Version: 16.2.1 - Hewlett-Packard) Hidden
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.137 - Adobe Systems Incorporated)
Adobe Flash Player 26 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 26.0.0.137 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Bootstrapper (HKLM-x32\...\{B9D9B170-6A42-4AD0-8DBE-10E0EF29B0A3}) (Version: 1.1.0.0 - Minitab, Inc.) Hidden
BrLauncher (HKLM-x32\...\{C661197A-6B93-4E37-9E3F-2A1DFCD64234}) (Version: 1.1.15.0 - Brother Industries Ltd.) Hidden
BrLogRx (HKLM-x32\...\{B556F816-FF4D-4BB6-9339-ED28639E2EF3}) (Version: 1.0.2.1 - Brother Industries Ltd.) Hidden
Brother BRAdmin Light 1.24.0000 (HKLM-x32\...\{DB75941E-30C4-4D97-B000-D17C764B998C}) (Version: 1.24.0000 - Brother)
Brother Driver Deployment Wizard (HKLM-x32\...\{0ED38503-B69A-44B4-98BE-21BFF284A9B6}) (Version: 1.09.000 - Brother)
Brother Scanner Driver (HKLM-x32\...\{E9EDA660-801D-4FC2-9B1E-26C2D32042C6}) (Version: 1.1.37.1 - Brother Industries Ltd.) Hidden
BrotherHelpInstaller (HKLM-x32\...\{4E461C2A-EC1C-46D1-AF5B-7FEFD0054AF8}) (Version: 1.0.0.0 - Brother) Hidden
BrSupportTools (HKLM-x32\...\{83626DDE-99CD-4FF2-804E-36BE82143315}) (Version: 1.0.14.0 - Brother Industries Ltd.) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.1.201.3 - Citrix Systems, Inc.)
ControlCenter4 (HKLM-x32\...\{553D6C39-4176-4CA8-99B2-557FE2989369}) (Version: 4.3.23.1 - Brother Industries, Ltd.) Hidden
Crystal Viewer 11 (HKLM-x32\...\{688E117B-56AC-427A-95BA-60B41A81EBDB}) (Version: 1.00.0000 - )
Crystal Viewer 11 (HKLM-x32\...\{BF675D70-D465-4A4F-A37B-B60F4316F061}) (Version: 1.00.0000 - ProfitKey International) Hidden
DocketPORT 467 (HKLM\...\{29921E70-50C0-4117-AC65-24E0C95693E9}) (Version: 1.2.1002 - Document Capture Technologies Inc)
Foxit PhantomPDF (HKLM-x32\...\{294FCFCC-FD6C-11E6-BCDD-000C2992F709}) (Version: 8.2.1.6871 - Foxit Software Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
GoToMeeting 8.9.0.7403 (HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\GoToMeeting) (Version: 8.9.0.7403 - LogMeIn, Inc.)
GoToMeeting 8.9.0.7403 (HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\...\GoToMeeting) (Version: 8.9.0.7403 - LogMeIn, Inc.)
HL-5450DN (HKLM-x32\...\{7171B206-5C5A-4B7F-B9E1-1F1827FC769F}) (Version: 1.0.2.0 - Brother Industries, Ltd.)
HowToGuide (HKLM-x32\...\{36580EEB-4EDF-4880-BBD4-097E2C645ECD}) (Version: 1.0.1.0 - Brother Industries Ltd.) Hidden
Java 7 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.650 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Kaspersky Endpoint Security 10 for Windows (HKLM-x32\...\{7911E943-32CC-45D0-A29C-56E6EF762275}) (Version: 10.3.0.6294 - Kaspersky Lab)
Kaspersky Security Center 10 Network Agent (HKLM-x32\...\{BCF4CF24-88AB-45E1-A6E6-40C8278A70C5}) (Version: 10.4.343 - AO Kaspersky Lab) Hidden
Kaspersky Security Center 10 Network Agent (HKLM-x32\...\InstallWIX_{BCF4CF24-88AB-45E1-A6E6-40C8278A70C5}) (Version: 10.4.343 - AO Kaspersky Lab)
LiveUpdate 3.3 (Symantec Corporation) (HKLM-x32\...\LiveUpdate) (Version: 3.3.0.61 - Symantec Corporation)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office 2003 Web Components (HKLM-x32\...\{90120000-00A4-0409-0000-0000000FF1CE}) (Version: 12.0.6213.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft SQL Server 2008 Native Client (HKLM\...\{2738C4AA-420E-4E13-ADEF-B5AB250E3EF1}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 English (HKLM-x32\...\{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft Store Download Manager (HKLM-x32\...\{2C019AC0-E2E1-4E63-8113-87F9D44EAF07}) (Version: 2.9.4919.1 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM-x32\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
Minitab 16 (HKLM-x32\...\Minitab16) (Version: 16.2.2 - Minitab, Inc.)
Minitab Software Update Manager (HKLM-x32\...\MinitabSoftwareManager) (Version: 1.1.0.0 - Minitab, Inc.)
Minitab16 (HKLM-x32\...\{AE902C4A-22FF-4889-9F27-F0D106E43ADC}) (Version: 16.2.2.0 - Minitab, Inc.) Hidden
Minitab16 (HKLM-x32\...\{E62BCBF4-C355-45A0-974B-D5F62963F12A}) (Version: 16.2.2.0 - Minitab Inc) Hidden
Minitab16 (HKLM-x32\...\{F80662FB-C834-497A-AFE7-A4999E508093}) (Version: 16.2.2.0 - Minitab Inc) Hidden
ML320 Windows7_Server 2008 R2 Drivers (HKLM-x32\...\{CACF3A14-2287-490B-8DC3-2714C72DA219}) (Version: 1.00.0000 - OKI® Printing Solutions)
Mozilla Firefox 33.1.1 (x86 en-US) (HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\...\Mozilla Firefox 33.1.1 (x86 en-US)) (Version: 33.1.1 - Mozilla)
Mozilla Firefox 53.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 53.0.3 (x86 en-US)) (Version: 53.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 53.0.3.6347 - Mozilla)
Online Plug-in (HKLM-x32\...\{2EA6C7A4-9178-4C04-887E-D3515F4AAC1B}) (Version: 13.1.201.3 - Citrix Systems, Inc.) Hidden
ProfitKey RRM 777 Client Install/Update (HKLM-x32\...\{76AE20B6-488E-486D-A58B-37B5BE587803}) (Version: 7.7.7 - ProfitKey International)
RemoteSetup (HKLM-x32\...\{BDD8C463-1183-4A91-9EC8-BF68E4ECA9B6}) (Version: 3.9.2.1 - Brother Industries Ltd.) Hidden
ScannerStatusMonitor (HKLM-x32\...\{D9176838-ABBD-4820-91BE-E1E72CEF1DC6}) (Version: 1.3.16.0 - Brother Insutries Ltd.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
SoftwareManager (HKLM-x32\...\{2C9F55AF-1CFA-4063-8A36-EEA6979602AD}) (Version: 1.1.0.0 - Minitab, Inc.) Hidden
Stellar Phoenix Outlook PST Repair (HKLM\...\Stellar Phoenix Outlook PST Repair_is1) (Version: 6.0.0.0 - Stellar Information Technology Pvt Ltd.)
Symantec Backup Exec Remote Agent for Windows (HKLM\...\{52B066B2-F52B-40B2-A05D-C69F497ED4D0}) (Version: 14.0.1798 - Symantec Corporation) Hidden
Symantec Backup Exec Remote Agent for Windows (HKLM\...\Remote Agent for Windows Servers) (Version: 14.0.1798 - Symantec Corporation)
Team Developer 6.1 Deployment (HKLM-x32\...\{791261E6-C86C-4ADC-BF43-F4C39FB091F8}) (Version: 6.1.0000 - Gupta Technologies) Hidden
Team Developer 6.1 Deployment (HKLM-x32\...\InstallShield_{791261E6-C86C-4ADC-BF43-F4C39FB091F8}) (Version: 6.1.0000 - Gupta Technologies)
Trix DrawingCenter 6.5 (HKLM-x32\...\{827D0C8E-E624-4730-94EC-EF7256CEE11D}) (Version: 6.5.10475.6 - Trix Systems AB)
VisionX (HKLM-x32\...\{68FF4E69-53DC-485C-ADD9-E56FF9A406F8}) (Version: 3.3.1 - Panini)
VMware Tools (HKLM\...\{A5CD39D8-F8A7-494F-9357-878A4AB6537F}) (Version: 8.6.0.6261 - VMware, Inc.)
VueScan x64 (HKLM\...\VueScan x64) (Version: - )
WebClient (HKLM-x32\...\WebClient) (Version: - )
Wyse TCX Client Suite (HKLM\...\{82744A92-4D9F-4680-B707-3B20890311EC}) (Version: 7.1.0.44 - Dell Inc.)
Xerox Support Centre (HKLM-x32\...\Xerox_Support_Centre) (Version: - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4128123357-3028985877-1724802406-1115_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\rwest\AppData\Local\Citrix\GoToMeeting\2553\G2MOutlookAddin64.dll => No File
CustomCLSID: HKU\S-1-5-21-4128123357-3028985877-1724802406-1117_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\traynor\AppData\Local\Citrix\GoToMeeting\2031\G2MOutlookAddin64.dll => No File
ContextMenuHandlers1: [Foxit_ConvertToPDF] -> {C5269811-4A29-4818-A4BB-111F9FC63A5F} => C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\ConvertToPDFShellExtension_x64.dll [2017-02-15] (Foxit Software Inc.)
ContextMenuHandlers1: [Kaspersky Anti-Virus] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\ShellEx.dll. [2017-03-13] (AO Kaspersky Lab)
ContextMenuHandlers2: [Kaspersky Anti-Virus] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\ShellEx.dll. [2017-03-13] (AO Kaspersky Lab)
ContextMenuHandlers4: [Kaspersky Anti-Virus] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\ShellEx.dll. [2017-03-13] (AO Kaspersky Lab)
ContextMenuHandlers6: [Foxit_ConvertToPDF] -> {C5269811-4A29-4818-A4BB-111F9FC63A5F} => C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\ConvertToPDFShellExtension_x64.dll [2017-02-15] (Foxit Software Inc.)
ContextMenuHandlers6: [Kaspersky Anti-Virus] -> {dd230880-495a-11d1-b064-008048ec2fc5} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\x64\ShellEx.dll. [2017-03-13] (AO Kaspersky Lab)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {147B729B-627E-4293-8C13-0D74B1337D88} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-10] (Google Inc.)
Task: {1EC263D9-18EA-42AD-BCFF-EBFEA99EA8A1} - System32\Tasks\At6 => rundll32.exe ucmiq.zj,hgnnyvv <==== ATTENTION
Task: {20E9B587-772A-4E6E-937A-FE0A269146DA} - System32\Tasks\At4 => rundll32.exe ucmiq.zj,twrbtou <==== ATTENTION
Task: {2F68B049-CA50-4423-8060-42CC96ED39FC} - System32\Tasks\ShadowCopyVolume{7d5acd5a-e3ce-11e4-9bda-000c29bf984f} => C:\Windows\system32\vssadmin.exe [2009-07-13] (Microsoft Corporation)
Task: {34ED3C59-0863-4FE1-B9E7-A3B34330774D} - System32\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1115 => C:\Users\rwest\AppData\Local\GoToMeeting\7403\g2mupdate.exe [2017-08-03] (LogMeIn, Inc.)
Task: {4A09F3E6-5246-435B-8F4A-FA6EA787F237} - System32\Tasks\{D634178C-04E2-4B7E-A684-FE44A1D1D62B} => C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE [2017-07-22] (Microsoft Corporation)
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {687969C6-35A3-42A3-8D70-0378CEF61575} - System32\Tasks\ShadowCopyVolume{c3e85c79-7b65-11e1-babd-806e6f6e6963} => C:\Windows\system32\vssadmin.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {7750878B-281D-4AD0-AE49-EE1E1BBF2B33} - System32\Tasks\At7 => rundll32.exe ucmiq.zj,uyrxn <==== ATTENTION
Task: {895B0B11-4647-4822-A94B-FB53393C7318} - System32\Tasks\ShadowCopyVolume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f} => C:\Windows\system32\vssadmin.exe [2009-07-13] (Microsoft Corporation)
Task: {8A6D39A9-82A3-499E-A8B9-3B2D0DBFE16F} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {8EF8D1D7-E8E8-438F-912E-BA16DAE46486} - System32\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1117 => C:\Users\traynor\AppData\Local\GoToMeeting\7403\g2mupload.exe [2017-08-02] (LogMeIn, Inc.)
Task: {907F1A9E-EE5F-44FB-836C-889C4E63552F} - System32\Tasks\At9 => rundll32.exe ucmiq.zj,eozzuzgm <==== ATTENTION
Task: {90D3D314-AF2A-42B8-8CED-7B52103EFAB1} - System32\Tasks\At3 => rundll32.exe ucmiq.zj,aqdmblq <==== ATTENTION
Task: {99DFF19C-0A95-4611-83EA-942BD32E208B} - System32\Tasks\Microsoft\Windows\termsrv\licensing\TlsWarning => C:\Windows\system32\tlsbln.exe [2010-11-20] (Microsoft Corporation)
Task: {ADB2F227-8322-43D8-97D2-392B2E5EBB2F} - System32\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1115 => C:\Users\rwest\AppData\Local\GoToMeeting\7403\g2mupload.exe [2017-08-03] (LogMeIn, Inc.)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {B7D8D138-0B88-4AE5-923C-9D1A56D4F7C1} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-07-12] (Adobe Systems Incorporated)
Task: {C4476CE2-2CE0-4EEF-9037-5B5F2FA4776B} - System32\Tasks\At8 => rundll32.exe ucmiq.zj,sasfg <==== ATTENTION
Task: {C732415D-3B94-4989-9148-9FF06C7870D5} - System32\Tasks\Minitab\Minitab Software Update Manager => C:\Program Files (x86)\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe [2010-11-05] (Minitab)
Task: {D1AD0515-7D0D-49C5-AF61-A2880E98E2B8} - System32\Tasks\At1 => rundll32.exe ucmiq.zj,kghimwqs <==== ATTENTION
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {DF7A7980-F5B4-4FE1-ACB8-2EFDFB3C6432} - System32\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1117 => C:\Users\traynor\AppData\Local\GoToMeeting\7403\g2mupdate.exe [2017-08-02] (LogMeIn, Inc.)
Task: {E72EC3CC-95DF-4FBD-9B30-F8FAFF0E3D82} - System32\Tasks\ConfigureSCPForDPM => C:\Users\bev\AppData\Local\Temp\10\tmp3B09.tmp\Setup\ConfigureScp.exe <==== ATTENTION
Task: {E7FE7570-B9E3-4D61-B6D2-43381FB2BD8B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-10] (Google Inc.)
Task: {F53E3FB8-2F84-4D3C-8C3D-4567429751F6} - System32\Tasks\At2 => rundll32.exe ucmiq.zj,mkhhum <==== ATTENTION
Task: {F758C1C2-BD1B-4013-A52C-C3E774EE1FC3} - System32\Tasks\At10 => rundll32.exe ucmiq.zj,ikyjxwq <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\At1.job => rundll32 exeucmiq zj kghimwqsSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At10.job => rundll32 exeucmiq zj ikyjxwqSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At2.job => rundll32 exeucmiq zj mkhhumSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At3.job => urundll32 exeucmiq zj aqdmblqSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At4.job => rundll32 exeucmiq zj twrbtouSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At6.job => rundll32 exeucmiq zj hgnnyvvSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At7.job => rundll32 exeucmiq zj uyrxnSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At8.job => rundll32 exeucmiq zj sasfgSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\At9.job => rundll32 exeucmiq zj eozzuzgmSYSTEMCreated by NetScheduleJobAdd
Task: C:\Windows\Tasks\ConfigureSCPForDPM.job => C:\Users\bev\AppData\Local\Temp\10\tmp3B09.tmp\Setup\ConfigureScp.exe <==== ATTENTION
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1115.job => C:\Users\rwest\AppData\Local\GoToMeeting\7403\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-4128123357-3028985877-1724802406-1117.job => C:\Users\traynor\AppData\Local\GoToMeeting\7403\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1115.job => C:\Users\rwest\AppData\Local\GoToMeeting\7403\g2mupload.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-4128123357-3028985877-1724802406-1117.job => C:\Users\traynor\AppData\Local\GoToMeeting\7403\g2mupload.exe
Task: C:\Windows\Tasks\ShadowCopyVolume{7d5acd5a-e3ce-11e4-9bda-000c29bf984f}.job => C:\Windows\system32\vssadmin.exe
Task: C:\Windows\Tasks\ShadowCopyVolume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f}.job => C:\Windows\system32\vssadmin.exe
Task: C:\Windows\Tasks\ShadowCopyVolume{c3e85c79-7b65-11e1-babd-806e6f6e6963}.job => C:\Windows\system32\vssadmin.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2012-03-30 14:31 - 2012-03-30 14:31 - 000087704 _____ () C:\Windows\System32\PDVFSNP.dll
2017-04-18 16:55 - 2005-04-22 13:36 - 000143360 _____ () C:\Windows\system32\BrSNMP64.dll
2017-05-31 14:56 - 2017-05-05 12:18 - 000050544 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\x64\StlImpl64.dll
2017-05-31 14:56 - 2017-05-05 12:11 - 000105472 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\x64\KbdImpl64.dll
2017-05-31 14:56 - 2017-05-05 12:11 - 000103936 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\x64\AppImpl64.dll
2013-09-05 01:17 - 2013-09-05 01:17 - 004300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 008801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-06-07 07:49 - 2011-06-07 07:49 - 000077824 _____ () C:\Program Files\VMware\VMware Tools\sigc-2.0.dll
2011-06-07 07:48 - 2011-06-07 07:48 - 000780400 _____ () C:\Program Files\VMware\VMware Tools\glibmm-2.4.dll
2017-06-01 13:58 - 2017-04-27 09:45 - 004718312 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\serve.exe
2017-06-01 13:58 - 2017-04-27 09:45 - 000124416 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\win32api.pyd
2017-06-01 13:58 - 2017-04-27 09:45 - 000129536 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\pywintypes35.dll
2017-06-01 13:58 - 2017-04-27 09:45 - 000022016 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\win32event.pyd
2017-06-01 13:58 - 2017-04-27 09:45 - 000051712 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\win32service.pyd
2017-06-01 13:58 - 2017-04-27 09:45 - 002316288 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\psycopg2._psycopg.pyd
2017-06-01 13:58 - 2017-04-27 09:45 - 000031744 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\_jpegtran.pyd
2017-06-01 13:58 - 2017-04-27 09:45 - 000430592 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\jpeg62.dll
2017-06-01 13:58 - 2017-04-27 09:45 - 000574464 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\turbojpeg.dll
2017-06-01 13:58 - 2017-04-27 09:45 - 000165888 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\webapp\_cffi_backend.pyd
2017-05-31 14:56 - 2017-05-05 12:18 - 002746736 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\tsmsvc.exe
2017-06-01 13:57 - 2017-05-05 12:18 - 002005360 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\tsmsys.exe
2017-06-01 13:57 - 2017-05-05 12:18 - 000100720 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\tsmimpl.exe
2017-06-01 13:57 - 2017-05-05 12:18 - 000123760 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\x64\tsmimpl64.exe
2017-06-28 17:24 - 2017-06-22 23:21 - 002692440 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\swiftshader\libglesv2.dll
2017-06-28 17:24 - 2017-06-22 23:21 - 000137048 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\swiftshader\libegl.dll
2017-03-13 11:07 - 2017-03-13 11:07 - 000233376 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP2\product_ksn_client.dll
2017-05-31 14:56 - 2017-05-05 12:18 - 000062832 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\StlImpl.dll
2017-05-31 14:56 - 2017-05-05 12:10 - 000078848 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\AppImpl.dll
2014-02-19 16:12 - 2009-02-27 17:38 - 000139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2017-05-31 14:56 - 2017-05-05 12:10 - 000438272 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\ImImpl.dll
2017-06-01 13:57 - 2016-10-27 21:00 - 000145408 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\LIBPQ.dll
2017-06-01 13:57 - 2017-04-20 21:04 - 000401920 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\Dbglog.dll
2013-03-25 14:42 - 2013-03-25 14:42 - 000045936 _____ () C:\PK\Deploy\GTBLEXI61.dll
2013-09-05 01:14 - 2013-09-05 01:14 - 004300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 008801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2017-05-31 14:56 - 2017-05-05 12:09 - 000769024 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\usrintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000077312 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\kbdintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000816640 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\scrintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000942592 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\appintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000911872 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\inetintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000141824 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\imintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000101376 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\fsintr.dll
2017-06-01 13:57 - 2017-05-05 12:10 - 000033280 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\xngintr.dll
2017-05-31 14:56 - 2017-05-05 12:02 - 000168960 _____ () C:\Program Files (x86)\SoftActivity TS Monitor\XngImpl.dll
2015-11-11 03:42 - 2015-11-11 03:42 - 001045672 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2007-05-13 01:50 - 2007-05-13 01:50 - 001212416 _____ () C:\Program Files (x86)\Common Files\Business Objects\3.0\bin\prompt.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\MGtools.exe:BDU [0]
AlternateDataStreams: C:\Users\administrator.LOCAL\Desktop\mb-clean-3.1.0.1014.exe:BDU [0]
AlternateDataStreams: C:\Users\administrator.LOCAL\Desktop\SymDiag.exe:BDU [0]
AlternateDataStreams: C:\Users\bev\Desktop\HijackThis.exe:BDU [0]
AlternateDataStreams: C:\Users\shipping.LOCAL\Desktop\HijackThis.exe:BDU [0]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4128123357-3028985877-1724802406-1111\Control Panel\Desktop\\Wallpaper -> C:\Users\shipping.LOCAL\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4128123357-3028985877-1724802406-1112\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-1115\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-1117\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-2112\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-2113\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-2114\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-2131\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-2132\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-3104\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4128123357-3028985877-1724802406-3107\Control Panel\Desktop\\Wallpaper -> C:\Users\kbeal\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
HKU\S-1-5-21-4128123357-3028985877-1724802406-3109\Control Panel\Desktop\\Wallpaper -> C:\Users\mnorris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4128123357-3028985877-1724802406-3122\Control Panel\Desktop\\Wallpaper -> C:\Users\rfrscan7\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4128123357-3028985877-1724802406-3130\Control Panel\Desktop\\Wallpaper -> C:\Users\awilliams\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4128123357-3028985877-1724802406-500\Control Panel\Desktop\\Wallpaper -> C:\Users\ADMINI~1.LOC\AppData\Local\Temp\12\BGInfo.bmp
DNS Servers: 10.0.0.200 - 10.0.0.201
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [{0B5007FF-647C-419B-BDF0-335390E0785B}] => (Allow) C:\Windows\System32\hasplms.exe
FirewallRules: [{8A5E3A75-0B13-4537-BA66-4347AFA72B88}] => (Allow) C:\Windows\System32\hasplms.exe
FirewallRules: [{89546764-E916-4B19-9469-CB87616D8752}] => (Allow) C:\Program Files (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{1288141E-B359-4C1F-A9C4-694001D75CF4}] => (Allow) C:\Program Files (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{54FC0371-5663-432A-BE64-BBDCC2D5C124}] => (Allow) C:\Program Files (x86)\Internet Explorer\iexplore.exe
FirewallRules: [{8DABD02A-948F-4114-9004-B8C3F9E70F1C}] => (Allow) C:\Program Files (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{933BC7EA-AC4F-4BBD-B13D-E96286A0B95A}] => (Allow) LPort=135
FirewallRules: [{C2207EA5-CBBD-4BB2-8A61-27C474EDDFC1}] => (Allow) C:\Program Files (x86)\Internet Explorer\iexplore.exe
FirewallRules: [{FDF476DE-AACC-4429-BE36-2B12436437F0}] => (Allow) C:\Program Files (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{15C17270-F6EC-4B5F-8BC3-847471EF367F}] => (Allow) C:\Program Files (x86)\Internet Explorer\iexplore.exe
FirewallRules: [{B35FCA3A-0D81-458A-A7EE-2EB26DA631FC}] => (Allow) C:\Program Files (x86)\Windows Media Player\wmplayer.exe
FirewallRules: [{B4DB2808-83E2-4757-924F-50169E486E55}] => (Allow) C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
FirewallRules: [{148CDB23-E53B-4AE5-93AB-886867C44412}] => (Allow) C:\Program Files (x86)\Brother\BRAdmin Light\BRAdmLight.exe
FirewallRules: [{331E1DBA-8BC6-4270-81F4-A7F399168DA0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{424AA527-FE1A-4F80-90B6-3189837536D3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7F6CA109-23FD-4601-801D-3E23639E1DDD}] => (Allow) C:\Program Files\Wyse\TCX\Client\Flash Redirection\FRLauncher.exe
FirewallRules: [{01DFE392-E809-4CF7-9D04-AA7A8C96D1AC}] => (Allow) LPort=54925
FirewallRules: [{B8F6734E-1BC7-4126-A367-6F604EA2D69E}] => (Allow) LPort=15000
FirewallRules: [{ACBE23D3-3ECC-48F8-AC9E-742D084FC3B3}] => (Allow) LPort=15000
FirewallRules: [{416BFA6D-94DB-4EE5-91FD-90F76D464EDD}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagwds.exe
FirewallRules: [{E4AB81A6-92F8-463C-9505-8D530589DFB6}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagwds.exe
FirewallRules: [{0EC8666D-FCC0-4319-91EF-B97F1D7152C9}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagwds.exe
FirewallRules: [{BC2AC309-E012-4465-B84B-BED2283D13AD}] => (Allow) C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagwds.exe
FirewallRules: [{7CA27E4A-5F5A-4BEA-9B60-776C16D443B8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============

Name: Brother ADS-2400N
Description: Brother ADS-2400N
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Brother
Service: usbscan
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/04/2017 07:00:05 AM) (Source: VSS) (EventID: 7001) (User: )
Description: VssAdmin: Unable to create a shadow copy: Either the specified volume was not found or it is not a local volume.
Command-line: 'C:\Windows\system32\vssadmin.exe Create Shadow /AutoRetry=15 /For=\\?\Volume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f}\'.

Error: (08/04/2017 03:23:10 AM) (Source: SalogSrvTsm) (EventID: 260) (User: )
Description: Failed to export logdb: could not connect to server: Connection refused (0x0000274D/10061)
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused (0x0000274D/10061)
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?

Error: (08/03/2017 03:24:46 PM) (Source: SalogSrvTsm) (EventID: 260) (User: )
Description: Failed to export logdb: could not connect to server: Connection refused (0x0000274D/10061)
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused (0x0000274D/10061)
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?

Error: (08/03/2017 03:17:12 PM) (Source: Winlogon) (EventID: 4005) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (08/03/2017 12:00:00 PM) (Source: VSS) (EventID: 7001) (User: )
Description: VssAdmin: Unable to create a shadow copy: Either the specified volume was not found or it is not a local volume.
Command-line: 'C:\Windows\system32\vssadmin.exe Create Shadow /AutoRetry=15 /For=\\?\Volume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f}\'.

Error: (08/03/2017 08:21:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: EXCEL.EXE, version: 14.0.7183.5000, time stamp: 0x59450c3c
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0b61f7d8
Faulting process id: 0x10e8
Faulting application start time: 0x01d30c51361da1fc
Faulting application path: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Faulting module path: unknown
Report Id: 561689df-7846-11e7-9178-000c29bf984f

Error: (08/03/2017 07:27:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtoolsd.exe, version: 8.6.0.6261, time stamp: 0x4dee27c3
Faulting module name: unity.dll, version: 8.6.0.6261, time stamp: 0x4dee27f9
Exception code: 0xc0000094
Fault offset: 0x0000000000010408
Faulting process id: 0x1e50
Faulting application start time: 0x01d30c28dadfbec6
Faulting application path: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Faulting module path: C:\Program Files\VMware\VMware Tools\plugins\vmusr\unity.dll
Report Id: cd64b14c-783e-11e7-9178-000c29bf984f

Error: (08/03/2017 07:23:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtoolsd.exe, version: 8.6.0.6261, time stamp: 0x4dee27c3
Faulting module name: unity.dll, version: 8.6.0.6261, time stamp: 0x4dee27f9
Exception code: 0xc0000094
Fault offset: 0x0000000000010408
Faulting process id: 0x18e8
Faulting application start time: 0x01d30c28d76f01a1
Faulting application path: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Faulting module path: C:\Program Files\VMware\VMware Tools\plugins\vmusr\unity.dll
Report Id: 1e865778-783e-11e7-9178-000c29bf984f

Error: (08/03/2017 07:00:17 AM) (Source: VSS) (EventID: 7001) (User: )
Description: VssAdmin: Unable to create a shadow copy: Either the specified volume was not found or it is not a local volume.
Command-line: 'C:\Windows\system32\vssadmin.exe Create Shadow /AutoRetry=15 /For=\\?\Volume{a5f3fd3a-8d67-11e1-bf8b-000c29bf984f}\'.

Error: (08/03/2017 06:15:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmtoolsd.exe, version: 8.6.0.6261, time stamp: 0x4dee27c3
Faulting module name: unity.dll, version: 8.6.0.6261, time stamp: 0x4dee27f9
Exception code: 0xc0000094
Fault offset: 0x0000000000010408
Faulting process id: 0x1c18
Faulting application start time: 0x01d30c28d76ca041
Faulting application path: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
Faulting module path: C:\Program Files\VMware\VMware Tools\plugins\vmusr\unity.dll
Report Id: b095e45c-7834-11e7-9178-000c29bf984f


System errors:
=============
Error: (08/04/2017 03:18:37 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1030) (User: LOCAL)
Description: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Error: (08/03/2017 05:40:17 PM) (Source: TermDD) (EventID: 50) (User: )
Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Error: (08/03/2017 03:16:43 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.

Error: (08/03/2017 02:34:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.

Error: (08/03/2017 11:58:08 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (08/03/2017 08:26:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 1203.

Error: (08/03/2017 08:26:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 1203.

Error: (08/03/2017 08:12:22 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 1203.

Error: (08/03/2017 08:12:22 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 1203.

Error: (08/03/2017 07:43:39 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 1203.


CodeIntegrity:
===================================
Date: 2017-08-04 09:32:41.788
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 09:26:27.295
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 09:19:14.068
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 08:54:56.927
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 08:42:40.521
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 08:31:00.380
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 08:24:09.750
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 08:12:16.356
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 07:55:21.090
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Date: 2017-08-04 07:48:48.046
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU E5620 @ 2.40GHz
Percentage of memory in use: 47%
Total physical RAM: 16383.55 MB
Available physical RAM: 8580.26 MB
Total Virtual: 32765.29 MB
Available Virtual: 24705.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:302.24 GB) (Free:154.81 GB) NTFS
Drive d: (Data) (Fixed) (Total:97.66 GB) (Free:96.87 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 400 GB) (Disk ID: 89B287D7)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=302.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=97.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 05 August 2017 - 08:02 AM.


#5 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 04 August 2017 - 09:21 AM

BTW - I figured out that the TCX program is a Wyse program that configures peripherals to run on thin clients.



#6 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 04 August 2017 - 10:12 AM

I was checking my scheduled tasks and found a list of tasks that I did not recognize.  A good search suggests Conficker.

Attached Files



#7 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 05 August 2017 - 08:56 AM

I appreciate your willingness to help.  However, I have limited time to work on this system without disrupting the work flow here.  So I'm going forward with deleting the suspicious tasks and doing what I can to clean it up.



#8 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 05 August 2017 - 10:47 AM

I ran AdwCleaner.  I've attached the files.  It found Trojan Bayrob and supposedly cleaned it.

Attached Files



#9 Sintharius

Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 06 August 2017 - 08:39 AM

Please keep me posted on your progress :)

#10 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 06 August 2017 - 12:55 PM

I just don't know what I'm dealing with here.  I ran the online ESET scanner and it found (and supposedly cleaned) MSIL/TrojanDropper.Agent.DBK trojan.  It did not find that the last time I ran it a week ago.  Something is continuing to download viruses onto this server even though we have closed the RDP port through our Watchguard T30 version 11.12.  The XMR-NODON is also back.  ESET found that and also supposedly cleaned it.  I deleted the automated tasks A1 - A10.  I'm not sure what to do next.  I've attached the log files as well as a zip file of the virus and its bat file.

Attached Files



#11 Sintharius

Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 08 August 2017 - 10:31 AM

Hello again,

Please post a fresh set of FRST logs.

Did you delete the suspicious objects or quarantine them?

#12 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 08 August 2017 - 12:30 PM

Some were deleted - some were zipped - some were quarantined.  Attached are the new FRST logs.

Attached Files



#13 Sintharius

Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands

Posted 14 August 2017 - 01:56 PM

Hello madpoet62,

I am very sorry for the delay!

I would like to follow up on some suspicious entries. Please follow the instructions below.

Fix with Farbar Recovery Scan Tool
  • Please copy the following lines into Notepad and save it to your Desktop as fixlist.txt.
    File: C:\Users\rwest\AppData\Roaming\cfonp.dll
    Folder: C:\Users\cwatson\AppData\Local\Temp\9
    
    Note: It's important that both FRST/FRST64.exe and fixlist.txt are in the same location or the fix will not work!
    WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
  • Run FRST/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log named Fixlog.txt on the Desktop, please post it to your reply.
Please let me know how the computer is doing.

#14 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 14 August 2017 - 02:06 PM

Here you go.

Attached Files



#15 madpoet62

madpoet62
  • Topic Starter
  • Members
  • 13 posts

Posted 14 August 2017 - 02:17 PM

After the changes we've made with passwords and the multiple package scans we've run, we have not seen the processes running again.

 

Kaspersky sent a "fix" tool and found the following:

 

VPN.exe_ HackTool.Win64.NLBrute.a
xmr-nodon.exe_ not-a-virus:RiskTool.Win64.BitCoinMiner.dal

 

They updated their databases since they were not detecting these.


Edited by madpoet62, 14 August 2017 - 02:38 PM.
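The two things a defender would want to check on a terminal server in this state are the unrecognised scheduled tasks (the A1 to A10 entries from post #10) and the failed-logon trail that an RDP brute-force tool such as the NLBrute hit in post #15 leaves in the Security log. The PowerShell below is an added example, not code from the thread, from FRST or from Kaspersky. It lists every scheduled task through schtasks.exe and flags tasks whose action runs from a user-writable path or carries a generated-looking name, and it summarises Security event 4625 by source address. It assumes schtasks.exe and Get-WinEvent are available (Server 2008 R2 or later, where Get-ScheduledTask does not exist); the path patterns, the name pattern and the failure threshold are assumptions chosen for illustration and should be tuned.

```powershell
# Added example, not code from the thread or from FRST/Kaspersky.
# 1. Scheduled tasks whose action runs from a suspicious location or that
#    carry a generated-looking name such as \A1 .. \A10.
# 2. Failed logons (Security event 4625) grouped by source address, the
#    pattern an RDP brute-force tool leaves behind.
# Patterns and thresholds are assumptions; tune them for your environment.

function Get-SuspiciousScheduledTask {
    # Locations a vendor task rarely runs from (assumption).
    $suspectPathPatterns = @(
        '\\AppData\\',
        '\\Temp\\',
        '\\ProgramData\\',
        '\\Users\\Public\\',
        '\.bat\b',                                  # batch wrapper, like the miner's .bat in the thread
        'powershell.*\s-e(nc|ncodedcommand)?\s',    # encoded command line
        'cmd(\.exe)?\s+/c'
    )
    # A single letter followed by one or two digits, e.g. \A1 or \A10 (assumption).
    $generatedNamePattern = '^\\?[A-Za-z]\d{1,2}$'
    # Where a task running as SYSTEM is expected to live.
    $trustedRootPattern = '^"?([A-Za-z]:\\(Windows|Program Files)|%(windir|SystemRoot|ProgramFiles)[^%]*%)'

    # schtasks repeats its header once per task folder; drop those rows.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' }

    foreach ($row in $rows) {
        $action  = [string]$row.'Task To Run'
        $reasons = @()
        foreach ($pattern in $suspectPathPatterns) {
            if ($action -match $pattern) { $reasons += "action matches $pattern" }
        }
        if ($row.TaskName -match $generatedNamePattern) { $reasons += 'generated-looking name' }
        if ($row.'Run As User' -match 'SYSTEM' -and $action -notmatch $trustedRootPattern) {
            $reasons += 'runs as SYSTEM from outside Windows/Program Files'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                TaskName = $row.TaskName
                Action   = $action
                RunAs    = $row.'Run As User'
                Author   = $row.Author
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

function Get-FailedLogonSummary {
    param([int]$MaxEvents = 20000, [int]$MinCount = 20)
    # In event 4625, Properties[19] is the source IpAddress, [5] the target
    # user name and [10] the logon type (10 = RemoteInteractive/RDP).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source    = [string]$_.Properties[19].Value
                User      = [string]$_.Properties[5].Value
                LogonType = [string]$_.Properties[10].Value
            }
        } |
        Group-Object Source |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source     = $_.Name
                Failures   = $_.Count
                LogonTypes = (($_.Group | Select-Object -ExpandProperty LogonType -Unique) -join ', ')
                Users      = (($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ')
            }
        }
}

Get-SuspiciousScheduledTask | Format-Table TaskName, RunAs, Reasons, Action -AutoSize -Wrap
Get-FailedLogonSummary      | Format-Table Source, Failures, LogonTypes, Users -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt, since reading the Security log requires administrative rights. If failed-logon auditing is switched off or the log has been cleared, the second function returns nothing; a flagged task should be compared with the FRST task listing before it is removed, because the task's action and author are what distinguish a vendor agent from a dropper's persistence entry.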



