Locky Ransomware?

R

rickf

Well-known member
Joined
Jul 27, 2015
Posts
47
I just noticed that all my PC's appear to have the Locky Ransomware... I am seeing files with the .osiris extension on my users pc's (as well as my own) with time stamp of 0947 today. I'm scouring the web for help but also wanted to get a thread started here. Right now it appears that it is not widespread on these machines but that could certainly change. Would appreciate any help you might be able to give, Thanks in advance.
 
Here is the FIRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by RickF (administrator) on MIS (07-12-2016 15:30:30)
Running from C:\Users\RickF.REDHORSE\Desktop\Sysnative
Loaded Profiles: RickF (Available Profiles: RickF & RickF & Administrator & Classic .NET AppPool & DefaultAppPool & webdev)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials


==================== Processes (Whitelisted) =================


(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)


(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Carbonite, Inc. (Online Backup, Cloud & Hybrid Server Backup | Carbonite)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
() C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Health\Health.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Heartbeat\Heartbeat.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsClient.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Data Recorder\SDRService.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos System Protection\ssp.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Windows\System32\mqtgsvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sdcservice.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(DigitalPersona, Inc.) C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos UI\Sophos UI.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
(Google, Inc) C:\Users\RickF.REDHORSE\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 4.1\EMET_Agent.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Carbonite, Inc.) C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpAgent.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PrivacyIconClient.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(ShadowExplorer.com - About) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Microsoft Corporation) C:\Windows\System32\rstrui.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(LastPass) C:\Program Files (x86)\LastPass\nplastpass.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ====================


(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6839952 2013-02-01] (Realtek Semiconductor)
HKLM\...\Run: [HPSYSDRV] => C:\Program Files (x86)\Hewlett-Packard\HP Odometer\HPSYSDRV.EXE [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Sophos UI.exe] => C:\Program Files\Sophos\Sophos UI\Sophos UI.exe [2524296 2016-09-13] (Sophos Limited)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe [133400 2012-02-21] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [290688 2012-10-24] (Intel Corporation)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [684064 2012-06-09] (PDF Complete Inc)
HKLM-x32\...\Run: [File Sanitizer] => c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe [12310616 2012-03-09] (Hewlett-Packard)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694080 2013-07-10] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5571944 2016-04-19] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [EMET 4.1 Agent] => C:\Program Files (x86)\EMET 4.1\EMET_agent.exe [78992 2013-11-21] (Microsoft Corporation)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2016-01-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1154560 2016-08-04] (Carbonite, Inc.)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes Anti-Malware\BusinessMessaging.exe [3219456 2016-12-07] (Malwarebytes)
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Temp%\*.zip\*.exe <====== ATTENTION
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\DeviceNP: C:\Windows\SysWOW64\DeviceNP.dll [2012-01-31] (Hewlett-Packard Company)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23819048 2016-11-11] (Google)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Run: [78D2874DE634D4AA010A9381180B6A47D34F2CE8._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [921192 2016-11-08] (Google Inc.)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Run: [Google Update] => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-11-20] (Google Inc.)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Run: [Google Photos Backup] => C:\Users\RickF.REDHORSE\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe [3790936 2016-04-08] (Google, Inc)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9105112 2016-11-15] (Piriform Ltd)
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.0.4041.0512"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1166.0618\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1166.0618\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1166.0618] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1166.0618"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4724.0224] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4724.0224"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4726.0226\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4726.0226] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.4726.0226"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5849.0427\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5849.0427] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5849.0427"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5860.0512\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5860.0512] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5860.0512"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5907.0716\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5907.0716\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5907.0716] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5907.0716"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5930.0814\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5930.0814\amd64"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\RunOnce: [Uninstall C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5930.0814] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\RickF.REDHORSE\AppData\Local\Microsoft\OneDrive\17.3.5930.0814"
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\MountPoints2: {04848bde-1428-11e4-86e2-e83935453e37} - G:\VerizonWirelessUpgradeAssistantSetup.exe -a
HKU\S-1-5-21-843312985-487402592-91182677-1221\...\MountPoints2: {6ac3c977-08dc-11e4-9b1e-e83935453e37} - G:\setup.exe -a
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [235936 2016-09-13] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [207864 2016-09-13] (Sophos Limited)
Lsa: [Notification Packages] DPPassFilter scecli
ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-11] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-11] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-11] (Google)
ShellIconOverlayIdentifiers: [ Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [ Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [ Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: [ Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll [2016-08-04] (Carbonite, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Service Manager.lnk [2014-05-01]
ShortcutTarget: Service Manager.lnk -> C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
GroupPolicy: Restriction <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION


==================== Internet (Whitelisted) ====================


(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)


Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [128776 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Winsock: Catalog9-x64 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [177416 2016-02-11] (Sophos Limited)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{3B1048F6-0BA5-42EC-83BD-E8C7E9F047FF}: [NameServer] 216.67.153.137,8.8.8.8


Internet Explorer:
==================
HKU\S-1-5-21-843312985-487402592-91182677-1221\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-843312985-487402592-91182677-1221\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/19
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKU\S-1-5-21-843312985-487402592-91182677-1221 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-843312985-487402592-91182677-1221 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-843312985-487402592-91182677-1221 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKU\S-1-5-21-843312985-487402592-91182677-1221 -> {BCB794D7-137F-494F-8A28-FFDC04BB29F1} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Bing Bar Helper -> {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll [2014-03-11] (Microsoft Corporation.)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-10-11] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll [2013-07-17] (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-09-20] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-09-27] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2013-07-17] (Sun Microsystems, Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-07-21] (HP Inc.)
BHO-x32: Bing Bar Helper -> {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} -> C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll [2014-03-11] (Microsoft Corporation.)
BHO-x32: File Sanitizer for HP ProtectTools -> {3134413B-49B4-425C-98A5-893C1F195601} -> c:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll [2012-03-09] (Hewlett-Packard)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-09-20] (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-07-21] (HP Inc.)
Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll [2014-03-11] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll [2014-03-11] (Microsoft Corporation.)
DPF: HKLM-x32 {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} hxxp://javadl-esd.oracle.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-04-19] (Microsoft Corporation)


FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [otis@digitalpersona.com] - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt
FF Extension: (DigitalPersona Extension) - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt [2012-10-26] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_207.dll [2016-11-08] ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_32 -> C:\Windows\system32\npdeployJava1.dll [2013-07-15] (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll [2013-07-17] (Sun Microsystems, Inc.)
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2014-04-18] (LastPass)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass.dll [2014-04-18] (LastPass)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-843312985-487402592-91182677-1221: @citrixonline.com/appdetectorplugin -> C:\Users\RickF.REDHORSE\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-07-11] (Citrix Online)
FF Plugin HKU\S-1-5-21-843312985-487402592-91182677-1221: @tools.google.com/Google Update;version=3 -> C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-843312985-487402592-91182677-1221: @tools.google.com/Google Update;version=9 -> C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-843312985-487402592-91182677-1221: LWAPlugin15.8 -> C:\Users\RickF.REDHORSE\AppData\Roaming\Mozilla\Plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\RickF.REDHORSE\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-07-31] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\RickF.REDHORSE\AppData\Roaming\mozilla\plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)


Chrome:
=======
CHR DefaultProfile: Default
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.885\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\PepperFlash\pepflashplayer.dll => No File
CHR Profile: C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default [2016-12-07]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-05]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-23]
CHR Extension: (ColorZilla) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhlhnicpbhignbdhedgjhgdocnmhomnp [2015-09-10]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-08-12]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Cast) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2016-12-07]
CHR Extension: (uBlock Origin) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-12-07]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Netflix) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\deceagebecbceejblnlcjooeohmmeldh [2015-06-05]
CHR Extension: (Gmail Offline) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk [2015-06-09]
CHR Extension: (Chrome Remote Desktop) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp [2016-07-13]
CHR Extension: (HTTPS Everywhere) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2016-12-06]
CHR Extension: (GoToMeeting Pro Screensharing) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcgikpombjkodabhbdalkcdhmllafipp [2015-10-29]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-23]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2016-12-07]
CHR Extension: (IE Tab) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2016-12-06]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2015-07-31]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-11]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbejmccbhkncgokjcmghpfloaajcffj [2016-12-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-08]
CHR Extension: (No Name) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-06]
CHR Extension: (Chrome Media Router) - C:\Users\RickF.REDHORSE\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
CHR HKU\S-1-5-21-843312985-487402592-91182677-1221\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx


==================== Services (Whitelisted) ====================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [9037824 2016-08-04] (Carbonite, Inc. (Online Backup, Cloud & Hybrid Server Backup | Carbonite)) [File not signed]
S4 CenLPD; C:\Program Files (x86)\Century\TinyTERM\cenlpd.exe [157008 2012-12-19] ()
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe [76392 2016-10-16] (Google Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3040496 2016-10-04] (Microsoft Corporation)
R2 Diskeeper; C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe [2721656 2012-06-13] (Condusiv Technologies)
R2 DpHost; c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [493904 2012-04-28] (DigitalPersona, Inc.)
S3 FLCDLOCK; c:\Windows\SysWOW64\flcdlock.exe [477056 2012-01-31] (Hewlett-Packard Company)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 McAfee Endpoint Encryption Agent; C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [1327104 2012-06-01] () [File not signed]
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2014-04-08] (Motorola Mobility LLC)
R2 MSMQTriggers; C:\Windows\system32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
R2 MSSQL$JJKA_KDS; C:\Program Files (x86)\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe [7520337 2002-12-17] (Microsoft Corporation) [File not signed]
S3 MSSQLServerADHelper; C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [66112 2002-12-17] (Microsoft Corporation) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1134624 2012-06-09] (PDF Complete Inc)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201360 2013-02-01] (Realtek Semiconductor)
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [229672 2016-09-13] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [200064 2016-09-13] (Sophos Limited)
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (ShadowExplorer.com - About) [File not signed]
R2 SntpService; C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe [925832 2016-10-19] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [780432 2016-09-12] (Sophos Limited)
R3 Sophos Device Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sdcservice.exe [502944 2016-09-13] (Sophos Limited)
R2 Sophos Health Service; C:\Program Files (x86)\Sophos\Health\Health.exe [1704088 2016-09-12] (Sophos Limited)
R2 Sophos Heartbeat; C:\Program Files (x86)\Sophos\Heartbeat\Heartbeat.exe [2433888 2016-09-04] (Sophos Limited)
R2 Sophos MCS Agent; C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe [1379856 2016-11-02] (Sophos Limited)
R2 Sophos MCS Client; C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsClient.exe [1806904 2016-11-02] (Sophos Limited)
R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [360040 2016-09-13] (Sophos Limited)
R2 SophosDataRecorderService; C:\Program Files\Sophos\Sophos Data Recorder\SDRService.exe [996240 2016-09-12] (Sophos Limited)
R2 sophossps; C:\Program Files\Sophos\Sophos System Protection\ssp.exe [5366040 2016-09-12] (Sophos Limited)
S3 SQLAgent$JJKA_KDS; C:\Program Files (x86)\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlagent.EXE [311872 2002-12-17] (Microsoft Corporation) [File not signed]
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3644368 2016-09-13] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2121224 2016-09-13] (Sophos Limited)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1049464 2016-04-19] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [314744 2016-04-19] (Western Digital Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)


===================== Drivers (Whitelisted) ======================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv64.sys [64312 2012-01-31] (Hewlett-Packard Company)
R0 DKDFM; C:\Windows\System32\drivers\DKDFM.sys [40752 2012-04-05] (Condusiv Technologies)
R3 DKRtWrt; C:\Windows\System32\DRIVERS\DKRtWrt.sys [52048 2012-05-22] (Condusiv Technologies)
R0 DKTLFSMF; C:\Windows\System32\drivers\DKTLFSMF.sys [106832 2012-06-07] (Condusiv Technologies)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x64.sys [348944 2011-06-15] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X64.sys [70928 2011-06-15] (Intel(R) Corporation)
R0 MfeEpeOpal; C:\Windows\System32\Drivers\MfeEpeOpal.sys [90736 2012-06-01] (McAfee, Inc.)
R0 MfeEpePc; C:\Windows\System32\Drivers\MfeEpePc.sys [158832 2012-06-01] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R0 nlem64nt; C:\Windows\System32\Drivers\nlem64nt.sys [73320 2011-08-23] ()
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2012-10-26] ()
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [201168 2016-08-20] (Sophos Limited)
R3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [38144 2016-08-20] (Sophos Limited)
R2 sntp; C:\Windows\System32\DRIVERS\sntp.sys [123848 2016-10-19] (Sophos Limited)
R0 Sophos Endpoint Defense; C:\Windows\System32\DRIVERS\SophosED.sys [200760 2016-10-17] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [27904 2016-08-20] (Sophos Limited)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64_prewin8.sys [23200 2016-01-14] (Western Digital Technologies)
S3 BTCFilterService; system32\DRIVERS\motfilt.sys [X]
S3 motccgp; system32\DRIVERS\motccgp.sys [X]
S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S3 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]


==================== NetSvcs (Whitelisted) ===================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)




==================== One Month Created files and folders ========


(If an entry is included in the fixlist, the file/folder will be moved.)


2016-12-07 15:30 - 2016-12-07 15:30 - 00000000 ____D C:\FRST
2016-12-07 15:29 - 2016-12-07 15:30 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\Sysnative
2016-12-07 14:31 - 2016-12-07 14:33 - 00000000 ____D C:\Program Files\Recuva
2016-12-07 14:31 - 2016-12-07 14:31 - 00001660 _____ C:\Users\Public\Desktop\Recuva.lnk
2016-12-07 14:31 - 2016-12-07 14:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recuva
2016-12-07 14:16 - 2016-12-07 14:16 - 00001883 _____ C:\Users\RickF.REDHORSE\Desktop\ShadowExplorer.lnk
2016-12-07 14:16 - 2016-12-07 14:16 - 00000000 ____D C:\Users\RickF.REDHORSE\AppData\Roaming\ShadowExplorer.com - About
2016-12-07 14:16 - 2016-12-07 14:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2016-12-07 14:16 - 2016-12-07 14:16 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer
2016-12-07 14:09 - 2016-12-07 14:09 - 00059288 _____ C:\Users\RickF.REDHORSE\Documents\cc_20161207_140914.reg
2016-12-07 14:00 - 2016-12-07 14:45 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\LOCKY
2016-12-06 08:21 - 2016-12-06 08:23 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\Data
2016-11-23 11:10 - 2016-11-23 16:23 - 00226459 _____ C:\Users\RickF.REDHORSE\Desktop\Cigs analysis.xlsx
2016-11-23 09:27 - 2016-11-23 09:27 - 00001657 _____ C:\Users\RickF.REDHORSE\Downloads\cloud.carbonite
2016-11-22 10:18 - 2016-12-06 08:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2016-11-21 16:45 - 2016-11-21 16:45 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\GridView
2016-11-15 05:56 - 2016-10-19 09:25 - 00123848 _____ (Sophos Limited) C:\Windows\system32\Drivers\sntp.sys
2016-11-08 20:13 - 2016-11-02 08:36 - 00382696 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-11-08 20:13 - 2016-11-02 08:32 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2016-11-08 20:13 - 2016-11-02 08:32 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-11-08 20:13 - 2016-11-02 08:32 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2016-11-08 20:13 - 2016-11-02 08:32 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2016-11-08 20:13 - 2016-11-02 08:22 - 00308456 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-11-08 20:13 - 2016-11-02 08:16 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2016-11-08 20:13 - 2016-11-02 08:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2016-11-08 20:13 - 2016-11-02 08:16 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2016-11-08 20:13 - 2016-11-02 07:53 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-11-08 20:13 - 2016-10-27 20:59 - 00394440 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-11-08 20:13 - 2016-10-27 20:14 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-11-08 20:13 - 2016-10-27 12:13 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-11-08 20:13 - 2016-10-27 12:13 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-11-08 20:13 - 2016-10-27 11:55 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-11-08 20:13 - 2016-10-27 11:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-11-08 20:13 - 2016-10-27 11:54 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-11-08 20:13 - 2016-10-27 11:53 - 00576000 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-11-08 20:13 - 2016-10-27 11:53 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-11-08 20:13 - 2016-10-27 11:51 - 02896384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-11-08 20:13 - 2016-10-27 11:44 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-11-08 20:13 - 2016-10-27 11:43 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-11-08 20:13 - 2016-10-27 11:38 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-11-08 20:13 - 2016-10-27 11:37 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-11-08 20:13 - 2016-10-27 11:37 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-11-08 20:13 - 2016-10-27 11:37 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-11-08 20:13 - 2016-10-27 11:37 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-11-08 20:13 - 2016-10-27 11:28 - 25763328 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-11-08 20:13 - 2016-10-27 11:28 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-11-08 20:13 - 2016-10-27 11:24 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-11-08 20:13 - 2016-10-27 11:19 - 06047744 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-11-08 20:13 - 2016-10-27 11:15 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-11-08 20:13 - 2016-10-27 11:13 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-11-08 20:13 - 2016-10-27 11:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-11-08 20:13 - 2016-10-27 11:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-11-08 20:13 - 2016-10-27 11:05 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-11-08 20:13 - 2016-10-27 11:02 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-11-08 20:13 - 2016-10-27 10:49 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-11-08 20:13 - 2016-10-27 10:46 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-11-08 20:13 - 2016-10-27 10:46 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-11-08 20:13 - 2016-10-27 10:44 - 02131456 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-11-08 20:13 - 2016-10-27 10:44 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-11-08 20:13 - 2016-10-27 10:17 - 15257088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-11-08 20:13 - 2016-10-27 10:16 - 02920448 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-11-08 20:13 - 2016-10-27 10:03 - 01543680 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-11-08 20:13 - 2016-10-27 09:54 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-11-08 20:13 - 2016-10-27 08:05 - 20304896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-11-08 20:13 - 2016-10-25 08:02 - 03219456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-11-08 20:13 - 2016-10-22 10:54 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-11-08 20:13 - 2016-10-22 10:36 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-11-08 20:13 - 2016-10-22 10:36 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-11-08 20:13 - 2016-10-22 10:35 - 00498688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-11-08 20:13 - 2016-10-22 10:35 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-11-08 20:13 - 2016-10-22 10:34 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-11-08 20:13 - 2016-10-22 10:27 - 02287616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-11-08 20:13 - 2016-10-22 10:27 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-11-08 20:13 - 2016-10-22 10:26 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-11-08 20:13 - 2016-10-22 10:22 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-11-08 20:13 - 2016-10-22 10:21 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-11-08 20:13 - 2016-10-22 10:21 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-11-08 20:13 - 2016-10-22 10:20 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-11-08 20:13 - 2016-10-22 10:09 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-11-08 20:13 - 2016-10-22 10:04 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-11-08 20:13 - 2016-10-22 10:03 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-11-08 20:13 - 2016-10-22 09:59 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-11-08 20:13 - 2016-10-22 09:58 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-11-08 20:13 - 2016-10-22 09:56 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-11-08 20:13 - 2016-10-22 09:54 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-11-08 20:13 - 2016-10-22 09:46 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-11-08 20:13 - 2016-10-22 09:45 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-11-08 20:13 - 2016-10-22 09:44 - 04608000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-11-08 20:13 - 2016-10-22 09:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-11-08 20:13 - 2016-10-22 09:43 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-11-08 20:13 - 2016-10-22 09:30 - 13654016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-11-08 20:13 - 2016-10-22 09:12 - 02444800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-11-08 20:13 - 2016-10-22 09:09 - 01312256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-11-08 20:13 - 2016-10-22 09:09 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-11-08 20:13 - 2016-10-15 08:31 - 00976896 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-11-08 20:13 - 2016-10-15 08:31 - 00084480 _____ (Microsoft Corporation) C:\Windows\system32\INETRES.dll
2016-11-08 20:13 - 2016-10-15 08:13 - 00741888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-11-08 20:13 - 2016-10-15 08:13 - 00084480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\INETRES.dll
2016-11-08 20:13 - 2016-10-11 08:37 - 00370920 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2016-11-08 20:13 - 2016-10-11 08:31 - 01148416 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10.IME
2016-11-08 20:13 - 2016-10-11 08:31 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2016-11-08 20:13 - 2016-10-11 08:31 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2016-11-08 20:13 - 2016-10-11 08:31 - 00457216 _____ (Microsoft Corporation) C:\Windows\system32\imkr80.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00246784 _____ (Microsoft Corporation) C:\Windows\system32\input.dll
2016-11-08 20:13 - 2016-10-11 08:31 - 00176128 _____ (Microsoft Corporation) C:\Windows\system32\tintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\quick.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\qintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\phon.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\cintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00175104 _____ (Microsoft Corporation) C:\Windows\system32\chajei.ime
2016-11-08 20:13 - 2016-10-11 08:31 - 00132608 _____ (Microsoft Corporation) C:\Windows\system32\pintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 01027584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10.IME
2016-11-08 20:13 - 2016-10-11 08:18 - 00829952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2016-11-08 20:13 - 2016-10-11 08:18 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2016-11-08 20:13 - 2016-10-11 08:18 - 00430080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imkr80.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00202240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\input.dll
2016-11-08 20:13 - 2016-10-11 08:18 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00125952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quick.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00125952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00125952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\phon.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00125952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cintlgnt.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00125952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\chajei.ime
2016-11-08 20:13 - 2016-10-11 08:18 - 00090112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pintlgnt.ime
2016-11-08 20:13 - 2016-10-11 06:33 - 00187392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UIAnimation.dll
2016-11-08 20:13 - 2016-10-11 06:06 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\UIAnimation.dll
2016-11-08 20:13 - 2016-10-10 08:38 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-11-08 20:13 - 2016-10-10 08:38 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-11-08 20:13 - 2016-10-10 08:34 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-11-08 20:13 - 2016-10-10 08:34 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-11-08 20:13 - 2016-10-10 08:34 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-11-08 20:13 - 2016-10-10 08:34 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 01462272 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-11-08 20:13 - 2016-10-10 08:33 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-11-08 20:13 - 2016-10-10 08:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-11-08 20:13 - 2016-10-10 08:02 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-11-08 20:13 - 2016-10-10 07:56 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-11-08 20:13 - 2016-10-10 07:55 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-11-08 20:13 - 2016-10-10 07:55 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-11-08 20:13 - 2016-10-10 07:55 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-11-08 20:13 - 2016-10-10 07:54 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-11-08 20:13 - 2016-10-10 07:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-11-08 20:13 - 2016-10-07 08:40 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-11-08 20:13 - 2016-10-07 08:37 - 05547752 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-11-08 20:13 - 2016-10-07 08:37 - 00706792 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-11-08 20:13 - 2016-10-07 08:35 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 03649536 _____ (Microsoft Corporation) C:\Windows\system32\MSVidCtl.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00877056 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\asycfilt.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:32 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:18 - 04000488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-11-08 20:13 - 2016-10-07 08:18 - 03944680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-11-08 20:13 - 2016-10-07 08:15 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 02291712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MSVidCtl.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00581632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\asycfilt.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 08:04 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-11-08 20:13 - 2016-10-07 08:04 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-11-08 20:13 - 2016-10-07 08:04 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-11-08 20:13 - 2016-10-07 08:01 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-11-08 20:13 - 2016-10-07 08:00 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-11-08 20:13 - 2016-10-07 07:56 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-11-08 20:13 - 2016-10-07 07:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-11-08 20:13 - 2016-10-07 07:50 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-11-08 20:13 - 2016-10-07 07:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-11-08 20:13 - 2016-10-07 07:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-11-08 20:13 - 2016-10-07 07:49 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 07:49 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 07:49 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-11-08 20:13 - 2016-10-07 07:49 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-11-08 20:13 - 2016-10-05 07:54 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bowser.sys
2016-11-08 20:13 - 2016-09-15 07:56 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2016-11-08 20:13 - 2016-09-13 08:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-11-08 20:13 - 2016-09-13 08:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-11-08 20:13 - 2016-09-09 11:20 - 00756736 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2016-11-08 20:13 - 2016-09-09 11:00 - 00497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2016-11-08 20:13 - 2016-08-22 09:19 - 01386496 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll


==================== One Month Modified files and folders ========


(If an entry is included in the fixlist, the file/folder will be moved.)


2016-12-07 15:29 - 2013-01-31 16:26 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-07 15:21 - 2014-01-05 10:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-07 15:16 - 2016-05-27 14:11 - 00000332 _____ C:\Windows\Tasks\HPCeeScheduleForRickF.job
2016-12-07 15:04 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-12-07 14:59 - 2009-07-13 22:13 - 00986368 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-07 14:52 - 2014-02-04 16:28 - 00000598 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-843312985-487402592-91182677-1221.job
2016-12-07 14:47 - 2013-02-01 15:56 - 00000000 ____D C:\ScanFolder
2016-12-07 14:08 - 2013-07-10 10:31 - 00000000 ____D C:\Users\RickF.REDHORSE\AppData\Local\CrashDumps
2016-12-07 13:54 - 2013-04-23 17:03 - 00002000 ____H C:\Users\RickF.REDHORSE\Documents\Default.rdp
2016-12-07 13:42 - 2016-09-20 09:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-12-07 13:33 - 2015-05-31 00:14 - 00000694 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-843312985-487402592-91182677-1221.job
2016-12-07 13:30 - 2016-09-20 09:08 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-07 13:23 - 2013-02-01 12:39 - 00003926 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{41596195-E1F3-4B0D-B88B-5E33F89F9882}
2016-12-07 10:00 - 2014-10-14 15:22 - 00038111 _____ C:\Users\RickF.REDHORSE\Documents\North Diesel Transactions.xlsx
2016-12-07 09:59 - 2012-10-26 08:21 - 00000000 ____D C:\ProgramData\PDFC
2016-12-07 09:07 - 2009-07-13 21:45 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-07 09:07 - 2009-07-13 21:45 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-07 09:01 - 2013-07-18 10:20 - 00000000 ___RD C:\Users\RickF.REDHORSE\Google Drive
2016-12-07 09:00 - 2014-06-06 10:11 - 00008192 _____ C:\Windows\SysWOW64\WDPABKP.dat
2016-12-07 09:00 - 2013-02-01 15:47 - 00000000 ____D C:\temp
2016-12-07 09:00 - 2013-01-31 16:26 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-07 08:59 - 2013-02-01 12:32 - 00000216 _____ C:\Windows\system32\config\netlogon.ftl
2016-12-07 08:59 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-07 08:08 - 2015-09-29 09:52 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\Cardlock Tests - Intevacon
2016-12-06 08:17 - 2013-07-31 12:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-06 08:14 - 2015-12-17 17:34 - 00128592 _____ C:\Windows\system32\RW_FileType.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00123246 _____ C:\Windows\system32\RW_AppData.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00001504 _____ C:\Windows\system32\EvGr_Data{52804FC4-6BF0-11E2-BD09-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00001296 _____ C:\Windows\system32\EvGr_Data{25365CC5-1F84-11E2-AE92-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000576 _____ C:\Windows\system32\RW_FileFlag.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000168 _____ C:\Windows\system32\RW_{898B62EF-8939-11E3-A39B-E83935453E37}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000168 _____ C:\Windows\system32\RW_{52804FC5-6BF0-11E2-BD09-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000168 _____ C:\Windows\system32\RW_{52804FC4-6BF0-11E2-BD09-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000168 _____ C:\Windows\system32\RW_{25365CC5-1F84-11E2-AE92-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000168 _____ C:\Windows\system32\RW_{25365CC3-1F84-11E2-AE92-806E6F6E6963}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000016 _____ C:\Windows\system32\EvGr_Data{898B62EF-8939-11E3-A39B-E83935453E37}.dat
2016-12-06 08:14 - 2015-12-17 17:34 - 00000016 _____ C:\Windows\system32\EvGr_Data{52804FC5-6BF0-11E2-BD09-806E6F6E6963}.dat
2016-12-02 15:16 - 2016-05-27 14:11 - 00003186 _____ C:\Windows\System32\Tasks\HPCeeScheduleForRickF
2016-12-02 09:19 - 2015-10-16 13:10 - 00000000 ____D C:\Users\RickF.REDHORSE\Documents\City of Green River
2016-11-30 10:25 - 2014-06-05 10:33 - 00000000 ____D C:\Users\RickF.REDHORSE\Desktop\PRICEBOOK
2016-11-27 01:00 - 2016-10-21 16:06 - 00000000 ____D C:\Users\RickF.REDHORSE\AppData\Local\ElevatedDiagnostics
2016-11-21 11:33 - 2013-07-18 10:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-11-18 21:21 - 2015-05-31 00:14 - 00003720 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-843312985-487402592-91182677-1221
2016-11-18 21:21 - 2014-02-04 16:28 - 00003624 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-843312985-487402592-91182677-1221
2016-11-15 06:21 - 2013-07-10 15:03 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-11-15 06:19 - 2013-07-10 14:51 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-11-14 16:31 - 2013-01-31 16:29 - 00002197 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-11 17:35 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2016-11-11 15:49 - 2009-07-13 21:45 - 00326640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-11-11 12:39 - 2013-07-16 09:33 - 00000000 ____D C:\Windows\system32\MRT
2016-11-11 12:28 - 2013-01-31 13:38 - 141011376 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-11-11 00:30 - 2013-01-31 16:26 - 00000000 ____D C:\Program Files (x86)\Google
2016-11-08 05:21 - 2014-01-05 10:23 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-11-08 05:21 - 2012-10-26 08:21 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-11-08 05:21 - 2012-10-26 08:21 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-11-08 05:21 - 2012-10-26 08:21 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-11-08 05:21 - 2012-10-26 08:21 - 00000000 ____D C:\Windows\system32\Macromed
2016-11-07 21:18 - 2014-12-24 12:35 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task


==================== Files in the root of some directories =======


2014-04-30 15:27 - 2014-04-30 15:27 - 0000102 _____ () C:\Users\RickF.REDHORSE\AppData\Local\fusioncache.dat


==================== Bamital & volsnap ======================


(There is no automatic fix for files that do not pass verification.)


C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-12-04 00:54


==================== End of FRST.txt ============================

Here is ADDITION.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by RickF (07-12-2016 15:31:22)
Running from C:\Users\RickF.REDHORSE\Desktop\Sysnative
Windows 7 Professional Service Pack 1 (X64) (2013-01-31 19:02:16)
Boot Mode: Normal
==========================================================




==================== Accounts: =============================


Administrator (S-1-5-21-3994167903-621086645-1199970853-500 - Administrator - Disabled)
ASPNET (S-1-5-21-3994167903-621086645-1199970853-1020 - Limited - Enabled)
Guest (S-1-5-21-3994167903-621086645-1199970853-501 - Limited - Disabled)
RickF (S-1-5-21-3994167903-621086645-1199970853-1001 - Administrator - Enabled) => C:\Users\RickF
SophosSAUMIS0 (S-1-5-21-3994167903-621086645-1199970853-1021 - Limited - Enabled)


==================== Security Center ========================


(If an entry is included in the fixlist, it will be removed.)


AV: Microsoft Security Essentials (Disabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Sophos Anti-Virus (Enabled - Up to date) {FFADE7EA-DC92-4602-D6B2-626CD3450A0F}
AS: Microsoft Security Essentials (Disabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Sophos Anti-Virus (Enabled - Up to date) {44CC060E-FAA8-498C-EC02-591EA8C240B2}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


==================== Installed Programs ======================


(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)


7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Bing Bar (HKLM-x32\...\{3365E735-48A6-4194-9988-CE59AC5AE503}) (Version: 7.3.132.0 - Microsoft Corporation)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Carbonite (HKLM-x32\...\{D0D08FBC-6D5F-482C-B2ED-32E67D8FFAFF}) (Version: 6.0.1 build 6421 (Aug-04-2016) - Carbonite)
CCleaner (HKLM\...\CCleaner) (Version: 5.24 - Piriform)
Chrome Remote Desktop Host (HKLM-x32\...\{D669DC52-B1A4-4933-878D-CB80F660D95D}) (Version: 55.0.2883.17 - Google Inc.)
Cisco WebEx Meetings (HKU\S-1-5-21-843312985-487402592-91182677-1221\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
CoffeeCup Responsive Layout Maker Pro (HKLM\...\CoffeeCup Responsive Layout Maker Pro 1.0-2521) (Version: 1.0-2521 - CoffeeCup Software, Inc.)
Crystal Reports for .NET Framework 2.0 (x64) (HKLM\...\{E679FCFF-4429-40CC-A7BF-0602261969ED}) (Version: 10.2.0 - Business Objects)
CrystalXIRedist (HKLM-x32\...\{EAFA3FF9-009E-4654-BA6F-845459517DD3}) (Version: 11.5.1 - Business Objects)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Device Access Manager for HP ProtectTools (HKLM\...\{55B52830-024A-443E-AF61-61E1E71AFA1B}) (Version: 7.0.0.4 - Hewlett-Packard Company)
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Diskeeper 12 Professional (HKLM\...\{B67BB88D-120B-4635-83C9-2E60CF9C70AC}) (Version: 16.0.1012.64 - Condusiv Technologies)
Drive Encryption For HP ProtectTools (HKLM\...\{27F1E086-5691-4EB8-8BA1-5CBA87D67EB5}) (Version: 7.0.38.31665 - Hewlett-Packard Company)
E1 Terminal (HKLM-x32\...\E1 Terminal_is1) (Version: - )
EMET 4.1 (HKLM-x32\...\{65BC2BDA-D828-4596-99E4-A8799C45C84C}) (Version: 4.1 - Microsoft Corporation)
File Sanitizer For HP ProtectTools (HKLM-x32\...\{6D6ADF03-B257-4EA5-BBC1-1D145AF8D514}) (Version: 7.0.0.4 - Hewlett-Packard Company)
FileZilla Client 3.22.1 (HKLM-x32\...\FileZilla Client) (Version: 3.22.1 - Tim Kosse)
Firestream Ascend Retail (HKLM-x32\...\FirestreamAscendRetail) (Version: 4.08.1.0010 - Firestream Worldwide)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Drive (HKLM-x32\...\{8696116E-F4C2-4C64-AD7E-FF365E244FA4}) (Version: 1.32.3889.0961 - Google, Inc.)
Google Photos Backup (HKU\S-1-5-21-843312985-487402592-91182677-1221\...\Google Photos Backup) (Version: 1.1.2.13 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
GoToMeeting 7.27.0.5922 (HKU\S-1-5-21-843312985-487402592-91182677-1221\...\GoToMeeting) (Version: 7.27.0.5922 - CitrixOnline)
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP ProtectTools Security Manager (HKLM\...\HPProtectTools) (Version: 7.0.1.1199 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{438363A8-F486-4C37-834C-4955773CB3D3}) (Version: 9.1.15430.4033 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{E959FD01-BD01-4CC4-9BB8-4EBE8309BF37}) (Version: 8.3.34.7 - HP)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 11.00.0001 - Hewlett-Packard)
HP Support Solutions Framework (HKLM-x32\...\{E2CB09C1-3C76-4395-BB47-50C066535CF8}) (Version: 12.5.32.37 - HP)
HPISDataManager (HKLM-x32\...\{A682ACFC-C295-44F9-B745-6656B3272E7D}) (Version: 1.0.0.27 - Hewlett-Packard Company)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.3.1427 - Intel Corporation)
Intel(R) Network Connections 16.8.45.1 (HKLM\...\PROSetDX) (Version: 16.8.45.1 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2849 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.6.245 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java(TM) 6 Update 32 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416032FF}) (Version: 6.0.320 - Oracle)
Keller's DMS/FTM Quarterly Update (HKLM-x32\...\InstallShield_{E5CDDE8C-760C-42F6-910B-C5C34A57FDF9}) (Version: 6.00.0000 - J.J. Keller & Associates, Inc.)
Keller's DMS/FTM Quarterly Update (x32 Version: 6.00.0000 - J.J. Keller & Associates, Inc.) Hidden
Keller's Log Checker Product Install (HKLM-x32\...\InstallShield_{16E8D0BB-6010-4C81-8483-6CE46A6C4C9C}) (Version: 6.00.0000 - J.J. Keller & Associates, Inc.)
Keller's Log Checker Product Install (x32 Version: 6.00.0000 - J.J. Keller & Associates, Inc.) Hidden
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version: - LastPass)
Macromedia Fireworks 8 (HKLM-x32\...\{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}) (Version: 8.0.0.777 - Macromedia)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Lync Web App Plug-in (HKLM\...\{530923FF-A970-4952-9D2F-5FF3C874B50A}) (Version: 15.8.8308.920 - Microsoft Corporation)
Microsoft Office 2003 Web Components (HKLM-x32\...\{90120000-00A4-0409-0000-0000000FF1CE}) (Version: 12.0.6213.1000 - Microsoft Corporation)
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4875.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-843312985-487402592-91182677-1221\...\OneDriveSetup.exe) (Version: 17.3.5951.0827 - Microsoft Corporation)
Microsoft Report Viewer Redistributable 2008 SP1 (HKLM-x32\...\Microsoft Report Viewer Redistributable 2008 (KB971119)) (Version: - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server Desktop Engine (JJKA_KDS) (HKLM-x32\...\{E09B48B5-E141-427A-AB0C-D3605127224A}) (Version: 8.00.761 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{751EE164-9F12-4E57-ADB0-02D8F34A10AD}) (Version: 9.00.1399.06 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x64) ENU (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Database Providers (x64) ENU (HKLM\...\{29FF483A-A9C2-44E5-9BFF-E1607E9B35B1}) (Version: 3.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (HKLM-x32\...\{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}) (Version: 9.0.21022.218 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM-x32\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Mobirise (HKLM-x32\...\Mobirise_is1) (Version: - Mobirise.com)
MotoHelper MergeModules (x32 Version: 1.2.0 - Motorola) Hidden
Motorola Device Manager (HKLM-x32\...\{28DB8373-C1BB-444F-A427-A55585A12ED7}) (Version: 2.4.5 - Motorola Mobility)
Motorola Device Software Update (x32 Version: 13.09.3001 - Motorola Mobility) Hidden
Motorola Mobile Drivers Installation 6.3.0 (HKLM\...\{759E6A2F-1F01-45EF-A0C4-22F1B56CB975}) (Version: 6.3.0 - Motorola Mobility LLC)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version: - Pavel Cvrcek)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.5.1.6178 - Mozilla)
Mozilla Thunderbird 45.5.1 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.5.1 (x86 en-US)) (Version: 45.5.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
NetLib Encryptionizer DE Distribution (HKLM-x32\...\NetLib Encryptionizer DE Distribution-2008.6.22.0) (Version: 2008.6.22.0 - Communication Horizons)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.1 - Notepad++ Team)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4875.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4875.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4875.1001 - Microsoft Corporation) Hidden
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
PDF Complete Corporate Edition (HKLM-x32\...\PDF Complete) (Version: 4.1.2 - PDF Complete, Inc)
Privacy Manager for HP ProtectTools (HKLM\...\{CA2F6FAD-D8CD-42C1-B04D-6E5B1B1CFDCC}) (Version: 7.0.0.862 - Hewlett-Packard Company)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6730 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.5223 - CyberLink Corp.) Hidden
Recuva (HKLM\...\Recuva) (Version: 1.53 - Piriform)
Sage Abra Suite (HKU\S-1-5-21-843312985-487402592-91182677-1221\...\8b549dcb11fbac01) (Version: 9.11.46.1 - Sage Software)
Sage Abra Suite Components (HKLM-x32\...\{E65E7559-55BC-46C5-B14D-11A609960B3E}) (Version: 9.10.63 - Sage)
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
Sophos Anti-Virus (x32 Version: 10.7.0.301 - Sophos Limited) Hidden
Sophos AutoUpdate XG (x32 Version: 5.5.0.26 - Sophos Limited) Hidden
Sophos Diagnostic Utility (x32 Version: 1.13.0.4 - Sophos Limited) Hidden
Sophos Endpoint (Version: 1.0.0.301 - Sophos Limited) Hidden
Sophos Endpoint Agent (HKLM\...\Sophos Endpoint Agent) (Version: 11.5.2 - Sophos Ltd)
Sophos Endpoint Defense (Version: 1.0.0.265 - Sophos Limited) Hidden
Sophos Health (x32 Version: 2.0.3.32 - Sophos Limited) Hidden
Sophos Heartbeat (x32 Version: 4.2.0.79 - Sophos Limited) Hidden
Sophos Management Communications System (x32 Version: 4.3.1.5 - Sophos Limited) Hidden
Sophos Network Threat Protection (Version: 1.3.1.12 - Sophos Limited) Hidden
Sophos System Protection (Version: 2.6.0.71 - Sophos Limited) Hidden
Theft Recovery for HP ProtectTools (HKLM-x32\...\InstallShield_{10F5A72A-1E07-4FAE-A7E7-14B10CC66B17}) (Version: 7.0.0.9 - Hewlett-Packard Company)
Theft Recovery for HP ProtectTools (x32 Version: 7.0.0.9 - Hewlett-Packard Company) Hidden
TinyTERM (HKLM-x32\...\{3E456FC1-2DAD-4810-B9F0-5FB6A2E4875A}) (Version: 4.7.0 - Century Software, Inc.)
Verizon Software Upgrade Assistant (x32 Version: 14.08.0601 - Motorola Mobility) Hidden
Verizon Wireless Software Upgrade Assistant for Motorola (HKLM-x32\...\{9BEDD987-AC68-44D2-8803-EC0650F6C43F}) (Version: 1.3.1 - Motorola Mobility)
VIP Access SDK (1.1.0.2) (HKLM-x32\...\VIP Access SDK) (Version: 1.1.0.2 - Symantec Inc.)
WD Drive Utilities (HKLM-x32\...\{eab1fb93-61fb-48de-b815-b4e9b68d2ef1}) (Version: 1.3.2.2 - Western Digital Technologies, Inc.)
WD Drive Utilities (x32 Version: 1.3.2.2 - Western Digital Technologies, Inc.) Hidden
WD Quick View (HKLM-x32\...\{F4F2EF32-EAFE-4F87-B7DC-E19C9F8E76FC}) (Version: 2.4.16.16 - Western Digital Technologies, Inc.)
WD Security (HKLM-x32\...\{2B58AB2C-D980-47FD-8633-E360314BA662}) (Version: 1.0.6.3 - Western Digital Technologies, Inc.)
WD SmartWare (HKLM\...\{515B34CA-1229-4EDA-AE7C-53CBA68B8A7A}) (Version: 2.4.16.16 - Western Digital Technologies, Inc.)
WD SmartWare Installer (HKLM-x32\...\{4555885d-a64c-4234-9aac-72a8a6b5590b}) (Version: 2.4.16.16 - Western Digital Technologies, Inc.)
Windows Automated Installation Kit (HKLM\...\{31E8F586-4EF7-4500-844D-BA8756474FF1}) (Version: 2.0.0.0 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)


==================== Custom CLSID (Whitelisted): ==========================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


CustomCLSID: HKU\S-1-5-21-843312985-487402592-91182677-1221_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-843312985-487402592-91182677-1221_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\RickF.REDHORSE\AppData\Local\Citrix\GoToMeeting\5808\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-843312985-487402592-91182677-1221_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll (Google Inc.)


==================== Scheduled Tasks (Whitelisted) =============


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


Task: {0605318C-353B-433D-9D02-8341C9A68B42} - System32\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} => C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
Task: {0C86BDA3-949C-4752-A744-2D25156B357C} - System32\Tasks\{5870D776-B7B1-4122-8174-AD3CCE4F83E1} => C:\Program Files\Ascend Retail\AuditingManager.exe [2012-12-19] ()
Task: {1D9FB234-15DA-49ED-844E-53EEA9F40A4C} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-11-07] (HP Inc.)
Task: {23267C6E-6EA1-4AF4-8ABA-285CBCBB8385} - System32\Tasks\G2MUpdateTask-S-1-5-21-843312985-487402592-91182677-1221 => C:\Users\RickF.REDHORSE\AppData\Local\Citrix\GoToMeeting\5922\g2mupdate.exe [2016-11-18] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {274C7B0F-5170-47AE-8D80-56614C9854EB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard)
Task: {2E692FDD-3ADF-44F5-B7A2-13AD00E8E3D9} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-10-21] (Adobe Systems Incorporated)
Task: {4845093B-970C-4706-A324-59E0E8DCE7E3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {48572540-B2C0-47E3-B667-546774D2878D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {4C6A86E0-2C89-4429-904D-73E06CDAEF97} - System32\Tasks\{95BDE0C1-AE6F-43D5-9119-2F92112B0CCD} => pcalua.exe -a C:\Users\RickF.REDHORSE\Desktop\LogCheckerImport.exe -d C:\Users\RickF.REDHORSE\Desktop
Task: {61140F09-E083-4B70-90EC-C9F2C7F8836F} - System32\Tasks\{11C59448-DCF1-4ED7-9C46-0469AE5A3D10} => C:\Program Files\Ascend Retail\AuditingManager.exe [2012-12-19] ()
Task: {66DF3BF7-F620-4BB6-8427-902994074087} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {8F977A14-447F-4AC8-996A-6ECDED78EA5D} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-10-04] (Microsoft Corporation)
Task: {90121799-FE8D-4C73-ACD5-42CBB0408B80} - System32\Tasks\G2MUploadTask-S-1-5-21-843312985-487402592-91182677-1221 => C:\Users\RickF.REDHORSE\AppData\Local\Citrix\GoToMeeting\5922\g2mupload.exe [2016-11-18] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {90E78081-5688-4C19-8D90-C6A945502F69} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-10-04] (Microsoft Corporation)
Task: {93E6944E-92D2-47DE-AB91-5EBFDB09E278} - System32\Tasks\Verizon Wireless Upgrade Assistant Update Initial Update => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\VerizonWirelessUpgradeAssistantUpdate.exe [2014-07-29] ()
Task: {968F431C-7542-4D34-A6F5-365A09741A93} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.)
Task: {993FB62A-BA1E-445F-A516-77F0A4981D2C} - System32\Tasks\Motorola Device Manager Initial Update => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2013-10-31] ()
Task: {9F696BF8-89D3-4C50-B577-5C233EC3E37E} - System32\Tasks\{E65F48B4-135F-45E4-93BE-130F9CDFEFB9} => C:\Program Files\Ascend Retail\AuditingManager.exe [2012-12-19] ()
Task: {AD37FCD2-87D1-40A2-9CB7-3995CCC5B95B} - System32\Tasks\Motorola Device Manager Engine => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2013-10-31] ()
Task: {B2D44782-7E61-4E09-A20B-9A42A849716E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.)
Task: {B44A37A9-CDAC-4FE7-88F0-09720ADB8E70} - System32\Tasks\Motorola Device Manager Update => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotorolaDeviceManagerUpdate.exe [2013-10-31] ()
Task: {B9C7A317-2AFA-461F-9040-36F69ACC0A6D} - System32\Tasks\Verizon Wireless Upgrade Assistant Update => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\VerizonWirelessUpgradeAssistantUpdate.exe [2014-07-29] ()
Task: {C69FB3AA-B688-4A0A-B6F8-490046BEF56C} - System32\Tasks\Verizon Wireless Upgrade Assistant Update Engine => C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\VerizonWirelessUpgradeAssistantUpdate.exe [2014-07-29] ()
Task: {D59128C9-FBE4-4774-9433-CF7A24E37A14} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-11-08] (Adobe Systems Incorporated)
Task: {DC10D1F1-4914-4CCF-B69E-F41E67317476} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-11-15] (Piriform Ltd)
Task: {E0BD0A26-BC05-417D-BE51-48296A141B04} - System32\Tasks\HPCeeScheduleForRickF => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {FFE0FF9A-2B33-4383-B4B7-B85801761165} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-843312985-487402592-91182677-1221.job => C:\Users\RickF.REDHORSE\AppData\Local\Citrix\GoToMeeting\5922\g2mupdate.exe C:\Users\RickF.RED
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-843312985-487402592-91182677-1221.job => C:\Users\RickF.REDHORSE\AppData\Local\Citrix\GoToMeeting\5922\g2mupload.exe C:\Users\RickF.RED
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core1d123e9e48b71d.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core1d12ce71e843fa.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core1d163cbacd18f1.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core1d1aafe15cf8453.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-843312985-487402592-91182677-1221Core1d1e916e247de40.job => C:\Users\RickF.REDHORSE\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForRickF.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe


==================== Shortcuts =============================


(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\RickF.REDHORSE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Chrome Remote Desktop.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp


==================== Loaded Modules (Whitelisted) ==============


2013-11-21 09:14 - 2013-11-21 09:14 - 00089232 _____ () C:\Program Files (x86)\EMET 4.1\EMET_CE64.DLL
2012-06-01 16:55 - 2012-06-01 16:55 - 03346432 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EpeHpFve64.dll
2012-06-01 16:13 - 2012-06-01 16:13 - 00141824 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHostInterface64.dll
2014-11-04 10:11 - 2012-08-31 15:03 - 00288768 _____ () C:\Windows\System32\HP1100LM.DLL
2014-11-04 10:11 - 2012-08-31 15:02 - 00074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2014-06-06 10:26 - 2016-05-24 09:51 - 00116416 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2012-06-01 16:16 - 2012-06-01 16:16 - 01327104 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
2016-10-19 09:25 - 2016-10-19 09:25 - 00234336 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\http.plg
2016-10-19 09:25 - 2016-10-19 09:25 - 00141432 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\ip.plg
2016-10-19 09:25 - 2016-10-19 09:25 - 00120080 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\ipv6.plg
2016-10-19 09:25 - 2016-10-19 09:25 - 00077432 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\portmap.plg
2016-10-19 09:25 - 2016-10-19 09:25 - 00165736 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\tcp.plg
2016-10-19 09:25 - 2016-10-19 09:25 - 00149168 _____ () C:\Program Files\Sophos\Sophos Network Threat Protection\bin\plugins\udp.plg
2016-10-03 07:57 - 2016-10-03 07:57 - 00052400 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2015-04-15 13:13 - 2015-04-15 13:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2012-03-19 16:09 - 2012-03-19 16:09 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-06-13 07:05 - 2012-06-13 07:05 - 00088440 _____ () C:\Program Files\Condusiv Technologies\Diskeeper\DK_Net.dll
2013-11-21 09:14 - 2013-11-21 09:14 - 00080528 _____ () C:\Program Files (x86)\EMET 4.1\EMET_CE.DLL
2012-06-01 16:41 - 2012-06-01 16:41 - 02854912 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcEncryptionProviderPlugin.dll
2012-06-01 16:13 - 2012-06-01 16:13 - 00126976 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHostInterface.dll
2012-06-01 16:40 - 2012-06-01 16:40 - 03031040 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EpeOpalEncryptionProviderPlugin.dll
2012-06-01 16:45 - 2012-06-01 16:45 - 02867200 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EpeHpDpHostPlugin.dll
2012-06-01 16:43 - 2012-06-01 16:43 - 00053248 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EpeOpalATASec4SATA.dll
2012-06-01 16:17 - 2012-06-01 16:17 - 02043904 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeCoreEncryptionPlugin.dll
2012-06-01 16:18 - 2012-06-01 16:18 - 01949696 _____ () C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeProductDetectionPlugin.dll
2014-04-07 07:31 - 2014-04-07 07:31 - 00172032 _____ () C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\css_core.dll
2016-04-08 15:35 - 2016-04-08 15:35 - 03481600 _____ () C:\Users\RickF.REDHORSE\AppData\Local\Programs\Google\Google Photos Backup\gpuploader_i18n.dll
2016-12-07 09:00 - 2016-12-07 09:00 - 00098816 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32api.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00110080 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\pywintypes27.dll
2016-12-07 09:00 - 2016-12-07 09:00 - 00364544 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\pythoncom27.dll
2016-12-07 09:00 - 2016-12-07 09:00 - 00320512 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32com.shell.shell.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00914432 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_hashlib.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 01176576 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._core_.pyd
2016-12-07 09:01 - 2016-12-07 09:01 - 00806400 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._gdi_.pyd
2016-12-07 09:01 - 2016-12-07 09:01 - 00816128 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._windows_.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 01067008 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._controls_.pyd
2016-12-07 09:01 - 2016-12-07 09:01 - 00733184 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._misc_.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00682496 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\pysqlite2._sqlite.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00088064 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_ctypes.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00686080 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\unicodedata.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00119808 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32file.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00108544 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32security.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00007168 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\hashobjs_ext.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00017920 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\thumbnails_ext.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00088064 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\usb_ext.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00012800 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\common.time34.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00018432 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32event.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00167936 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32gui.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00046080 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_socket.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 01303552 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_ssl.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00128512 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_elementtree.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00127488 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\pyexpat.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00038912 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32inet.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00036864 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_psutil_windows.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00525208 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\windows._lib_cacheinvalidation.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00011264 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32crypt.pyd
2016-12-07 09:01 - 2016-12-07 09:01 - 00123392 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._wizard.pyd
2016-12-07 09:01 - 2016-12-07 09:01 - 00077312 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._html2.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00027648 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_multiprocessing.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00020480 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\_yappi.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00035840 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32process.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00078848 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\wx._animate.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00024064 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32pipe.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00010240 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\select.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00025600 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32pdh.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00017408 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32profile.pyd
2016-12-07 09:00 - 2016-12-07 09:00 - 00022528 ____R () C:\Users\RICKF~1.RED\AppData\Local\Temp\_MEI63122\win32ts.pyd
2012-10-26 08:16 - 2012-02-21 13:09 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2016-11-14 16:31 - 2016-11-08 13:29 - 01819240 _____ () C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\libglesv2.dll
2016-11-14 16:31 - 2016-11-08 13:29 - 00093288 _____ () C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\libegl.dll


==================== Alternate Data Streams (Whitelisted) =========


(If an entry is included in the fixlist, only the ADS will be removed.)




==================== Safe Mode (Whitelisted) ===================


(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SntpService => ""="service"


==================== Association (Whitelisted) ===============


(If an entry is included in the fixlist, the registry item will be restored to default or removed.)




==================== Internet Explorer trusted/restricted ===============


(If an entry is included in the fixlist, it will be removed from the registry.)




==================== Hosts content: ==========================


(If needed Hosts: directive could be included in the fixlist to reset Hosts.)


2009-07-13 19:34 - 2013-12-19 14:42 - 00000966 ____A C:\Windows\system32\Drivers\etc\hosts


127.0.0.1 localhost
216.67.153.131 a3716
216.67.153.137 PHOENIX
216.67.153.139 FIREBIRD
216.67.153.146 MYBOOKWORLD


==================== Other Areas ============================


(Currently there is no automatic fix for this section.)


HKU\S-1-5-21-843312985-487402592-91182677-1221\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 216.67.153.137 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.


==================== MSCONFIG/TASK MANAGER disabled items ==




==================== FirewallRules (Whitelisted) ===============


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [VirtualPC-In-UDP-1] => %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-UDP-2] => %SystemRoot%\System32\vpc.exe
FirewallRules: [VirtualPC-In-TCP-1] => %SystemRoot%\System32\vpc.exe
FirewallRules: [{B656AD8D-89C2-43ED-8236-F20F39CF00CA}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{29CD498E-0D1E-4793-B3E0-7428BA37EA3B}] => C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E06C128C-4154-452F-9721-0DC9FD2C6ED5}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{29D08119-3449-46A5-BBF0-92BF59C913CB}] => C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{31F33676-E525-4794-AF78-7688B868871A}] => LPort=8194
FirewallRules: [MSMQ-In-TCP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-TCP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-In-UDP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-UDP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [TCP Query User{45F9D02D-747C-45C7-ADDB-17C807033591}C:\program files (x86)\google\chrome\application\chrome.exe] => C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{A14EEF22-36EF-4AFA-A85C-879B6E59F2A5}C:\program files (x86)\google\chrome\application\chrome.exe] => C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [{BFBEA4CE-22B1-4B36-B072-4C492AEE90CE}] => LPort=1433
FirewallRules: [{894ED942-91C2-46DA-98BF-8D88842F0447}] => LPort=1433
FirewallRules: [{46A900E9-CB1C-4AD7-847C-7A6B6A16AE5C}] => LPort=1433
FirewallRules: [{4362D051-0D0A-4EA8-95AF-E4D69A5FA342}] => LPort=1433
FirewallRules: [{CAEF7E9D-E0E2-4CA7-B0DA-78C1EDFBD3C5}] => LPort=1433
FirewallRules: [{95BAA04E-F596-4E9D-BD7D-02446E98D334}] => LPort=1433
FirewallRules: [{67D7757D-52BE-4A7C-87BD-B23457667401}] => LPort=4022
FirewallRules: [{928DF0B8-430A-4E59-9120-BCF07DDF40B2}] => LPort=4022
FirewallRules: [{59EF298A-4E69-423E-8A9A-AEE68637C987}] => LPort=4022
FirewallRules: [{A2001C7F-A544-458C-8900-636B613D87E9}] => LPort=4022
FirewallRules: [{4829EAFC-9023-4D9D-A06D-A8837631A03A}] => LPort=4022
FirewallRules: [{9BFA7115-C870-44FE-806D-57BD0271FC03}] => LPort=4022
FirewallRules: [{F7718966-DBB4-4D47-9DC6-D044B8E87918}] => LPort=20
FirewallRules: [{ECBE6545-1479-4CA1-B55F-5F0ED052CF44}] => LPort=20
FirewallRules: [{026A505D-B1ED-4679-9F55-9A0D884D9DAF}] => LPort=20
FirewallRules: [{E583C718-40A9-4E4B-B20A-37091C3134D0}] => LPort=20
FirewallRules: [{CC9C297C-6799-4016-98F5-447A01DF4CD0}] => LPort=20
FirewallRules: [{889E730B-2949-4D0C-9DD9-FB5235F7E7F1}] => LPort=20
FirewallRules: [{0F403590-FEEC-4A35-B6FE-90D14DB5F739}] => LPort=21
FirewallRules: [{05CAF6CB-94E2-41D9-98F8-BB7780B13F6F}] => LPort=21
FirewallRules: [{267D7193-9406-4B1E-B132-4C4FB6D904BB}] => LPort=21
FirewallRules: [{57609B73-F85C-46A2-A876-8C3C0609867E}] => LPort=21
FirewallRules: [{E9E94616-9E5A-4DA5-8723-E79A23D1B5DA}] => LPort=21
FirewallRules: [{7FBD5DA1-DE1F-4425-B147-40C960B9FC89}] => LPort=21
FirewallRules: [{B9E51BC5-F799-4A71-A604-5375D24760BA}] => LPort=137
FirewallRules: [{B49BF7AB-F957-4A65-8E32-CD79AD72CFC7}] => LPort=137
FirewallRules: [{DEB5B176-A63A-4B22-B63B-177BA2F8B7AE}] => LPort=137
FirewallRules: [{501464E0-E5B8-49EE-B8B8-DD4CC094CD7C}] => LPort=137
FirewallRules: [{D42F2478-0D38-4113-BCE3-279D05647ED4}] => LPort=137
FirewallRules: [{A67CFA5D-BB6C-429C-A366-B38D3A51557A}] => LPort=137
FirewallRules: [{23E7F22D-AC5C-4849-9F00-764588A79B3A}] => LPort=138
FirewallRules: [{54AFBE2B-8D16-4B47-9455-CD1C60E11E62}] => LPort=138
FirewallRules: [{DB90DCC3-27BD-4BA9-AAAE-C30D92457502}] => LPort=138
FirewallRules: [{CD8912CB-67A8-4057-8A5A-1015967D0061}] => LPort=138
FirewallRules: [{B307787B-0643-4B25-ABF1-4B0B83FF9940}] => LPort=138
FirewallRules: [{2DD897AB-4ED9-4467-B4A3-F45D122E2B18}] => LPort=138
FirewallRules: [{9BA10C67-C745-482F-A02E-993B5787FE09}] => LPort=139
FirewallRules: [{783A8EE0-49A2-4AF5-B8C7-F945B85CBD83}] => LPort=139
FirewallRules: [{BB2F7003-5F3C-4842-8136-06CDBE6E5FAD}] => LPort=139
FirewallRules: [{111AE545-805E-4C07-AD4C-D99CB30F5AC3}] => LPort=139
FirewallRules: [{5EDDC6E7-CFA6-435C-A27C-20C20E564719}] => LPort=139
FirewallRules: [{BBF4502B-0F82-4135-BE9A-192C583FE499}] => LPort=139
FirewallRules: [{6BBA5D54-E858-4545-A84D-5063527756C2}] => LPort=445
FirewallRules: [{5609493A-40E6-4486-957F-50E509A6B1DA}] => LPort=445
FirewallRules: [{295BA4F1-7AE8-4EFE-962B-36360E0B315B}] => LPort=445
FirewallRules: [{CD72A546-89DA-45E6-99B2-62C1DA685A3D}] => LPort=445
FirewallRules: [{0175A1D0-4F04-489A-9BC2-CE28A8D3F008}] => LPort=445
FirewallRules: [{6974C96A-8950-46FB-9FDE-6A3B8AF1962C}] => LPort=445
FirewallRules: [TCP Query User{4263623C-2515-4D19-A0DC-244350F2289A}C:\windows\system32\ftp.exe] => C:\windows\system32\ftp.exe
FirewallRules: [UDP Query User{F340AAD5-AC78-4F32-B0A0-515079FD8D8A}C:\windows\system32\ftp.exe] => C:\windows\system32\ftp.exe
FirewallRules: [{D6DC5DEB-6BD2-4146-A2FA-BB13E1C1F06A}] => C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{64C1EF68-2644-4314-9941-5747740F09C4}] => LPort=2869
FirewallRules: [{0B0FF2D0-7D6F-439A-AEAC-B5A891ABDA3C}] => LPort=1900
FirewallRules: [{80AEA3A0-3F0C-4D08-B458-46D6B1FA3D6E}] => C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{78280E5D-F73C-47C6-9EEE-3F3EFE7BD275}] => LPort=9100
FirewallRules: [{4B1CEF4F-5BDD-49FB-AAB6-A16DE02465DB}] => LPort=427
FirewallRules: [{205D55D2-A59B-4425-8834-784DCEDDF763}] => LPort=161
FirewallRules: [{B64CAD62-5FFD-49DE-BE09-8B61E39CAAC9}] => C:\Program Files (x86)\Google\Chrome Remote Desktop\55.0.2883.17\remoting_host.exe
FirewallRules: [{E9747109-CF67-47BC-A48B-86A18756164D}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Restore Points =========================


07-12-2016 11:18:56 Scheduled Checkpoint


==================== Faulty Device Manager Devices =============




==================== Event log errors: =========================


Application errors:
==================
Error: (12/07/2016 03:02:51 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 03:02:51 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 03:00:57 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:59:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:59:52 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:58:44 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:58:44 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:58:34 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 02:58:28 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.


Error: (12/07/2016 12:40:58 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CheckTokenMembership. hr = 0x80070005, Access is denied.
.




System errors:
=============
Error: (12/07/2016 03:26:35 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:25:35 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:24:14 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:23:12 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:22:12 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:21:22 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.


Error: (12/07/2016 03:21:11 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:20:11 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:19:11 PM) (Source: SAVOnAccess) (EventID: 769) (User: )
Description: The on-access driver could not check device control for volume \Device\Harddisk1\DR6.


Error: (12/07/2016 03:04:38 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.




CodeIntegrity:
===================================
Date: 2013-08-08 16:57:38.249
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


Date: 2013-08-08 16:14:06.959
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


Date: 2013-08-08 16:02:29.460
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


Date: 2013-07-11 16:09:55.264
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 16:17:52.056
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 15:57:01.483
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 15:56:48.447
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 15:56:27.054
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 15:50:53.273
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.


Date: 2013-02-01 15:48:12.742
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\SRSLabs\{176F4E15-8F7C-4833-ADED-81FAE8CCD186}\sluapo64.dll because the set of per-page image hashes could not be found on the system.




==================== Memory info ===========================


Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 50%
Total physical RAM: 8066.95 MB
Available physical RAM: 4003.33 MB
Total Virtual: 16132.08 MB
Available Virtual: 12001.05 MB


==================== Drives ================================


Drive c: (OS) (Fixed) (Total:922 GB) (Free:832.91 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:9.32 GB) (Free:1.05 GB) NTFS ==>[system with boot components (obtained from drive)]


==================== MBR & Partition Table ==================


========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: F9C70120)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=922 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=9.3 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=100 MB) - (Type=27)


==================== End of Addition.txt ============================

Here is SLAog.txt:

Result of Security Analysis by Rocket Grannie (x86) Updated: 7th December, 2016
Running from:C:\Users\RickF.REDHORSE\Desktop\Sysnative (15:33:58 - 12/07/2016)
***---------------------------------------------------------***
Microsoft Windows 7 Professional X64 Service Pack 1
UAC is Enabled!
Internet Explorer 11
Default Browser: Google Chrome
***------------Antivirus - Antispyware - Firewall-----------***
Microsoft Security Essentials (Disabled - Up to Date)
Sophos Anti-Virus (Enabled - Up to Date)
Microsoft Security Essentials (Disabled - Up to Date)
Sophos Anti-Virus (Enabled - Up to Date)
Windows Defender (Enabled - Up to Date)
Windows Firewall (Enabled)
*No other Firewall Installed*
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player Plugin (version 23.0.0.207)
Adobe Flash Player 23 ActiveX (version 23.0.0.205)
CCleaner (version 5.24)
Google Chrome (version 54)
Malwarebytes Anti-Malware (version 2.2.1.1043)
Microsoft Silverlight (version 5.1)
Thunderbird (version 45)
Windows Live Essentials (version 16.4)


Java(TM) 6 Update 32 (64-bit) (version 6.0.320) is *out of Date*


***----------------Analysis Complete-------------------------***
 
Hi, RickF.

I'm not seeing the same signs on this device as in the logs you posted for Amber. However, just to be cautions, it won't hurt to run MBAR on this device as well as her's:

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
 
Hi Corrine. Amber is the one that clicked the file and her machine is the only one that has the popup saying her files are encrypted. However, every machine on the network, including the two servers has some .osiris extensions on files. On the PC's they are confined to a folder called ScanFolder which is a folder the user uses when items are scanned on the copy machine to their PC. On one server the files on in a folder Public\Junk and on the other server they are all over the place.
 
Scan finished - no malware found. Here are the results:
Malwarebytes Anti-Rootkit BETA 1.9.3.1001
Malwarebytes | Free Cyber Security & Anti-Malware Software


Database version:
main: v2016.12.08.11
rootkit: v2016.11.20.01


Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18524
RickF :: MIS [administrator]


12/08/2016 9:02:40 AM
mbar-log-2016-12-08 (09-02-40).txt


Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 479367
Time elapsed: 17 minute(s), 2 second(s)


Memory Processes Detected: 0
(No malicious items detected)


Memory Modules Detected: 0
(No malicious items detected)


Registry Keys Detected: 0
(No malicious items detected)


Registry Values Detected: 0
(No malicious items detected)


Registry Data Items Detected: 0
(No malicious items detected)


Folders Detected: 0
(No malicious items detected)


Files Detected: 0
(No malicious items detected)


Physical Sectors Detected: 0
(No malicious items detected)


(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001


(c) Malwarebytes Corporation 2011-2012


OS version: 6.1.7601 Windows 7 Service Pack 1 x64


Account is Administrative


Internet Explorer version: 11.0.9600.18524


File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 3.192000 GHz
Memory total: 8458809344, free: 5239685120


Downloaded database version: v2016.12.08.11
Downloaded database version: v2016.11.20.01
Downloaded database version: v2016.11.29.02
=======================================
Driver version: 0.3.0.4
------------ Kernel report ------------
12/08/2016 09:02:32
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\iusb3hcs.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\DKDFM.sys
\SystemRoot\system32\drivers\FLTMGR.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\system32\drivers\DKTLFSMF.sys
\SystemRoot\System32\Drivers\nlem64nt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\system32\DRIVERS\SophosED.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\MfeEpeOpal.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\Drivers\MfeEpePc.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\savonaccess.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vpcnfltr.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\vpcvmm.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\iusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\HECIx64.sys
\SystemRoot\system32\drivers\serenum.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\parport.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\sdcfilter.sys
\SystemRoot\system32\drivers\intelppm.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\rdpbus.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\vpcusb.sys
\SystemRoot\system32\DRIVERS\usbrpm.sys
\SystemRoot\system32\drivers\vpchbus.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\iusb3hub.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_MfeEpeHb.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\mqac.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\system32\DRIVERS\sntp.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\DRIVERS\DKRtWrt.sys
\SystemRoot\system32\DRIVERS\WSDPrint.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\wdcsam64_prewin8.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\lpk.dll
\Windows\System32\comdlg32.dll
\Windows\System32\usp10.dll
\Windows\System32\shell32.dll
\Windows\System32\user32.dll
\Windows\System32\wininet.dll
\Windows\System32\Wldap32.dll
\Windows\System32\nsi.dll
\Windows\System32\shlwapi.dll
\Windows\System32\psapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\imm32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\sechost.dll
\Windows\System32\kernel32.dll
\Windows\System32\urlmon.dll
\Windows\System32\oleaut32.dll
\Windows\System32\setupapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\normaliz.dll
\Windows\System32\ws2_32.dll
\Windows\System32\ole32.dll
\Windows\System32\gdi32.dll
\Windows\System32\msctf.dll
\Windows\System32\iertutil.dll
\Windows\System32\imagehlp.dll
\Windows\System32\difxapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
----------- End -----------
Done!


Scan started
Database versions:
main: v2016.12.08.11
rootkit: v2016.11.20.01


<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800a067060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800a069040, DeviceName: Unknown, DriverName: \Driver\DKDFM\
DevicePointer: 0xfffffa8009eabb00, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800a067af0, DeviceName: Unknown, DriverName: \Driver\MfeEpeOpal\
DevicePointer: 0xfffffa800a068040, DeviceName: Unknown, DriverName: \Driver\MfeEpePc\
DevicePointer: 0xfffffa800a067060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80071edbf0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8007241050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F9C70120


Partition information:


Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition is bootable
Partition file system is NTFS


Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 1933563904
Partition is not bootable
Partition file system is NTFS


Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 1933770752 Numsec = 19546112
Partition is bootable
Partition file system is NTFS


Partition 3 type is Other (0x27)
Partition is NOT ACTIVE.
Partition starts at LBA: 1953316864 Numsec = 204800
Partition is not bootable
Partition file system is FAT32


Disk Size: 1000204886016 bytes
Sector size: 512 bytes


Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xfffffa8007573240, DeviceName: \Device\Harddisk1\DR9\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800b115040, DeviceName: Unknown, DriverName: \Driver\DKDFM\
DevicePointer: 0xfffffa8006d659c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800a6ba040, DeviceName: Unknown, DriverName: \Driver\MfeEpeOpal\
DevicePointer: 0xfffffa800d357210, DeviceName: Unknown, DriverName: \Driver\MfeEpePc\
DevicePointer: 0xfffffa8007573240, DeviceName: \Device\Harddisk1\DR9\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800ae91060, DeviceName: \Device\000000aa\, DriverName: \Driver\USBSTOR\
------------ End ----------
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0838D01DBCD3874401496B04F99DACAC0F44F6C8.bin.83" is compressed (flags = 1)
File "C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt" is compressed (flags = 1)
File "C:\ProgramData\Sophos\Sophos Device Control\logs\DeviceControl.txt" is compressed (flags = 1)
Scan finished
=======================================




Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-206848-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-1933770752-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-3-1953316864-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
rickf said:
Hi Corrine. Amber is the one that clicked the file and her machine is the only one that has the popup saying her files are encrypted. However, every machine on the network, including the two servers has some .osiris extensions on files. On the PC's they are confined to a folder called ScanFolder which is a folder the user uses when items are scanned on the copy machine to their PC. On one server the files on in a folder Public\Junk and on the other server they are all over the place.
Click to expand...

Although Locky first showed up earlier this year, the variant with the .osiris extension is the latest, discovered December 5: Locky Ransomware switches to Egyptian Mythology with the Osiris Extension. However, when it comes to servers, I'm sorry, but that is not my area. I help individuals, not businesses. Don't you have an internal IT department? IF not, since you have the full Sophos package, including Sophos Network Threat Protection, I suggest you submit a ticket with Sophos to assist with your servers and the other devices on your network.

In the meantime, you may want to also scan Amber's computer with Emsisoft Anti-Malware.

BTW, the version of Java installed on your and Amber's devices is extremely out of date: Java(TM) 6 Update 32 (64-bit). The latest update addressing critical security issues is Java 8 Update 111, with the next security update expected January 17.
 
If you're finding files with the .osiris extension on the server in Shared server folders, that's normal for the virus, since it seeks out shares it has access to. If those files are appearing in non-shared folders, the server may be infected and I would take it offline asap until it's cleaned and you can find the source. Or at least restrict Amber's access in A.D. until you're sure that machine is clean.

rickf said:
Hi Corrine. Amber is the one that clicked the file and her machine is the only one that has the popup saying her files are encrypted. However, every machine on the network, including the two servers has some .osiris extensions on files. On the PC's they are confined to a folder called ScanFolder which is a folder the user uses when items are scanned on the copy machine to their PC. On one server the files on in a folder Public\Junk and on the other server they are all over the place.
Click to expand...
 
You must log in or register to reply here.

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top