
alexis11 FRST logs recommended in https://www.bleepingcomputer.com/forums/t/65


  • This topic is locked
14 replies to this topic

#1 alexis11

Posted 05 September 2017 - 05:07 PM

https://www.bleepingcomputer.com/forums/t/655884/adwcleaner-is-not-a-valid-windows32-application;-internet-blocked-and-high-cpu/page-2

Posting here at the kind request of Quietman7 in the thread linked above.

As requested:

1. Brief summary of problem:

XP SP3. CPU at 100%. Something prevents me from getting Firefox to boot, despite cleaning it out entirely with Add/Remove Programs and Revo Uninstaller. Additionally, though IE is functional, it is only partly functional: it will block access to certain websites, which in my mind I see as it thinking these are my attempts to get info online in order to snuff it out. EDIT: I notice that java.exe keeps popping up in Task Manager even after I uninstall it with Revo. Similarly, there are two programs that keep reinstalling themselves after I delete them with Revo and also Add/Remove Programs: Splashtop Streamer and Splashtop Updater. I don't recognize either of those as something I have intentionally installed.

If I go to Safe Mode, CPU is not at 100%; it is quite low, single digits. But no printers are available, and I'm not able to add any (something bad about Printer Spools is the error message; more details upon request).

2. Tools I have used:

JRT, ESET, Malwarebytes, Zemana, Rkill, EDIT: added this tool as one I have used: MBAR, CCleaner. AdwCleaner was not able to work on XP, per kind notification by Quietman7.

3. FRST log and FRST Addition logs below:

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-08-2017
Ran by front (administrator) on FENTON-4Y9X3D1 (05-09-2017 16:31:10)
Running from C:\Documents and Settings\front\Desktop\Malware Removal Etc\FRST
Loaded Profiles: front (Available Profiles: afenton & front & sfenton & front2 & Administrator & Front & QBDataServiceUser17 & QBDataServiceUser23 & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Broadcom Corporation) C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
(ATERA Networks Ltd.) C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
(Prosoftnet) C:\Program Files\IBackupWindows\ib_service.exe
(Medicity, Inc.) C:\Program Files\Novo Grid Node Container\iNexx Platform.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(Citrix Systems, Inc) C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
(Sun Microsystems, Inc.) C:\Program Files\Novo Grid Node Container\jre\bin\java.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe
(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
(Atera Networks) C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\logWriter.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\BM\TMBMSRV.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
(Apple Inc.) C:\Program Files\AirPort\APAgent.exe
(Prosoftnet) C:\Program Files\IBackupWindows\ib_bglaunch.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
(Prosoftnet) C:\Program Files\IBackupWindows\ib_tray.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCtrlCntr.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Brother Industries, Ltd.) C:\Program Files\Browny02\BrYNSvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\Receiver\ConfigurationWizard.exe
(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
(Brother Industries, Ltd.) C:\Program Files\ControlCenter4\BrCcUxSys.exe
(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BrMfcWnd] => C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [745472 2009-02-10] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] => C:\Program Files\Brother\ControlCenter3\brctrcen.exe [77824 2007-10-30] (Brother Industries, Ltd.)
HKLM\...\Run: [AirPort Base Station Agent] => C:\Program Files\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
HKLM\...\Run: [IBackup Background process] => C:\Program Files\IBackupWindows\ib_bglaunch.exe [160008 2016-04-11] (Prosoftnet)
HKLM\...\Run: [IBackup Tray] => C:\Program Files\IBackupWindows\ib_tray.exe [2222344 2016-04-11] (Prosoftnet)
HKLM\...\Run: [OfficeScanNT Monitor] => C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe [1499656 2017-07-07] (Trend Micro Inc.)
HKLM\...\Run: [ControlCenter4] => C:\Program Files\ControlCenter4\BrCcBoot.exe [139776 2015-01-29] (Brother Industries, Ltd.)
HKLM\...\Run: [BrStsMon00] => C:\Program Files\Browny02\Brother\BrStMonW.exe [4517376 2014-11-11] (Brother Industries, Ltd.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [395656 2014-05-29] (Citrix Systems, Inc.)
HKLM Group Policy restriction on software: %userprofile%\appdata\local\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\appdata\*.exe <==== ATTENTION
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist Corporate\1135\G2AWinLogon.dll [2016-11-04] (Citrix Systems, Inc.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2017-03-28] (LogMeIn, Inc.)
Winlogon\Notify\NavLogon:
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-19\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [7680216 2017-08-03] (Piriform Ltd)
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\MountPoints2: {6fef352f-33a5-11dc-bb2a-001aa0a08e95} - E:\Autorun.exe /run
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\MountPoints2: {a66421b0-5861-11de-bb9a-001aa0a08e95} - E:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
Startup: C:\Documents and Settings\afenton\Start Menu\Programs\Startup\Shortcut to qb.lnk [2007-07-09]
ShortcutTarget: Shortcut to qb.lnk -> \\server1\images\qb.bat (No File)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864 2011-04-06] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.2
Tcpip\..\Interfaces\{9030C340-D0F3-4E61-829E-3B9531DD8825}: [DhcpNameServer] 10.0.0.2

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070619
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070619
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> {8FB925C5-0142-4AC8-89ED-23DD1F915ACB} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\Client Server Security Agent\TmIEPlg.dll [2016-11-21] (Trend Micro Inc.)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\module\BES\TmBpIe32.dll [2017-06-19] (Trend Micro Inc.)
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
Toolbar: HKU\.DEFAULT -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2011-08-30] (Adobe Systems Incorporated)
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} hxxps://ctzmdportal.iasishealthcare.com/portal/applets/SharedSession.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} hxxp://10.71.16.39/iSite3_3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183400669703
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} hxxp://mhmhtrmsrv01.hca.corpad.net/msrdp.cab
DPF: {A08D2318-19E6-4332-A741-87FBBD3984CD} hxxps://hpfwtxf.hca.corpad.net/portal/mckesson/eig/viewer/mckapprun.cab
DPF: {C3A57B60-C117-11D2-BD9B-00105A0A7E89} hxxps://www.webholter.com/pdsaccess/Fileup/saxfile.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} hxxps://sanantoniora.clio.medcity.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} hxxps://portal.baptisthealthsystem.com/portal/applets/mckntauth.ocx
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://sanantoniora.clio.medcity.net/dana-cached/sc/JuniperSetupClient.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll [2012-05-12] (Intuit, Inc.)
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - C:\Program Files\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll [2013-03-11] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2009-11-07] (Microsoft Corporation)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\module\BES\TmBpIe32.dll [2017-06-19] (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\TmIEPlg.dll [2016-11-21] (Trend Micro Inc.)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll [2014-05-29] (Citrix Systems, Inc.)

FireFox:
========
FF DefaultProfile: 4sxod2zj.default
FF ProfilePath: C:\Documents and Settings\front\Application Data\Mozilla\Firefox\Profiles\4sxod2zj.default [2017-09-05]
FF HKLM\...\Firefox\Extensions: [{52d08c03-d98f-40ed-bd1c-e4ee1d7b9bdd}] - C:\Program Files\Trend Micro\Client Server Security Agent\FirefoxExtension
FF Extension: (No Name) - C:\Program Files\Trend Micro\Client Server Security Agent\FirefoxExtension [2017-09-03] [not signed]
FF Plugin: @Citrix.com/npagee,version=9.3.58.5 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2012-08-17] (Citrix Systems, Inc.)
FF Plugin: @Citrix.com/npican -> C:\Program Files\Citrix\ICA Client\npicaN.dll [2014-05-29] (Citrix Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-07-01] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-1362468806-2297102619-1991856889-1145: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\front\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2015-10-06] (Citrix Online)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Advantage; C:\Program Files\Extended Systems\Advantage 8.0\Server\ADS.EXE [1970176 2006-05-03] (Extended Systems, Inc.) [File not signed]
R2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [65536 2006-03-17] (Broadcom Corporation) [File not signed]
R2 AteraAgent; C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe [92672 2017-06-11] (ATERA Networks Ltd.) [File not signed]
R3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [289792 2014-10-23] (Brother Industries, Ltd.) [File not signed]
R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [615792 2010-03-31] (Juniper Networks)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2007-07-02] (Macrovision Europe Ltd.) [File not signed]
S4 GoToAssist; C:\Program Files\Citrix\GoToAssist Corporate\1135\G2AC_Service.exe [310592 2016-11-04] (Citrix Systems, Inc.)
R2 IBService; C:\Program Files\IBackupWindows\ib_service.exe [242952 2016-04-11] (Prosoftnet)
R2 iNexx Platform; C:\Program Files\Novo Grid Node Container\iNexx Platform.exe [122144 2012-03-14] (Medicity, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4430792 2017-08-21] (Malwarebytes)
R2 nsverctl; C:\Program Files\Citrix\Secure Access Client\nsverctl.exe [156272 2012-08-17] (Citrix Systems, Inc)
R2 ntrtscan; C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [3128808 2017-07-07] (Trend Micro Inc.)
S4 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-03-11] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-03-11] (Intuit Inc.) [File not signed]
S4 QuickBooksDB23; C:\Program Files\Intuit\QuickBooks 2013\QBDBMgrN.exe [679936 2013-03-11] (Intuit, Inc.) [File not signed]
S2 SplashtopRemoteService; C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe [739008 2017-04-13] (Splashtop Inc.) [File not signed]
R2 SSUService; C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe [609056 2013-10-08] (Splashtop Inc.)
R2 svcGenericHost; C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [81352 2017-07-17] (Trend Micro Inc.)
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
R3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [375296 2016-09-07] (Trend Micro Inc.)
R3 TmCCSF; C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe [765824 2017-07-07] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2937840 2017-07-07] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe [723456 2016-11-21] (Trend Micro Inc.)
R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [589824 2007-05-07] (TightVNC Group) [File not signed]
S4 ZAMSvc; C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
S4 bomgar-ps-1225815684-1231367015; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1231875795; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1232658794; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1234733971; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1235099523; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1368736706-1391044247; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-scc-551AC089; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -service:run [X] <==== ATTENTION

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [6025 2003-04-24] (Broadcom Corporation) [File not signed]
R3 BrScnUsb; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [15295 2004-10-15] (Brother Industries Ltd.)
R2 cag; C:\Program Files\Common Files\Deterministic Networks\Common Files\cag.sys [189272 2011-10-18] (Citrix Systems, Inc.)
R3 ctxva51; C:\WINDOWS\System32\DRIVERS\ctxva51.sys [42096 2012-08-17] (Citrix Systems, Inc.)
R2 DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions) [File not signed]
R1 DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions) [File not signed]
R1 DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions) [File not signed]
R2 DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions) [File not signed]
R2 DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions) [File not signed]
R3 DNE; C:\WINDOWS\System32\DRIVERS\dne2000.sys [133592 2011-02-07] (Citrix Systems, Inc.)
R0 DRVMCDB; C:\WINDOWS\System32\Drivers\DRVMCDB.SYS [89264 2005-09-12] (Sonic Solutions) [File not signed]
R2 DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions) [File not signed]
R3 dsNcAdpt; C:\WINDOWS\System32\DRIVERS\dsNcAdpt.sys [26624 2010-03-31] (Juniper Networks)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae.sys [59904 2017-08-24] ()
R2 LMIInfo; C:\WINDOWS\system32\drivers\LMIInfo.sys [13624 2015-06-15] (LogMeIn, Inc.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [150816 2017-09-05] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [40352 2017-09-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [221632 2017-09-05] (Malwarebytes)
R1 NEOFLTR_550_11905; C:\WINDOWS\system32\Drivers\NEOFLTR_550_11905.SYS [63008 2007-06-22] (Juniper Networks)
R1 NEOFLTR_650_15507; C:\WINDOWS\system32\Drivers\NEOFLTR_650_15507.SYS [85360 2010-03-31] (Juniper Networks)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2005-01-26] (Sonic Solutions) [File not signed]
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [392960 2006-03-17] (Sensaura)
R2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [113888 2016-08-04] (Trend Micro Inc.)
R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [324320 2016-08-22] (Trend Micro Inc.)
R2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [83680 2016-08-04] (Trend Micro Inc.)
R2 TmFilter; C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [318688 2016-08-22] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [59104 2016-08-22] (Trend Micro Inc.)
R1 tmtdi; C:\WINDOWS\System32\DRIVERS\tmtdi.sys [90712 2015-05-15] (Trend Micro Inc.)
R1 tmumh; C:\WINDOWS\System32\DRIVERS\TMUMH.sys [88288 2016-10-28] (Trend Micro Inc.)
R1 veracrypt; C:\WINDOWS\System32\drivers\veracrypt.sys [199256 2016-01-07] (IDRIX)
R2 VSApiNt; C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [1720544 2016-08-22] (Trend Micro Inc.)
R1 ZAM; C:\WINDOWS\System32\drivers\zam32.sys [181496 2017-09-03] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard32.sys [181496 2017-09-03] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-05 09:35 - 2017-09-05 09:35 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Splashtop
2017-09-05 09:32 - 2017-09-05 09:32 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Splashtop Remote
2017-09-05 09:29 - 2017-09-05 09:34 - 000000000 ____D C:\Program Files\Splashtop
2017-09-04 22:55 - 2017-09-04 22:55 - 000000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2017-09-04 22:55 - 2017-09-04 22:55 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2017-09-04 20:47 - 2017-09-04 20:47 - 000000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2017-09-04 20:47 - 2017-09-04 20:47 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-09-04 20:47 - 2017-09-04 20:47 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-09-04 20:47 - 2017-09-04 20:47 - 000000000 ____D C:\Documents and Settings\front\Local Settings\Application Data\Mozilla
2017-09-04 20:47 - 2017-09-04 20:47 - 000000000 ____D C:\Documents and Settings\front\Application Data\Mozilla
2017-09-04 15:51 - 2017-09-04 17:25 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Revo Uninstaller
2017-09-04 15:51 - 2017-09-04 15:51 - 000000000 ____D C:\Program Files\VS Revo Group
2017-09-03 22:59 - 2017-09-03 22:59 - 000000000 ____D C:\Documents and Settings\front\Local Settings\Application Data\ESET
2017-09-03 16:24 - 2017-09-05 16:32 - 000262354 _____ C:\WINDOWS\ZAM.krnl.trace
2017-09-03 16:24 - 2017-09-05 16:32 - 000158704 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-09-03 16:24 - 2017-09-03 16:24 - 000181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard32.sys
2017-09-03 16:24 - 2017-09-03 16:24 - 000181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam32.sys
2017-09-03 16:24 - 2017-09-03 16:24 - 000000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Zemana
2017-09-03 16:23 - 2017-09-03 16:24 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Zemana AntiMalware
2017-09-03 16:22 - 2017-09-03 16:22 - 000000000 ____D C:\Documents and Settings\front\Local Settings\Application Data\Zemana
2017-09-02 20:05 - 2017-09-03 16:16 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2017-09-02 20:00 - 2017-09-04 22:54 - 000000000 ____D C:\Documents and Settings\front\Desktop\Malware Removal Etc
2017-08-31 18:29 - 2017-08-31 18:35 - 000066116 _____ C:\Documents and Settings\front\Desktop\FRST.txt
2017-08-31 16:04 - 2017-09-05 16:31 - 000000000 ____D C:\FRST
2017-08-30 15:29 - 2017-09-05 09:27 - 000150816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-08-30 15:28 - 2017-09-05 09:26 - 000040352 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-08-30 15:28 - 2017-09-05 09:20 - 000221632 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-08-30 15:28 - 2017-08-30 15:28 - 000000000 ____D C:\Program Files\Malwarebytes
2017-08-30 15:28 - 2017-08-30 15:28 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2017-08-30 15:28 - 2017-08-24 11:27 - 000059904 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-08-30 15:27 - 2017-08-30 15:27 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\MB2Migration
2017-08-22 14:37 - 2013-02-14 12:39 - 000061069 _____ C:\Documents and Settings\front\Desktop\Medical Record.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-05 16:32 - 2007-07-09 11:45 - 000000000 ____D C:\Documents and Settings\front\Local Settings\Temp
2017-09-05 16:24 - 2016-09-07 15:37 - 000008051 _____ C:\WINDOWS\BRRBCOM.INI
2017-09-05 15:01 - 2007-07-09 10:57 - 000000120 _____ C:\WINDOWS\system32\config\netlogon.ftl
2017-09-05 10:40 - 2007-06-19 11:55 - 000002473 _____ C:\Documents and Settings\front\Desktop\Microsoft Office Excel 2007.lnk
2017-09-05 09:33 - 2016-11-07 18:18 - 000000336 _____ C:\WINDOWS\Tasks\Trend Micro Worry-Free Business Security Services Recovery Pack Tool.job
2017-09-05 09:33 - 2004-08-11 17:20 - 000032600 _____ C:\WINDOWS\SchedLgU.Txt
2017-09-05 09:32 - 2014-04-03 07:36 - 000000222 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-09-05 09:32 - 2004-08-11 17:00 - 000002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-09-05 09:27 - 2007-07-09 11:05 - 000000000 __SHD C:\WINDOWS\CSC
2017-09-05 09:27 - 2004-08-11 17:06 - 000000000 ____D C:\Documents and Settings\All Users
2017-09-05 09:26 - 2007-07-02 16:54 - 000035348 __RSH C:\Documents and Settings\All Users\ntuser.pol
2017-09-05 09:20 - 2015-03-31 12:05 - 000000719 _____ C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2017-09-05 09:20 - 2004-08-11 17:20 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-09-05 01:38 - 2004-08-11 17:02 - 000000000 ____D C:\WINDOWS\security
2017-09-05 00:33 - 2009-08-21 17:07 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\LogMeIn
2017-09-04 22:56 - 2015-09-29 11:29 - 000000000 ____D C:\Program Files\TeamViewer
2017-09-04 22:56 - 2007-07-09 11:45 - 000000000 ____D C:\Documents and Settings\front
2017-09-04 22:38 - 2013-11-07 11:35 - 000000000 ____D C:\WINDOWS\Minidump
2017-09-04 22:27 - 2010-11-07 09:24 - 000000000 ____D C:\WINDOWS\network diagnostic
2017-09-04 22:24 - 2016-04-13 11:47 - 000000000 ____D C:\Program Files\IBackupWindows
2017-09-04 21:49 - 2007-07-09 11:45 - 000000268 ___SH C:\Documents and Settings\front\ntuser.ini
2017-09-04 18:24 - 2004-08-11 17:00 - 000000583 _____ C:\WINDOWS\win.ini
2017-09-04 18:24 - 2004-08-11 17:00 - 000000227 _____ C:\WINDOWS\system.ini
2017-09-04 18:24 - 2004-08-11 17:00 - 000000211 __RSH C:\boot.ini
2017-09-04 17:56 - 2007-06-29 15:50 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\QuickBooks
2017-08-31 18:05 - 2009-03-20 15:19 - 000001011 _____ C:\Documents and Settings\front\Start Menu\2008-03-13Outlook export file.lnk
2017-08-31 18:01 - 2010-11-19 15:06 - 000000000 ____D C:\WINDOWS\pss
2017-08-30 19:21 - 2007-06-19 12:01 - 000073992 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-08-30 19:18 - 2017-05-13 17:04 - 000073992 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-08-30 18:21 - 2004-08-11 17:06 - 000283720 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-08-30 17:23 - 2007-07-02 16:52 - 000000000 ____D C:\Program Files\ScanSoft
2017-08-30 17:23 - 2007-07-02 16:52 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\ScanSoft
2017-08-30 15:28 - 2010-11-19 15:26 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-08-30 15:20 - 2015-10-12 11:52 - 000000284 _____ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2017-08-29 14:36 - 2007-06-29 15:00 - 000001791 _____ C:\WINDOWS\Brpfx04a.ini
2017-08-18 10:28 - 2004-08-11 17:06 - 000000000 ____D C:\Documents and Settings
2017-08-11 10:50 - 2011-10-12 10:05 - 000000000 ____D C:\Documents and Settings\front\Desktop\Procedure-Lab Orders
2017-08-11 10:49 - 2011-01-07 14:09 - 000000000 ____D C:\Documents and Settings\front\Desktop\DR FENTON PROCEDURE ORDERS - Do not revise
2017-08-08 15:00 - 2014-04-03 07:36 - 000000216 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2007-07-12 14:33 - 2008-10-31 19:31 - 000013072 _____ () C:\Documents and Settings\front\Application Data\Comma Separated Values (Windows).CAL
2007-10-08 09:36 - 2007-10-08 09:36 - 000038529 _____ () C:\Documents and Settings\front\Application Data\Tab Separated Values (DOS).ADR
2007-07-10 12:27 - 2008-01-02 11:21 - 000038528 _____ () C:\Documents and Settings\front\Application Data\Tab Separated Values (Windows).ADR
2007-07-12 14:34 - 2008-03-13 11:56 - 000013059 _____ () C:\Documents and Settings\front\Application Data\Tab Separated Values (Windows).CAL
2007-07-09 11:46 - 2007-07-11 09:49 - 000000128 _____ () C:\Documents and Settings\front\Local Settings\Application Data\fusioncache.dat
2011-03-11 09:52 - 2010-10-06 12:57 - 000004238 _____ () C:\Documents and Settings\All Users\hCare_Access.ico
2009-07-28 14:56 - 2008-07-09 12:41 - 000004286 _____ () C:\Documents and Settings\All Users\Portal.ico

Some files in TEMP:
====================
2015-10-06 11:05 - 2015-10-06 11:05 - 000304848 _____ (Citrix Online) C:\Documents and Settings\front\Local Settings\Temp\CitrixOnlineLauncher.exe
2016-01-15 10:56 - 2015-06-22 09:50 - 001050656 ____N (CANON INC.) C:\Documents and Settings\front\Local Settings\Temp\MSETUP4.EXE
2017-08-30 17:20 - 2017-09-04 22:46 - 000383928 _____ (Splashtop Inc.) C:\Documents and Settings\front\Local Settings\Temp\SetupUtil.exe
2015-10-26 14:48 - 2015-10-26 14:48 - 022192849 _____ (                                                            ) C:\Documents and Settings\front\Local Settings\Temp\tmp39.tmp.exe
2015-10-26 14:49 - 2015-10-26 14:49 - 022192849 _____ (                                                            ) C:\Documents and Settings\front\Local Settings\Temp\tmp3A.tmp.exe
2016-02-20 18:11 - 2016-02-20 18:12 - 022190922 _____ (                                                            ) C:\Documents and Settings\front\Local Settings\Temp\tmp3EC.tmp.exe
2016-01-15 10:57 - 2013-01-31 10:24 - 000354392 _____ (CANON INC.) C:\Documents and Settings\front\Local Settings\Temp\uninstall.exe
2015-10-12 15:06 - 2015-10-12 15:06 - 029010712 _____ (Kareo, Inc.                                               ) C:\Documents and Settings\front\Local Settings\Temp\~33.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

FRST Addition

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-08-2017
Ran by front (05-09-2017 16:33:23)
Running from C:\Documents and Settings\front\Desktop\Malware Removal Etc\FRST
Microsoft Windows XP Professional Service Pack 3 (X86) (2007-06-29 19:00:44)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1908797294-3136705385-1896871847-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1908797294-3136705385-1896871847-1011 - Limited - Enabled)
Front (S-1-5-21-1908797294-3136705385-1896871847-1008 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Front
Guest (S-1-5-21-1908797294-3136705385-1896871847-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1908797294-3136705385-1896871847-1007 - Limited - Disabled)
QBDataServiceUser17 (S-1-5-21-1908797294-3136705385-1896871847-1009 - Limited - Enabled) => %SystemDrive%\Documents and Settings\QBDataServiceUser17
QBDataServiceUser23 (S-1-5-21-1908797294-3136705385-1896871847-1012 - Limited - Enabled) => %SystemDrive%\Documents and Settings\QBDataServiceUser23
SUPPORT_388945a0 (S-1-5-21-1908797294-3136705385-1896871847-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro Security Agent (Enabled - Up to date) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
AV: Malwarebytes (Enabled - Up to date) {D4AC7077-9720-47B0-8B38-DFAF3AA21DB6}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 8.3.1 - CPSID_83708 (HKLM\...\Adobe Acrobat  8 Standard_831) (Version:  - Adobe Systems Incorporated)
Adobe Acrobat 8.3.1 Standard (HKLM\...\Adobe Acrobat  8 Standard) (Version: 8.3.1 - Adobe Systems)
Advantage Data Architect v8.1 (HKLM\...\{67400809-E887-4A9E-BD97-95D473DE707B}) (Version: 8.10.0018 - Extended Systems, Inc.)
Advantage Database Server for Windows NT/2000/2003 v8.0 (USA) (HKLM\...\{45D1CDD7-B2CC-427F-80EC-E915396DC478}) (Version: 8.00.0008 - Extended Systems, Inc.)
AirPort (HKLM\...\{40184457-4514-4B18-84A8-6BB8A3AB6A81}) (Version: 5.5.3.2 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AppLogLibSetup (HKLM\...\{7C40ADB8-AD6E-4CDF-94A1-06ACDC99F90F}) (Version: 1.0.2.0 - Brother Industries Ltd.) Hidden
Appointment Scheduling Interactive Software Training  (HKLM\...\5_AS) (Version:  - McKesson)
AteraAgent (HKLM\...\{c17f829f-8914-4ea3-b220-25f59f8d6231}_is1) (Version: 1.7.1.9 - ATERA Networks)
Billing and Accounts Receivable Interactive Software Training  (HKLM\...\3_BAR) (Version:  - McKesson)
Bonjour (HKLM\...\{C2E4B5BD-32DB-4817-A060-341AB17C3F90}) (Version: 2.0.5.0 - Apple Inc.)
BrLauncher (HKLM\...\{9483AB22-92AA-4161-9E79-DE77B71949DA}) (Version: 1.1.6.0 - Brother Industries Ltd.) Hidden
BrLogRx (HKLM\...\{E9A086F3-E0CB-4E91-AABE-586D99788BC3}) (Version: 1.0.1.1 - Brother Industries Ltd.) Hidden
Broadcom ASF Management Applications (HKLM\...\{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}) (Version: 8.18.14 - Broadcom)
Broadcom Management Programs (HKLM\...\{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}) (Version: 9.03.02 - Broadcom Corporation)
Brother MFL-Pro Suite (HKLM\...\{46E1B1F2-A279-4356-9B17-029F9CC72EAE}) (Version: 1.00 - Brother Industries, Ltd.)
Brother PCFax Driver (HKLM\...\{56BA05BD-7A67-4EF8-85A7-8C6528AEE2AC}) (Version: 1.4.0.0 - Brother Industries Ltd.) Hidden
Brother Port Driver (HKLM\...\{AE2FFC71-AE46-4B6C-A890-0808B4AF9DF9}) (Version: 1.1.3.3 - Brother Industries Ltd.) Hidden
Brother Printer Driver (HKLM\...\{8281F578-2B02-4E98-956F-64E5D60D761B}) (Version: 1.1.0.0 - Brother Industries Ltd.) Hidden
Brother Scanner Driver (HKLM\...\{F98C83EC-0334-4F4E-8AC0-211DAC81ED35}) (Version: 1.0.5.2 - Brother Industries Ltd.) Hidden
BrotherHelpInstaller (HKLM\...\{4E461C2A-EC1C-46D1-AF5B-7FEFD0054AF8}) (Version: 1.0.0.0 - Brother) Hidden
BrSupportTools (HKLM\...\{F8F9EB58-33BA-4FF8-80E7-66D87D2E0C3C}) (Version: 1.0.9.0 - Brother Industries Ltd.) Hidden
Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version: 1.1.5.14 - Canon Inc.)
Canon MX470 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX470_series) (Version: 1.00 - Canon Inc.)
Canon MX470 series On-screen Manual (HKLM\...\Canon MX470 series On-screen Manual) (Version: 7.6.1 - Canon Inc.)
Canon MX470 series User Registration (HKLM\...\Canon MX470 series User Registration) (Version:  - ‭Canon Inc.)
Canon My Printer (HKLM\...\CanonMyPrinter) (Version: 3.3.0 - Canon Inc.)
Canon Speed Dial Utility (HKLM\...\Speed Dial Utility) (Version: 1.6.0 - Canon Inc.)
Cash Flow Analysis and Practice Management Interactive Software Training  (HKLM\...\4_CFA) (Version:  - McKesson)
CCleaner (HKLM\...\CCleaner) (Version: 5.33 - Piriform)
Citrix Access Gateway Plug-in (HKLM\...\{EFA471C2-9843-48A0-BC2E-CCA297835F4E}) (Version: 9.3.58.5 - Citrix Systems, Inc.)
Citrix Online Launcher (HKLM\...\{E5F6D26D-E180-4547-A865-565EAB61000C}) (Version: 1.0.362 - Citrix)
Citrix Receiver (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 14.4.0.8014 - Citrix Systems, Inc.)
Collections Interactive Software Training  (HKLM\...\7_Coll) (Version:  - McKesson)
ControlCenter4 (HKLM\...\{9ADB625A-7F6D-4C48-9058-4767A55D5424}) (Version: 4.2.438.1 - Brother Insutries Ltd.) Hidden
ControlCenter4 CSDK (HKLM\...\{1BAE50D4-5F2A-4E34-BD81-B4555109F7C2}) (Version: 4.2.3.1 - Brother Insutries Ltd.) Hidden
Crystal Reports 10 Support Files (HKLM\...\{A3AE0EFB-C8C2-4AF5-9841-459DB1C138CF}) (Version: 1.00.0000 -  )
Custom Reports and Utilities Interactive Software Training  (HKLM\...\6_CRU) (Version:  - McKesson)
Daily Accounting Activities Interactive Software Training  (HKLM\...\2_DAA) (Version:  - McKesson)
Dell ETS Factory Installation (HKLM\...\{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}) (Version: 1.0.0 - ) Hidden
DeviceDetect (HKLM\...\{0B226409-96A6-47F0-84D8-89223B6F9479}) (Version: 1.0.3.4 - Brother Industries Ltd.) Hidden
GoToAssist Corporate (HKLM\...\GoToAssist) (Version: 11.4.0.1135 - Citrix Systems, Inc.)
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
HowToGuide (HKLM\...\{36580EEB-4EDF-4880-BBD4-097E2C645ECD}) (Version: 1.0.1.0 - Brother Industries Ltd.) Hidden
IBackup Version - 11.0 (HKLM\...\IBackup_is1) (Version: 11.0 - Pro Softnet Corp)
iNexx Platform (HKLM\...\{33F5D24A-9F87-4878-BEBC-0DABDD1A9F0E}) (Version: 9.9.11 - Medicity, Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Juniper Networks Host Checker (HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Neoteris_Host_Checker) (Version: 6.5.0.15507 - Juniper Networks)
Juniper Networks Network Connect 6.5.0 (HKLM\...\Juniper Network Connect 6.5.0) (Version: 6.5.0.15507 - Juniper Networks)
Juniper Networks Secure Application Manager (HKLM\...\Neoteris_Secure_Application_Manager) (Version: 6.5.0.15507 - Juniper Networks)
Juniper Networks Setup Client (HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Juniper_Setup_Client) (Version: 2.1.2.5973 - Juniper Networks)
Kareo (HKLM\...\{03C0C998-7669-438E-8DA1-0956466503FB}) (Version: 1.77.5758.27839 - Kareo, Inc.) Hidden
Kareo (HKLM\...\InstallShield_{03C0C998-7669-438E-8DA1-0956466503FB}) (Version: 1.77.5758.27839 - Kareo, Inc.)
LogMeIn (HKLM\...\{7F831576-6246-42C7-B523-55B3F96509CC}) (Version: 4.0.784 - LogMeIn, Inc.)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Medcon AppLauncher (HKLM\...\{8F5F43D2-C218-4166-82D0-9AABB0953701}) (Version: 4.06.011 - McKesson)
Medcon WebClient (HKLM\...\{2F882DF1-6439-4F31-8BF4-A8422D1A056A}) (Version: 4.06.011 - McKesson)
MedconViewer (HKLM\...\{17EDDEA4-B322-401F-AC3D-D01819CC9E41}) (Version: 4.06.011 - McKesson)
Medisoft Network Professional 12 (HKLM\...\Medisoft Network Professional 12) (Version:  - )
Medisoft Network Professional 12 SP2 (HKLM\...\Medisoft Network Professional 12 SP2) (Version:  - )
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Exchange Calendar Update Tool (HKLM\...\{9F73F6F4-F3A0-4B0A-A52B-D3B622DE6024}) (Version: 8.1.61.6 - Microsoft)
Microsoft Office 2003 Web Components (HKLM\...\{90A40409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Small Business Connectivity Components (HKLM\...\{A939D341-5A04-4E0A-BB55-3E65B386432D}) (Version: 2.0.7024.0 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}) (Version: 9.00.2047.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.2047.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}) (Version: 9.00.2047.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft WinUsb 1.0 (HKLM\...\winusb0100) (Version:  - Microsoft Corporation)
Mouse Suite for Desktop Computers (HKLM\...\{448E2D77-E504-4221-B2C2-93646B344729}) (Version: 2.50.023 - Dell)
Mozilla Firefox 52.3.0 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.3.0 ESR (x86 en-US)) (Version: 52.3.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.3.0 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
NetworkRepairTool (HKLM\...\{4694AD3E-D4A2-4D98-9848-662A0475E872}) (Version: 1.2.11.0 - Brother Insutries Ltd.) Hidden
Office Hours Professional for Networks 12 (HKLM\...\Office Hours Professional for Networks 12) (Version:  - )
Online Plug-in (HKLM\...\{9C1496FA-BB86-4A08-96CC-4F43EC65395A}) (Version: 14.1.100.12 - Citrix Systems, Inc.) Hidden
PaperPort Image Printer (HKLM\...\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PC-FAXReceive (HKLM\...\{8DB92891-74BB-464E-BCF8-6D6A9C2132AC}) (Version: 1.3.8.0 - Brother Insutries Ltd.) Hidden
PCFaxTx (HKLM\...\{4D52CAB8-06E6-4511-B29C-E2F36B52AE12}) (Version: 1.0.4.5 - Brother Industries Ltd.) Hidden
PowerDVD 5.7 (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version:  - )
QuickBooks (HKLM\...\{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}) (Version: 20.0.4006.807 - Intuit Inc.) Hidden
QuickBooks (HKLM\...\{3167CC62-C775-4E47-92C1-73EBB845751A}) (Version: 23.0.4006.2305 - Intuit Inc.) Hidden
QuickBooks Pro 2010 (HKLM\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4006.807 - Intuit Inc.)
QuickBooks Pro 2013 (HKLM\...\{3C631966-387E-4054-85D9-BBFFABE32BD8}) (Version: 23.0.4006.2305 - Intuit Inc.)
QuickBooks Product Listing Service (HKLM\...\{91208A47-5D08-4C79-986F-1931940F51BB}) (Version: 2.0.148 - Intuit)
QuickStart Toolkit and AED Software Update (HKLM\...\{77C4B1A0-45D2-4BB7-90CA-8F9A783F58CB}) (Version: 1.03.0000 - Cardiac Science Corp)
RemoteSetup (HKLM\...\{B6CE4633-EA3F-4856-9BCC-9B8702E076FE}) (Version: 3.8.0.0 - Brother Industries Ltd.) Hidden
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
Roxio DLA (HKLM\...\{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}) (Version: 5.2.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio RecordNow Copy (HKLM\...\{B12665F4-4E93-4AB4-B7FC-37053B524629}) (Version: 2.0.4 - Roxio)
Roxio RecordNow Data (HKLM\...\{075473F5-846A-448B-BCB3-104AA1760205}) (Version: 2.0.4 - Roxio)
RSA SecurID Software Token (HKLM\...\{432DDCA6-5CF6-4F02-93D3-BD78E327DA66}) (Version: 3.0.3 - RSA Security Inc.) Hidden
RSA SecurID Software Token (HKLM\...\InstallShield_{432DDCA6-5CF6-4F02-93D3-BD78E327DA66}) (Version: 3.0.3 - RSA Security Inc.)
ScannerUtilityInstaller (HKLM\...\{5B645FE2-19E9-4B15-B5B2-3D8766F6FA27}) (Version: 1.0.0.0 - Brother) Hidden
ScanSoft PaperPort 11 (HKLM\...\{7A8FF745-BBC5-482B-88E4-18D3178249A9}) (Version: 11.1.0000 - Nuance Communications, Inc.)
SearchAssist (HKLM\...\SearchAssist) (Version:  - )
Self-service Plug-in (HKLM\...\{D8FD5C98-F5A6-4623-B9C5-6099B227C343}) (Version: 4.1.100.46563 - Citrix Systems, Inc.) Hidden
Setup and Maintenance Interactive Software Training  (HKLM\...\1_SU) (Version:  - McKesson)
Splashtop Software Updater (HKLM\...\Splashtop Software Updater) (Version: 1.5.6.15 - Splashtop Inc.)
Splashtop Streamer (HKLM\...\{B7C5EA94-B96A-41F5-BE95-25D78B486678}) (Version: 3.1.4.0 - Splashtop Inc.)
StatusMonitor (HKLM\...\{86D16055-3C14-44C6-BCD7-5514B83BAD34}) (Version: 1.12.4.0 - Brother Insutries Ltd.) Hidden
SupportSoft Assisted Service (HKLM\...\{5A3F6A80-7913-475E-8B96-477A952CFA43}) (Version: 15 - SupportSoft)
TeamViewer 10 (HKLM\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
Time Zone Data Update Tool for Microsoft Office Outlook (HKLM\...\{95120000-0038-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1062 - Microsoft Corporation)
Trend Micro Security Agent (HKLM\...\{BED0B8A2-2986-49F8-90D6-FA008D37A3D2}) (Version: 6.0.1225 - Trend Micro Inc.) Hidden
Trend Micro Security Agent (HKLM\...\HostedAgent) (Version: 6.0.1225 - Trend Micro Inc.)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
URL Assistant (HKLM\...\{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}) (Version:  - )
UsbRepairTool (HKLM\...\{523276A4-5779-4105-9163-CA1CF94EC533}) (Version: 1.4.0.0 - Brother Insutries Ltd.) Hidden
VeraCrypt (HKLM\...\VeraCrypt) (Version: 1.16 - IDRIX)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version:  - Microsoft Corporation)
Windows Internet Explorer 7 (HKLM\...\ie7) (Version: 20061107.210142 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
Zemana AntiMalware (HKLM\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.74.0.150 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{23CEE673-F947-4d94-9D54-F4BA00C8B73D}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{28400E86-5FFC-453D-A534-EF455A115E74}\localserver32 -> C:\Program Files\Intuit\QuickBooks Product Listing Service\QBProductListingCOMServer.exe (TODO: <Company name>)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{32D32337-1511-4416-85C5-FD96C99322A0}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{3928D252-6BB4-4C0D-BE70-1E03AF93D464}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{3CDEA288-D759-4C3B-B07F-7AFBCC842D98}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{4877276C-A727-486D-B201-F096035CA4DF}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\qbfc5.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{8034BBB8-2145-4159-9A34-51E21A0A981F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{810CADD9-2658-4820-BA95-30199625191E}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{86AC2FAD-C987-4757-B591-02F9867A8BE5}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\qbfc5.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{F19F9A95-7A43-4A93-80B0-C9C1FF6F63F9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{F3B647C1-572C-4CC7-AFC9-A5E92837D05B}\InprocServer32 -> C:\Program Files\Common Files\Crystal Decisions\2.5\bin\keycode.dll (Crystal Decisions)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2013\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
ContextMenuHandlers1: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAMShellExt32.dll [2017-09-03] ()
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll [2011-08-30] (Adobe Systems Inc.)
ContextMenuHandlers1: [IBackupMenu] -> {580061C7-F821-447C-AB70-5E4AD25AF2E0} => C:\Program Files\IBackupWindows\IBContextMenu.dll [2016-04-11] ()
ContextMenuHandlers2: [DriveLetterAccess] -> {5CA3D70E-1895-11CF-8E15-001234567890} => C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08] (Sonic Solutions)
ContextMenuHandlers2: [IBackupMenu] -> {580061C7-F821-447C-AB70-5E4AD25AF2E0} => C:\Program Files\IBackupWindows\IBContextMenu.dll [2016-04-11] ()
ContextMenuHandlers4: [IBackupMenu] -> {580061C7-F821-447C-AB70-5E4AD25AF2E0} => C:\Program Files\IBackupWindows\IBContextMenu.dll [2016-04-11] ()
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2006-07-21] (Intel Corporation)
ContextMenuHandlers6: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAMShellExt32.dll [2017-09-03] ()
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} => C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll [2011-08-30] (Adobe Systems Inc.)

==================== Scheduled Tasks=============================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Trend Micro Worry-Free Business Security Services Recovery Pack Tool.job => C:\Program Files\Trend Micro\WFBSSUpdater\WFBSSUpdater.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Documents and Settings\front\NetHood\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.co
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\iNexx Platform\Start platform.lnk -> C:\Program Files\Novo Grid Node Container\Novo\Node\bootstrap\startPlatform.bat ()
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\iNexx Platform\Stop platform.lnk -> C:\Program Files\Novo Grid Node Container\Novo\Node\bootstrap\stopPlatform.bat ()

==================== Loaded Modules (Whitelisted) ==============

2016-04-13 11:47 - 2016-04-11 18:07 - 000013312 _____ () C:\Program Files\IBackupWindows\SqliteWrapper.dll
2016-04-13 11:47 - 2016-04-11 15:32 - 000639488 _____ () C:\Program Files\IBackupWindows\sqlite3.dll
2016-04-13 11:47 - 2016-04-11 18:08 - 000043520 _____ () C:\Program Files\IBackupWindows\RemoteManagement.dll
2016-04-13 11:51 - 2016-06-21 11:20 - 000499712 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\sqlite3.dll
2007-06-29 15:00 - 2002-11-26 14:43 - 000106496 _____ () C:\WINDOWS\system32\BrMuSNMP.dll
2009-02-27 16:38 - 2009-02-27 16:38 - 000139264 _____ () C:\Program Files\Brother\BrUtilities\BrLogAPI.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 000024312 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_system-vc110-mt-1_57.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 000049544 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_date_time-vc110-mt-1_57.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 000552696 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\sqlite3.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 001111456 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\libprotobuf.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 000092792 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_thread-vc110-mt-1_57.dll
2016-06-07 10:41 - 2016-06-07 10:41 - 000032552 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_chrono-vc110-mt-1_57.dll
2017-05-13 17:00 - 2017-05-13 17:00 - 000030720 _____ () C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageCommonTasksLib.dll
2017-07-26 10:44 - 2016-06-21 11:19 - 000663552 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\sqlite3.dll
2016-04-13 11:47 - 2016-04-11 15:32 - 000488448 _____ () C:\Program Files\IBackupWindows\IBContextMenu.dll
2017-09-03 16:24 - 2017-09-03 16:24 - 000131952 _____ () C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAMShellExt32.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\bomgar-ps-1368736706-1391044247 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\bomgar-scc-551AC089 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMChameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\apps.resolutehealth.com -> hxxps://apps.resolutehealth.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\apps.vhschicago.com -> hxxps://apps.vhschicago.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\baptisthealthsystem.com -> hxxps://portal.baptisthealthsystem.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\bomacitrix.etenet.com -> hxxps://bomacitrix.etenet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\cardionet.com -> hxxps://access.cardionet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\chilcitrix.etenet.com -> hxxps://chilcitrix.etenet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\citrix.etenet.com -> hxxps://citrix.etenet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\citrix.stvincenthospital.com -> hxxps://citrix.stvincenthospital.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\citrixxen.abrazohealth.com -> hxxps://citrixxen.abrazohealth.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\desktop.etenet.com -> hxxp://desktop.etenet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\gateway.vhschicago.com -> hxxps://gateway.vhschicago.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\hatxcitrix.etenet.com -> hxxps://hatxcitrix.etenet.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\portal.valleybaptist.net -> hxxps://portal.valleybaptist.net
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\remote.baptisthealthsystem.com -> hxxps://remote.baptisthealthsystem.com
IE trusted site: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\satxcitrix.etenet.com -> hxxps://satxcitrix.etenet.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-11 17:00 - 2010-11-19 16:27 - 000000734 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

DNS Servers: 10.0.0.2
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix Access Gateway.lnk => C:\WINDOWS\pss\Citrix Access Gateway.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk => C:\WINDOWS\pss\Intuit Data Protect.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\WINDOWS\pss\QuickBooks_Standard_21.lnkCommon Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DLA => C:\WINDOWS\System32\DLA\DLACTRLW.EXE
MSCONFIG\startupreg: DVDLauncher => "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: Intuit SyncManager => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: Load => C:\DOCUME~1\front\LOCALS~1\Temp\dwm.exe
MSCONFIG\startupreg: LogMeIn GUI => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
MSCONFIG\startupreg: Persistence => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: PMX Daemon => ICO.EXE
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: QuickBooksDB23 => C:\PROGRA~1\Intuit\QUICKB~4\QBDBMgrN.exe -n QB_FENTON-4Y9X3D1_23 -qs -gd ALL -gk all -gp 4096 -gu all  -ch 256M -c 128M -x tcpip(BroadcastListener=NO;port=55353) -ti 0 -ec simple  -qi -qw  -tl 120 -oe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit\QUICKB~2\DBSTAR~1.LOG -y
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe
MSCONFIG\startupreg: SupportAnyPC => "C:\DOCUME~1\front\LOCALS~1\Temp\winvnc.exe" -servicehelper
MSCONFIG\startupreg: Synchronization Manager => %SystemRoot%\system32\mobsync.exe /logon
MSCONFIG\startupreg: WinVNC => "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
MSCONFIG\startupreg: ZAM => "C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAM.exe" /minimized

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
DomainProfile\AuthorizedApplications: [C:\Program Files\Medisoft\Bin\MAPA.EXE] => Enabled:MAPA
DomainProfile\AuthorizedApplications: [C:\Program Files\Medisoft\Bin\Ohp.exe] => Enabled:Ohp
DomainProfile\AuthorizedApplications: [C:\Program Files\Medisoft\Bin\Oh.exe] => Enabled:Oh
DomainProfile\AuthorizedApplications: [C:\Program Files\RAS\client25989\Tool.exe] => Enabled:Tool
DomainProfile\AuthorizedApplications: [C:\WINDOWS\system32\fxsclnt.exe] => Enabled:Microsoft  Fax Console
DomainProfile\AuthorizedApplications: [C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe] => Enabled:Secure Application Manager Proxy
DomainProfile\AuthorizedApplications: [C:\Program Files\Internet Explorer\iexplore.exe] => Enabled:Internet Explorer
DomainProfile\AuthorizedApplications: [C:\Program Files\MEDITECH\Print\VMagicPPII.exe] => Enabled:Document Spooling Service
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMI399.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMIDF1.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMIDFF.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMIE9E.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMIE866.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe] => Enabled:QuickBooks 2010 Data Manager
DomainProfile\AuthorizedApplications: [\\Fenton-4y9x3d1\c$\Program Files\Medisoft\Bin\Ohp.exe] => \\Fenton-4y9x3d1\c$\Program Files\Medisoft\Bin\Ohp.exe:*:Disabled:Ohp
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMI766.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\WINDOWS\LMI376F.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
DomainProfile\AuthorizedApplications: [C:\Program Files\Brother\Brmfl07b\FAXRX.exe] => Enabled:FAXRX.EXE
DomainProfile\AuthorizedApplications: [C:\Program Files\Citrix\Secure Access Client\nsepa.exe] => Enabled:Citrix Access Gateway Endpoint Analysis
DomainProfile\AuthorizedApplications: [C:\Program Files\Citrix\Secure Access Client\nsload.exe] => Enabled:Citrix Access Gateway Plug-in
DomainProfile\AuthorizedApplications: [C:\Program Files\Intuit\QuickBooks 2013\QBDBMgrN.exe] => Enabled:QuickBooks 2013 Data Manager
DomainProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
DomainProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
DomainProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
DomainProfile\AuthorizedApplications: [C:\Program Files\AirPort\APAgent.exe] => Enabled:AirPort
DomainProfile\AuthorizedApplications: [C:\Program Files\AirPort\APUtil.exe] => Enabled:AirPort Utility
DomainProfile\AuthorizedApplications: [C:\Program Files\PC-FAXReceive\BREngineProcess.exe] => Enabled:BREngineProcess
DomainProfile\AuthorizedApplications: [C:\Program Files\Splashtop\Splashtop Remote\Server\SRManager.exe] => Enabled:Splashtop® Streamer
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
StandardProfile\AuthorizedApplications: [C:\Program Files\Citrix\Secure Access Client\nsepa.exe] => Enabled:Citrix Access Gateway Endpoint Analysis
StandardProfile\AuthorizedApplications: [C:\Program Files\Citrix\Secure Access Client\nsload.exe] => Enabled:Citrix Access Gateway Plug-in
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
DomainProfile\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009
DomainProfile\GloballyOpenPorts: [1723:TCP] => Enabled:Medisoft1
DomainProfile\GloballyOpenPorts: [47:TCP] => Enabled:Medisoft2
DomainProfile\GloballyOpenPorts: [54925:UDP] => Enabled:Brother Network Scanner
DomainProfile\GloballyOpenPorts: [5353:UDP] => Enabled:Bonjour
DomainProfile\GloballyOpenPorts: [21112:TCP] => Enabled:Trend Micro Security Agent Listener
DomainProfile\GloballyOpenPorts: [61117:UDP] => Enabled:Trend Micro Security Agent Broadcast
DomainProfile\GloballyOpenPorts: [61116:TCP] => Enabled:Trend Micro Security Agent Update
StandardProfile\GloballyOpenPorts: [3389:TCP] => Enabled:@xpsp2res.dll,-22009

==================== Restore Points =========================

17-06-2017 03:02:09 Software Distribution Service 3.0
18-06-2017 11:52:40 System Checkpoint
19-06-2017 11:57:29 System Checkpoint
20-06-2017 03:00:26 Software Distribution Service 3.0
21-06-2017 03:27:49 System Checkpoint
22-06-2017 04:27:51 System Checkpoint
23-06-2017 04:39:53 System Checkpoint
24-06-2017 05:27:52 System Checkpoint
25-06-2017 06:27:55 System Checkpoint
26-06-2017 07:27:02 System Checkpoint
16-07-2017 03:00:43 Software Distribution Service 3.0
24-07-2017 12:15:44 System Checkpoint
30-07-2017 03:00:40 Software Distribution Service 3.0
09-08-2017 10:20:10 System Checkpoint
10-08-2017 10:59:50 System Checkpoint
30-08-2017 17:19:13 Removed Splashtop Streamer.
30-08-2017 17:23:43 Removed ScanSoft PDF Create! 4
02-09-2017 11:44:25 System Checkpoint
02-09-2017 19:58:34 Removed Java™ 6 Update 20
03-09-2017 22:46:27 Removed Splashtop Streamer.
03-09-2017 22:49:31 JRT Pre-Junkware Removal
03-09-2017 23:39:06 JRT Pre-Junkware Removal
04-09-2017 15:53:45 Revo Uninstaller's restore point - QuickBooks Pro 2007
04-09-2017 16:59:23 Revo Uninstaller's restore point - Splashtop Streamer
04-09-2017 17:00:10 Revo Uninstaller's restore point - Splashtop Streamer
04-09-2017 17:29:25 Revo Uninstaller's restore point - Mozilla Firefox 52.3.0 ESR (x86 en-US)
04-09-2017 17:40:22 Revo Uninstaller's restore point - Splashtop Streamer
04-09-2017 17:42:36 Removed Splashtop Streamer.
04-09-2017 17:47:33 Revo Uninstaller's restore point - QuickBooks Pro 2007
04-09-2017 17:52:12 Removed QuickBooks
04-09-2017 18:33:40 Revo Uninstaller's restore point - Splashtop Software Updater
04-09-2017 19:21:34 Revo Uninstaller's restore point - Splashtop Streamer

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/05/2017 09:31:34 AM) (Source: Userenv) (EventID: 1526) (User: NT AUTHORITY)
Description: Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.

Error: (09/05/2017 09:25:41 AM) (Source: Broadcom ASF IP Monitor) (EventID: 0) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2006) (User: )
Description: Unable to read Server Queue performance data from the Server service.
No Server Queue performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2005) (User: )
Description: Unable to read performance data from the Server service.
No Server performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2006) (User: )
Description: Unable to read Server Queue performance data from the Server service.
No Server Queue performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2005) (User: )
Description: Unable to read performance data from the Server service.
No Server performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2006) (User: )
Description: Unable to read Server Queue performance data from the Server service.
No Server Queue performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:22:36 AM) (Source: PerfNet) (EventID: 2005) (User: )
Description: Unable to read performance data from the Server service.
No Server performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:21:03 AM) (Source: PerfNet) (EventID: 2006) (User: )
Description: Unable to read Server Queue performance data from the Server service.
No Server Queue performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

Error: (09/05/2017 09:21:03 AM) (Source: PerfNet) (EventID: 2005) (User: )
Description: Unable to read performance data from the Server service.
No Server performance data will be returned in this sample.
Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and
the IOSB.Information is DWORD 2.

System errors:
=============
Error: (09/05/2017 09:37:07 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Splashtop® Remote Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (09/05/2017 09:37:07 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Splashtop® Remote Service service to connect.

Error: (09/05/2017 09:26:00 AM) (Source: NETLOGON) (EventID: 5783) (User: )
Description: The session setup to the Windows NT or Windows 2000 Domain Controller \\SERVER1.fenton.local for the domain FENTON
is not responsive.  The current RPC call from Netlogon on \\FENTON-4Y9X3D1 to \\SERVER1.fenton.local has been cancelled.

Error: (09/05/2017 09:24:46 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The AteraAgent service hung on starting.

Error: (09/04/2017 10:31:52 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
An instance of the service is already running.

Error: (09/04/2017 09:59:02 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The BrYNSvc service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (09/04/2017 09:59:02 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the BrYNSvc service to connect.

Error: (09/04/2017 09:59:02 PM) (Source: DCOM) (EventID: 10005) (User: FENTON)
Description: DCOM got error "%%1053 = The service did not respond to the start or control request in a timely fashion." attempting to start the service BrYNSvc with arguments ""
in order to run the server:
{F2189AE3-E432-427F-93B6-38D1C6F5E8D4}

Error: (09/04/2017 09:57:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The IMAPI CD-Burning COM Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (09/04/2017 09:57:01 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

==================== Memory info ===========================

Processor: Intel® Core™2 CPU 6400 @ 2.13GHz
Percentage of memory in use: 49%
Total physical RAM: 3061.54 MB
Available physical RAM: 1539.88 MB
Total Virtual: 4425.51 MB
Available Virtual: 2793.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.45 GB) (Free:3.35 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive n: () (Network) (Total:122.95 GB) (Free:15.7 GB)
Drive p: () (Network) (Total:122.95 GB) (Free:15.7 GB)
Drive q: () (Network) (Total:122.95 GB) (Free:15.7 GB)
Drive u: () (Network) (Total:122.95 GB) (Free:15.7 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Thank you for your help!


Edited by alexis11, 05 September 2017 - 06:30 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 06 September 2017 - 08:13 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %userprofile%\appdata\local\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\appdata\*.exe <==== ATTENTION
HKU\S-1-5-19\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
ShortcutTarget: Shortcut to qb.lnk -> \\server1\images\qb.bat (No File)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S4 bomgar-ps-1225815684-1231367015; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1231875795; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1232658794; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1234733971; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1235099523; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1368736706-1391044247; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-scc-551AC089; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -service:run [X] <==== ATTENTION


Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#3 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 06 September 2017 - 06:33 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %userprofile%\appdata\local\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\appdata\*.exe <==== ATTENTION
HKU\S-1-5-19\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
ShortcutTarget: Shortcut to qb.lnk -> \\server1\images\qb.bat (No File)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S4 bomgar-ps-1225815684-1231367015; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1231875795; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1232658794; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1234733971; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1235099523; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1368736706-1391044247; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-scc-551AC089; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -service:run [X] <==== ATTENTION


Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

 

Thank you very much nasdaq!

 

I did what you said, and please find the log (fixlog.txt) below as you requested.

 

 

I hit OK to reboot, and am waiting (it's slow).

 

I also wanted to mention that, even prior to this step today, yesterday I made significant progress by deleting certain processes in "Task Manager > Processes" to the point that I was able to access anywhere on the internet, even the places I need to go that involve log-ins and downloads that previously I was blocked from. [I was able to get on the internet by clicking an old icon on my desktop that was directed to a certain website ... then once there, I could retype a new URL in the address bar and then could get to any website.] At that point the only thing wrong with the computer that I could tell was that the CPU meter was way high: baseline approximately 50-60% when not asking it to do anything ... up to 90-100% with the simplest of tasks. I could even use the printers.

 

[Explanation, for what it's worth, of how I adjusted the  "Task Manager > Processes" list to get internet access yesterday: I essentially matched the list of processes that were present when the system was booted into XP Safe Mode, with the exception that I didn't delete the ones associated with the printer, or for Trend Micro (the latter was out of my control - it insisted on adding in .exe files to the list no matter how often I deleted them). I definitely deleted the ones related to Splashtop, and some others that kept inserting themselves back into the list as fast as I could delete them, until finally it seems like they just gave up trying to be included in the list.]

 

I will pause typing here while the other "sick" computer boots up. It is taking a very long time ...

 

 

OK, back. Unfortunately it looks like things took a step backwards after hitting "FIX" in FRST after putting the FIXLOG.TXT in the appropriate folder and then restarting:

1) No longer able to access Firefox/Internet as I was before running the "FIX" in FRST. Unfortunately, this holds true even after I then made changes to Task Manager > Processes as described above. Re: IE today - it will let me go to certain websites, but it is back to its bad behavior of not letting me access certain sites, like the ones I need to log into.

2) CPU - still running at very high levels.

 

Thank you for any further advice you may have, nasdaq.

 

************************************************************************************************

************************************************************************************************

FIXLOG.TXT

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 20-08-2017
Ran by front (06-09-2017 17:19:17) Run:1
Running from C:\Documents and Settings\front\Desktop\Malware Removal Etc\FRST
Loaded Profiles: front (Available Profiles: afenton & front & sfenton & front2 & Administrator & Front & QBDataServiceUser17 & QBDataServiceUser23 & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %userprofile%\appdata\local\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %localappdata%\*.exe <==== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\appdata\*.exe <==== ATTENTION
HKU\S-1-5-19\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-20\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-18\...\Winlogon: [Shell] C:\WINDOWS\Explorer.exe [1033728 2008-04-13] (Microsoft Corporation) <==== ATTENTION
ShortcutTarget: Shortcut to qb.lnk -> \\server1\images\qb.bat (No File)
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKU\S-1-5-21-1362468806-2297102619-1991856889-1145 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S4 bomgar-ps-1225815684-1231367015; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1231875795; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1232658794; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1234733971; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1225815684-1235099523; "C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-49107683\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-ps-1368736706-1391044247; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -pinned elevated [X]
S4 bomgar-scc-551AC089; "C:\Documents and Settings\All Users\Application Data\bomgar-scc-519543C2\bomgar-scc.exe" -service:run [X] <==== ATTENTION


Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %userprofile%\appdata\local\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %AppData%\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %userprofile%\Local Settings\Application Data\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %AppData%\*\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %localappdata%\*\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %localappdata%\*.exe <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %userprofile%\appdata\*.exe <==== ATTENTION => restored successfully
HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully.
HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully.
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisablePersonalDirChange => value removed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully.
ShortcutTarget: Shortcut to qb.lnk -> \\server1\images\qb.bat (No File) => not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\system32\GroupPolicy\User => moved successfully
"C:\WINDOWS\system32\GroupPolicy\User" => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully.
HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKU\S-1-5-21-1362468806-2297102619-1991856889-1145\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKLM\Software\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1225815684-1231367015 => key removed successfully.
bomgar-ps-1225815684-1231367015 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1225815684-1231875795 => key removed successfully.
bomgar-ps-1225815684-1231875795 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1225815684-1232658794 => key removed successfully.
bomgar-ps-1225815684-1232658794 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1225815684-1234733971 => key removed successfully.
bomgar-ps-1225815684-1234733971 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1225815684-1235099523 => key removed successfully.
bomgar-ps-1225815684-1235099523 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-ps-1368736706-1391044247 => key removed successfully.
bomgar-ps-1368736706-1391044247 => service removed successfully.
HKLM\System\CurrentControlSet\Services\bomgar-scc-551AC089 => key removed successfully.
bomgar-scc-551AC089 => service removed successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 42548 B
Java, Flash, Steam htmlcache => 5963604 B
Windows/system/dllcache/drivers => 224208381 B
Edge => 0 B
Chrome => 0 B
Firefox => 49554001 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 501971 B
All Users => 0 B
systemprofile => 1523481 B
LocalService => 33128 B
NetworkService => 2441726 B
afenton => 9818635 B
front => 1034879670 B
sfenton => 0 B
front2 => 496542 B
administrator.FENTON => 784319 B
Front => 0 B
QBDataServiceUser17 => 32918 B
QBDataServiceUser23 => 0 B
Administrator => 33144 B

RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:21:22 ====



#4 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 06 September 2017 - 07:20 PM

Hi nasdaq:

 

Wonderful news here: It looks like Malwarebytes premium trial is the culprit keeping me from using Firefox. If I disable Malwarebytes premium trial, I can access Firefox in the normal fashion.

 

The remaining problem is that my CPU meter is running so hot: baseline 50-60% when nothing is happening, and frequently up to 100% when I ask it to run a task.

 

Here is the sequence of events that got me to this point:

 

1) BSOD many times, and high CPU usage.

2) Kind assistance from two helpful users in the first thread I posted in.

3) BSODs gone, but now no internet access.

4) Start this thread, ran FRST as per your kind assistance, disabled Malwarebytes. Now the remaining problem is 1) Very high CPU usage > computer slowdowns, as described above.

 

 

Somewhere along the line I noticed three programs that a) I don't remember putting on my computer, b) I don't think I want on my computer, and c) cannot delete from my computer, using Add/Remove Programs or even Revo Uninstaller. These three programs are:

1) java.exe as a process in Task Manager

2) Splashtop Software Updater and Splashtop Streamer

3) Atera Agent

 

Could they be responsible for the high CPU usage? Should I keep trying to get rid of them/delete them?

 

I'm very grateful for your help to this point, nasdaq, thank you! If you would be able to help me get my CPU usage down to normal levels, I'd be ecstatic, but at least now I can go to the internet (though I can't imagine why Malwarebytes doesn't like it).

 

Thanks again!


Edited by alexis11, 06 September 2017 - 07:23 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 07 September 2017 - 09:13 AM



Somewhere along the line I noticed three programs that a) I don't remember putting on my computer, b) I don't think I want on my computer, and c) cannot delete from my computer, using Add/Remove Programs or even Revo Uninstaller. These three programs are:
1) java.exe as a process in Task Manager
2) Splashtop Software Updater and Splashtop Streamer
3) Atera Agent



java.exe as a process in Task Manager

This was installed by:

iNexx Platform
from Medicity, Inc.
http://www.shouldiremoveit.com/iNexx-Platform-96170-program.aspx

You can disable iNexx Platform from the Task Manager or remove it via the Control Panel > Programs > Programs and Features.

iNexx Platform (HKLM\...\{33F5D24A-9F87-4878-BEBC-0DABDD1A9F0E}) (Version: 9.9.11 - Medicity, Inc.)
===

Splashtop Software Updater and Splashtop Streamer
Splashtop
https://en.wikipedia.org/wiki/Splashtop_Remote

Remote control program. Again, you can disable it in the Task Manager or remove it.

If you did not install it remove it.

Read about it:
http://www.systemlookup.com/search.php?type=name&client=malwaresearch-chrome&search=Splashtop
===

Atera Agent

Installed by Splashtop.
https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001152686-Atera
Decide if you want to keep it.

===

Keep me posted.

#6 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 07 September 2017 - 09:54 AM

Hi nasdaq, thank you!

1) I will look into removing the iNexx platform and Atera agent.

2) I have tried unsuccessfully many times to remove the Splashtop programs using Control Panel > Add/Remove programs, and even Revo uninstall. The removal goes fine in each case, but it always reappears soon thereafter. Does that mean there is a virus? Can you help me with that part also please?

3) Once we get these nasty programs gone for good ... do you think my CPU meter will run at normal low values?

Thank you again, nasdaq!

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 07 September 2017 - 01:12 PM


Hi,

Once we get these nasty programs gone for good ... do you think my CPU meter will run at normal low values?


Disable them via the Task manager.

Restart the computer normally.

If the CPU is not changing, then they are not the cause.

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view details of the System File Checker process.

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>

#8 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 07 September 2017 - 10:32 PM

Hi,



Once we get these nasty programs gone for good ... do you think my CPU meter will run at normal low values?

Disable them via the Task manager.

Restart the computer normally.

If the CPU is not changing, then they are not the cause.

Thank you, nasdaq!

I disabled as you suggested, rebooted. The .exe files unfortunately reappeared in Task Manager.

I then deleted the programs in Control Panel > Add/Remove Programs. This time, for the first time, they didn't reappear in the list of programs!

The CPU meter was initially low, but the more manipulation I did in Task Manager, the higher the CPU meter reading became.

I was blocked out of the internet until I disabled Malwarebytes in the task bar, and disabled its .exe files in Task Manager.





Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed, refer to the Microsoft article again and follow the instructions to view details of the System File Checker process.

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.

I will do this tomorrow, thank you.

Here is where things stand:
1) I can get on Firefox only by shutting down/disabling Malwarebytes. I'm wondering if that suggests a virus (Malwarebytes doesn't have that effect on my other computers, even XP SP3 ones)?
2) CPU meter runs high.

Thank you again, nasdaq. Will post back.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 08 September 2017 - 08:00 AM

Try this.

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>


If still using high CPU

Disable the dwm.exe
MSCONFIG\startupreg: Load => C:\DOCUME~1\front\LOCALS~1\Temp\dwm.exe

Read about it.
http://www.thewindowsclub.com/desktop-window-manager-dwm-exe

Keep me posted.

p.s.

You have many programs started under the MsConfig.
Do you need/use all of them?

==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix Access Gateway.lnk => C:\WINDOWS\pss\Citrix Access Gateway.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk => C:\WINDOWS\pss\Intuit Data Protect.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\WINDOWS\pss\QuickBooks_Standard_21.lnkCommon Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DLA => C:\WINDOWS\System32\DLA\DLACTRLW.EXE
MSCONFIG\startupreg: DVDLauncher => "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: Intuit SyncManager => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: Load => C:\DOCUME~1\front\LOCALS~1\Temp\dwm.exe
MSCONFIG\startupreg: LogMeIn GUI => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
MSCONFIG\startupreg: Persistence => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: PMX Daemon => ICO.EXE
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: QuickBooksDB23 => C:\PROGRA~1\Intuit\QUICKB~4\QBDBMgrN.exe -n QB_FENTON-4Y9X3D1_23 -qs -gd ALL -gk all -gp 4096 -gu all -ch 256M -c 128M -x tcpip(BroadcastListener=NO;port=55353) -ti 0 -ec simple -qi -qw -tl 120 -oe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit\QUICKB~2\DBSTAR~1.LOG -y
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe
MSCONFIG\startupreg: SupportAnyPC => "C:\DOCUME~1\front\LOCALS~1\Temp\winvnc.exe" -servicehelper
MSCONFIG\startupreg: Synchronization Manager => %SystemRoot%\system32\mobsync.exe /logon
MSCONFIG\startupreg: WinVNC => "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
MSCONFIG\startupreg: ZAM => "C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAM.exe" /minimized
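A defender-side check that the MSCONFIG listing above invites, as an added example that is not the page's or FRST's own code: it parses the `MSCONFIG\startupreg:` lines of an FRST log and flags autostarts that run from a Temp directory, are given as a bare filename, or carry a Windows system-binary name outside the Windows directory (as with the dwm.exe entry nasdaq points at). The heuristic lists and the `extract_exe`, `analyze_entry` and `audit` functions are my own; the sample lines are copied from the listing above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Heuristic lists (my own assumptions, not something FRST ships with).
# System binaries that should only ever live under the Windows directory. dwm.exe is the
# Desktop Window Manager, which ships in %SystemRoot%\System32 on Vista and later and does
# not exist on Windows XP at all, so a dwm.exe in a user's Temp folder is worth a look.
SYSTEM_BINARIES = {"dwm.exe", "explorer.exe", "svchost.exe", "csrss.exe",
                   "lsass.exe", "winlogon.exe", "services.exe"}
# Directory fragments a legitimate autostart should not run from (8.3 form included).
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\temp\\")
# Prefixes that count as the Windows directory.
SYSTEM_DIRS = ("c:\\windows\\", "%systemroot%\\")

# FRST writes startup registry entries as:  MSCONFIG\startupreg: <Name> => <command line>
STARTUP_RE = re.compile(r"^MSCONFIG\\startupreg:\s*(?P<name>.*?)\s*=>\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    name: str          # the MSCONFIG entry name, e.g. "Load"
    exe: str           # the executable path pulled out of the command line
    reasons: List[str] = field(default_factory=list)


def extract_exe(cmd: str) -> str:
    """Return the executable path from an FRST command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\Program Files\...\x.exe" -args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token rather than
    # at the first space.
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def analyze_entry(name: str, cmd: str) -> Optional[Finding]:
    """Apply the heuristics to one startup entry; None means nothing stood out."""
    exe = extract_exe(cmd)
    low = exe.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if any(frag in low for frag in SUSPICIOUS_DIRS):
        reasons.append("executable runs from a Temp directory")
    if basename in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append("Windows system binary name outside the Windows directory")
    if "\\" not in exe:
        reasons.append("bare filename; which file runs depends on the PATH search")
    return Finding(name, exe, reasons) if reasons else None


def audit(frst_log: str) -> List[Finding]:
    """Scan every MSCONFIG\\startupreg line of an FRST log and collect findings."""
    findings = []
    for line in frst_log.splitlines():
        m = STARTUP_RE.match(line.strip())
        if not m:
            continue                             # startupfolder lines etc. are skipped
        f = analyze_entry(m.group("name"), m.group("cmd"))
        if f:
            findings.append(f)
    return findings


# Constructed sample: a subset of the MSCONFIG lines quoted in the thread above.
SAMPLE_LOG = r"""
==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix Access Gateway.lnk => C:\WINDOWS\pss\Citrix Access Gateway.lnkCommon Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: Load => C:\DOCUME~1\front\LOCALS~1\Temp\dwm.exe
MSCONFIG\startupreg: PMX Daemon => ICO.EXE
MSCONFIG\startupreg: SupportAnyPC => "C:\DOCUME~1\front\LOCALS~1\Temp\winvnc.exe" -servicehelper
MSCONFIG\startupreg: Synchronization Manager => %SystemRoot%\system32\mobsync.exe /logon
MSCONFIG\startupreg: ZAM => "C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAM.exe" /minimized
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.name}: {f.exe}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample above the check reports Load (dwm.exe in Temp, system-binary name outside the Windows directory), PMX Daemon (bare ICO.EXE) and SupportAnyPC (winvnc.exe in Temp); the other entries pass.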



#10 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 08 September 2017 - 11:54 PM

Try this.

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox

This was a miracle move! CPU down quite low now. Thank you!

I did not move on to disabling the dwm.exe since that worked so well.


.
.
.
.

p.s.

You have many programs started under the MsConfig.
Do you need/use all of them?


==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix Access Gateway.lnk => C:\WINDOWS\pss\Citrix Access Gateway.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Intuit Data Protect.lnk => C:\WINDOWS\pss\Intuit Data Protect.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\WINDOWS\pss\QuickBooks_Standard_21.lnkCommon Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DLA => C:\WINDOWS\System32\DLA\DLACTRLW.EXE
MSCONFIG\startupreg: DVDLauncher => "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: Intuit SyncManager => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: Load => C:\DOCUME~1\front\LOCALS~1\Temp\dwm.exe
MSCONFIG\startupreg: LogMeIn GUI => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
MSCONFIG\startupreg: Persistence => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: PMX Daemon => ICO.EXE
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: QuickBooksDB23 => C:\PROGRA~1\Intuit\QUICKB~4\QBDBMgrN.exe -n QB_FENTON-4Y9X3D1_23 -qs -gd ALL -gk all -gp 4096 -gu all -ch 256M -c 128M -x tcpip(BroadcastListener=NO;port=55353) -ti 0 -ec simple -qi -qw -tl 120 -oe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intuit\QUICKB~2\DBSTAR~1.LOG -y
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe
MSCONFIG\startupreg: SupportAnyPC => "C:\DOCUME~1\front\LOCALS~1\Temp\winvnc.exe" -servicehelper
MSCONFIG\startupreg: Synchronization Manager => %SystemRoot%\system32\mobsync.exe /logon
MSCONFIG\startupreg: WinVNC => "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
MSCONFIG\startupreg: ZAM => "C:\Documents and Settings\front\Desktop\Malware Removal Etc\Zemana AntiMalware\ZAM.exe" /minimized

I reviewed the msconfig window. I see that only 11 or so are enabled, the large number of the rest being disabled. Is 11 a lot? Do the disabled still have the potential to cause problems?

The only problem remaining now is that Malwarebytes still blocks internet use (unlike on my other XP computer). I can live with that, as I have Trend Micro.

I didn't get a chance to stress the system with a reboot to see if your fixes hold up. I'll do that tomorrow and post back.

Thank you, nasdaq!

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 09 September 2017 - 08:22 AM

Hi,


Do the disabled still have the potential to cause problems?

No!


The only problem remaining now is that Malwarebytes still blocks internet use (unlike on my other XP computer). I can live with that, as I have Trend Micro.


Check the status of Malwarebytes Web Protection on the other computer. If it's OFF then do the same on this compromised computer.

===

#12 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 10 September 2017 - 08:51 PM

Hi nasdaq -

 

After all your kind help - things seem to be running great now, even after reboot ... thank you so much!

 

My CPU meter runs at essentially 0%, instead of 50%, when nothing is going on with the computer. When I open a program or file, or change web pages, it stays quite low, maybe up to 25-30%, then drops down towards 0% or so, instead of 100%.

 

Thank you so much again - you have made it so I can use my computer again!

 

I have not run sfc/scannow, which was one of the things you mentioned earlier in the thread, nor disabled dwm.exe. Do you think it's OK to skip those steps, and just call it a job well-done? Or is it important to do that to be sure of something that might not be obvious to me at this point?

 

Thanks again, nasdaq!

 

 

*********************************************

PS: How do I get my passwords back into the newly downloaded Firefox from Mozbackup (which was recommended to be run by Quietman7 in the thread that was closed so that I could get help in this subforum)? Thank you -


Edited by alexis11, 11 September 2017 - 12:08 AM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 11 September 2017 - 07:56 AM



Hi,

I have not run sfc/scannow, which was one of the things you mentioned earlier in the thread, nor disabled dwm.exe. Do you think it's OK to skip those steps, and just call it a job well-done? Or is it important to do that to be sure of something that might not be obvious to me at this point?


No!

===

PS: How do I get my passwords back into the newly downloaded Firefox from Mozbackup (which was recommended to be run by Quietman7 in the thread that was closed so that I could get help in this subforum)? Thank you -


Read carefully this topic and proceed as suggested.

https://support.mozilla.org/en-US/questions/958936

==

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#14 alexis11

alexis11
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Local time:02:44 AM

Posted 11 September 2017 - 12:46 PM

Hi,
 

I have not run sfc/scannow, which was one of the things you mentioned earlier in the thread, nor disabled dwm.exe. Do you think it's OK to skip those steps, and just call it a job well-done? Or is it important to do that to be sure of something that might not be obvious to me at this point?


No!

===

PS: How do I get my passwords back into the newly downloaded Firefox from Mozbackup (which was recommended to be run by Quietman7 in the thread that was closed so that I could get help in this subforum)? Thank you -


Read carefully this topic and proceed as suggested.

https://support.mozilla.org/en-US/questions/958936

==

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

 

Thank you, nasdaq!

 

Just two quick things, please:

1) Sorry to ask ... which of the two questions I asked (I've bolded, underlined and colored them in red, above) are you replying "No" to?

 

2) Thank you for the suggestion for how to get my bookmarks back in Firefox. The link you provided in turn referenced another link http://kb.mozillazine.org/Profile_folder_-_Firefox describing how to find the profile folder. Unfortunately that folder doesn't exist, being one that I'd been instructed to delete in another thread, https://www.bleepingcomputer.com/forums/t/655884/adwcleaner-is-not-a-valid-windows32-application;-internet-blocked-and-high-cpu/?p=4326893 .

 

I do have a Mozbackup file in my computer - is it OK for me to google Mozbackup and find instructions on how to bring those passwords to my current Firefox installation?

 

Thank you!



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,587 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:44 AM

Posted 12 September 2017 - 07:06 AM



No, you do not need to run the sfc/scannow scan, nor do you have to disable dwm.exe.

I do have a Mozbackup file in my computer - is it OK for me to google Mozbackup and find instructions on how to bring those passwords to my current Firefox installation?


Yes, start with this one.
http://kb.mozillazine.org/MozBackup

If you can extract the file to a temporary folder, you may find the signons.sqlite you are looking for.

There is also a video on how to do that.
https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&cad=rja&uact=8&ved=0ahUKEwiIi46CzJ_WAhXFYCYKHTP0AykQtwIIZDAI&url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DCz1P0W4E3yY&usg=AFQjCNH3dZg2AJCwArWCovubOHcStMLL9g

Hope this helps.



