
Botnet with worm-like characteristics?


  • This topic is locked
7 replies to this topic

#1 dkhman26

dkhman26

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 25 August 2017 - 08:33 AM

I'm an IT professional and I've got a client's branch office where most, if not all, of the PCs seem to be infected with the same virus. We use a managed Bit Defender product, which detects the secondary infections, but isn't removing the root infection.

 

Here's what I've seen so far:

1. Random numbered executables in C:\windows - this is what Bit Defender detects and deletes.

2. A dropper or trojan in C:\users\username\appdata\roaming\microsoft\random letters folder. This folder typically contains an executable with the same random name as the folder it is in along with a .dat file of the same name. On a couple of the PCs there have been other files in the folder including a differently named .xkg file and a "u" folder which is empty.

3. On one machine in particular, I found a hidden folder that contained a different .exe and a file identified as a system file, but it doesn't have an extension.

 

 

This started with the managed Bit Defender product detections, and then a couple of users reported problems with Adobe Acrobat and Microsoft Office products randomly crashing. The tech that worked on those PCs identified that there was malware and ran MBAM and TDSS Killer scans until they came back clean, but ultimately the infection returned. One thing the technician noticed was that some shortcuts had been modified with malicious code inserted into the .lnk file.

 

On the one machine in particular where I found the hidden folder, I ran Bit Defender's BDSysLog tool, GMER and AutoRuns to create logs for Bit Defender support. I can also probably get access to that machine again to run more tools on it, but this was after MBAM supposedly cleaned the PC. I also found a "providerservice.exe" in C:\windows\syswow64 that appears to be a renamed copy of GnuGP4Win, a tool for encrypting email and network traffic.

 

I also have samples of some of the malware from about 8 or so different PCs at that location. Some of the samples are the randomly named .exe files from the root of C:\windows and they are all 664 KB with a 1 KB .exe.cfg file. The samples of the files from the appdata\roaming\microsoft folder are all between 34,224 KB and 40,368 KB. It's actually about 4 or 5 different sized files, across all PCs, not completely random sizes. The total amount of samples I have is almost 1 GB.

 

One thing that I found strange about the files in the user profiles is that it seems to randomly select a user profile to place the files in. I found the infected files in a user's profile that would have gone to this branch office to train users a few years ago, so she logged in that one time, and she's never been back. I've also found them in a profile that was a local user, which no one uses or knows the credentials for except for our IT team.

 

On the firewall at that location I noticed traffic going out on port 65200 to an IP address associated with the Qakbot botnet, but that might be the secondary infection and not the root. The company uses a web filter with a pretty strict filtering policy, so my guess is that it arrived either via an infected flash drive or a malicious email attachment that made it through the spam filter.

 

Any help on identifying and ultimately remediating the infection on all of these PCs would be greatly appreciated. If anyone wants my full archive of almost 1 GB of samples, let me know and I can upload them and share them with you.


Edited by hamluis, 25 August 2017 - 10:17 AM.
Moved from MRL to Gen Security - Hamluis.
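A host-triage script for the indicators described in the post above, added here as an example; it is not code from the original thread, from Bitdefender, or from FRST. It assumes an elevated PowerShell prompt on one of the affected Windows 7 hosts (PowerShell 2.0 cmdlets only, so it runs there without upgrades), and it turns the observations in the post into checks: all-digit service names whose binary is an all-digit .exe directly under %SystemRoot%, a random-named .lnk in each profile's Startup folder, a same-named .exe/.dat pair under AppData\Roaming\Microsoft\<random>, a hidden+system .exe directly in ProgramData, the SysWOW64\providerservice.exe copy, and TCP connections to remote port 65200. The patterns are taken from the description, not from a vendor signature; everything flagged is a lead for an analyst, and nothing is stopped or deleted.

```powershell
# Added triage example (not from the original post or any vendor). Assumes an
# elevated PowerShell 2.0+ prompt on an affected Windows 7 host. Indicator
# patterns are taken from the thread's description; output is leads only.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Kind, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{
        Host = $env:COMPUTERNAME; Kind = $Kind; Detail = $Detail }))
}

# Version-resource company name next to the Authenticode status, so a file
# that claims "g10 Code GmbH" in its resources but carries no signature stands
# out as a renamed or patched copy rather than a vendor binary.
function Get-BinaryInfo([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ('company="{0}" size={1} signature={2}' -f $ver.CompanyName,
            (Get-Item -LiteralPath $Path).Length, $sig.Status)
}

# 1. Services: all-digit name, or an ImagePath that is an all-digit .exe directly
#    under %SystemRoot% (the S2 entries in an FRST log). A missing binary is still
#    recorded: the registration persists and waits for the next dropper run.
$rootRe = '(?i)^' + [regex]::Escape($env:SystemRoot) + '\\\d+\.exe$'
Get-WmiObject Win32_Service | ForEach-Object {
    $img = [Environment]::ExpandEnvironmentVariables([string]$_.PathName).Trim('"')
    if ($_.Name -match '^\d+$' -or $img -match $rootRe) {
        Add-Finding 'service' ('{0} -> {1} [{2}]' -f $_.Name, $img, (Get-BinaryInfo $img))
    }
}

# 2. Every .lnk in any profile's Startup folder, with its target resolved through
#    the shell object rather than trusting the shortcut's name.
$shell = New-Object -ComObject WScript.Shell
$startupGlob = Join-Path $env:SystemDrive 'Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk'
Get-ChildItem -Path $startupGlob -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $target = [Environment]::ExpandEnvironmentVariables([string]$lnk.TargetPath)
    Add-Finding 'startup-lnk' ('{0} -> {1} {2} [{3}]' -f $_.FullName, $target, $lnk.Arguments, (Get-BinaryInfo $target))
}

# 3. AppData\Roaming\Microsoft\<name>\<name>.exe beside <name>.dat, in every
#    profile directory, including stale ones that nobody logs into any more.
$roamGlob = Join-Path $env:SystemDrive 'Users\*\AppData\Roaming\Microsoft\*'
Get-ChildItem -Path $roamGlob -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } | ForEach-Object {
    $exe = Join-Path $_.FullName ($_.Name + '.exe')
    $dat = Join-Path $_.FullName ($_.Name + '.dat')
    if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $dat)) {
        Add-Finding 'roaming-pair' ('{0} [{1}]' -f $exe, (Get-BinaryInfo $exe))
    }
}

# 4. Hidden+system .exe files directly in ProgramData (attributes 2 and 4 set),
#    plus the specific SysWOW64\providerservice.exe path named in the post.
Get-ChildItem -Path (Join-Path $env:ProgramData '*.exe') -Force -ErrorAction SilentlyContinue |
  Where-Object { ([int]$_.Attributes -band 6) -eq 6 } |
  ForEach-Object { Add-Finding 'hidden-exe' ('{0} [{1}]' -f $_.FullName, (Get-BinaryInfo $_.FullName)) }
$provider = Join-Path $env:SystemRoot 'SysWOW64\providerservice.exe'
if (Test-Path -LiteralPath $provider) {
    Add-Finding 'named-ioc' ('{0} [{1}]' -f $provider, (Get-BinaryInfo $provider))
}

# 5. TCP connections to remote port 65200, parsed from netstat because
#    Get-NetTCPConnection does not exist on Windows 7. The owning PID is mapped
#    back to an image path so it can be matched against the findings above.
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+(\S+):65200\s+(\S+)\s+(\d+)\s*$') {
        $proc = Get-Process -Id ([int]$Matches[3]) -ErrorAction SilentlyContinue
        Add-Finding 'net-65200' ('remote={0} state={1} pid={2} image={3}' -f $Matches[1], $Matches[2], $Matches[3], $proc.Path)
    }
}

$findings | Sort-Object Kind | Format-Table Kind, Detail -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP ('triage-{0}.csv' -f $env:COMPUTERNAME))
```

Run it on each PC at the branch (for example through the RMM agent already present on these hosts) and compare the CSVs: the same service/startup/roaming findings on many hosts confirms a site-wide infection rather than a handful of unrelated detections, and a PID from the port 65200 finding that resolves to one of the flagged binaries ties the network indicator to the local persistence. Isolate hosts with active 65200 connections before any cleanup, since the recurrence described in the post is what one expects when the service registrations and Startup shortcuts survive a scan that only removes the dropped files.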



#2 dkhman26

dkhman26
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:20 PM

Posted 25 August 2017 - 01:47 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by administrator (administrator) on 5HQG942 (25-08-2017 14:45:02)
Running from C:\_Sys_admin
Loaded Profiles: cpetagna & administrator (Available Profiles: User & LKott & AParolari & MLake & cpetagna & EPena & administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Autodesk Inc.) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Solarwinds MSP) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcUpdater.exe
(Solarwinds MSP) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Bitdefender) C:\Program Files\N-able Technologies\AVDefender\EPIntegrationService.exe
(Bitdefender) C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe
(Bitdefender) C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Bomgar) C:\ProgramData\bomgar-scc-0x54e4f43d\bomgar-scc.exe
(Bomgar) C:\ProgramData\bomgar-scc-0x54e4f43d\bomgar-scc.exe
(Solarwinds MSP) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupTSHelper.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Bitdefender) C:\Program Files\N-able Technologies\AVDefender\EPConsole.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe
(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe
(Solarwinds MSP) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcCnfg.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7637720 2014-09-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1396592 2014-09-01] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2014-05-28] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe [1087960 2014-04-29] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-12-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [BASupSrvcCnfg_N-Central] => C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcCnfg.exe [5209280 2017-06-13] (Solarwinds MSP)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\Policies\Explorer: [] 
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\MountPoints2: {61593193-7f29-11e6-8871-806e6f6e6963} - E:\FIBPGuard.exe
HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\MountPoints2: {cab67628-98f6-11e5-8c6e-989096b80aec} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1283112 2016-02-02] (Autodesk, Inc.)
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Windows\System32\ctfmon.exe ctfmon.exe
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\aparolari\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\efyxw.lnk [2017-08-24]
Startup: C:\Users\epena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuawqi.lnk [2017-08-24]
Startup: C:\Users\lpeach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dirlflm.lnk [2017-08-24]
Startup: C:\Users\Mlake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eqzmzxea.lnk [2017-08-24]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [S-1-5-21-451767395-811497850-1264475144-23206] => http=webproxy.mragta.com:9090;https=webproxy.mragta.com:9090
Tcpip\Parameters: [DhcpNameServer] 192.10.26.10 192.10.21.9
Tcpip\..\Interfaces\{622C829A-EFA6-44AE-B567-F23DF64CCC81}: [DhcpNameServer] 192.10.26.10 192.10.21.9
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-451767395-811497850-1264475144-23206\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-451767395-811497850-1264475144-23206\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-451767395-811497850-1264475144-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-451767395-811497850-1264475144-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-451767395-811497850-1264475144-23206 -> DefaultScope {6E4FB43B-8480-4545-8758-A6984C20E85D} URL = 
SearchScopes: HKU\S-1-5-21-451767395-811497850-1264475144-23206 -> {6E4FB43B-8480-4545-8758-A6984C20E85D} URL = 
SearchScopes: HKU\S-1-5-21-451767395-811497850-1264475144-500 -> DefaultScope {6E4FB43B-8480-4545-8758-A6984C20E85D} URL = 
SearchScopes: HKU\S-1-5-21-451767395-811497850-1264475144-500 -> {6E4FB43B-8480-4545-8758-A6984C20E85D} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2017-07-11] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_131\bin\ssv.dll [2017-04-25] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2017-03-14] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-07-11] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-04-25] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-22] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2017-03-14] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-22] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2016-04-23] (Adobe Systems Incorporated)
DPF: HKLM-x32 {06F24855-36E8-4A27-9EB1-DE73D96466E6} hxxp://bst/auroraweb/ClientComponents/BSTVIM0050.CAB
DPF: HKLM-x32 {11E93902-B6FD-11D7-A642-00C04F57E4DC} hxxp://bst/auroraweb/ClientComponents/BSTEIX0010.CAB
DPF: HKLM-x32 {2961B151-8F4A-4C9E-8287-D59FAA6C959D} hxxp://bst/auroraweb/ClientComponents/BSTEIX0060.CAB
DPF: HKLM-x32 {29BB41F2-3E3F-41B4-B40E-8B443B67378F} hxxp://bst/auroraweb/ClientComponents/BSTEBM0030.CAB
DPF: HKLM-x32 {2A00324E-751C-11D3-A5D3-00C04F7F81E2} hxxp://bst/auroraweb/ClientComponents/BSTEIT0040.CAB
DPF: HKLM-x32 {2FC291D0-5814-4658-9680-4DAD4DD3F330} hxxp://bst/auroraweb/ClientComponents/BSTRCM0030.CAB
DPF: HKLM-x32 {310C70B7-92ED-11D3-81CE-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0070.CAB
DPF: HKLM-x32 {327A9BC9-9300-11D3-81CE-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0060.CAB
DPF: HKLM-x32 {4004B4D0-7D66-11D5-A55B-00B0D07DCA5B} hxxp://bst/auroraweb/ClientComponents/BSTEIT0090.CAB
DPF: HKLM-x32 {4E096548-B6FC-11D7-A642-00C04F57E4DC} hxxp://bst/auroraweb/ClientComponents/BSTEIX0030.CAB
DPF: HKLM-x32 {5A243863-2149-4261-BEBD-5A46B6C73D08} hxxp://bst/auroraweb/ClientComponents/BSTEBM0010.CAB
DPF: HKLM-x32 {63881838-E51F-11D6-891A-00B0D099C2B6} hxxp://bst/auroraweb/ClientComponents/BSTRPR0000.CAB
DPF: HKLM-x32 {645E9764-A29D-11D3-81D9-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0043.CAB
DPF: HKLM-x32 {68303A24-C779-11D3-8394-00C04F69A345} hxxp://bst/auroraweb/ClientComponents/BSTEIP0300.CAB
DPF: HKLM-x32 {815E0702-E4CA-11D3-81ED-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0080.CAB
DPF: HKLM-x32 {85DAA0B2-F005-11D5-9271-00B0D07DCA5B} hxxp://bst/auroraweb/ClientComponents/BSTGUI000013.CAB
DPF: HKLM-x32 {90C8812D-81C2-45EA-8101-6C6F29835AE8} hxxp://bst/auroraweb/BSTeInstaller.CAB
DPF: HKLM-x32 {A1CA644F-D8D2-428D-B3D3-D37AE44F86D6} hxxp://bst/auroraweb/ClientComponents/BSTVIM0010.CAB
DPF: HKLM-x32 {ACCB32DB-F2C9-46C3-A215-21F805657765} hxxp://bst/auroraweb/ClientComponents/BSTEIX0050.CAB
DPF: HKLM-x32 {AD37D4AC-D1D3-405B-A7A1-F82D541FE8DF} hxxp://bst/auroraweb/ClientComponents/BSTAPD2000.CAB
DPF: HKLM-x32 {AD46BB36-7741-11D3-81B8-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0030.CAB
DPF: HKLM-x32 {AFC6A54E-C401-4022-9A36-103214B2F53D} hxxp://bst/auroraweb/ClientComponents/BSTEIT0150.CAB
DPF: HKLM-x32 {B3A8D7A2-B7E1-11D3-81E2-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0050.CAB
DPF: HKLM-x32 {B3D2ED24-A4B6-11D6-A604-00C04F57E4DC} hxxp://bst/auroraweb/ClientComponents/BSTEIU0010.CAB
DPF: HKLM-x32 {C0A870C3-66BB-4106-9A25-60A26F3C1DA8} hxxp://bst/auroraweb/BSTeReportsCE14.CAB
DPF: HKLM-x32 {C1FADE56-6FB8-4147-98E8-DDD938C81606} hxxp://bst/auroraweb/ClientComponents/BSTAPD2000.CAB
DPF: HKLM-x32 {CA06CBD9-2D90-11D3-836C-00C04F69A345} hxxp://bst/auroraweb/ClientComponents/BSTBIP1000.CAB
DPF: HKLM-x32 {D9EE5A5C-AF15-11D3-81E0-00C04F8DF62C} hxxp://bst/auroraweb/ClientComponents/BSTEIT0010.CAB
DPF: HKLM-x32 {DCFEDB58-DB3F-4DEB-A4C4-D8107FBBDAC3} hxxp://bst/auroraweb/BSTeReportsCE12.CAB
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T30L10NSP10-10036/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2C7A8A5-8CBB-11D9-8A58-00B0D099C2B6} hxxp://bst/auroraweb/ClientComponents/BSTEII0010.CAB
DPF: HKLM-x32 {E6671596-1F52-11D3-8162-00C04F8DF62C} hxxp://bst/auroraweb/AuroraShell.CAB
DPF: HKLM-x32 {F1AC44EA-77C7-4B04-9844-959247F9FD71} hxxp://bst/auroraweb/BSTeDepFiles.CAB
DPF: HKLM-x32 {F9C011EB-D241-4B7A-86F6-B4C35032D330} hxxp://bst/auroraweb/ClientComponents/BSTVIM0060.CAB
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-04-19] (Microsoft Corporation)
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension.15@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2017-08-10]
FF Plugin: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-04-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-04-25] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-07-29] (Adobe Systems)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2017-03-31] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-04-29] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-04-29] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-05-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2017-08-17] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-07-29] (Adobe Systems)
FF Plugin HKU\S-1-5-21-451767395-811497850-1264475144-23206: @citrixonline.com/appdetectorplugin -> C:\Users\cpetagna\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-04-26] (Citrix Online)
 
Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2017-07-27]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 107108554; C:\Windows\23914968.exe [110592 2017-08-24] (g10 Code GmbH) [File not signed]
S2 118856849; C:\Windows\14608856.exe [110592 2017-08-24] (g10 Code GmbH) [File not signed]
S2 119894178; C:\Windows\25225688.exe [110592 2017-08-24] (g10 Code GmbH) [File not signed]
S2 162205253; C:\Windows\29157848.exe [86016 2017-08-25] (Microsoft Corporation) [File not signed]
S2 91550122; C:\Windows\24111576.exe [110592 2017-08-24] (g10 Code GmbH) [File not signed]
R2 AdAppMgrSvc; C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe [1309176 2017-03-10] (Autodesk Inc.)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2246256 2017-05-18] (Adobe Systems, Incorporated)
R2 BASupportExpressSrvcUpdater_N_Central; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcUpdater.exe [1157312 2017-06-13] (Solarwinds MSP)
R2 BASupportExpressStandaloneService_N_Central; C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe [3959488 2017-06-13] (Solarwinds MSP)
R2 bomgar-ps-54E4F43D-1485554056; C:\ProgramData\bomgar-scc-0x54e4f43d\bomgar-scc.exe [9330448 2017-01-21] (Bomgar)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042544 2017-03-14] (Microsoft Corporation)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
R2 EPIntegrationService; C:\Program Files\N-able Technologies\AVDefender\EPIntegrationService.exe [455184 2017-03-10] (Bitdefender)
R2 EPSecurityService; C:\Program Files\N-able Technologies\AVDefender\EPSecurityService.exe [455184 2017-03-10] (Bitdefender)
R2 EPUpdateService; C:\Program Files\N-able Technologies\AVDefender\EPUpdateService.exe [455184 2017-03-10] (Bitdefender)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-05-28] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
S3 InvProtectSvc; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [2672328 2014-07-30] (Invincea, Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-04-29] (Intel Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2013-05-16] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2013-05-16] (Hewlett-Packard) [File not signed]
S3 SboxSvc; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [173256 2014-07-30] (Invincea, Inc.)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1921768 2014-07-02] (SoftThinks SAS)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2015-02-12] (Microsoft Corporation)
S2 123598359; %SystemRoot%\22931928.exe [X]
S2 124224485; %SystemRoot%\41478616.exe [X]
S2 124825026; %SystemRoot%\20965848.exe [X]
S2 125509137; %SystemRoot%\19917272.exe [X]
S2 126534548; %SystemRoot%\33876440.exe [X]
S2 145726571; %SystemRoot%\19261912.exe [X]
S2 150147748; %SystemRoot%\20376024.exe [X]
S2 161164913; %SystemRoot%\29944280.exe [X]
S2 199911771; %SystemRoot%\40167896.exe [X]
S2 29617694; %SystemRoot%\23849432.exe [X]
S2 34053146; %SystemRoot%\25553368.exe [X]
S2 34821825; %SystemRoot%\33745368.exe [X]
S2 36223759; %SystemRoot%\34662872.exe [X]
S2 583116; %SystemRoot%\12839384.exe [X]
S2 71902186; %SystemRoot%\15854040.exe [X]
S2 92383; %SystemRoot%\37874136.exe [X]
S2 96425309; %SystemRoot%\20572632.exe [X]
S2 96959816; %SystemRoot%\38267352.exe [X]
S2 98190461; %SystemRoot%\37808600.exe [X]
S2 providerservice;  [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-09-20] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-09-20] (BitDefender)
R1 Bdfwfpf; C:\Program Files\N-able Technologies\AVDefender\bdfwfpf.sys [131520 2016-12-12] ()
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [489752 2014-08-14] (Intel Corporation)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [178384 2017-03-21] (BitDefender LLC)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2014-05-02] (Intel Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2638808 2014-10-15] (Realtek Semiconductor Corp.)
S3 InvProtectDrv; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [50696 2014-07-30] (Invincea, Inc.)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-04-29] (Intel Corporation)
S3 SboxDrv; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [183304 2014-07-30] (Invincea, Inc.)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [442848 2017-03-21] (BitDefender S.R.L.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-25 14:44 - 2017-08-25 14:45 - 000000000 ____D C:\FRST
2017-08-25 08:05 - 2017-08-25 08:05 - 000118784 _____ (g10 Code GmbH) C:\Windows\SysWOW64\providerservice.exe
2017-08-25 04:30 - 2017-08-25 04:14 - 000086016 _____ (Microsoft Corporation) C:\Windows\29157848.exe
2017-08-24 16:45 - 2017-08-24 16:30 - 000110592 _____ (g10 Code GmbH) C:\Windows\25225688.exe
2017-08-24 16:45 - 2017-08-24 16:30 - 000110592 _____ (g10 Code GmbH) C:\Windows\24111576.exe
2017-08-24 16:45 - 2017-08-24 16:30 - 000110592 _____ (g10 Code GmbH) C:\Windows\23914968.exe
2017-08-24 16:45 - 2017-08-24 16:30 - 000110592 _____ (g10 Code GmbH) C:\Windows\14608856.exe
2017-08-24 14:26 - 2017-08-24 14:26 - 000000000 ___HD C:\Users\Public\Documents\AdobeGC
2017-08-24 13:55 - 2017-08-24 13:55 - 938872211 _____ C:\Windows\MEMORY.DMP
2017-08-24 13:55 - 2017-08-24 13:55 - 000281872 _____ C:\Windows\Minidump\082417-24601-01.dmp
2017-08-24 13:41 - 2017-08-24 13:41 - 000000000 ____D C:\Windows\pss
2017-08-24 07:17 - 2017-08-24 07:17 - 000143360 ___SH (Fweq bvhrp i mok qft) C:\ProgramData\WKSpbTo9MwAIHx.exe
2017-08-23 16:58 - 2017-08-23 16:58 - 000003504 _____ C:\Windows\System32\Tasks\{2CB93311-BBB5-4215-8ABB-28F80978E97B}
2017-08-23 13:47 - 2017-08-23 13:49 - 000214914 _____ C:\TDSSKiller.3.1.0.15_23.08.2017_13.47.53_log.txt
2017-08-23 13:47 - 2017-08-23 13:47 - 004830473 _____ C:\Users\User\Downloads\tdsskiller.zip
2017-08-23 11:18 - 2017-08-23 11:18 - 000000000 ____D C:\Users\User\AppData\Roaming\TeamViewer
2017-08-23 11:18 - 2017-08-23 11:18 - 000000000 ____D C:\Program Files (x86)\QS
2017-08-22 22:08 - 2017-08-22 22:08 - 000000000 ____D C:\Users\User\AppData\Roaming\Sun
2017-08-22 22:03 - 2017-08-22 22:03 - 000000000 ____D C:\Users\User\AppData\Roaming\Autodesk
2017-08-22 22:03 - 2017-08-22 22:03 - 000000000 ____D C:\Users\User\AppData\Local\Autodesk
2017-08-22 19:24 - 2017-08-22 19:24 - 000000000 ____D C:\Users\cpetagna\AppData\Roaming\Sun
2017-08-22 19:24 - 2017-04-25 07:46 - 000110144 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-64.dll
2017-08-22 19:23 - 2017-08-22 19:23 - 000425304 _____ (Secure By Design Inc.) C:\Users\cpetagna\Downloads\Ninite Java 8 Malwarebytes Installer.exe
2017-08-22 17:09 - 2017-08-22 17:10 - 000189946 _____ C:\Users\cpetagna\Desktop\GTA - cmp master - NJ Env Sc.pdf
2017-08-22 08:03 - 2017-08-22 08:03 - 000000000 ____D C:\Users\cpetagna\AppData\Local\KONICA MINOLTA
2017-08-21 18:11 - 2017-08-21 18:11 - 000002212 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth Pro.lnk
2017-08-21 18:11 - 2017-08-21 18:11 - 000002174 _____ C:\Users\Public\Desktop\Google Earth Pro.lnk
2017-08-18 09:17 - 2017-08-18 09:17 - 000116224 _____ C:\Users\cpetagna\Downloads\results.xls
2017-08-18 07:56 - 2017-08-18 07:56 - 000241664 _____ C:\Users\cpetagna\Downloads\results (100).xls
2017-08-17 12:16 - 2017-08-17 12:16 - 000216576 _____ C:\Users\cpetagna\Downloads\results (99).xls
2017-08-15 10:51 - 2017-08-15 10:51 - 000206848 _____ C:\Users\cpetagna\Downloads\results (98).xls
2017-08-15 10:47 - 2017-08-15 10:47 - 000141824 _____ C:\Users\cpetagna\Downloads\results (97).xls
2017-08-15 08:41 - 2017-08-15 08:41 - 000056784 _____ C:\Users\cpetagna\Desktop\VZW lunch meeting.pdf
2017-08-11 12:33 - 2017-08-11 12:33 - 000114688 _____ C:\Users\cpetagna\Downloads\results (96).xls
2017-08-11 12:32 - 2017-08-11 12:32 - 000097280 _____ C:\Users\cpetagna\Downloads\results (95).xls
2017-08-11 08:23 - 2017-08-11 08:23 - 000000058 _____ C:\ProgramData\42F8.tmp
2017-08-07 09:34 - 2017-08-07 09:34 - 000075264 _____ C:\Users\cpetagna\Downloads\results (94).xls
2017-08-07 09:18 - 2017-08-07 09:18 - 000033792 _____ C:\Users\cpetagna\Downloads\results (93).xls
2017-08-07 09:10 - 2017-08-07 09:10 - 000069632 _____ C:\Users\cpetagna\Downloads\results (92).xls
2017-08-02 09:03 - 2017-08-02 09:03 - 000060928 _____ C:\Users\cpetagna\Downloads\results (91).xls
2017-07-31 16:22 - 2017-07-31 16:22 - 000084992 _____ C:\Users\cpetagna\Downloads\results (90).xls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-25 14:45 - 2015-04-20 10:49 - 000000000 ____D C:\_Sys_admin
2017-08-25 14:45 - 2015-02-18 16:21 - 000000000 ____D C:\ProgramData\bomgar-scc-0x54e4f43d
2017-08-25 14:43 - 2015-02-19 09:29 - 000000240 _____ C:\Windows\system32\config\netlogon.ftl
2017-08-25 04:18 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-08-25 04:18 - 2009-07-14 00:45 - 000021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-08-24 14:35 - 2015-02-12 05:55 - 000000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2017-08-24 14:31 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-24 14:26 - 2015-02-19 09:34 - 000458331 _____ C:\Windows\system32\prefs.js
2017-08-24 13:55 - 2016-03-11 14:46 - 000000000 ____D C:\Windows\Minidump
2017-08-24 13:33 - 2015-04-28 11:28 - 000000000 ____D C:\Users\cpetagna\AppData\Local\CrashDumps
2017-08-24 13:14 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2017-08-23 11:01 - 2017-04-26 13:59 - 000000612 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-451767395-811497850-1264475144-23206.job
2017-08-23 11:01 - 2017-04-26 13:59 - 000000516 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-451767395-811497850-1264475144-23206.job
2017-08-23 10:57 - 2017-04-26 13:59 - 000003648 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-451767395-811497850-1264475144-23206
2017-08-23 10:57 - 2017-04-26 13:59 - 000003552 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-451767395-811497850-1264475144-23206
2017-08-22 22:47 - 2011-02-10 10:25 - 000000000 ____D C:\Windows\panther
2017-08-22 22:04 - 2015-02-18 15:41 - 000175544 _____ C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2017-08-22 22:03 - 2015-02-18 16:31 - 000000000 ____D C:\Users\User\AppData\Local\Google
2017-08-22 22:03 - 2009-07-14 00:57 - 000001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-08-22 21:55 - 2015-04-17 09:46 - 000000000 ____D C:\Users\cpetagna
2017-08-22 19:24 - 2015-02-18 16:24 - 000097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-08-22 19:24 - 2015-02-18 16:23 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-08-22 19:24 - 2015-02-18 16:23 - 000000000 ____D C:\Program Files (x86)\Java
2017-08-22 16:02 - 2009-07-14 01:13 - 000806452 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-22 14:03 - 2017-04-27 15:53 - 000000000 ____D C:\ProgramData\boost_interprocess
2017-08-21 18:11 - 2015-02-18 16:31 - 000000000 ____D C:\Program Files (x86)\Google
2017-08-17 15:12 - 2015-08-17 15:40 - 000002197 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-17 15:12 - 2015-08-17 15:40 - 000002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-08-17 00:08 - 2017-07-10 11:26 - 000000000 ____D C:\Program Files (x86)\GoToMeeting
2017-08-10 08:40 - 2015-02-18 15:50 - 000002507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Standard.lnk
2017-08-10 08:40 - 2015-02-18 15:50 - 000002051 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2017-08-08 08:24 - 2015-02-12 05:29 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-08-08 08:24 - 2015-02-12 05:29 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-08 08:24 - 2015-02-12 05:29 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-08-08 08:24 - 2015-02-12 05:29 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-08-08 08:24 - 2015-02-12 05:29 - 000000000 ____D C:\Windows\system32\Macromed
2017-08-04 06:45 - 2015-02-12 05:52 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-08-04 06:43 - 2015-02-18 16:39 - 000000000 ____D C:\Program Files\Microsoft Office 15
2017-08-04 06:42 - 2015-07-06 07:57 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
 
==================== Files in the root of some directories =======
 
2017-01-03 06:48 - 2017-01-03 06:48 - 000008591 _____ () C:\ProgramData\1483440042.bdinstall.bin
2017-01-04 06:58 - 2017-01-04 06:58 - 000006409 _____ () C:\ProgramData\1483527523.bdinstall.bin
2017-01-04 07:04 - 2017-01-04 07:04 - 000284822 _____ () C:\ProgramData\1483527543.bdinstall.bin
2017-01-19 10:32 - 2017-01-19 10:32 - 000139312 _____ () C:\ProgramData\1484836283.bdinstall.bin
2017-06-05 00:15 - 2017-06-05 00:15 - 000324609 _____ () C:\ProgramData\1496635951.bdinstall.bin
2017-06-05 00:13 - 2017-06-05 00:13 - 000110573 _____ () C:\ProgramData\1496635960.bdinstall.bin
2017-08-11 08:23 - 2017-08-11 08:23 - 000000058 _____ () C:\ProgramData\42F8.tmp
2016-02-17 12:28 - 2016-02-17 13:39 - 000000421 _____ () C:\ProgramData\proxy-19004.tmp
2017-08-24 07:17 - 2017-08-24 07:17 - 000143360 ___SH (Fweq bvhrp i mok qft) C:\ProgramData\WKSpbTo9MwAIHx.exe
 
Files to move or delete:
====================
C:\ProgramData\WKSpbTo9MwAIHx.exe
 
 
Some files in TEMP:
====================
2017-04-27 15:45 - 2016-01-26 03:40 - 000066496 _____ (Autodesk, Inc.) C:\Users\cpetagna\AppData\Local\Temp\AcDeltree.exe
2017-08-24 07:18 - 2017-08-24 07:18 - 000143360 _____ (Fweq bvhrp i mok qft) C:\Users\User\AppData\Local\Temp\B2CC.tmp.exe
2017-08-23 11:18 - 2017-04-21 11:15 - 000805376 _____ (Microsoft Corporation) C:\Users\User\AppData\Local\Temp\cdo151403996.dll
2017-08-23 11:18 - 2017-08-23 11:18 - 000008192 ___SH (TeamViewer GmbH) C:\Users\User\AppData\Local\Temp\tv.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-08-21 00:46
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by administrator (25-08-2017 14:45:49)
Running from C:\_Sys_admin
Windows 7 Professional Service Pack 1 (X64) (2015-02-18 19:39:34)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2598863810-441794302-464771407-500 - Administrator - Disabled)
Guest (S-1-5-21-2598863810-441794302-464771407-501 - Limited - Disabled)
User (S-1-5-21-2598863810-441794302-464771407-1000 - Administrator - Enabled) => C:\Users\User
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Malwarebytes (Disabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: Security Manager AV Defender Antimalware (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Security Manager AV Defender Antimalware (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Malwarebytes (Disabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
 Update (HKLM-x32\...\{EC542D5D-B608-4145-A8F7-749C02BE6D94}) (Version: 2.0.0 - Dell Inc.)
64 Bit HP CIO Components Installer (HKLM\...\{345F3F90-0505-4EDF-B7A9-5E3AC1AC6CE4}) (Version: 15.2.1 - Hewlett-Packard) Hidden
A360 Desktop (HKLM\...\{7758802D-9486-4883-9927-CCAC366A3BA4}) (Version: 7.2.3.1800 - Autodesk)
Adobe Acrobat XI Standard (HKLM-x32\...\{AC76BA86-1033-FFFF-BA7E-000000000006}) (Version: 11.0.22 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 26.0.0.118 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.151 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM-x32\...\{39EA6AA6-F891-4D70-867D-839DA49948D2}) (Version: 12.2.9.199 - Adobe Systems, Inc)
Akamai NetSession Interface (HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\Akamai) (Version:  - Akamai Technologies, Inc)
AMD Catalyst Install Manager (HKLM\...\{8AE48E61-DA96-813C-18CA-727881362878}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
ArcGIS 10.1 for Desktop (HKLM-x32\...\{6C8365F4-1102-4064-B696-68842D20B933}) (Version: 10.1.3035 - Environmental Systems Research Institute, Inc.) Hidden
ArcGIS 10.1 for Desktop (HKLM-x32\...\ArcGIS 10.1 for Desktop) (Version: 10.1.3035 - Environmental Systems Research Institute, Inc.)
AutoCAD LT 2017 - English (HKLM\...\{28B89EEF-0009-0000-0102-CF3F3A09B77D}) (Version: 21.0.52.0 - Autodesk) Hidden
AutoCAD LT 2017 - English (HKLM\...\{28B89EEF-0009-0409-2102-CF3F3A09B77D}) (Version: 21.0.52.0 - Autodesk) Hidden
AutoCAD LT 2017 Language Pack - English (HKLM\...\{28B89EEF-0009-0409-1102-CF3F3A09B77D}) (Version: 21.0.52.0 - Autodesk) Hidden
Autodesk Advanced Material Library Image Library 2017 (HKLM-x32\...\{8ED2ED41-4455-449D-993C-751C039089B9}) (Version: 15.11.3.0 - Autodesk)
Autodesk AutoCAD LT 2017 - English (HKLM\...\AutoCAD LT 2017 - English) (Version: 21.0.52.0 - Autodesk)
Autodesk Desktop App (HKLM-x32\...\Autodesk Desktop App) (Version: 7.0.5.154 - Autodesk)
Autodesk License Service (x64) - 3.1 (HKLM\...\{EB6FE58F-8576-4272-BB9C-6B47D9EDFA4D}) (Version: 3.1.26.0 - Autodesk)
Autodesk Material Library 2017 (HKLM-x32\...\{8FB9F735-D64C-4991-8D91-4CDDAB1ABDEE}) (Version: 15.11.3.0 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2017 (HKLM-x32\...\{3FBFBC43-9882-43FA-B979-2D53896747B3}) (Version: 15.11.3.0 - Autodesk)
Barracuda Message Archiver Outlook Add-In 5.1.65.0 (HKLM-x32\...\{F34A0A8A-8A51-4F77-B11B-ADA3B3E2A363}) (Version: 5.1.65.0 - Barracuda Networks)
Bomgar Jump Client 16.2.2 [support.ddsystems.net] [54E4F43D] (HKLM\...\Bomgar Jump Client [support.ddsystems.net-54E4F43D]) (Version: 16.2.2 - Bomgar)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.5.60 - Dell Inc.)
Dell Command 
Dell Digital Delivery (HKLM-x32\...\{BC8233D8-59BA-4D40-92B9-4FDE7452AA8B}) (Version: 3.0.3999.0 - Dell Products, LP)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell Protected Workspace (HKLM-x32\...\{E2CAA395-66B3-4772-85E3-6134DBAB244E}) (Version: 4.0.18189 - Invincea, Inc.)
Google Chrome (HKLM-x32\...\{7B08614B-27F9-3570-950F-EB3B13BD9E8E}) (Version: 60.0.3112.101 - Google, Inc.)
Google Earth Pro (HKLM-x32\...\{ECF2E224-42F5-4E50-B58E-94CA70E85697}) (Version: 7.3.0.3832 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
GoToMeeting 8.9.1.7469 (HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\GoToMeeting) (Version: 8.9.1.7469 - LogMeIn, Inc.)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.2.1000 - Intel Corporation)
Intel® Network Connections 19.2.104.00 (HKLM\...\PROSetDX) (Version: 19.2.104.00 - Intel)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.1.0.1058 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.4.40 - Intel Corporation)
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Java 8 Update 144 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office Professional 2013 - en-us (HKLM\...\ProfessionalRetail - en-us) (Version: 15.0.4953.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-451767395-811497850-1264475144-23206\...\OneDriveSetup.exe) (Version: 17.0.4023.1211 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.4953.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.4953.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.4953.1001 - Microsoft Corporation) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6053 - Realtek Semiconductor Corp.)
Security Manager AV Defender (HKLM\...\Endpoint Security) (Version: 6.2.19.899 - N-able Technologies)
Surfer 14  (HKLM\...\{F16F0F2A-CCBD-4550-BE7D-C1EA4746A018}) (Version: 14.3.691 - Golden Software, LLC) Hidden
Surfer 14 (HKLM-x32\...\Surfer 14) (Version: 14.3.691 - Golden Software)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{720DB9AF-D62C-4ED0-A377-429C22312852}\localserver32 -> C:\Program Files\Autodesk\AutoCAD LT 2017\acadlt.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD LT 2017\en-US\acadltficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files (x86)\Citrix\GoToMeeting\6634\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\cpetagna\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\cpetagna\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\cpetagna\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\cpetagna\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-451767395-811497850-1264475144-23206_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\cpetagna\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\FileSyncApi64.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2016-02-07] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ContextMenuHandlers1: [AcShellExtension.AcContextMenuHandler] -> {2E7A2C6C-B938-40a4-BA1C-C7EC982DC202} => C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll [2016-02-07] (Autodesk)
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat Elements\ContextMenuShim64.dll [2012-09-23] (Adobe Systems Inc.)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2013-12-06] (Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat Elements\ContextMenuShim64.dll [2012-09-23] (Adobe Systems Inc.)
ContextMenuHandlers1_S-1-5-21-451767395-811497850-1264475144-23206: [ SkyDriveEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4_S-1-5-21-451767395-811497850-1264475144-23206: [ SkyDriveEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers5_S-1-5-21-451767395-811497850-1264475144-23206: [ SkyDriveEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {19B59F1A-0E9A-41AA-AF70-4A221E721240} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {2E04FCBA-9FCC-428A-A2D8-FA740D52EA40} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-04-11] (Microsoft Corporation)
Task: {30707261-B1EB-4B45-B1D4-F7C8FF65646F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-17] (Google Inc.)
Task: {390A6787-06B4-4E17-878F-221F11834A6B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-08-08] (Adobe Systems Incorporated)
Task: {6A369305-25A0-499A-B8E2-1C8C0003C391} - System32\Tasks\{2CB93311-BBB5-4215-8ABB-28F80978E97B} => C:\Users\User\AppData\Roaming\Microsoft\Ecuwgictc\ecuwgict.exe
Task: {703801FC-C64D-44E2-B561-D5501272EC85} - System32\Tasks\G2MUpdateTask-S-1-5-21-451767395-811497850-1264475144-23206 => C:\Program Files (x86)\GoToMeeting\7469\g2mupdate.exe [2017-08-17] (LogMeIn, Inc.)
Task: {9FF5A3E2-41F1-447A-8F40-C744FA3C157F} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-04-11] (Microsoft Corporation)
Task: {DE189106-003E-48FA-87C9-F462CD463BC0} - System32\Tasks\G2MUploadTask-S-1-5-21-451767395-811497850-1264475144-23206 => C:\Program Files (x86)\GoToMeeting\7469\g2mupload.exe [2017-08-17] (LogMeIn, Inc.)
Task: {E9C27304-961C-4346-BE57-DFAFDC31F3DC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-17] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-451767395-811497850-1264475144-23206.job => C:\Program Files (x86)\GoToMeeting\7469\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-451767395-811497850-1264475144-23206.job => C:\Program Files (x86)\GoToMeeting\7469\g2mupload.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-02-18 16:39 - 2017-01-17 04:25 - 000117440 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2017-06-05 00:14 - 2017-03-21 11:27 - 000280576 _____ () C:\Program Files\N-able Technologies\AVDefender\txmlutil.dll
2017-06-05 00:14 - 2017-02-07 12:49 - 001008448 _____ () C:\Program Files\N-able Technologies\AVDefender\Signatures\WFEngines\wfengines_000_000\ashttpbr.mdl
2017-06-05 00:14 - 2017-02-07 12:49 - 000541952 _____ () C:\Program Files\N-able Technologies\AVDefender\Signatures\WFEngines\wfengines_000_000\ashttpdsp.mdl
2017-06-05 00:14 - 2017-02-07 12:49 - 003654344 _____ () C:\Program Files\N-able Technologies\AVDefender\Signatures\WFEngines\wfengines_000_000\ashttpf.mdl
2017-06-05 00:14 - 2017-02-07 12:49 - 001544568 _____ () C:\Program Files\N-able Technologies\AVDefender\Signatures\WFEngines\wfengines_000_000\ashttprbl.mdl
2015-02-18 16:40 - 2017-01-31 08:34 - 008909512 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2017-04-27 15:42 - 2017-03-10 06:48 - 000061944 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\QtSolutions_Service-head.dll
2017-04-27 15:42 - 2017-03-10 06:48 - 000110584 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\qjson0.dll
2013-05-13 10:42 - 2013-05-13 10:42 - 000107520 _____ () C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\ZLIB1.DLL
2016-09-20 19:45 - 2016-09-20 19:45 - 000662333 _____ () C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\TURBOJPEG.DLL
2007-06-22 10:23 - 2007-06-22 10:23 - 000069632 _____ () C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BAWHook.dll
2014-11-24 13:39 - 2014-11-24 13:39 - 000155528 _____ () c:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2014-04-29 18:23 - 2014-04-29 18:23 - 001241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2017-06-13 13:23 - 2017-06-13 13:23 - 000280256 _____ () C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvcCnfgEN.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3696 [0]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3738 [0]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3836 [0]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\bomgar-ps-54E4F43D-1485554056 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Windows Agent Maintenance Service => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Windows Agent Service => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKU\S-1-5-21-451767395-811497850-1264475144-23206\Software\Classes\.scr: AutoCADLTScriptFile => C:\Windows\system32\notepad.exe "%1"
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2009-06-10 17:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-451767395-811497850-1264475144-23206\Control Panel\Desktop\\Wallpaper -> C:\Users\cpetagna\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-451767395-811497850-1264475144-500\Control Panel\Desktop\\Wallpaper -> C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.10.26.10 - 192.10.21.9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: Akamai NetSession Interface => "C:\Users\cpetagna\AppData\Local\Akamai\netsession_win.exe"
MSCONFIG\startupreg: Autodesk Desktop App => "C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe" -tray
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{F04099CE-E6A8-4732-A95C-526380BED7A9}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{DA19777B-BC15-4B13-86E3-B1193EC596DA}] => (Allow) C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{879EC1E5-4F5F-4A38-ABB6-609835943E40}] => (Allow) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe
FirewallRules: [{95352B12-9B57-4718-9C55-2AC4C1D2CADC}] => (Allow) C:\Program Files (x86)\BeAnywhere Support Express\GetSupportService_N-Central\BASupSrvc.exe
FirewallRules: [{6FBBFE14-77B0-4CE3-A1F5-42DF2D0BDB75}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A61E36B9-F2CC-4871-BDE3-BC6167960F0B}] => (Allow) LPort=65083
FirewallRules: [{CB306582-441F-4E5E-9582-22159DA98816}] => (Allow) LPort=5000
 
==================== Restore Points =========================
 
23-08-2017 12:25:48 Scheduled Checkpoint
Check "winmgmt" service or repair WMI.
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/25/2017 02:43:14 PM) (Source: Group Policy Registry) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'No-auto restart with logged on users {D8770DB1-1CB1-4BFF-B4B0-19FCCE6A6188}' because it failed with error code '0x80070035 The network path was not found.'%apply00790275
 
Error: (08/24/2017 02:33:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/24/2017 02:26:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/24/2017 01:57:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/24/2017 01:33:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: u9490zvn.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
Faulting module name: u9490zvn.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
Exception code: 0xc0000005
Fault offset: 0x0008dcc4
Faulting process id: 0x1b90
Faulting application start time: 0x01d31cfebb370c24
Faulting application path: C:\_Sys_admin\u9490zvn.exe
Faulting module path: C:\_Sys_admin\u9490zvn.exe
Report Id: 495007a4-88f2-11e7-ad31-989096b80aec
 
Error: (08/23/2017 03:08:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/23/2017 02:04:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/23/2017 01:52:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (08/23/2017 12:25:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddWin32ServiceFiles: Unable to back up image of service 3697925 since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
.
 
Error: (08/23/2017 12:25:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddWin32ServiceFiles: Unable to back up image of service 3678066 since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
.
 
 
System errors:
=============
Error: (08/25/2017 02:41:25 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (08/25/2017 02:41:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bomgar Jump Client [support.ddsystems.net] service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (08/25/2017 02:41:22 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
 
Error: (08/25/2017 08:05:52 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 92383 service to connect.
 
Error: (08/25/2017 07:52:51 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 199911771 service to connect.
 
Error: (08/25/2017 07:01:58 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 583116 service to connect.
 
Error: (08/25/2017 04:30:39 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 161164913 service to connect.
 
Error: (08/25/2017 04:30:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 162205253 service to connect.
 
Error: (08/25/2017 04:30:16 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 71902186 service to connect.
 
Error: (08/24/2017 06:36:22 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 125509137 service to connect.
 
 
CodeIntegrity:
===================================
  Date: 2015-08-03 08:49:06.888
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:06.872
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_47662a2706182d6f\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:06.633
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_a384c5aabe759ea5\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:06.520
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.10074.1_none_a384c5aabe759ea5\wermgr.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:06.386
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:06.206
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:05.992
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-08-03 08:49:05.777
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4790 CPU @ 3.60GHz
Percentage of memory in use: 15%
Total physical RAM: 16326.12 MB
Available physical RAM: 13748.78 MB
Total Virtual: 32650.42 MB
Available Virtual: 29496.57 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:453.99 GB) (Free:353.44 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 54DC84BA)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=454 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
Moved from Gen security FRST logs
NickAu

Edited by NickAu, 27 August 2017 - 06:31 AM.
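The event-log section of the Addition.txt above records Service Control Manager timeouts for services with bare numeric names and a crash of a randomly named executable running from C:\_Sys_admin. As an added triage example (not from this thread, from FRST, or from Bitdefender), the Python script below parses lines in the shape of that section and flags both patterns. The name heuristic and the list of expected install directories are assumptions chosen for illustration, and the sample lines are constructed from entries in the log above.

```python
"""Triage the "Event log errors" section of an FRST Addition.txt.

Added example, not part of this thread or of FRST. It flags two patterns that
appear in the log above: Service Control Manager timeouts (EventID 7009) or
crashes (EventID 7031) for services whose names are bare numbers, and
Application Error (EventID 1000) entries for executables with random-looking
names or unusual paths. The heuristics are assumptions for illustration.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of FRST's event-log section; the values are
# taken from the entries in the log above.
SAMPLE_LOG = r"""Error: (08/25/2017 08:05:52 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 92383 service to connect.

Error: (08/25/2017 02:41:22 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

Error: (08/24/2017 01:33:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: u9490zvn.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
Faulting module name: u9490zvn.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
Exception code: 0xc0000005
Faulting application path: C:\_Sys_admin\u9490zvn.exe

Error: (08/25/2017 04:30:39 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the 161164913 service to connect.
"""

HEADER_RE = re.compile(
    r"^Error: \((?P<ts>[^)]*)\) \(Source: (?P<src>[^)]*)\) \(EventID: (?P<eid>\d+)\)"
)
# Service name as it appears in the two SCM message shapes seen on the page.
SCM_NAME_RES = (
    re.compile(r"waiting for the (?P<name>.+?) service to connect"),
    re.compile(r"The (?P<name>.+?) service terminated unexpectedly"),
)
FAULT_PATH_RE = re.compile(r"^Faulting application path: (?P<path>.+)$", re.M)

# Where a legitimately installed executable normally lives (assumption). Plain
# C:\Windows\ is deliberately absent: the thread describes random executables
# dropped directly there, and those should be flagged.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the section into records: one 'Error:' header plus its body lines."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "src": m["src"], "eid": m["eid"], "body": ""}
            records.append(current)
        elif current is not None and line.strip():
            current["body"] += line + "\n"
    return records


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): all-digit stems such as 123456.exe, or stems of
    8+ alphanumeric characters with at least three digits such as u9490zvn.exe."""
    stem = filename.rsplit(".", 1)[0]
    if stem.isdigit():
        return True
    digits = sum(ch.isdigit() for ch in stem)
    return stem.isalnum() and len(stem) >= 8 and digits >= 3


def in_expected_dir(path: str) -> bool:
    """True when the path sits under one of EXPECTED_DIRS (case-insensitive)."""
    return path.lower().startswith(EXPECTED_DIRS)


def triage(text: str) -> List[Dict[str, str]]:
    """Return the records worth a human look, with the evidence that triggered them."""
    findings: List[Dict[str, str]] = []
    for rec in parse_records(text):
        if rec["src"] == "Service Control Manager" and rec["eid"] in ("7009", "7031"):
            for pat in SCM_NAME_RES:
                m = pat.search(rec["body"])
                if m and m["name"].isdigit():
                    findings.append({"ts": rec["ts"], "kind": "numeric_service_name",
                                     "value": m["name"]})
                    break
        elif rec["src"] == "Application Error" and rec["eid"] == "1000":
            m = FAULT_PATH_RE.search(rec["body"])
            if m is None:
                continue
            path = m["path"].strip()
            name = path.rsplit("\\", 1)[-1]
            if looks_random(name) or not in_expected_dir(path):
                findings.append({"ts": rec["ts"], "kind": "suspicious_crash",
                                 "value": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']}  {f['kind']}: {f['value']}")
```

Run against a real Addition.txt by passing the text between the "Event log errors" and "CodeIntegrity" headers to `triage()`. Numeric service names are worth checking in the SCM registry key (HKLM\SYSTEM\CurrentControlSet\Services) with the image path each one points at; a service name that is only a number is not something a vendor installer normally creates.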


#3 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:11:50 PM

Posted 28 August 2017 - 02:37 AM

Hi dkhman26!

I would be helping you out with this. Kindly allow me some time to go through your logs and come up with a plan of action.

Thanks,

Pranav


Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#4 blueelvis

Posted 29 August 2017 - 03:29 PM

Hello dkhman26 ^_^,

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • My name is Pranav. Please feel free to call me by my first name (actually, I prefer that).
  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved, so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and that may have been the route the malware used to infect your computer. Do not use any P2P software until we conclude your topic.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

Let's begin!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Regards,

Pranav


Edited by blueelvis, 29 August 2017 - 03:32 PM.
It's always the formatting!


#5 dkhman26

dkhman26
  • Topic Starter


Posted 29 August 2017 - 08:54 PM

Hey Pranav, thanks for responding. I submitted my samples to BitDefender and they have identified the randomly numbered executables in the root of C: and C:\windows as a new variant of some ransomware, those were the ones they detected. BitDefender support also looked at my other samples and identified those as the Trojan that was dropping the ransomware on the PC(s). As of right now, I don't think the definitions have been updated to actually include the new Trojan, so the PC is definitely still infected. I keep finding the randomly numbered executables on the PC, but luckily BitDefender is blocking them from doing anything. I think I'd like to take a look at it and see what we can find.



#6 blueelvis

Posted 01 September 2017 - 05:07 AM

Hello dkhman26!

That's great. Let's get started then. Glad to hear that the ransomware infection is blocked as of now. I have analysed your log files and I believe that there is a rootkit which is protecting the infection, which is why BitDefender is not able to clean it up properly.

I noticed some files which are listed below. Do you recognize them?

2017-08-22 17:09 - 2017-08-22 17:10 - 000189946 _____ C:\Users\cpetagna\Desktop\GTA - cmp master - NJ Env Sc.pdf
 
 
2017-08-18 09:17 - 2017-08-18 09:17 - 000116224 _____ C:\Users\cpetagna\Downloads\results.xls
2017-08-18 07:56 - 2017-08-18 07:56 - 000241664 _____ C:\Users\cpetagna\Downloads\results (100).xls
2017-08-17 12:16 - 2017-08-17 12:16 - 000216576 _____ C:\Users\cpetagna\Downloads\results (99).xls
2017-08-15 10:51 - 2017-08-15 10:51 - 000206848 _____ C:\Users\cpetagna\Downloads\results (98).xls
2017-08-15 10:47 - 2017-08-15 10:47 - 000141824 _____ C:\Users\cpetagna\Downloads\results (97).xls
2017-08-15 08:41 - 2017-08-15 08:41 - 000056784 _____ C:\Users\cpetagna\Desktop\VZW lunch meeting.pdf
2017-08-11 12:33 - 2017-08-11 12:33 - 000114688 _____ C:\Users\cpetagna\Downloads\results (96).xls
2017-08-11 12:32 - 2017-08-11 12:32 - 000097280 _____ C:\Users\cpetagna\Downloads\results (95).xls
2017-08-07 09:34 - 2017-08-07 09:34 - 000075264 _____ C:\Users\cpetagna\Downloads\results (94).xls
2017-08-07 09:18 - 2017-08-07 09:18 - 000033792 _____ C:\Users\cpetagna\Downloads\results (93).xls
2017-08-07 09:10 - 2017-08-07 09:10 - 000069632 _____ C:\Users\cpetagna\Downloads\results (92).xls
2017-08-02 09:03 - 2017-08-02 09:03 - 000060928 _____ C:\Users\cpetagna\Downloads\results (91).xls
2017-07-31 16:22 - 2017-07-31 16:22 - 000084992 _____ C:\Users\cpetagna\Downloads\results (90).xls

I also noticed multiple user accounts, as below. Do you recognize all of them?

User & LKott & AParolari & MLake & cpetagna & EPena & administrator

Are you aware that this machine has TeamViewer?

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.

When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Also, please check PM.

Let me know how it goes!

Regards,

Pranav

Attached Files



#7 blueelvis

Posted 04 September 2017 - 04:56 AM

Hello,

It has been 3 days since my last response. Are you still with me?

-Pranav



#8 blueelvis

Posted 07 September 2017 - 05:48 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




