
Need assistance identifying/removal


  • This topic is locked
40 replies to this topic

#1 holsch

  • Members
  • 18 posts

Posted 04 February 2018 - 04:03 PM

Hello,

 Running Windows 7 Pro, SP 1 on Dell Latitude.

Have Symantec Endpoint running, seeing a lot of "Website redirect attempts" and "PJcoinminer" messages pop up, but when I run a scan, it doesn't detect a Virus to quarantine or remove.

Also am seeing a command prompt window on startup that appears hung up on syswow64.exe in the command line for about 60 seconds before disappearing.

Not sure what all this means; any help appreciated.





#2 satchfan

  • Malware Response Team
  • 2,716 posts
  • Location:Devon, UK

Posted 04 February 2018 - 05:47 PM

Hello holsch and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please complete these tasks in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run Malwarebytes Anti-Malware

Please download and run the installer for Malwarebytes 3.0.

  • follow the prompts to install the program, (Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0)
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it, (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the 'History' tab, then 'Application Logs'
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/7/8/10, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects; everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Logs to include with the next post:

AdwCleaner log
Mbam.txt
RKreport.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
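Satchfan asks for the Malwarebytes log (Mbam.txt) to be pasted as plain text. As an added example, not code from this thread, from BleepingComputer or from Malwarebytes, here is a small Python parser for the Malwarebytes 3 text-report layout: a "-Scan Summary-" block of "Key: value" lines, then "-Scan Details-" with one "Category: N" header per section and one "family, location, action, [id], [id],version" line per detection. It cross-checks the declared "Threats Detected" total against the per-category counts (a quick way to spot a truncated paste) and pulls out the entries that sit in autostart-related locations, the Startup-folder .LNK files and the Classes ...\shell\open\command handlers, which are the first lines a helper reads in a log like this. The embedded report is a constructed sample in that layout, and every function and regex name below is my own.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 3 text-report layout (not a real log;
# the paths, SID and numeric ids are made up).
SAMPLE_REPORT = r"""
Malwarebytes
www.malwarebytes.com

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 1000
Threats Detected: 5
Threats Quarantined: 5
Time Elapsed: 1 min, 2 sec

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Example, HKLM\SOFTWARE\EXAMPLE\KEY, Quarantined, [1], [2],1.0.0
Rootkit.Fileless.MTGen, HKU\S-1-5-21-0-0-0-1000_Classes\abc1234\SHELL\OPEN\COMMAND, Quarantined, [3], [4],1.0.0

Registry Value: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-0-0-0-1000_Classes\abc1234\SHELL\OPEN\COMMAND|, Quarantined, [3], [4],1.0.0

File: 2
Rootkit.Fileless.MTGen, C:\USERS\EXAMPLE\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\ABC1234.LNK, Quarantined, [3], [-1],0.0.0
PUP.Optional.Example, C:\USERS\EXAMPLE\NTUSER.POL, Quarantined, [1], [-1],0.0.0

(end)
"""

# "Key: value" lines in the summary block, e.g. "Threats Detected: 80".
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# Category headers in the details block, e.g. "Registry Key: 18".
CATEGORY_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
# One detection: "family, location, action, [id], [id],version".
# location is greedy because registry paths may contain commas; the
# anchored tail ", action, [n], [n],version" still splits it correctly.
DETECTION_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<location>.*), (?P<action>[^,\[]+), "
    r"\[(?P<id1>-?\d+)\], \[(?P<id2>-?\d+)\],(?P<version>[\d.]+)$"
)


def parse_report(text):
    """Return (summary dict, {category: declared count}, [detection dicts])."""
    summary, categories, detections = {}, {}, []
    section, current_category = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and line.endswith("-"):   # "-Scan Summary-"
            section, current_category = line.strip("-"), None
            continue
        if section == "Scan Summary":
            m = SUMMARY_RE.match(line)
            if m:
                summary[m["key"]] = m["value"]
        elif section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:                                          # "File: 44"
                current_category = m["category"]
                categories[current_category] = int(m["count"])
                continue
            if line.startswith("("):                       # "(No malicious items detected)", "(end)"
                continue
            m = DETECTION_RE.match(line)
            if m and current_category:
                entry = m.groupdict()
                entry["category"] = current_category
                detections.append(entry)
    return summary, categories, detections


def check_counts(summary, categories, detections):
    """Compare the declared total with the per-category headers and the
    lines actually present; mismatches usually mean a truncated paste."""
    declared_total = int(summary.get("Threats Detected", "0"))
    seen = Counter(d["category"] for d in detections)
    mismatches = {cat: (n, seen.get(cat, 0))
                  for cat, n in categories.items() if seen.get(cat, 0) != n}
    return declared_total, sum(categories.values()), mismatches


def families(detections):
    """Detections per malware/PUP family name."""
    return Counter(d["family"] for d in detections)


def persistence_hits(detections):
    """Entries in autostart-related locations: Startup-folder shortcuts and
    Classes ...\\shell\\open\\command handlers (file-association hijacks)."""
    return [d for d in detections
            if "\\STARTUP\\" in d["location"].upper()
            or "\\SHELL\\OPEN\\COMMAND" in d["location"].upper()]


if __name__ == "__main__":
    s, c, d = parse_report(SAMPLE_REPORT)
    print("declared/summed/mismatches:", check_counts(s, c, d))
    print("families:", dict(families(d)))
    for hit in persistence_hits(d):
        print("autostart-related:", hit["family"], hit["location"])
```

To run it on a real paste, read the Mbam.txt file into a string and pass it to parse_report instead of SAMPLE_REPORT; the "Replaced" action (used for PUM registry data and Preferences files) parses the same way as "Quarantined".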


#3 holsch
  • Topic Starter

  • Members
  • 18 posts

Posted 05 February 2018 - 11:03 AM

Hello satchfan, many thanks for your assistance.

3 logs posted below, in order of execution.

 

AdwCleaner

# AdwCleaner 7.0.7.0 - Logfile created on Mon Feb 05 11:41:53 2018
# Updated on 2018/18/01 by Malwarebytes 
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Yahoo! Companion
Deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Yahoo! Companion
Deleted: C:\Users\ITSupport\AppData\LocalLow\Yahoo! Companion
Deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\Yahoo!\Companion
Deleted: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Yahoo!\Companion
Deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Yahoo!\Companion
Deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Yahoo!\Companion
Deleted: C:\Users\bholscher\AppData\LocalLow\Yahoo!\Companion
Deleted: C:\Users\ITSupport\AppData\LocalLow\Yahoo!\Companion
Deleted: C:\Users\ITSupport\AppData\Roaming\Yahoo!\Companion


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Data] - HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls|Tabs [http:\\services.eshield.com\general\newhometab.php?hometab=home&partner=11493&guid={7706EF08-A044-4C22-BA0F-DC5CD270B158}&i=]
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHome.com Helper
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShopAtHome.com Helper
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\ShopAtHome.com
Deleted: [Key] - HKCU\Software\ShopAtHome.com
Deleted: [Key] - HKLM\SOFTWARE\Yahoo\Companion
Deleted: [Key] - HKU\.DEFAULT\Software\Yahoo\Companion
Deleted: [Key] - HKU\.DEFAULT\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-18\Software\Yahoo\Companion
Deleted: [Key] - HKU\S-1-5-18\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKCU\Software\Yahoo\Companion
Deleted: [Key] - HKCU\Software\AppDataLow\Software\Yahoo\Companion
Deleted: [Key] - HKU\.DEFAULT\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKU\S-1-5-18\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKCU\Software\Yahoo\YFriendsBar
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Key] - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Key] - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Value] - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks|{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{0FEB2313-F89B-4AC6-8153-84025604A06A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{02F878DF-E2BE-4B85-8CB4-A0D2D4E2ED7F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{2AF343DD-3102-4F9D-AC95-DCA4C95382C7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{3137BC14-D8D7-4B67-8FFA-2E0B2E9D541B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{4CA2AC92-971B-47B1-ACB6-357B552155AC}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{52C5395B-1FCD-47FA-A834-FD830701C2D5}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{5D3DCC39-9233-4330-94E9-DA92BE49CA1A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{615FACDF-DADB-440D-AC91-8AAB0AE9E3AD}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{762D463B-C45A-456D-A80D-8689C297C91E}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{7A6BE473-7960-44D0-BD54-D23DA76353DF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{803F550E-BAAE-42BB-8917-64BA0006AB17}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8D5BC51D-C9D3-43B9-B728-B30677B7C7E8}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{991C9D8D-A789-4DB9-BDFC-5F33398B04BF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{A5ACC874-D943-483F-A2D1-14598D51F872}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{B0474212-0D9D-4361-90B3-B89D1A44275D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{BFDE183A-C6FE-41D2-80F9-586C29210AC2}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{D83C83BF-3EDD-4410-ADAB-5295116DD8C7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{DD260902-9420-4055-A956-9152EB4F3E6A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{EB1F9F3C-5526-4DAE-BD4B-3EAA7715DA9F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{F1912128-469A-4138-AA26-9699C15BB13E}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{F68DC16C-9C2B-455B-8853-7E4D34BAA3F4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{FBA8498F-B3A0-4942-A2BF-E0CB7BC7E000}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID|{A26ABCF0-1C8F-46E7-A67C-0489DC21B9CC}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Deleted: [Key] - HKCU\Software\Classes\TypeLib\{B944FF5E-EC87-4E1E-8C49-2FF3BC573997}
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Classes\TypeLib\{B944FF5E-EC87-4E1E-8C49-2FF3BC573997}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{08613A51-6E3E-43CC-9ECF-DD58B5837341}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{153EDC41-A2CC-4BEB-9EC8-008242389E50}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{188028B8-D91D-4BE2-BABA-68E32BDE4420}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{28E74F15-18C2-465E-B545-6CC738121C68}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{2BF6042B-B9B1-46D9-A3F8-9C987FADD4C6}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{40A222E2-93B1-45F9-9B07-0D1160A31A6C}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{6325A84C-E746-4007-A9C5-E4C1A50ED61F}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{9BCA87A0-5B8F-4500-A5AF-EA1279714FDF}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{BB17DE65-B548-48C2-AC73-1FD1996C7261}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{C77D3EEF-FDCA-4D37-B0D2-5FF650E07825}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{EA70EB31-CBAD-4862-AFDA-DCFCC32722ED}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{EC9100F8-5918-4F1B-9CC1-4D34A64E0FE0}
Deleted: [Key] - HKCU\Software\Classes\CLSID\{F1A1ABE3-F454-4DD9-B520-01F2EEC5F0DD}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{655847A1-FA36-46ED-923B-A5CD523696EA}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{EBBC143E-44AC-4B9C-BCCE-9A0E42921F2A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{7375D127-3955-4654-8E7D-1949A7A9C902}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{371AD4A5-1520-4AA2-A8A4-F9AD3BAC6957}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{7F124846-5453-4BB8-A41D-E11481FFC9DF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8FD65019-BF09-45DA-AD81-E95AE911F1FD}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{F6C2BABA-9E4C-425F-9AEC-24AB8F2B640D}
Deleted: [Value] - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel|Homepage
Deleted: [Key] - HKCU\Software\Classes\AppID\ShopAtHomeHelper.EXE
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext|DisableAddonLoadTimePerformanceNotifications
Deleted: [Key] - HKLM\SOFTWARE\Conduit
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Conduit
Deleted: [Key] - HKCU\Software\Conduit
Deleted: [Key] - HKLM\SOFTWARE\InstallIQ
Deleted: [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{657BFED6-E8D4-406A-B5D9-08BB8DE6210B}
Deleted: [Key] - HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\TNT2
Deleted: [Key] - HKCU\Software\TNT2
Deleted: [Key] - HKLM\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: eShield - 
Plugin deleted: eShield -


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [10734 B] - [2018/2/5 11:38:1]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

 

 

Malwarebytes report

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/5/18
Scan Time: 7:03 AM
Log File: 82c60b1e-0a6c-11e8-a01d-d4bed97accfc.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3872
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 424162
Threats Detected: 80
Threats Quarantined: 80
Time Elapsed: 49 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 18
PUP.Optional.TNT, HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{4FAB1525-0E2C-4FF7-A1F7-4AF16459B389}, Quarantined, [12850], [244085],1.0.3872
PUP.Optional.eShield, HKLM\SOFTWARE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\com.eshield.extension_host, Quarantined, [171], [251382],1.0.3872
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, Quarantined, [13121], [252393],1.0.3872
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, Quarantined, [13121], [252393],1.0.3872
Rootkit.Fileless.MTGen, HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\4d02231\SHELL\OPEN\COMMAND, Quarantined, [1273], [386625],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{906D7E81-6355-4069-B02D-BCFDFE2885E7}, Quarantined, [30], [169166],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{906D7E81-6355-4069-B02D-BCFDFE2885E7}, Quarantined, [30], [169166],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{906d7e81-6355-4069-b02d-bcfdfe2885e7}, Quarantined, [30], [169166],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\APPID\{8A4A8B42-A270-4AD4-95C3-815DED6433FC}, Quarantined, [30], [169165],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{8A4A8B42-A270-4AD4-95C3-815DED6433FC}, Quarantined, [30], [169165],1.0.3872
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{8a4a8b42-a270-4ad4-95c3-815ded6433fc}, Quarantined, [30], [169165],1.0.3872
PUP.Optional.FindWide, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{0FEB2313-F89B-4AC6-8153-84025604A06A}, Quarantined, [7228], [169193],1.0.3872
PUP.Optional.FindWide, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{0FEB2313-F89B-4AC6-8153-84025604A06A}, Quarantined, [7228], [169193],1.0.3872
PUP.Optional.FindWide, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}, Quarantined, [7228], [169193],1.0.3872
PUP.Optional.FindWide, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}, Quarantined, [7228], [169193],1.0.3872
PUP.Optional.SweetIM, HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DEDAF650-12B8-48F5-A843-BBA100716106}, Quarantined, [1094], [168883],1.0.3872

Registry Value: 4
PUP.Optional.TNT, HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{4FAB1525-0E2C-4FF7-A1F7-4AF16459B389}|OSDFILEURL, Quarantined, [12850], [244085],1.0.3872
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE|DISABLEAUTOUPDATECHECKSCHECKBOXVALUE, Quarantined, [13121], [252393],1.0.3872
PUM.Optional.DisableChromeUpdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE|DISABLEAUTOUPDATECHECKSCHECKBOXVALUE, Quarantined, [13121], [252393],1.0.3872
Rootkit.Fileless.MTGen, HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\4d02231\SHELL\OPEN\COMMAND|, Quarantined, [1273], [386625],1.0.3872

Registry Data: 8
PUM.Optional.NoDispScrSavPage, HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NODISPSCRSAVPAGE, Replaced, [13992], [293338],1.0.3872
PUM.Optional.ConnectionControlRestriction, HKLM\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|CONNECTIONSTAB, Replaced, [13970], [293303],1.0.3872
PUM.Optional.NoDispScrSavPage, HKU\S-1-5-21-698646121-1254382694-1581587538-177680\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NODISPSCRSAVPAGE, Replaced, [13992], [293338],1.0.3872
PUM.Optional.HomepageControl, HKU\S-1-5-21-698646121-1254382694-1581587538-177680\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HOMEPAGE, Replaced, [13987], [293330],1.0.3872
PUM.Optional.ConnectionControlRestriction, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|CONNECTIONSTAB, Replaced, [13970], [293303],1.0.3872
PUM.Optional.NoDispScrSavPage, HKU\S-1-5-21-698646121-1254382694-1581587538-3073\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NODISPSCRSAVPAGE, Replaced, [13992], [293338],1.0.3872
PUM.Optional.HomepageControl, HKU\S-1-5-21-698646121-1254382694-1581587538-3073\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HOMEPAGE, Replaced, [13987], [293330],1.0.3872
PUM.Optional.NoDispScrSavPage, HKU\S-1-5-21-1005336470-3270574750-254552977-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NODISPSCRSAVPAGE, Replaced, [13992], [293338],1.0.3872

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\USERS\CBA_ANONYMOUS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\dkmjljdbbgogihjcapfhgkonfmccbffp, Quarantined, [171], [456661],1.0.3872

File: 44
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata\CredDB.CEF, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata\verified_contents.json, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\background.html, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\background.js, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\CredDB.CEF, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield.nmf, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_128.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_16.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_48.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_arm.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_x86_32.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_x86_64.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\manifest.json, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\newtab.html, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\newtab.js, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\off.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\cba_anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\on.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\USERS\CBA_ANONYMOUS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\USERS\ITSUPPORT\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata\CredDB.CEF, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\_metadata\verified_contents.json, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\background.html, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\background.js, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\CredDB.CEF, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield.nmf, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_128.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_16.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eShield_48.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_arm.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_x86_32.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\eshield_x86_64.nexe, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\manifest.json, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\newtab.html, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\newtab.js, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\off.png, Quarantined, [171], [456661],1.0.3872
PUP.Optional.eShield, C:\Users\ITSupport\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkmjljdbbgogihjcapfhgkonfmccbffp\1.5_0\on.png, Quarantined, [171], [456661],1.0.3872
Rootkit.Fileless.MTGen, C:\USERS\BHOLSCHER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\42F7512.LNK, Quarantined, [1273], [-1],0.0.0
Rootkit.Fileless.MTGen, C:\Users\BHOLSCHER\AppData\Local\03a35d1\0791387.3C8AE516, Quarantined, [1273], [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\BHOLSCHER\START MENU\PROGRAMS\STARTUP\42F7512.LNK, Quarantined, [1273], [-1],0.0.0
PUP.Optional.Yontoo, C:\DOCUMENTS AND SETTINGS\ALL USERS\NTUSER.POL, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, C:\PROGRAMDATA\NTUSER.POL, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, C:\USERS\BHOLSCHER\NTUSER.POL, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, C:\USERS\DAVES\NTUSER.POL, Quarantined, [30], [-1],0.0.0
PUP.Optional.Yontoo, C:\USERS\DA_STAGING_USER\NTUSER.POL, Quarantined, [30], [-1],0.0.0

Physical Sector: 0
(No malicious items detected)


(end)

 

Rogue Killer report

RogueKiller V12.12.3.0 (x64) [Feb 5 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : BHOLSCHER [Administrator]
Started from : C:\Users\bholscher\Downloads\RogueKiller_portable64.exe
Mode : Delete -- Date : 02/05/2018 08:34:47 (Duration : 01:45:49)

¤¤¤ Processes : 3 ¤¤¤
[VT.Unknown] SJ Print-PS Server.exe(2468) -- C:\Program Files\Celiveo\Celiveo Server Services\SJ Print-PS Server.exe[-] -> Found
[VT.Unknown] Jetmobile.PrintServer.WindowsService.exe(2512) -- C:\Program Files\Celiveo\Celiveo Server Services\Jetmobile.PrintServer.WindowsService.exe[-] -> Found
[VT.Unknown] enstart64.exe(3716) -- C:\Windows\System32\enstart64.exe[-] -> Found

¤¤¤ Registry : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CC91E198-775D-41C5-8DDD-A553D018C624} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe|Name=Advanced TCP/IP Port Installer| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C859D8CB-F12A-42CB-BB80-BA9C733AB64B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe|Name=Advanced TCP/IP Port Installer| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CC91E198-775D-41C5-8DDD-A553D018C624} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe|Name=Advanced TCP/IP Port Installer| [x] -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C859D8CB-F12A-42CB-BB80-BA9C733AB64B} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe|Name=Advanced TCP/IP Port Installer| [x] -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Not selected
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Not selected

¤¤¤ Tasks : 5 ¤¤¤
[Hj.Shortcut] \{44663AB7-80B8-43B4-81EC-BE6F6AED3435} -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (http://ui.skype.com/ui/0/6.20.0.104/en/abandoninstall?page=tsProgressBar) -> Deleted
[Hj.Shortcut] \{5EF09910-C36E-4E24-A467-C64569240D51} -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (http://ui.skype.com/ui/0/6.20.0.104/en/abandoninstall?page=tsProgressBar) -> Deleted
[Hj.Shortcut] \{AFF7BDAE-F188-4895-941B-913CFE5FA048} -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (http://ui.skype.com/ui/0/6.16.0.105/en/go/help.faq.installer?LastError=1601) -> Deleted
[Hj.Shortcut] \{C7465040-CDA8-4ED0-8AD1-D57EEB567F6D} -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (http://ui.skype.com/ui/0/6.20.0.104/en/abandoninstall?page=tsProgressBar) -> Deleted
[Hj.Shortcut] \{D631544E-AF68-4997-B0BD-D950785D0716} -- "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (http://ui.skype.com/ui/0/6.20.0.104/en/abandoninstall?page=tsProgressBar) -> Deleted

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default : session.startup_urls [https://dsp.davita.com/Login/?cmd=sso&resume=/idp/PaMpY/resume/idp/prp.ping&spentity=urn:prd:sharepoint:sp|https://dsp.davita.com/Login/?cmd=sso&resume=/idp/PaMpY/resume/idp/prp.ping&spentity=urn:prd:sharepoint:sp] -> Not selected

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEKT-75PVMT1 +++++
--- User ---
[MBR] b9203203addb33f9a49084dd8129b4ab
[BSP] 058dfb939ff5b42660c356c9afcae794 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 305243 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK



#4 satchfan

satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:12:35 AM

Posted 05 February 2018 - 11:41 AM

Those got rid of a lot so let’s see what else there is.

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • right click to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • press the Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste the log back here.
  • the first time the tool is run it generates another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#5 holsch

holsch
  • Topic Starter

  • Members
  • 18 posts
  • Local time:06:35 PM

Posted 05 February 2018 - 04:25 PM

Hello Satchfan,

Ran Farbar, logs posted below.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Ran by BHOLSCHER (administrator) on DEN-9FXTNW1-L (05-02-2018 16:09:03)
Running from C:\Users\bholscher\Downloads
Loaded Profiles: BHOLSCHER (Available Profiles: ITSupport & cba_anonymous & Administrator & BHOLSCHER)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldSvc.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Autodesk Inc.) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Autodesk, Inc.) C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
(Jetmobile Pte Ltd) C:\Program Files\Celiveo\Celiveo Server Services\SJ Print-PS Server.exe
(Jetmobile Pte Ltd) C:\Program Files\Celiveo\Celiveo Server Services\Jetmobile.PrintServer.WindowsService.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\collector.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
() C:\Windows\System32\enstart64.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\localsch.exe
(LANDesk Software Ltd.) C:\Windows\SysWOW64\cba\pds.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\ccSvcHst.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\softmon.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe
() C:\Program Files (x86)\LANDesk\LDClient\SelfElectController.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McTkSchedulerService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
() C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\ccSvcHst.exe
(McAfee, Inc.) C:\Program Files\TrueKey\McAfee.TrueKey.SmartMonitor.exe
(LANDESK Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\rcgui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\CmgShieldUI.exe
(CREDANT Technologies, Inc.) C:\Windows\System32\EmsServiceHelper.exe
(Specops Software) C:\Windows\System32\SppClient.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Akamai Technologies, Inc.) C:\Users\bholscher\AppData\Local\Akamai\netsession_win.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(ADS Corp.) C:\Program Files (x86)\ION\EZ VHS Converter\MediaTVMonitor.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Akamai Technologies, Inc.) C:\Users\bholscher\AppData\Local\Akamai\netsession_win.exe
(Autodesk, Inc.) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Apple Inc.) C:\Program Files (x86)\AirPort\APAgent.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\acwebbrowser.exe
(Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\acwebbrowser.exe
(Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\acwebbrowser.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [611192 2012-02-06] (Alps Electric Co., Ltd.)
HKLM\...\Run: [CmgShieldUI] => C:\Windows\System32\CMGShieldUI.exe [360040 2011-11-02] (CREDANT Technologies, Inc.)
HKLM\...\Run: [EmsService] => C:\Windows\system32\EmsServiceHelper.exe [2302056 2011-11-02] (CREDANT Technologies, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Specops Password Client] => C:\Windows\system32\SppClient.exe [1210032 2014-07-31] (Specops Software)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-03-22] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [525312 2012-02-06] (IDT, Inc.)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498720 2015-12-17] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BingDesktop] => C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktop.exe [2368736 2014-06-03] (Microsoft Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67896 2017-05-08] (Apple Inc.)
HKLM-x32\...\Run: [ADSKAppManager] => C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AutodeskDesktopApp.exe [716224 2016-03-23] (Autodesk, Inc.)
HKLM-x32\...\Run: [PiP Anywhere] => C:\Program Files (x86)\Lenovo\PiP Anywhere\PiP Anywhere.exe /startup
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [1207808 2016-10-06] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [AirPort Base Station Agent] => C:\Program Files (x86)\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [72192 2008-02-22] (ArcSoft Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567936 2018-01-22] (Dropbox, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Akamai NetSession Interface] => C:\Users\bholscher\AppData\Local\Akamai\netsession_win.exe [4490200 2017-09-08] (Akamai Technologies, Inc.)
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Google Update] => C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.7\GoogleUpdateCore.exe [601680 2018-02-05] (Google Inc.)
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2015-04-26] (Apple Inc.)
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1310088 2015-01-27] (Autodesk, Inc.)
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [721504 2015-09-02] (Microsoft Corporation)
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Zoom] => [X]
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\system: [NoDispScrSavPage] 0
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [] 
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [SpecifyDefaultButtons] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Back] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Forward] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Stop] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Refresh] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Home] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Search] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Favorites] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_History] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Folders] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Fullscreen] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Tools] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_MailNews] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Size] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Print] 1
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Edit] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Discussions] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Cut] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Copy] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Paste] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Policies\Explorer: [Btn_Encoding] 2
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\MountPoints2: {5ab2eb48-f0b6-11e3-be19-d4bed97accfc} - E:\Autorun.exe
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1310088 2015-01-27] (Autodesk, Inc.)
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter "C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EZ VHS Converter Monitor.lnk [2018-01-19]
ShortcutTarget: EZ VHS Converter Monitor.lnk -> C:\Program Files (x86)\ION\EZ VHS Converter\MediaTVMonitor.exe (ADS Corp.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\removeMPIcon.vbs [2012-07-12] ()
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{0B8308B8-261D-435D-B9F5-9D906B0762D4}: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{6766DD51-785B-4D30-887E-A7FFE49C1613}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C3B3F8A5-343E-4493-B01E-3F8161F95D2D}: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-698646121-1254382694-1581587538-329973 -> DefaultScope {5A3A5B5E-D846-481A-8642-BD661A44C822} URL = 
BHO: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie64.dll [2017-06-26] (Intel Security)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO-x32: True Key Helper -> {0F4B8786-5502-4803-8EBC-F652A1153BB6} -> C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-06-26] (Intel Security)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\bin\IPS\IPSBHO.DLL [2016-03-06] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.7.0_141\bin\ssv.dll [2017-04-05] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.7.0_141\bin\jp2ssv.dll [2017-04-05] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
Toolbar: HKLM - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie64.dll [2017-06-26] (Intel Security)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie.dll [2017-06-26] (Intel Security)
Toolbar: HKU\.DEFAULT -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-698646121-1254382694-1581587538-329973 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-698646121-1254382694-1581587538-329973 -> True Key - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - C:\Program Files\Intel Security\True Key\MSIE\truekey_ie64.dll [2017-06-26] (Intel Security)
DPF: HKLM-x32 {0F7A9297-7268-11D1-B81A-00A076C01B0A} file://ldapps/Packages/CPCViewer/CpcViewAX.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP5-14362/training/ieatgpc1.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2017-06-01] (Skype Technologies)
 
FireFox:
========
FF DefaultProfile: zb05was4.default-1503943952718
FF ProfilePath: C:\Users\bholscher\AppData\Roaming\Mozilla\Firefox\Profiles\zb05was4.default-1503943952718 [2017-11-23]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-02-05] [Legacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_26_0_0_131.dll [2017-08-28] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-12-02] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_131.dll [2017-08-28] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-03-30] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.141.2 -> C:\Program Files (x86)\Java\jre1.7.0_141\bin\dtplugin\npDeployJava1.dll [2017-04-05] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.141.2 -> C:\Program Files (x86)\Java\jre1.7.0_141\bin\plugin2\npjp2.dll [2017-04-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-02-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-02-05] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-12-17] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-24] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-12-02] (Adobe Systems)
FF Plugin HKU\S-1-5-21-698646121-1254382694-1581587538-329973: @citrixonline.com/appdetectorplugin -> C:\Users\bholscher\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-12-04] (Citrix Online)
FF Plugin HKU\S-1-5-21-698646121-1254382694-1581587538-329973: @tools.google.com/Google Update;version=3 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-02-05] (Google Inc.)
FF Plugin HKU\S-1-5-21-698646121-1254382694-1581587538-329973: @tools.google.com/Google Update;version=9 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-02-05] (Google Inc.)
FF Plugin HKU\S-1-5-21-698646121-1254382694-1581587538-329973: panasonic.com/PanasonicDrmPlugin -> C:\Users\bholscher\AppData\Roaming\Panasonic Avionics Corporation\Panasonic DRM Plugin\1.2.1.0\npPanasonicDrmPlugin.dll [2014-02-06] (Panasonic Avionics Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\bholscher\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-04-14] (Cisco WebEx LLC)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default [2018-02-05]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2017-01-15]
CHR Extension: (Adobe Acrobat) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-03-03]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-16]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-07-17]
CHR Extension: (Skype) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-12-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-02-05]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-12-17]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [104960 2008-02-22] (ArcSoft Inc.)
R2 AdAppMgrSvc; C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AdAppMgrSvc.exe [1231376 2016-03-23] (Autodesk Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [31192 2014-02-07] (Autodesk, Inc.)
S3 Autodesk Licensing Service; C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe [85096 2014-04-17] (Autodesk)
R2 BingDesktopUpdate; C:\Program Files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [173792 2014-06-03] (Microsoft Corp.)
R2 CBA8; C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe [162816 2016-05-26] (LANDesk Software, Inc. and its affiliates.) [File not signed]
R2 Celiveo Server Services; C:\Program Files\Celiveo\Celiveo Server Services\SJ Print-PS Server.exe [4736000 2016-06-23] (Jetmobile Pte Ltd) [File not signed]
R2 Celiveo(CSS)-Backend Service; C:\Program Files\Celiveo\Celiveo Server Services\Jetmobile.PrintServer.WindowsService.exe [26112 2016-06-23] (Jetmobile Pte Ltd) [File not signed]
R2 CMGShield; C:\Windows\system32\CmgShieldSvc.exe [2879592 2011-11-02] (CREDANT Technologies, Inc.)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2018-01-30] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2018-01-30] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [51024 2018-01-22] (Dropbox, Inc.)
R2 EMS; C:\Windows\system32\EMSService.exe [1607272 2011-11-02] (CREDANT Technologies, Inc.)
R2 enstart64; C:\Windows\system32\enstart64.exe [1160704 2016-12-23] () [File not signed]
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-09] (SafeNet Inc.)
R2 Intel Local Scheduler Service; C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE [384488 2016-09-21] (LANDESK Software, Inc. and its affiliates.)
R2 Intel PDS; C:\Windows\SysWOW64\CBA\pds.exe [32825 2015-12-16] (LANDesk Software Ltd.) [File not signed]
R2 ISSUSER; C:\Program Files (x86)\LANDesk\LDClient\issuser.exe [1602984 2016-02-19] (LANDESK Software, Inc. and its affiliates.)
R2 LANDesk Targeted Multicast; C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe [221736 2016-02-12] (LANDESK Software, Inc. and its affiliates.)
R3 LDXDD; C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe [273920 2015-12-16] () [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\ccSvcHst.exe [145008 2016-03-06] (Symantec Corporation)
S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\snac64.exe [395376 2016-03-06] (Symantec Corporation)
R2 Softmon; C:\Program Files (x86)\LANDesk\LDClient\softmon.exe [828288 2017-06-12] (LANDESK Software, Inc. and its affiliates.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 tracksvc; C:\Program Files (x86)\LANDesk\LDClient\tracksvc.exe [80120 2015-12-16] (LANDESK Software, Inc. and its affiliates.)
R2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [1001920 2017-06-26] (McAfee, Inc.)
R2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16928 2017-06-26] (McAfee, Inc.)
S3 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [87760 2017-06-26] (McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [60488 2013-08-09] (SafeNet Inc.)
S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [63944 2013-08-09] (SafeNet Inc.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [303624 2013-08-09] (SafeNet Inc.)
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Data\Definitions\BASHDefs\20180122.003\BHDrvx64.sys [1872024 2017-10-12] (Symantec Corporation)
R1 ccSettings_{6AFBADCC-F7E5-4944-8B20-F25400C96DCB}; C:\Windows\System32\Drivers\SEP\0C011ACC\1900.105\x64\ccSetx64.sys [162392 2016-03-06] (Symantec Corporation)
R2 CISMBIOS; C:\Windows\system32\drivers\cismbios.sys [21976 2015-12-16] (LANDESK Software, Inc. and its affiliates.)
R0 CmgHiber; C:\Windows\System32\DRIVERS\CmgHiber.sys [92520 2011-11-02] (CREDANT Technologies, Inc.)
R0 CmgPCS; C:\Windows\System32\DRIVERS\CmgPCS.sys [122720 2011-11-02] (CREDANT Technologies, Inc.)
R0 CmgShieldCEF; C:\Windows\System32\DRIVERS\CMGShCEF.sys [372072 2011-11-02] (CREDANT Technologies, Inc.)
R0 CMGShieldReg; C:\Windows\System32\DRIVERS\CmgShREG.sys [24424 2011-11-02] (CREDANT Technologies, Inc.)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507984 2018-01-04] (Symantec Corporation)
S3 EFKusb; C:\Windows\System32\Drivers\EFKusb.sys [63944 2017-11-14] (Cypress Semiconductor)
R3 enstart64_; C:\Windows\system32\enstart64_.sys [74472 2018-02-05] (Guidance Software Inc.)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [152656 2018-01-04] (Symantec Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [331328 2013-08-09] (SafeNet Inc.)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Data\Definitions\IPSDefs\20180202.011\IDSvia64.sys [1056920 2017-10-14] (Symantec Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-02-05] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [110016 2018-02-05] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2018-02-05] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-02-05] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [84256 2018-02-05] (Malwarebytes)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Data\Definitions\VirusDefs\20180205.002\ENG64.SYS [138880 2018-01-16] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Data\Definitions\VirusDefs\20180205.002\EX64.SYS [2152064 2018-01-16] (Symantec Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R2 NPF; C:\Windows\SysWOW64\drivers\npf.sys [36600 2015-12-16] (Riverbed Technology, Inc.)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C011ACC\1900.105\x64\SRTSP64.SYS [899832 2016-03-06] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C011ACC\1900.105\x64\SRTSPX64.SYS [46320 2016-03-06] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\SyDvCtrl64.sys [35992 2016-03-06] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0502000.004\symefasi.sys [1626336 2016-05-21] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [178392 2016-05-21] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C011ACC\1900.105\x64\Ironx64.SYS [270040 2016-03-06] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C011ACC\1900.105\x64\SYMNETS.SYS [594136 2016-03-06] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [167856 2016-05-21] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [116256 2016-03-06] (Symantec Corporation)
S3 VCR2PC; C:\Windows\System32\DRIVERS\0140_ION.sys [301504 2018-01-23] (Trident Multimedia Technologies Co.,Ltd)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52592 2015-12-23] (Cisco Systems, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-05 16:09 - 2018-02-05 16:11 - 000034573 _____ C:\Users\bholscher\Downloads\FRST.txt
2018-02-05 16:08 - 2018-02-05 16:09 - 000000000 ____D C:\FRST
2018-02-05 16:07 - 2018-02-05 16:07 - 002393088 _____ (Farbar) C:\Users\bholscher\Downloads\FRST64.exe
2018-02-05 10:52 - 2018-02-05 10:52 - 000009772 _____ C:\Users\bholscher\Desktop\RKreport.txt
2018-02-05 08:34 - 2018-02-05 08:34 - 000028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2018-02-05 08:32 - 2018-02-05 08:32 - 026924616 _____ (Adlice Software) C:\Users\bholscher\Downloads\RogueKiller_portable64.exe
2018-02-05 08:31 - 2018-02-05 08:31 - 000001184 _____ C:\Users\bholscher\Desktop\Chromecast.lnk
2018-02-05 08:31 - 2018-02-05 08:31 - 000000000 ____D C:\Users\bholscher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromecast
2018-02-05 08:28 - 2018-02-05 08:33 - 000000000 ____D C:\ProgramData\RogueKiller
2018-02-05 08:28 - 2018-02-05 08:28 - 000000858 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2018-02-05 08:28 - 2018-02-05 08:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-02-05 08:28 - 2018-02-05 08:28 - 000000000 ____D C:\Program Files\RogueKiller
2018-02-05 08:26 - 2018-02-05 08:26 - 000014488 _____ C:\Users\bholscher\Desktop\MB3 scan report.txt
2018-02-05 08:16 - 2018-02-05 08:16 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-02-05 07:02 - 2018-02-05 14:24 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-02-05 07:02 - 2018-02-05 08:16 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-02-05 07:02 - 2018-02-05 07:02 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-02-05 07:02 - 2018-02-05 07:02 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-02-05 07:01 - 2018-02-05 07:01 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-02-05 07:01 - 2018-02-05 07:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-02-05 07:01 - 2018-02-05 07:01 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-02-05 07:01 - 2018-02-05 07:01 - 000000000 ____D C:\Program Files\Malwarebytes
2018-02-05 07:01 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-02-05 06:59 - 2018-02-05 06:59 - 000009541 _____ C:\Users\bholscher\Desktop\AdwCleaner[C0].txt
2018-02-05 06:35 - 2018-02-05 06:41 - 000000000 ____D C:\AdwCleaner
2018-02-05 06:34 - 2018-02-05 06:34 - 008206624 _____ (Malwarebytes) C:\Users\bholscher\Desktop\AdwCleaner.exe
2018-02-05 06:04 - 2018-02-05 06:05 - 036430896 _____ (Adlice Software ) C:\Users\bholscher\Desktop\RogueKiller_setup_ref3.exe
2018-02-05 05:56 - 2018-02-05 05:57 - 081173944 _____ (Malwarebytes ) C:\Users\bholscher\Desktop\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3857.exe
2018-02-04 23:23 - 2018-02-04 23:23 - 001790024 _____ (Malwarebytes) C:\Users\bholscher\Desktop\JRT.exe
2018-02-03 08:30 - 2018-02-03 08:30 - 000279552 _____ C:\Users\bholscher\Desktop\12x20.vsd
2018-02-01 22:59 - 2018-02-01 22:59 - 084213456 _____ (John Wu Presents LLC ) C:\Users\bholscher\Downloads\sparkboothdslr-setup.exe
2018-02-01 22:59 - 2018-02-01 22:59 - 080840904 _____ (John Wu Presents LLC ) C:\Users\bholscher\Downloads\sparkbooth-setup.exe
2018-02-01 19:11 - 2018-02-01 21:52 - 000325120 _____ C:\Users\bholscher\Desktop\DIY photo booth.vsd
2018-02-01 19:11 - 2018-02-01 19:11 - 000004096 ____H C:\Users\bholscher\Desktop\~$$DIY photo booth.~vsd
2018-02-01 17:03 - 2018-02-01 17:03 - 000037976 _____ C:\Users\bholscher\Desktop\d3828749-8de3-40f2-a645-87ded8b398f6_1.075927e2f1d2d1aaa648326fabe01f0c.jpeg
2018-01-31 20:25 - 2018-01-31 20:25 - 001499107 _____ C:\Users\bholscher\Desktop\dcnr_20031392.pdf
2018-01-31 20:20 - 2018-01-31 20:21 - 005907985 _____ C:\Users\bholscher\Desktop\dcnr_20033193.pdf
2018-01-30 13:48 - 2018-01-30 13:48 - 000001230 _____ C:\Users\bholscher\Desktop\Dropbox.lnk
2018-01-30 13:48 - 2018-01-30 13:48 - 000000000 ___RD C:\Users\bholscher\Dropbox
2018-01-30 13:44 - 2018-01-30 13:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-01-30 13:40 - 2018-02-05 15:45 - 000000914 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2018-01-30 13:40 - 2018-02-05 13:45 - 000000910 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2018-01-30 13:40 - 2018-02-04 14:38 - 000000000 ____D C:\Users\bholscher\AppData\Local\Dropbox
2018-01-30 13:40 - 2018-01-30 13:44 - 000000000 ____D C:\Program Files (x86)\Dropbox
2018-01-30 13:40 - 2018-01-30 13:40 - 000003910 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskMachineUA
2018-01-30 13:40 - 2018-01-30 13:40 - 000003658 _____ C:\Windows\System32\Tasks\DropboxUpdateTaskMachineCore
2018-01-30 13:40 - 2018-01-30 13:40 - 000000000 ____D C:\ProgramData\Dropbox
2018-01-30 13:39 - 2018-01-30 13:39 - 000690080 _____ (Dropbox, Inc.) C:\Users\bholscher\Downloads\DropboxInstaller (1).exe
2018-01-30 12:52 - 2018-01-30 12:52 - 000690080 _____ (Dropbox, Inc.) C:\Users\bholscher\Downloads\DropboxInstaller.exe
2018-01-29 22:22 - 2018-01-29 22:22 - 000000000 ____D C:\Users\bholscher\Desktop\109CLOUD
2018-01-29 21:36 - 2018-01-29 21:36 - 000849657 _____ C:\Users\bholscher\Desktop\Walked 4.32 mi on 1-27-18.tcx
2018-01-28 18:53 - 2018-01-28 18:56 - 302758585 _____ C:\Users\bholscher\Downloads\CompuShow061317.exe.zip
2018-01-23 18:07 - 2018-01-25 07:28 - 000000000 ____D C:\Users\bholscher\Desktop\VCR_2_PC info
2018-01-23 18:04 - 2018-01-23 18:06 - 154740867 _____ C:\Users\bholscher\Downloads\VCR_2_PC_Software_Update_3.0.18.zip
2018-01-23 18:04 - 2018-01-23 18:04 - 000256359 _____ C:\Users\bholscher\Downloads\video2pc_drivers_v1.43.07.50.zip
2018-01-23 12:03 - 2018-01-23 12:03 - 000003816 _____ C:\Users\bholscher\Downloads\Tentative 2018 Divisional FA Meeting .ics
2018-01-22 09:45 - 2018-01-22 09:38 - 017363058 _____ C:\Users\bholscher\Desktop\Presentation MD Jan 2018 LIVRE BLANC DE DEFENSE (2018) v2.pptx
2018-01-22 06:19 - 2018-01-22 06:19 - 000051024 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2018-01-22 06:19 - 2018-01-22 06:19 - 000045672 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-dev.sys
2018-01-22 06:19 - 2018-01-22 06:19 - 000045640 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2018-01-22 06:19 - 2018-01-22 06:19 - 000045640 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-canary.sys
2018-01-19 19:09 - 2018-01-19 19:09 - 000000000 ____D C:\Users\bholscher\Documents\ArcSoft ToGo
2018-01-19 19:08 - 2018-02-05 08:18 - 000000000 ____D C:\Users\bholscher\AppData\Temp
2018-01-19 19:08 - 2018-01-19 19:08 - 000000000 ____D C:\Users\bholscher\AppData\Local\ArcSoft
2018-01-19 19:07 - 2018-01-19 19:25 - 000000000 ____D C:\Users\bholscher\AppData\Roaming\ArcSoft
2018-01-19 19:06 - 2018-01-19 19:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ArcSoft Connect
2018-01-19 19:06 - 2018-01-19 19:06 - 000000000 ____D C:\ProgramData\ArcSoft
2018-01-19 19:06 - 2006-11-14 11:31 - 000022784 _____ (Arcsoft, Inc.) C:\Windows\SysWOW64\Drivers\afc.sys
2018-01-19 19:05 - 2018-01-19 19:05 - 000001962 _____ C:\Users\Public\Desktop\EZ VHS Converter.lnk
2018-01-19 19:05 - 2018-01-19 19:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ION EZ VHS Converter
2018-01-19 19:03 - 2018-01-19 19:03 - 000000000 ____D C:\Program Files (x86)\ION
2018-01-11 12:59 - 2018-02-01 16:23 - 000000000 ____D C:\Users\bholscher\Desktop\iPad Tripod Stand _ Light, Portable, Folding, and Adjustable_files
2018-01-11 12:59 - 2018-01-11 12:59 - 000121862 _____ C:\Users\bholscher\Desktop\iPad Tripod Stand _ Light, Portable, Folding, and Adjustable.html
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-05 16:10 - 2016-09-22 16:02 - 000000422 _____ C:\Windows\Tasks\TrackingFTPScheduler.job
2018-02-05 16:09 - 2016-06-17 03:10 - 000000520 _____ C:\Windows\SysWOW64\hostcache.xml
2018-02-05 16:08 - 2015-12-04 13:57 - 000000558 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-698646121-1254382694-1581587538-329973.job
2018-02-05 16:00 - 2017-07-24 20:44 - 000000356 _____ C:\Windows\Tasks\Job Purge.job
2018-02-05 15:33 - 2015-12-04 13:57 - 000000654 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-698646121-1254382694-1581587538-329973.job
2018-02-05 08:34 - 2014-12-26 12:19 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-02-05 08:31 - 2014-05-12 11:33 - 000000000 ____D C:\Users\bholscher\AppData\Local\Google
2018-02-05 08:25 - 2014-12-26 11:55 - 000003518 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-698646121-1254382694-1581587538-329973UA
2018-02-05 08:25 - 2014-12-26 11:55 - 000003246 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-698646121-1254382694-1581587538-329973Core
2018-02-05 08:23 - 2014-05-12 11:33 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2018-02-05 08:23 - 2014-05-12 11:33 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2018-02-05 08:22 - 2009-07-13 23:45 - 000022032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-02-05 08:22 - 2009-07-13 23:45 - 000022032 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-02-05 08:18 - 2014-09-18 22:20 - 000000000 ____D C:\ProgramData\vulScan
2018-02-05 08:15 - 2014-09-18 22:22 - 000006372 _____ C:\Windows\SysWOW64\ldcpu.data
2018-02-05 08:14 - 2016-12-23 15:50 - 000074472 _____ (Guidance Software Inc.) C:\Windows\system32\enstart64_.sys
2018-02-05 08:13 - 2017-06-04 18:44 - 000000000 ____D C:\Users\bholscher\AppData\Local\03a35d1
2018-02-05 08:13 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-02-05 07:56 - 2013-01-15 11:24 - 000000000 ____D C:\Users\bholscher
2018-02-05 07:56 - 2013-01-02 13:17 - 000000000 ____D C:\Users\daves
2018-02-05 07:56 - 2013-01-02 12:11 - 000000000 ____D C:\Users\da_staging_user
2018-02-05 06:41 - 2014-07-30 09:23 - 000000000 ____D C:\Users\ITSupport\AppData\Roaming\Yahoo!
2018-02-05 06:41 - 2014-07-30 09:22 - 000000000 ____D C:\Users\ITSupport\AppData\LocalLow\Yahoo!
2018-02-05 06:41 - 2013-02-18 16:50 - 000000000 ____D C:\Users\bholscher\AppData\LocalLow\Yahoo!
2018-02-05 02:00 - 2013-01-15 11:24 - 000000000 ____D C:\Users\bholscher\AppData\Local\Adobe
2018-02-04 15:08 - 2017-07-07 18:26 - 000000000 ____D C:\Users\bholscher\AppData\Local\GoToMeeting
2018-02-02 19:31 - 2013-01-18 14:35 - 000000000 ___SD C:\Users\bholscher\Documents\My Shapes
2018-01-26 21:15 - 2017-12-31 11:26 - 000000000 ____D C:\Users\bholscher\Desktop\Shower
2018-01-23 18:10 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-01-23 18:08 - 2008-09-22 12:23 - 000121920 _____ C:\Windows\system32\VendorCmdRW.dll
2018-01-23 18:08 - 2008-09-22 12:23 - 000076864 _____ (Trident Multimedia Technologies Corporation) C:\Windows\system32\acpinfo.ax
2018-01-23 18:08 - 2008-09-22 12:21 - 000301504 _____ (Trident Multimedia Technologies Co.,Ltd) C:\Windows\system32\Drivers\0140_ION.sys
2018-01-23 13:05 - 2009-07-14 00:13 - 000782470 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-21 23:02 - 2013-01-02 12:10 - 000000000 ____D C:\ProgramData\CREDANT
2018-01-21 16:17 - 2013-01-18 12:33 - 000000000 ____D C:\Users\bholscher\AppData\Local\ElevatedDiagnostics
2018-01-19 19:03 - 2013-03-05 18:53 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2018-01-18 21:37 - 2015-12-04 13:57 - 000003684 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-698646121-1254382694-1581587538-329973
2018-01-18 21:37 - 2015-12-04 13:57 - 000003588 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-698646121-1254382694-1581587538-329973
 
==================== Files in the root of some directories =======
 
2013-01-02 12:04 - 2008-08-01 12:34 - 000102400 _____ () C:\Program Files\uninstgs.exe
2013-02-19 11:39 - 2017-06-20 01:20 - 000000132 _____ () C:\Users\bholscher\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-02-07 14:33 - 2015-04-13 15:12 - 000001456 _____ () C:\Users\bholscher\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-02-26 19:54 - 2015-03-04 11:37 - 000005120 _____ () C:\Users\bholscher\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-15 11:24 - 2015-10-12 11:52 - 000007625 _____ () C:\Users\bholscher\AppData\Local\resmon.resmoncfg
2013-03-05 19:51 - 2017-07-18 13:34 - 000866388 _____ () C:\Users\bholscher\AppData\Local\rx_audio.Cache
2013-03-05 19:49 - 2017-07-18 13:34 - 000022896 _____ () C:\Users\bholscher\AppData\Local\rx_image32.Cache
 
Some files in TEMP:
====================
2015-12-04 14:56 - 2015-01-26 09:59 - 000060296 _____ (Autodesk, Inc.) C:\Users\bholscher\AppData\Local\Temp\AcDeltree.exe
2017-01-16 07:39 - 2016-07-13 08:36 - 000034480 _____ (Zoom Video Communications, Inc.) C:\Users\bholscher\AppData\Local\Temp\CptInstall.exe
2017-01-16 07:39 - 2016-07-13 08:35 - 000138416 _____ (Zoom Video Communications, Inc.) C:\Users\bholscher\AppData\Local\Temp\CptShare.dll
2018-02-05 08:28 - 2017-09-13 10:31 - 001732864 _____ (Microsoft Corporation) C:\Users\bholscher\AppData\Local\Temp\dllnt_dump.dll
2015-12-09 21:12 - 2015-12-09 21:12 - 000585824 _____ (Oracle Corporation) C:\Users\bholscher\AppData\Local\Temp\jre-8u66-windows-au.exe
2016-03-12 10:50 - 2016-03-12 10:50 - 000736352 _____ (Oracle Corporation) C:\Users\bholscher\AppData\Local\Temp\jre-8u73-windows-au.exe
2016-04-21 20:52 - 2016-04-21 20:52 - 000739904 _____ (Oracle Corporation) C:\Users\bholscher\AppData\Local\Temp\jre-8u91-windows-au.exe
2017-03-24 10:48 - 2017-03-24 10:48 - 014456872 _____ (Microsoft Corporation) C:\Users\bholscher\AppData\Local\Temp\vc_redist.x86.exe
2017-01-16 07:39 - 2016-07-13 08:35 - 000090288 _____ () C:\Users\bholscher\AppData\Local\Temp\zCrashReport.dll
2007-04-25 08:48 - 2007-04-25 08:48 - 000163840 _____ (LANDesk Software, Ltd.) C:\Users\daves\AppData\Local\Temp\enuinst32.dll
2007-04-25 08:48 - 2007-04-25 08:48 - 001317656 _____ (LANDesk Software, Ltd.) C:\Users\daves\AppData\Local\Temp\inst32.exe
2013-01-02 13:42 - 2013-01-02 13:42 - 000053536 _____ () C:\Users\daves\AppData\Local\Temp\_DelAll.EXE
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-01-28 20:43
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by BHOLSCHER (05-02-2018 16:12:18)
Running from C:\Users\bholscher\Downloads
Windows 7 Professional Service Pack 1 (X64) (2013-01-02 16:39:30)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1005336470-3270574750-254552977-500 - Administrator - Enabled) => C:\Users\Administrator
cba_anonymous (S-1-5-21-1005336470-3270574750-254552977-1003 - Administrator - Enabled) => C:\Users\cba_anonymous
Guest (S-1-5-21-1005336470-3270574750-254552977-501 - Limited - Disabled)
ITSupport (S-1-5-21-1005336470-3270574750-254552977-1001 - Limited - Enabled) => C:\Users\ITSupport
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Symantec Endpoint Protection (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Symantec Endpoint Protection (Disabled) {6BFC5632-188D-B806-D13E-C607121B42A0}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
4500_G510af_Help_Web (HKLM-x32\...\{C175D5B0-ED04-42C9-B23F-D8BD406173E7}) (Version: 000.0.440.000 - Hewlett-Packard) Hidden
4500G510af_Software_Min (HKLM-x32\...\{3EB6F78A-66E3-434f-BD0E-76C7D078DB5E}) (Version: 000.0.423.000 - Hewlett-Packard) Hidden
4500G510af_web (HKLM-x32\...\{EC2F135B-48ED-4682-A90B-54846218C1F3}) (Version: 000.0.425.000 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (HKLM\...\{BC741628-0AFC-405C-8946-DD46D1005A0A}) (Version: 8.2.4 - Hewlett-Packard) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
A360 Desktop (HKLM\...\{B209E611-5511-4AD6-B4B3-9D36F93DBCD4}) (Version: 6.0.3.1100 - Autodesk)
ACA & MEP 2016 Object Enabler (HKLM\...\{5783F2D7-F004-0000-5102-0060B0CE6BBA}) (Version: 7.8.41.0 - Autodesk) Hidden
ACAD Private (HKLM\...\{5783F2D7-F001-0000-3102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.14 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 23.0.0.257 - Adobe Systems Incorporated)
Adobe Creative Suite 6 Design Standard (HKLM-x32\...\{0327A4BF-62BF-48BB-8928-B971B749E9E1}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\{3D5E2F56-60D2-4B5F-802E-9EAF7DC2E8E1}) (Version: 26.0.0.131 - Adobe Systems Incorporated)
Adobe Flash Player 26 NPAPI (HKLM-x32\...\{BD09A75D-86C0-4BBE-869D-2724DA1F9579}) (Version: 26.0.0.131 - Adobe Systems Incorporated)
Adobe Flash Player 26 PPAPI (HKLM-x32\...\{4C96288D-7068-4907-A4E0-B3CCF360D07B}) (Version: 26.0.0.131 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.4.3 - Adobe Systems, Incorporated)
AirPort (HKLM-x32\...\{AA68AAAE-41F0-40B5-8896-5947F5FD6889}) (Version: 5.6.1.2 - Apple Inc.)
Akamai NetSession Interface (HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Akamai) (Version:  - Akamai Technologies, Inc)
Apple Application Support (32-bit) (HKLM-x32\...\{E92BB800-BCC5-4C25-8102-AC2C3B7C7C1E}) (Version: 5.5 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9C912B1E-06DD-43EF-BB2B-45CB2C88BAAE}) (Version: 5.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
AutoCAD 2015 - English (HKLM\...\{5783F2D7-E001-0000-0102-0060B0CE6BBA}) (Version: 20.0.141.0 - Autodesk) Hidden
AutoCAD 2015 - English (HKLM\...\{5783F2D7-E001-0409-2102-0060B0CE6BBA}) (Version: 20.0.51.0 - Autodesk) Hidden
AutoCAD 2015 Language Pack - English (HKLM\...\{5783F2D7-E001-0409-1102-0060B0CE6BBA}) (Version: 20.0.51.0 - Autodesk) Hidden
AutoCAD 2016 - English (HKLM\...\{5783F2D7-F001-0409-2102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
AutoCAD 2016 (HKLM\...\{5783F2D7-F001-0000-0102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
AutoCAD 2016 Language Pack - English (HKLM\...\{5783F2D7-F001-0409-1102-0060B0CE6BBA}) (Version: 20.1.49.0 - Autodesk) Hidden
AutoCAD LT 2008 - English (HKLM-x32\...\{5783F2D7-6009-0409-0002-0060B0CE6BBA}) (Version: 17.1.51.0 - Autodesk) Hidden
AutoCAD LT 2008 - English (HKLM-x32\...\AutoCAD LT 2008 - English) (Version: 17.1.51.0 - Autodesk)
Autodesk Advanced Material Library Image Library 2016 (HKLM-x32\...\{94AD53E7-493B-4291-8714-7A3B761D2783}) (Version: 6.3.0.15 - Autodesk)
Autodesk App Manager (HKLM-x32\...\{C8125548-F2D5-4059-823F-1F3C5BBD9F19}) (Version: 1.2.0 - Autodesk)
Autodesk App Manager 2016 (HKLM-x32\...\{4ECF9E00-2978-46AF-BD80-455EFEAB7A93}) (Version: 2.0.0 - Autodesk)
Autodesk AutoCAD 2015 - English (HKLM\...\AutoCAD 2015 - English) (Version: 20.0.141.0 - Autodesk)
Autodesk AutoCAD 2016 - English (HKLM\...\AutoCAD 2016 - English) (Version: 20.1.49.0 - Autodesk)
Autodesk AutoCAD Performance Feedback Tool 1.2.4 (HKLM-x32\...\{4E20873D-BC20-495C-AFD9-B18877B7F9BB}) (Version: 1.2.4.0 - Autodesk)
Autodesk BIM 360 Glue AutoCAD 2015 Add-in 64 bit (HKLM\...\{9D589081-AFC2-4932-9071-AC585AC1EA83}) (Version: 3.32.3004 - Autodesk)
Autodesk BIM 360 Glue AutoCAD 2016 Add-in 64 bit (HKLM\...\{4BEE127E-95C4-434D-ABAC-65155192BB24}) (Version: 4.35.1742 - Autodesk)
Autodesk Content Service (HKLM-x32\...\{A37CDB58-AAE8-0000-8C13-E0F7BACB0D5F}) (Version: 3.2.0.0 - Autodesk) Hidden
Autodesk Content Service (HKLM-x32\...\Autodesk Content Service) (Version: 3.2.0.0 - Autodesk)
Autodesk Content Service Language Pack (HKLM-x32\...\{A37CDB58-AAE8-0001-8C13-E0F7BACB0D5F}) (Version: 3.2.0.0 - Autodesk) Hidden
Autodesk Desktop App (HKLM-x32\...\Autodesk Desktop App) (Version: 6.0.108.150 - Autodesk)
Autodesk DWF Viewer 7 (HKLM-x32\...\{9A346205-EA92-4406-B1AB-50379DA3F057}) (Version: 7.2.0 - Autodesk, Inc.)
Autodesk DWG TrueView 2015 - English (HKLM\...\DWG TrueView 2015 - English) (Version: 20.0.51.0 - Autodesk)
Autodesk Featured Apps (HKLM-x32\...\{EDDEE94B-214D-4B07-9727-A3E46F3E379A}) (Version: 1.2.0 - Autodesk)
Autodesk Featured Apps 2016 (HKLM-x32\...\{D42F37CD-9AF9-4435-A474-B387C5BB6B47}) (Version: 2.0.0 - Autodesk)
Autodesk Material Library 2015 (HKLM-x32\...\{427F733F-4D6C-45BC-9324-EB743104C321}) (Version: 5.2.9.100 - Autodesk)
Autodesk Material Library 2016 (HKLM-x32\...\{29A7D6EC-63C2-42FD-8143-5812ABD2923F}) (Version: 6.3.0.15 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2015 (HKLM-x32\...\{ABE2F70B-8D94-44E9-AA04-F0DB35063D62}) (Version: 5.2.9.100 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2016 (HKLM-x32\...\{6B4CFC6E-ECB0-47FE-95D3-65C680ED0687}) (Version: 6.3.0.15 - Autodesk)
Autodesk ReCap 2016 (HKLM\...\{F6FD1651-0000-1033-0102-387BAF9B3B0A}) (Version: 1.5.0.33 - Autodesk) Hidden
Autodesk ReCap 2016 (HKLM\...\Autodesk ReCap 2016) (Version: 1.5.0.33 - Autodesk)
Bing Desktop (HKLM-x32\...\{7D095455-D971-4D4C-9EFD-9AF6A6584F3A}) (Version: 1.3.470.0 - Microsoft Corporation)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Box Sync (HKLM-x32\...\{b42401ee-86c0-44a2-baa2-b460dc10e1dc}) (Version: 4.0.6634.0 - Box Inc.) Hidden
BufferChm (HKLM-x32\...\{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}) (Version: 130.0.331.000 - Hewlett-Packard) Hidden
Celiveo Server Services (HKLM\...\{9957862C-5419-4BFD-A547-A0AA51DFCF2E}) (Version: 8.0.1 - Celiveo)
ChromecastApp (HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\{079ede36-133d-44b0-8053-c7c1fa8d2e0d}_is1) (Version: 1.5.1693.0 - Google Inc.)
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 4.3.03086 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (HKLM-x32\...\{2A01CAB3-5117-4BDC-96FF-2A0D2AB0F182}) (Version: 4.3.03086 - Cisco Systems, Inc.) Hidden
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{678753E6-E526-4AE5-A144-00240772543A}) (Version: 1.0.393 - Citrix)
Citrix XenApp Web Plugin (HKLM-x32\...\{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}) (Version: 11.0.0.5357 - Citrix Systems, Inc.)
CMG Windows Shield 64-bit (HKLM\...\{AF42C7DB-4560-4FFD-829B-D0C516D1E92A}) (Version: 7.1.3.3918 - CREDANT Technologies, Inc.) Hidden
ConvertHelper 3.1.1 (HKLM\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF52}}_is1) (Version:  - DownloadHelper)
Crystal Reports ActiveX Viewer 11.5 (HKLM-x32\...\{EB63BB5C-B3B6-4AEB-B99F-4E728C5D0680}) (Version: 1.0.0.0 - ReCrystallize.com LLC)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1208.101.125 - ALPS ELECTRIC CO., LTD.)
DirectX 9 Runtime (HKLM-x32\...\{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}) (Version: 1.00.0000 - Sonic Solutions) Hidden
Dropbox (HKLM-x32\...\Dropbox) (Version: 42.4.114 - Dropbox, Inc.)
Dropbox Update Helper (HKLM-x32\...\{099218A5-A723-43DC-8DB5-6173656A1E94}) (Version: 1.3.65.1 - Dropbox, Inc.) Hidden
DWG TrueView 2015 - English (HKLM\...\{5783F2D7-E028-0409-0100-0060B0CE6BBA}) (Version: 20.0.51.0 - Autodesk) Hidden
FARO LS 1.1.502.0 (64bit) (HKLM-x32\...\{66D83FE0-D798-4B38-86FE-FB48151E5AEF}) (Version: 5.2.0.35213 - FARO Scanner Production)
FileNet IDM Viewer 4.0 (HKLM-x32\...\IDMViewer) (Version:  - )
Garmin USB Drivers (HKLM\...\{DC7720F2-98BE-41C1-B0A8-E391362E86B8}) (Version: 2.3.1.1 - Garmin Ltd or its subsidiaries)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Earth Plug-in (HKLM-x32\...\{ADA8583A-C20B-414B-8CB7-3AA7A89F7952}) (Version: 7.1.4.1529 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 8.20.0.8199 (HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\GoToMeeting) (Version: 8.20.0.8199 - LogMeIn, Inc.)
GPL Ghostscript 9.04 (HKLM-x32\...\GPL Ghostscript 9.04) (Version:  - )
HandBrake 1.0.3 (HKLM-x32\...\HandBrake) (Version: 1.0.3 - )
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
HP Officejet 4500 G510a-f (HKLM\...\{1EB2596D-80B0-4D55-AC31-6FCFE757081E}) (Version: 13.0 - HP)
IBM Content Collector Outlook Extension (HKLM-x32\...\IBM Content Collector Outlook Extension) (Version: 4.0.1.4 - IBM)
iCloud (HKLM\...\{709A2D23-C25E-47B5-9268-CB6FEE648504}) (Version: 4.1.1.53 - Apple Inc.)
IEMx Client (HKLM-x32\...\{FEEB4D9B-EBF4-4C92-B2AF-4A775B422CDC}) (Version: 5.3.0 - Integro)
Intel Security True Key (HKLM\...\TrueKey) (Version: 4.19.108.1 - Intel Security)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3040 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
ION EZ VHS Converter (HKLM-x32\...\{04E364F1-4582-4567-A6C8-C7FBBCC86C91}) (Version:  - ION)
iTunes (HKLM\...\{6C01A0A7-7440-4D48-93C6-2927A1E93FE6}) (Version: 12.6.0.100 - Apple Inc.)
Java 7 Update 141 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32170141F0}) (Version: 7.0.1410 - Oracle Corporation)
JNLP (HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\JNLP) (Version:  - JNLP)
LANDESK Advance Agent (HKLM-x32\...\{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}) (Version: 1.0.0 - LANDesk Software) Hidden
LANDesk® Common Base Agent 8 (HKLM-x32\...\{45734758-4041-4EA8-8E62-DE661FC3879C}) (Version: 10.0.0.455 - LANDesk Software, Ltd) Hidden
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
MAPP Online Pro - Standalone (HKLM-x32\...\{1F3372CF-D89E-4E74-A4D7-DB6C71440D61}) (Version: 4.4.0 - Meyer Sound Laboratories, Inc.)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft ASP.NET SignalR Security Update (KB2903919) (HKLM-x32\...\{EE80A3E1-332E-4920-BAEF-89B7D9EC9B15}) (Version: 2.0.11105 - Microsoft Corporation)
Microsoft Office 2010 Primary Interop Assemblies (HKLM-x32\...\{90140000-1105-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1024 - Microsoft Corporation)
Microsoft Office Communicator 2005 (HKLM-x32\...\{BE5AD430-9E0C-4243-AB3F-593835869855}) (Version: 1.0.559.0 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard 2010 (HKLM-x32\...\Office14.STANDARD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visio Standard 2010 (HKLM-x32\...\Office14.VISIO) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.60724 - Microsoft Corporation)
Mozilla Firefox 54.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 54.0.1.6388 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Panasonic DRM Plugin (HKLM-x32\...\{9C267E0B-9058-49D4-96F4-D42056D22B59}) (Version: 1.2.1.0 - Panasonic Avionics Corporation)
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
RogueKiller version 12.12.2.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.2.0 - Adlice Software)
SAFE Servlet (HKLM-x32\...\{E39C38FC-343C-4D3D-8DCA-681C7FF8518A}) (Version: 7.13.00.11 - Guidance Software) Hidden
Scan (HKLM-x32\...\{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}) (Version: 13.0.0.0 - Hewlett-Packard) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
ShowXpress (HKLM\...\ShowXpress_is1) (Version:  - efk)
SketchUp Import (HKLM-x32\...\{C403E867-FCF1-432B-BCC1-8FFD40A10A6E}) (Version: 1.2.0 - Autodesk)
SketchUp Import 2016 (HKLM-x32\...\{C769FB7C-1F55-4B31-9A2A-21CEC50F4F92}) (Version: 2.0.0 - Autodesk)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.38 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.38.101 - Skype Technologies S.A.)
SmartSound Quicktracks Plugin (HKLM-x32\...\{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}) (Version: 3.0.8.0 - SmartSound Software Inc) Hidden
SmartSound Quicktracks Plugin (HKLM-x32\...\InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}) (Version: 3.0.8.0 - SmartSound Software Inc)
Sonic CinePlayer Decoder Pack (HKLM-x32\...\{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}) (Version: 4.2.0 - Sonic Solutions)
Specops Password Client (x64) (HKLM\...\{0C965341-C18E-4C51-A894-91051F7D6B9D}) (Version: 6.3.40731.1 - Specops Software)
Symantec Endpoint Protection (HKLM\...\{644BDA5C-897C-42B5-BEA8-F73D70A94E9E}) (Version: 12.1.6860.6400 - Symantec Corporation)
Toolbox (HKLM-x32\...\{6BBA26E9-AB03-4FE7-831A-3535584CA002}) (Version: 130.0.648.000 - Hewlett-Packard) Hidden
VD64Inst (HKLM\...\{DB9C43F7-0B0F-4E43-9E6B-F945C71C469E}) (Version: 1.00.0000 - Roxio, Inc.) Hidden
WebReg (HKLM-x32\...\{43CDF946-F5D9-4292-B006-BA0D92013021}) (Version: 130.0.132.017 - Hewlett-Packard) Hidden
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
Wireless Workbench 6 (HKLM-x32\...\Wireless Workbench 6) (Version: 6.12.1 - Shure Inc)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\bholscher\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{0B628DE4-07AD-4284-81CA-5B439F67C5E6}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2016\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2016\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> C:\Program Files\Autodesk\DWG TrueView 2015 - English\en-US\dwgviewrficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{5370C727-1451-4700-A960-77630950AF6D}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2016\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{57B13C80-C59C-4981-8870-4A209C1B7589}\InprocServer32 -> C:\Program Files\Roxio 2010\Virtual Drive 10\DC_ShellExt64.dll (Sonic Solutions)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Citrix\GoToMeeting\4670\G2MOutlookAddin64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2016\en-US\acadficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-05] (Autodesk, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-05] (Autodesk, Inc.)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => c:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1: [AcShellExtension.AcContextMenuHandler] -> {2E7A2C6C-B938-40a4-BA1C-C7EC982DC202} => C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll [2015-02-05] (Autodesk)
ContextMenuHandlers1: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat Elements\ContextMenuShim64.dll [2012-09-23] (Adobe Systems Inc.)
ContextMenuHandlers1-x32: [Autodesk.DWF.ContextMenu] -> {6C18531F-CA85-45F7-8278-FF33CF0A5964} => C:\Program Files (x86)\Common Files\Autodesk Shared\dwf Common\DWFShellExtension.dll [2006-11-09] (Autodesk, Inc.)
ContextMenuHandlers1-x32: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ContextMenuHandlers1-x32: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\vpshell2.dll [2016-03-06] (Symantec Corporation)
ContextMenuHandlers1-x32: [PhotoStreamsExt] -> {89D984B3-813B-406A-8298-118AFA3A22AE} => C:\Program Files\Common Files\Apple\Internet Services\ShellStreams64.dll [2015-04-26] (Apple Inc.)
ContextMenuHandlers2: [EmsBkgndExtension] -> {53BAE32F-BD17-4ba6-B975-C01FAF3CE476} => C:\Windows\system32\EmsExt.dll [2011-11-02] (CREDANT Technologies, Inc.)
ContextMenuHandlers2: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\vpshell2.dll [2016-03-06] (Symantec Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => c:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers4: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ContextMenuHandlers5: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2018-01-22] (Dropbox, Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2013-02-22] (Intel Corporation)
ContextMenuHandlers6: [Adobe.Acrobat.ContextMenu] -> {A6595CD1-BF77-430A-A452-18696685F7C7} => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat Elements\ContextMenuShim64.dll [2012-09-23] (Adobe Systems Inc.)
ContextMenuHandlers6: [LDVPMenu] -> {8BEEE74D-455E-4616-A97A-F6E86C317F32} => C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\vpshell2.dll [2016-03-06] (Symantec Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers1_S-1-5-21-698646121-1254382694-1581587538-329973: [RXDCExtSvr] -> {57B13C80-C59C-4981-8870-4A209C1B7589} => C:\Program Files\Roxio 2010\Virtual Drive 10\DC_ShellExt64.dll [2009-07-07] (Sonic Solutions)
ContextMenuHandlers2_S-1-5-21-698646121-1254382694-1581587538-329973: [RXDCExtSvr] -> {57B13C80-C59C-4981-8870-4A209C1B7589} => C:\Program Files\Roxio 2010\Virtual Drive 10\DC_ShellExt64.dll [2009-07-07] (Sonic Solutions)
ContextMenuHandlers6_S-1-5-21-698646121-1254382694-1581587538-329973: [RXDCExtSvr] -> {57B13C80-C59C-4981-8870-4A209C1B7589} => C:\Program Files\Roxio 2010\Virtual Drive 10\DC_ShellExt64.dll [2009-07-07] (Sonic Solutions)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {07A2F1AF-29F9-45DC-A5B8-DD5E2879435E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {1094944A-819C-422E-81DE-C74F217C6371} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-698646121-1254382694-1581587538-329973Core => C:\Users\bholscher\AppData\Local\Google\Update\GoogleUpdate.exe [2015-10-12] (Google Inc.)
Task: {1111F5CA-3393-4007-BC9A-A8F014545369} - System32\Tasks\TrackingFTPScheduler => C:\Program Files\Jetmobile\SecureJet Server Services\Jetmobile.PrintServer.Tools.FTPTrackingFileUploader.exe
Task: {118A939F-BA83-4895-91B2-A56C3C2F4CA0} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-698646121-1254382694-1581587538-329973 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {1934DF74-4BF2-48FF-8731-80A077A5B80D} - System32\Tasks\DaVita_Logon_Script => \davita.corp\SYSVOL\DAVITA.Corp\Logon\logon_DEV.vbe
Task: {47BC72F6-94B0-41B7-9943-12FCD38A5A62} - System32\Tasks\G2MUploadTask-S-1-5-21-698646121-1254382694-1581587538-329973 => C:\Users\bholscher\AppData\Local\GoToMeeting\8199\g2mupload.exe [2018-01-18] (LogMeIn, Inc.)
Task: {4CB0C466-C5DD-4F28-84BA-AED3C4403212} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-698646121-1254382694-1581587538-329973UA => C:\Users\bholscher\AppData\Local\Google\Update\GoogleUpdate.exe [2015-10-12] (Google Inc.)
Task: {516AF849-7104-4AB8-9CA5-8D43E489077A} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-20] (Adobe Systems Incorporated)
Task: {56FEC53D-84C0-45C8-B33B-844BCD6DEE2B} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-698646121-1254382694-1581587538-329973 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
Task: {572519B1-C36B-424C-8322-3182B38E784D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-12] (Google Inc.)
Task: {76CA41A5-02CA-4D69-9011-2582C047779D} - System32\Tasks\Scheduled Reboot => C:\Windows\System32\shutdown.exe [2009-07-13] (Microsoft Corporation)
Task: {7DD15087-9796-476E-A603-8D030AD79DDB} - System32\Tasks\G2MUpdateTask-S-1-5-21-698646121-1254382694-1581587538-329973 => C:\Users\bholscher\AppData\Local\GoToMeeting\8199\g2mupdate.exe [2018-01-18] (LogMeIn, Inc.)
Task: {7E16F5BD-3C03-4AD2-8FE2-E79DEFC73F86} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-30] (Dropbox, Inc.)
Task: {896B6379-F42C-471E-9BCE-EE75087D0B64} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-12-15] (McAfee, Inc.)
Task: {A3B325E7-0A5B-43CF-BF9E-9EA6A730DAA3} - System32\Tasks\Job Purge => C:\Program Files\Celiveo\Celiveo Server Services\sjps_job_purge.exe [2016-06-23] (Jetmobile Pte Ltd)
Task: {A46D545B-B999-49FC-8F72-0D8C72941044} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-698646121-1254382694-1581587538-329973 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
Task: {B05E9882-195A-49C3-AC46-B3646CE4D434} - System32\Tasks\LANDESK Agent Health Bootstrap Task => C:\Program Files (x86)\LANDesk\LDClient\LANDESKAgentBootStrap.exe [2015-12-16] (LANDESK Software, Inc. and its affiliates.)
Task: {C318D740-CC45-4ECB-AA4C-E6EFF3BC995F} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-30] (Dropbox, Inc.)
Task: {D4A35FDC-3653-479E-94C9-8875FE7F33B8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-12] (Google Inc.)
Task: {F14D41A3-65F3-46F8-8479-4FF830618764} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-698646121-1254382694-1581587538-329973 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe
Task: {F56553D5-0628-479D-97D0-8F4794FAA6E5} - System32\Tasks\AdobeAAMUpdater-1.0-DAVITA-BHOLSCHER => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-02-27] (Adobe Systems Incorporated)
Task: {F8DE03CD-0A9A-41F8-B8B2-4E375FE3032A} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-698646121-1254382694-1581587538-329973 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-698646121-1254382694-1581587538-329973.job => C:\Users\bholscher\AppData\Local\GoToMeeting\8199\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-698646121-1254382694-1581587538-329973.job => C:\Users\bholscher\AppData\Local\GoToMeeting\8199\g2mupload.exe
Task: C:\Windows\Tasks\Job Purge.job => C:\Program Files\Celiveo\Celiveo Server Services\sjps_job_purge.exe
Task: C:\Windows\Tasks\TrackingFTPScheduler.job => C:\Program Files\Jetmobile\SecureJet Server Services\Jetmobile.PrintServer.Tools.FTPTrackingFileUploader.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-05-22 11:08 - 2010-10-14 09:05 - 000290816 _____ () C:\Windows\System32\HP1100LM.DLL
2013-05-22 11:08 - 2010-10-14 09:05 - 000074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2013-08-19 17:17 - 2012-12-04 19:33 - 000065024 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP2030PP.DLL
2017-05-08 23:44 - 2017-05-08 23:44 - 001354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-09-01 17:12 - 2016-09-01 17:12 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-12-23 15:50 - 2016-12-23 15:50 - 001160704 _____ () C:\Windows\system32\enstart64.exe
2017-01-13 09:35 - 2015-12-16 13:55 - 000164864 _____ () C:\Program Files (x86)\LANDesk\LDClient\SelfElectController.exe
2018-02-05 07:01 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-02-05 07:01 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-01-13 09:36 - 2015-12-16 14:46 - 000273920 _____ () C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
2013-01-02 12:30 - 2012-02-06 16:54 - 000094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-03-27 11:20 - 2017-03-27 11:20 - 001354040 _____ () C:\Program Files\iTunes\libxml2.dll
2017-03-27 11:20 - 2017-03-27 11:20 - 000092472 _____ () C:\Program Files\iTunes\zlib1.dll
2018-02-05 08:34 - 2018-01-03 04:20 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libglesv2.dll
2018-02-05 08:34 - 2018-01-03 04:20 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libegl.dll
2016-10-06 13:37 - 2016-10-06 13:37 - 000073728 _____ () C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
2016-05-08 13:32 - 2016-03-23 05:02 - 000061968 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\QtSolutions_Service-head.dll
2016-05-08 13:32 - 2016-03-23 05:02 - 000110608 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\qjson0.dll
2016-06-17 03:03 - 2016-09-21 19:30 - 000130560 _____ () C:\Program Files (x86)\LANDesk\LDClient\RollingLog.dll
2016-06-17 03:03 - 2015-12-16 13:53 - 000165888 _____ () C:\Program Files (x86)\LANDesk\LDClient\httprequest.dll
2017-01-13 09:36 - 2016-02-12 10:40 - 001145856 _____ () C:\Program Files (x86)\LANDesk\LDClient\tmcdll.dll
2016-03-06 22:44 - 2016-03-06 22:44 - 000565872 ____C () C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\AvPluginImpl.dll
2017-01-13 09:35 - 2015-12-16 13:21 - 000106567 _____ () C:\Program Files (x86)\LANDesk\LDClient\ThinstallManageApi.dll
2017-01-13 09:35 - 2016-02-12 10:40 - 000476672 _____ () C:\Program Files (x86)\LANDesk\LDClient\SelfElect.dll
2018-01-19 19:03 - 2004-12-14 12:00 - 000430080 _____ () C:\Program Files (x86)\ION\EZ VHS Converter\fpxlib.dll
2018-01-19 19:03 - 2006-01-06 14:51 - 000266303 _____ () C:\Program Files (x86)\ION\EZ VHS Converter\magengin.dll
2018-01-19 19:03 - 2004-12-01 17:21 - 000180224 _____ () C:\Program Files (x86)\ION\EZ VHS Converter\kgl.dll
2017-09-25 03:12 - 2017-07-21 09:26 - 000518144 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2016-05-08 13:32 - 2015-11-05 07:07 - 000052224 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\qoauth_Ad_1.dll
2016-05-08 13:32 - 2015-11-05 07:07 - 000742400 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\qca_Ad_2.dll
2016-05-08 13:32 - 2015-11-05 07:07 - 000195584 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\qjson_Ad_0.dll
2016-05-08 13:32 - 2013-09-23 12:52 - 000043912 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\QtSolutions_MFCMigrationFramework_Ad_2.dll
2016-05-08 13:32 - 2016-03-23 04:35 - 000284608 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\en-US\AdWingManRes.dll
2018-01-30 13:43 - 2018-01-22 06:19 - 000733000 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox_watchdog.dll
2018-01-30 13:43 - 2018-01-22 06:19 - 002079048 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox_crashpad.dll
2018-01-30 13:44 - 2018-01-22 06:19 - 000100296 _____ () C:\Program Files (x86)\Dropbox\Client\_ctypes.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000018888 _____ () C:\Program Files (x86)\Dropbox\Client\select.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000020808 _____ () C:\Program Files (x86)\Dropbox\Client\tornado.speedups.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000035792 _____ () C:\Program Files (x86)\Dropbox\Client\_multiprocessing.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000694224 _____ () C:\Program Files (x86)\Dropbox\Client\unicodedata.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000021856 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._constant_time.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000130512 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_backend.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 001856864 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._openssl.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000022880 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._padding.pyd
2018-01-30 13:43 - 2018-01-22 06:19 - 000145864 _____ () C:\Program Files (x86)\Dropbox\Client\pyexpat.pyd
2018-01-30 13:43 - 2018-01-22 06:19 - 000116688 _____ () C:\Program Files (x86)\Dropbox\Client\pywintypes27.dll
2018-01-30 13:44 - 2018-01-22 06:19 - 000105928 _____ () C:\Program Files (x86)\Dropbox\Client\win32api.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000022872 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.crt.compiled._winffi_crt.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000063312 _____ () C:\Program Files (x86)\Dropbox\Client\psutil._psutil_windows.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000024528 _____ () C:\Program Files (x86)\Dropbox\Client\win32event.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000077120 _____ () C:\Program Files (x86)\Dropbox\Client\fastpath.pyd
2018-01-30 13:43 - 2018-01-22 06:19 - 000020936 _____ () C:\Program Files (x86)\Dropbox\Client\mmapfile.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000124880 _____ () C:\Program Files (x86)\Dropbox\Client\win32file.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000116176 _____ () C:\Program Files (x86)\Dropbox\Client\win32security.pyd
2018-01-30 13:43 - 2018-01-22 06:19 - 000392656 _____ () C:\Program Files (x86)\Dropbox\Client\pythoncom27.dll
2018-01-30 13:44 - 2018-01-22 06:22 - 000392520 _____ () C:\Program Files (x86)\Dropbox\Client\win32com.shell.shell.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000026464 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.kernel32.compiled._winffi_kernel32.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32clipboard.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000175560 _____ () C:\Program Files (x86)\Dropbox\Client\win32gui.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000030160 _____ () C:\Program Files (x86)\Dropbox\Client\win32pipe.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000043472 _____ () C:\Program Files (x86)\Dropbox\Client\win32process.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000026056 _____ () C:\Program Files (x86)\Dropbox\Client\win32job.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000048592 _____ () C:\Program Files (x86)\Dropbox\Client\win32service.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000057808 _____ () C:\Program Files (x86)\Dropbox\Client\win32evtlog.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000021840 _____ () C:\Program Files (x86)\Dropbox\Client\cpuid.compiled._cpuid.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000023376 _____ () C:\Program Files (x86)\Dropbox\Client\winshell.compiled._winshell.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000022864 _____ () C:\Program Files (x86)\Dropbox\Client\crashpad.compiled._Crashpad.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000066400 _____ () C:\Program Files (x86)\Dropbox\Client\winenumhandles.compiled._WinEnumHandles.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 001796928 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtCore.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000084424 _____ () C:\Program Files (x86)\Dropbox\Client\sip.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 001956160 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtGui.pyd
2018-01-30 13:43 - 2018-01-22 06:22 - 003859272 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWidgets.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000155472 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebEngineWidgets.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000521032 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtNetwork.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000050512 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebEngineCore.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000042312 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebChannel.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000131400 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKit.pyd
2018-01-30 13:43 - 2018-01-22 06:22 - 000218960 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKitWidgets.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000204104 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtPrintSupport.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000025440 _____ () C:\Program Files (x86)\Dropbox\Client\winscreenshot.compiled._CaptureScreenshot.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000060880 _____ () C:\Program Files (x86)\Dropbox\Client\win32print.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000054616 _____ () C:\Program Files (x86)\Dropbox\Client\winrpcserver.compiled._RPCServer.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32profile.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000022880 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.user32.compiled._winffi_user32.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000028616 _____ () C:\Program Files (x86)\Dropbox\Client\win32ts.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000024416 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.shell32.compiled._winffi_shell32.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000022368 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.iphlpapi.compiled._winffi_iphlpapi.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000021856 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.winerror.compiled._winffi_winerror.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000022368 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.wininet.compiled._winffi_wininet.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000027496 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox.infinite.win.compiled._driverinstallation.pyd
2018-01-30 13:44 - 2018-01-22 06:19 - 000349128 _____ () C:\Program Files (x86)\Dropbox\Client\winxpgui.pyd
2018-01-30 13:44 - 2018-01-22 06:22 - 000023904 _____ () C:\Program Files (x86)\Dropbox\Client\winverifysignature.compiled._VerifySignature.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000025432 _____ () C:\Program Files (x86)\Dropbox\Client\librsyncffi.compiled._librsyncffi.pyd
2018-01-30 13:43 - 2018-01-22 06:19 - 000036296 _____ () C:\Program Files (x86)\Dropbox\Client\librsync.dll
2018-01-30 13:44 - 2018-01-22 06:22 - 000021856 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.advapi32.compiled._winffi_advapi32.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000181064 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox_sqlite_ext.DLL
2018-01-30 13:44 - 2018-01-22 06:22 - 000030544 _____ () C:\Program Files (x86)\Dropbox\Client\wind3d11.compiled._wind3d11.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000024384 _____ () C:\Program Files (x86)\Dropbox\Client\libEGL.DLL
2018-01-30 13:43 - 2018-01-22 06:21 - 001638208 _____ () C:\Program Files (x86)\Dropbox\Client\libGLESv2.dll
2018-01-30 13:44 - 2018-01-22 06:22 - 000026464 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.winhttp.compiled._winffi_winhttp.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000545096 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQuick.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000359232 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQml.pyd
2018-01-30 13:43 - 2018-01-22 06:21 - 000038216 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebEngine.pyd
2016-05-08 13:32 - 2015-09-08 01:31 - 040640808 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\libcef.dll
2016-05-08 13:32 - 2014-09-02 19:29 - 000912384 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\libglesv2.dll
2016-05-08 13:32 - 2014-09-02 19:29 - 000134144 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\libegl.dll
2016-05-08 13:32 - 2014-09-02 19:29 - 000950272 _____ () C:\Program Files (x86)\Autodesk\Autodesk Desktop App\acwebbrowser\ffmpegsumo.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows\system32\hpmco118.dll:com.apple.quarantine [42]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{6AFBADCC-F7E5-4944-8B20-F25400C96DCB}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Classes\.scr: AutoCADScriptFile => C:\Windows\system32\notepad.exe "%1"
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\davita.corp -> davita.corp
IE trusted site: HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\emailopen.com -> emailopen.com
IE trusted site: HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\labscope.com -> phys.labscope.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2016-12-14 06:44 - 000000147 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1 localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Control Panel\Desktop\\Wallpaper -> C:\Users\bholscher\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.76.76 - 75.75.75.75
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: ShopAtHomeUpdater => C:\Users\bholscher\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe
MSCONFIG\startupreg: ShopAtHomeWatcher => C:\Users\bholscher\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{73F970B9-52E0-460A-A06C-360B93421909}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{4B1CBCF6-9B6B-4898-8CF0-89EC229EE447}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{AA479482-40AE-4FD8-9DC7-86DAF531C9C3}] => (Allow) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
FirewallRules: [{951DD849-B6D0-4943-9113-1DFD1887198E}] => (Allow) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
FirewallRules: [{CC91E198-775D-41C5-8DDD-A553D018C624}] => (Allow) C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe
FirewallRules: [{C859D8CB-F12A-42CB-BB80-BA9C733AB64B}] => (Allow) C:\Users\bholscher\AppData\Local\Temp\7zS7488\EasyInst64.exe
FirewallRules: [{EF628D52-002C-4BD3-823D-6A8F1BCB4780}] => (Allow) LPort=9100
FirewallRules: [{0E79A70E-0C04-42EC-ADA6-103F8B2D3A0F}] => (Allow) LPort=427
FirewallRules: [{37220DDA-3D52-40E3-A465-00C23740F47A}] => (Allow) LPort=161
FirewallRules: [{317C1C8F-2981-4D31-92E2-B9385D69E004}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{897140B6-FD34-40EC-AE42-145F26151FDE}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{A82482D1-49F9-44B4-9E96-492A02AAD208}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{F3046008-3566-40A3-8FD2-AC30114095D2}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{B8D7C043-EC49-48C4-A85F-E690D1E9982A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4282953D-B684-4D9D-BE95-9554C9BCD302}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{18A2ADBA-6E24-4962-8CD4-D9B8DCC51192}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E1F45673-12AA-42F6-B287-1F1A939494D9}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F0B78BE6-3E8A-403F-A4C7-A89974297DB2}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0F61DFFF-AAFE-4591-BC94-04D7FD2A5426}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{93875732-D8F4-4C80-B483-941B81BD7541}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{12E2BA1C-787F-44F0-8134-660859B622B4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{29B7D0FE-C749-4670-B0A8-F68226BE3986}] => (Allow) LPort=50248
FirewallRules: [{B3600C50-D694-4394-AC5C-E177A2C84291}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\Smc.exe
FirewallRules: [{9CE64269-7801-4E99-BA18-F863BFBF8687}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin\Smc.exe
FirewallRules: [{FB0CEB36-6373-4069-B374-A9AE06081AE4}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\snac64.exe
FirewallRules: [{70F9A06F-503E-49EF-A9BF-A3B5C51122AB}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.6860.6400.105\Bin64\snac64.exe
FirewallRules: [{D7D4B690-32E2-4E36-B206-772DA463E1E4}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{451CC14A-C211-4970-955C-19D0AD9D0186}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{29825DB0-36E7-47F0-8045-F5A29F6BF031}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{DE0C670B-4CBB-46AC-B7C1-39A48EE82AB5}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{95334B1C-C43C-46EA-A1C9-BFF7C7D0AD60}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{5721A480-CD8F-46D3-9455-E23855093D42}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{18A458E6-BBA2-4CD9-B7C6-97D6CCA60B92}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{5C1C7AB6-7CC2-491B-BDC9-A88AB1DDE4F5}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{92B735C4-5F2E-4977-9DE6-AB5B441C0DB6}] => (Allow) C:\Program Files (x86)\Audinate\Shared Files\mDNSResponder.exe
FirewallRules: [{C58EF84E-2316-4019-AD9B-48A920F4AFD7}] => (Allow) C:\Program Files (x86)\Audinate\Shared Files\mDNSResponder.exe
FirewallRules: [{903CC99C-13E4-4F66-A5FD-7948A47C551C}] => (Allow) LPort=8751
FirewallRules: [{B2888ECF-A67F-40AA-99AF-667650DF77B2}] => (Allow) LPort=65211
FirewallRules: [{D1042682-B69B-48C9-8C33-5F129AF98A33}] => (Allow) LPort=2020
FirewallRules: [{2BC87EAF-4366-4864-8208-E53B7572BA2E}] => (Allow) LPort=65211
FirewallRules: [{F9DF0287-CFA2-4916-BC54-B3B29A182339}] => (Allow) LPort=2020
FirewallRules: [{9886BF7E-3661-47D2-BAD6-C6EE56DE4DD2}] => (Allow) C:\Windows\system32\enstart64.exe
FirewallRules: [{0B063243-D6DD-4096-A560-34503C8876DD}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{4CD63FD3-970B-4004-9DAB-08D769716231}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{885E1D91-3415-4068-8D78-50825428EC48}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{3A6B0D3D-9B38-4C00-81EE-B40C0EC3374A}] => (Allow) C:\Windows\SysWOW64\cba\pds.exe
FirewallRules: [{64FEB180-BAE0-4FE9-B5AB-1AAEEF87579F}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{9FE46831-6425-414F-B2CE-1B846213B08B}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{810694B0-AE9D-46BD-9B68-FF1F74E8EEB7}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{F863D719-ECB4-4D3A-9E37-74032DF7CE97}] => (Allow) C:\Windows\SysWOW64\msgsys.exe
FirewallRules: [{7D043BEC-2A21-4B26-B85D-F251B656E599}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{D36CACCB-503E-4805-B223-E806B125D00E}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{AFB7C700-83C2-4940-91B2-A71716E5C1FB}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{8F74BD39-66B3-4984-9875-F195228E15E5}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
FirewallRules: [{AE73AC0C-096D-48B4-A143-D8C1F130B191}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{272F008B-97C9-47F7-BBEE-5ABC0AD9D4D6}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{F35BA5C7-8041-48F1-A785-A63439B3F0AD}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{DA0AC334-F056-4C06-A8FB-E796C0B24561}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
FirewallRules: [{E5D7CC66-8D26-46A7-BF9C-CB80B1506485}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{1FF8925E-D22F-449E-A954-7697198E9EB6}] => (Allow) LPort=65211
FirewallRules: [{2767C298-F70E-4396-A7B0-F7FED07BEBC8}] => (Allow) LPort=22000
FirewallRules: [{563802B1-0F5A-4E7A-BE7E-77A0333574BD}] => (Allow) LPort=2020
FirewallRules: [{22C63CCA-CC0E-485F-BAC6-EB8C21148D94}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{A02C0FF4-42EA-4FBA-BA76-37655275DC33}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{ED46A5E5-9474-4ED9-ACE6-AA65756A7277}] => (Allow) LPort=22000
FirewallRules: [{9C9BB901-129A-403D-9303-756CCF55D8AF}] => (Allow) C:\Program Files (x86)\AirPort\APAgent.exe
FirewallRules: [{370BF8A9-E32D-427F-8E71-2B6DDA7ECB51}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{E9A28B35-D3D3-45A4-838A-2443821D3921}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{57FA1936-1C12-410C-A01C-F951EA4760C4}] => (Allow) C:\Program Files (x86)\ION\EZ VHS Converter\MediaTV.exe
FirewallRules: [{3E73BEB9-0648-4DC1-9BC2-BA619A001C7B}] => (Allow) C:\Program Files (x86)\ION\EZ VHS Converter\MediaTV.exe
FirewallRules: [{DE9F56C2-E97B-4187-AF01-4ACE0EA6157D}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{AA67271B-2A60-4223-AA15-9AA1011CE0D1}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{C8F0235B-AEEE-4F03-9E00-043ED87C8D3A}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{44E0D8CA-DC0B-434A-9856-8E009938247A}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{CD001228-485B-4BA6-9F36-A61643204FCB}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{D98E1607-6CD6-4269-B915-B0937F10DE33}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{1FA038BB-AC1D-4337-AF02-33D7CD38B7E1}] => (Allow) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
FirewallRules: [{6FB70094-CF45-4FB3-BE47-0B34D13D55BF}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{BBA66598-DFF0-4DE8-9010-98BD3C201D09}] => (Allow) C:\Program Files (x86)\LANDesk\LDClient\XDDClient.exe
FirewallRules: [{798C2F1A-CC59-4209-85C8-715AF077AA5A}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
28-01-2018 20:50:00 Scheduled Checkpoint
05-02-2018 00:02:04 Scheduled Checkpoint
05-02-2018 06:07:34 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/05/2018 08:14:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/05/2018 08:11:18 AM) (Source: Credant EMS) (EventID: 4097) (User: )
Description: Failure: ERROR 0xe9 in MessageClientThread thread: ERROR reading from named pipe
 
Error: (02/05/2018 06:45:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/05/2018 03:13:43 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (02/04/2018 02:52:46 PM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (02/04/2018 02:35:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/03/2018 08:35:26 AM) (Source: Credant EMS) (EventID: 4097) (User: )
Description: Failure: ERROR 0xe9 in MessageClientThread thread: ERROR reading from named pipe
 
Error: (02/03/2018 03:51:23 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (02/02/2018 03:58:49 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
Error: (02/01/2018 03:32:30 AM) (Source: SideBySide) (EventID: 9) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Integro\IEMx Client\adxloader.dll.Manifest" on line 2.
The manifest file root element must be assembly.
 
 
System errors:
=============
Error: (02/05/2018 12:42:47 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 808.
 
Error: (02/05/2018 12:14:53 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain DAVITA due to the following: 
There are currently no logon servers available to service the logon request.
 
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (02/05/2018 11:01:10 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 808.
 
Error: (02/05/2018 10:56:43 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 808.
 
Error: (02/05/2018 08:23:32 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Google Update Service (gupdate) service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (02/05/2018 08:16:52 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 808.
 
Error: (02/05/2018 08:16:40 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: DAVITA)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (02/05/2018 08:16:30 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (02/05/2018 08:14:19 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.
 
Error: (02/05/2018 08:14:18 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.
 
 
CodeIntegrity:
===================================
  Date: 2015-07-28 12:53:12.101
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-07-28 12:53:12.021
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2540M CPU @ 2.60GHz
Percentage of memory in use: 75%
Total physical RAM: 3977.05 MB
Available physical RAM: 971.13 MB
Total Virtual: 7952.29 MB
Available Virtual: 4359 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:298.09 GB) (Free:98.55 GB) NTFS ==>[drive with boot components (obtained from BCD)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 238374D3)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
 
 


#6 satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK

Posted 05 February 2018 - 06:18 PM

Thank you for the logs.

I'm in GB and it's 11:15pm here so I'll look at the logs tomorrow as soon as work/family gives me the chance.

Meanwhile, can you tell me if the problem is still there?

Thanks

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#7 holsch
  • Topic Starter
  • Members
  • 18 posts

Posted 05 February 2018 - 06:23 PM

Thank you, Satchfan,

So far, I haven't experienced any of the issues I was having. I'll keep you posted.

It's 6:22pm in Pennsylvania, US, so I'll be online for a while yet this evening.

Thanks again!



#8 satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK

Posted 05 February 2018 - 06:35 PM

I've just had a glance at the first part of your log and there seem to be a lot of restrictions in IE. Did you do this intentionally?




#9 satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK

Posted 06 February 2018 - 07:08 AM

I've just had a glance at the first part of your log and there seem to be a lot of restrictions in IE. Did you do this intentionally?

Also, is this a company computer? Apart from various restrictions, there also seems to be a proxy setting which indicates more than one user:

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)


Edited by satchfan, 06 February 2018 - 08:22 AM.



#10 holsch
  • Topic Starter
  • Members
  • 18 posts

Posted 06 February 2018 - 08:54 AM

The restrictions were set up by the previous IT department, which I no longer work for.

I don't use IE (per my old IT department's suggestion) but Firefox and Chrome. I was told IE wasn't very secure(?)



#11 satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK

Posted 06 February 2018 - 10:22 AM

> I don't use IE (per my old IT department's suggestion) but Firefox and Chrome. I was told IE wasn't very secure(?)

I use IE for everything except the forums (the format of replies works better in FF). Chrome is the one we spend most time cleaning up on these forums.

Let's clear up what's left.

You need to move Farbar Recovery Scan Tool to your desktop, otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+c:
Start::
CloseProcesses:
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Zoom] => [X]
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\MountPoints2: {5ab2eb48-f0b6-11e3-be19-d4bed97accfc} - E:\Autorun.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-698646121-1254382694-1581587538-329973 -> DefaultScope {5A3A5B5E-D846-481A-8642-BD661A44C822} URL =
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-16]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-07-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-02-05]
2018-02-05 08:13 - 2017-06-04 18:44 - 000000000 ____D C:\Users\bholscher\AppData\Local\03a35d1
2018-02-05 06:41 - 2014-07-30 09:23 - 000000000 ____D C:\Users\ITSupport\AppData\Roaming\Yahoo!
2018-02-05 06:41 - 2014-07-30 09:22 - 000000000 ____D C:\Users\ITSupport\AppData\LocalLow\Yahoo!
2018-02-05 06:41 - 2013-02-18 16:50 - 000000000 ____D C:\Users\bholscher\AppData\LocalLow\Yahoo!
C:\Users\bholscher\AppData\Local\Temp\AcDeltree.exe
C:\Users\bholscher\AppData\Local\Temp\CptInstall.exe
C:\Users\bholscher\AppData\Local\Temp\CptShare.dll
C:\Users\bholscher\AppData\Local\Temp\dllnt_dump.dll
C:\Users\bholscher\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\vc_redist.x86.exe
C:\Users\bholscher\AppData\Local\Temp\zCrashReport.dll
C:\Users\daves\AppData\Local\Temp\enuinst32.dll
C:\Users\daves\AppData\Local\Temp\inst32.exe
C:\Users\daves\AppData\Local\Temp\_DelAll.EXE
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Citrix\GoToMeeting\4670\G2MOutlookAddin64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
C:\Users\bholscher\AppData\Roaming\ShopAtHome
EmptyTemp:
cmd: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Hosts:
RemoveProxy:
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop (Fixlog.txt); please post it in your reply.

Can you tell me if there are any outstanding problems?

Satchfan
 


Edited by satchfan, 06 February 2018 - 11:05 AM.

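The fixlist above targets three kinds of registry locations: the machine-wide and per-user policy keys FRST flagged as "Restriction", the ProxySettingsPerUser policy, and the per-user proxy values that the RemoveProxy: directive clears. The following PowerShell script is an added example for readers of this thread; it is not part of the thread, not satchfan's fix and not a tool from FRST. It only reads those keys and reports what is present, so it can be run in an elevated PowerShell prompt before and after the fix to see what a fix changed, or on another machine to check whether similar policy restrictions exist. It assumes nothing beyond a Windows machine with PowerShell 2.0 or later; the user SID is discovered from the loaded hives rather than hard-coded, and no path outside those already listed in the fixlist is touched.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the policy
# and proxy registry locations the fixlist targets. Nothing here modifies the
# registry. Syntax is kept PowerShell 2.0 compatible for Windows 7 machines.

function Get-PolicyKeyReport {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$NameRegex = '.'      # only report value names matching this regex
    )
    if (-not (Test-Path -Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false; Values = '' }
    }
    $props = Get-ItemProperty -Path $Path
    # Get-ItemProperty adds PS* metadata properties; drop them, then apply the filter.
    $values = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match $NameRegex } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
    New-Object PSObject -Property @{ Path = $Path; Present = $true; Values = ($values -join '; ') }
}

$report = @()

# Machine-wide keys FRST reported as "Restriction" (HKLM:\ is HKEY_LOCAL_MACHINE).
$machineKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $machineKeys) {
    $report += Get-PolicyKeyReport -Path $key
}

# Per-user keys for every loaded user hive. HKU is not a default PowerShell
# drive, so the Registry:: provider prefix is used; *_Classes hives are skipped.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    $report += Get-PolicyKeyReport -Path "Registry::HKEY_USERS\$sid\SOFTWARE\Policies\Microsoft\Internet Explorer"
    # Proxy values are what the RemoveProxy: directive clears; a ProxyServer or
    # AutoConfigURL the user never set themselves deserves a closer look.
    $report += Get-PolicyKeyReport `
        -Path "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings" `
        -NameRegex '^(Proxy|AutoConfigURL)'
}

# Select-Object fixes the column order, which a hashtable-built object does not guarantee.
$report | Select-Object Path, Present, Values | Format-Table -AutoSize -Wrap
```

A key reported as Present with an empty Values column exists but holds no values of its own, which is how an empty policy container looks; a key that is absent both before and after the fix was never a restriction on that machine. Run the script from an elevated prompt, since HKEY_USERS hives other than your own are not readable from a standard user session.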


#12 holsch

  • Topic Starter
  • Members
  • 18 posts

Posted 06 February 2018 - 01:51 PM

Hello,

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by BHOLSCHER (06-02-2018 13:33:02) Run:1
Running from C:\Users\bholscher\Desktop
Loaded Profiles: BHOLSCHER (Available Profiles: ITSupport & cba_anonymous & Administrator & BHOLSCHER)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\Run: [Zoom] => [X]
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\...\MountPoints2: {5ab2eb48-f0b6-11e3-be19-d4bed97accfc} - E:\Autorun.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <==== ATTENTION (Restriction - ProxySettings)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-698646121-1254382694-1581587538-329973 -> DefaultScope {5A3A5B5E-D846-481A-8642-BD661A44C822} URL =
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2017-01-15]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-12]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-16]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-07-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (No Name) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-15]
CHR Extension: (Chrome Media Router) - C:\Users\bholscher\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-02-05]
2018-02-05 08:13 - 2017-06-04 18:44 - 000000000 ____D C:\Users\bholscher\AppData\Local\03a35d1
2018-02-05 06:41 - 2014-07-30 09:23 - 000000000 ____D C:\Users\ITSupport\AppData\Roaming\Yahoo!
2018-02-05 06:41 - 2014-07-30 09:22 - 000000000 ____D C:\Users\ITSupport\AppData\LocalLow\Yahoo!
2018-02-05 06:41 - 2013-02-18 16:50 - 000000000 ____D C:\Users\bholscher\AppData\LocalLow\Yahoo!
C:\Users\bholscher\AppData\Local\Temp\AcDeltree.exe
C:\Users\bholscher\AppData\Local\Temp\CptInstall.exe
C:\Users\bholscher\AppData\Local\Temp\CptShare.dll
C:\Users\bholscher\AppData\Local\Temp\dllnt_dump.dll
C:\Users\bholscher\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\bholscher\AppData\Local\Temp\vc_redist.x86.exe
C:\Users\bholscher\AppData\Local\Temp\zCrashReport.dll
C:\Users\daves\AppData\Local\Temp\enuinst32.dll
C:\Users\daves\AppData\Local\Temp\inst32.exe
C:\Users\daves\AppData\Local\Temp\_DelAll.EXE
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Citrix\GoToMeeting\4670\G2MOutlookAddin64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-698646121-1254382694-1581587538-329973_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\bholscher\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
C:\Users\bholscher\AppData\Roaming\ShopAtHome
EmptyTemp:
cmd: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
Hosts:
RemoveProxy:
EmptyTemp:
 
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-698646121-1254382694-1581587538-329973\Software\Microsoft\Windows\CurrentVersion\Run\\Zoom" => removed successfully
"HKU\S-1-5-21-698646121-1254382694-1581587538-329973\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5ab2eb48-f0b6-11e3-be19-d4bed97accfc}" => removed successfully
 
 
I haven't noticed anything as of yet out of the norm.


#13 satchfan

  • Malware Response Team
  • 2,716 posts
  • Gender:Female
  • Location:Devon, UK

Posted 06 February 2018 - 04:31 PM

That is not the complete Fixlog.txt.

 

Please post the full log.




#14 holsch

  • Topic Starter
  • Members
  • 18 posts

Posted 06 February 2018 - 04:36 PM

I'm sorry, that's all the text in the file. I don't understand what's missing.



#15 holsch

  • Topic Starter
  • Members
  • 18 posts

Posted 06 February 2018 - 04:40 PM

Should I reattempt the fix? Or is there another way to recreate the report?
