Backdoor on computer created 4 user profiles and remote download

Backdoor:MSIL/Bladabindi HackTool:Win32/Rabased!rfn


#1 reppucci (New Member, 5 posts)
Got hit with a virus/trojan. It created new users Oldona, Temp, Admin, Host, Adminsitrator.
Oldona would allow remote desktop connection. I disabled remote desktop.

Ran Malwarebytes and MSE. Would like to remove all from computer and fix all registry changes. Windows logon is not at welcome screen.

Would appreciate any assistance.

Thank You

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.01.2018
Ran by Eyeformatics (administrator) on EMRSERVERHPZ600 (23-01-2018 19:10:09)
Running from C:\Users\Eyeformatics\Desktop
Loaded Profiles: VSRUSER & Eyeformatics & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS (Available Profiles: User & VSRUSER & Eyeformatics & Adminsitrator & Host & Temp & Oldona & Admin & Administrator & Guest & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS & Classic .NET AppPool & ConnectEHR AppPool & CQMsolution AppPool & DefaultAppPool & ConnectEHR Patient Portal AppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Bitvise Limited) C:\Program Files\Bitvise SSH Server\BvSshServer.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbService.exe
(Dynamic Health IT, Inc.) C:\Program Files\ConnectEHR\ConnectEHR Agent\ConnectEHR Agent.exe
(Dynamic Health IT, Inc.) C:\Program Files\CQMsolution\CQMAgent\CQMAgent.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmshelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsib.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
(Cyber Power Systems, Inc.) C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\ppped.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmxdbc_listener.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSRS11.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_131\bin\java.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsase.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\fmscwpc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_131\bin\java.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdhost.exe
(PcWinTech.com) C:\Program Files (x86)\CleanMem\Mini_Monitor.exe
() C:\Program Files\Bitvise SSH Server\BssCtrl.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Cyber Power Systems, Inc.) C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-10-17] (Intel Corporation)
HKLM-x32\...\Run: [Cobian Backup 11 interface] => C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe [4407808 2013-03-07] (Luis Cobian, CobianSoft)
HKLM-x32\...\Run: [Bitvise SSH Server Activation State Checker] => C:\Program Files\Bitvise SSH Server\BssActStateCheck.exe [245064 2015-04-09] (Bitvise Limited)
HKLM-x32\...\Run: [PowerPanel Personal Edition User Interaction] => C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe [379824 2016-07-27] (Cyber Power Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1185\g2ax_winlogonx64.dll [X]
HKU\S-1-5-21-3866400975-1191489592-655960364-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
Lsa: [Authentication Packages] msv1_0 BvLsa
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{385993E2-FCF6-42E8-989B-34FDF866CEFA}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{5FCA3713-F36F-4F94-BA68-BA1AF0357EF2}: [DhcpNameServer] 167.206.112.138 167.206.7.4
 
Internet Explorer:
==================
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_131\bin\ssv.dll [2017-05-16] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-16] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-05-16] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-16] (Oracle Corporation)
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1262.cab
 
FireFox:
========
FF DefaultProfile: y1n7dfxv.default
FF ProfilePath: C:\Users\Eyeformatics\AppData\Roaming\Mozilla\Firefox\Profiles\y1n7dfxv.default [2018-01-23]
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\[email protected] [2017-04-07] [Legacy] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-16] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-02-09] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-02-09] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-01-17] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3866400975-1191489592-655960364-1001: @citrixonline.com/appdetectorplugin -> C:\Users\VSRUSER\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-02-03] (Citrix Online)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default [2018-01-23]
CHR Extension: (Google Drive) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-19]
CHR Extension: (YouTube) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-30]
CHR Extension: (Google Search) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-19]
CHR Extension: (Google Docs Offline) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-31]
CHR Extension: (Gmail) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-23]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BvSshServer; C:\Program Files\Bitvise SSH Server\BvSshServer.exe [14359408 2015-04-09] (Bitvise Limited)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 CobianBackup11; C:\Program Files (x86)\Cobian Backup 11\cbService.exe [1131008 2013-03-07] (Luis Cobian, CobianSoft) [File not signed]
R2 ConnectEHR_Agent; C:\Program Files\ConnectEHR\ConnectEHR Agent\ConnectEHR Agent.exe [49152 2014-09-25] (Dynamic Health IT, Inc.) [File not signed]
R2 CQMsolution_Agent; C:\Program Files\CQMsolution\CQMAgent\CQMAgent.exe [23552 2014-09-17] (Dynamic Health IT, Inc.) [File not signed]
R2 FileMaker Server; C:\Program Files\FileMaker\FileMaker Server\Database Server\fmshelper.exe [379224 2014-11-11] (FileMaker, Inc.)
S2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1185\g2ax_service.exe [607240 2016-11-14] (Citrix Systems, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [190904 2012-06-12] (Microsoft Corporation)
R3 MSSQLFDLauncher$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [49752 2012-02-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
R2 ppped; C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\ppped.exe [1113008 2016-07-27] (Cyber Power Systems, Inc.)
R2 ReportServer$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSRS11.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2348472 2012-06-12] (Microsoft Corporation)
S2 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [608696 2012-06-12] (Microsoft Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-12-18] (TeamViewer GmbH)
S3 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2018-01-19] (Stas'M Corp.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-23] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [110016 2018-01-23] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2018-01-23] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-23] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [84256 2018-01-23] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
S4 RsFx0200; C:\Windows\System32\DRIVERS\RsFx0200.sys [334936 2012-02-11] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-23 19:10 - 2018-01-23 19:13 - 000016044 _____ C:\Users\Eyeformatics\Desktop\FRST.txt
2018-01-23 19:01 - 2018-01-23 19:10 - 000000000 ____D C:\FRST
2018-01-23 18:58 - 2018-01-23 18:58 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-01-23 18:51 - 2018-01-23 18:50 - 002393088 _____ (Farbar) C:\Users\Eyeformatics\Desktop\FRST64.exe
2018-01-23 18:34 - 2018-01-23 18:58 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-23 18:34 - 2018-01-23 18:58 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-23 18:34 - 2018-01-23 18:34 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-23 18:11 - 2018-01-23 18:11 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-23 18:10 - 2018-01-23 18:10 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-23 18:10 - 2018-01-23 18:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-23 18:10 - 2018-01-23 18:10 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-23 18:10 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-23 17:40 - 2018-01-23 17:40 - 000038890 _____ C:\Users\Eyeformatics\Documents\cc_20180123_174001.reg
2018-01-23 17:37 - 2018-01-23 17:38 - 082823000 _____ (Malwarebytes ) C:\Users\Eyeformatics\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3764.exe
2018-01-23 17:16 - 2018-01-23 18:10 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-23 09:28 - 2018-01-23 09:28 - 000266992 _____ C:\Windows\system32\FNTCACHE.DAT
2018-01-22 17:48 - 2018-01-22 17:48 - 000000000 ____D C:\Users\Oldona\.freerdp
2018-01-22 17:28 - 2018-01-22 17:29 - 061807384 _____ C:\Users\Oldona\Downloads\Новая папка.rar
2018-01-22 16:32 - 2018-01-22 16:32 - 000022505 _____ C:\Users\Oldona\Downloads\SystemResetSSO.rar
2018-01-22 16:28 - 2018-01-22 16:28 - 004060160 _____ C:\Users\Oldona\Downloads\11 (1).exe
2018-01-22 16:26 - 2018-01-22 16:26 - 005875643 _____ C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition (1).7z
2018-01-22 16:25 - 2018-01-23 09:51 - 000000000 ____D C:\Program Files (x86)\System
2018-01-22 16:24 - 2018-01-23 14:30 - 000000000 ____D C:\Program Files\WinRAR
2018-01-22 16:24 - 2018-01-22 16:24 - 005875643 _____ C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition.7z
2018-01-22 16:24 - 2018-01-22 16:24 - 002220872 _____ C:\Users\Oldona\Downloads\winrar-x64-550.exe
2018-01-22 16:24 - 2018-01-22 16:24 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\WinRAR
2018-01-22 16:24 - 2018-01-22 16:24 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-01-22 15:53 - 2018-01-23 18:56 - 000000000 __SHD C:\Program Files (x86)\XPS Rasterization Service Component
2018-01-22 15:53 - 2018-01-22 15:53 - 004060160 _____ C:\Users\Oldona\Downloads\11.exe
2018-01-22 15:53 - 2018-01-22 15:53 - 000000098 __RSH C:\Windows\SysWOW64\xservice.bat
2018-01-22 13:14 - 2018-01-22 13:14 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Sun
2018-01-22 13:14 - 2018-01-22 13:14 - 000000000 ____D C:\Users\Admin\AppData\LocalLow\Sun
2018-01-22 13:13 - 2018-01-22 13:13 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Sun
2018-01-22 13:13 - 2018-01-22 13:13 - 000000000 ____D C:\Users\Temp\AppData\LocalLow\Sun
2018-01-22 13:11 - 2018-01-22 13:17 - 000000000 ____D C:\Users\Admin\AppData\LocalLow\Mozilla
2018-01-22 13:11 - 2018-01-22 13:11 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Mozilla
2018-01-22 13:11 - 2018-01-22 13:11 - 000000000 ____D C:\Users\Admin\AppData\Local\Mozilla
2018-01-22 13:09 - 2018-01-22 22:17 - 000000000 ____D C:\Users\Admin\AppData\Local\Google
2018-01-22 13:09 - 2018-01-22 13:09 - 000001413 _____ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 13:09 - 2018-01-22 13:09 - 000000020 ___SH C:\Users\Admin\ntuser.ini
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Intel Corporation
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Adobe
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Local\VirtualStore
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin
2018-01-22 13:09 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Admin\Documents\Visual Studio 2010
2018-01-22 13:09 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Media Center Programs
2018-01-22 13:08 - 2018-01-22 13:08 - 000057560 _____ C:\Users\Temp\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 13:08 - 2018-01-22 13:08 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Intel Corporation
2018-01-22 13:07 - 2018-01-22 13:07 - 000001413 _____ C:\Users\Temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 13:07 - 2018-01-22 13:07 - 000000020 ___SH C:\Users\Temp\ntuser.ini
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Adobe
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Local\VirtualStore
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Local\Google
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp
2018-01-22 13:07 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Temp\Documents\Visual Studio 2010
2018-01-22 13:07 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Media Center Programs
2018-01-22 12:12 - 2018-01-22 12:12 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Sun
2018-01-22 12:12 - 2018-01-22 12:12 - 000000000 ____D C:\Users\Oldona\AppData\LocalLow\Sun
2018-01-22 12:07 - 2018-01-23 13:43 - 000000000 ____D C:\Users\Oldona\AppData\LocalLow\Mozilla
2018-01-22 12:07 - 2018-01-22 17:48 - 000000000 ____D C:\Users\Oldona
2018-01-22 12:07 - 2018-01-22 17:26 - 000000000 ____D C:\Users\Oldona\AppData\Local\Google
2018-01-22 12:07 - 2018-01-22 12:07 - 000057560 _____ C:\Users\Oldona\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 12:07 - 2018-01-22 12:07 - 000001413 _____ C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 12:07 - 2018-01-22 12:07 - 000000020 ___SH C:\Users\Oldona\ntuser.ini
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Mozilla
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Intel Corporation
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Adobe
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Local\VirtualStore
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Local\Mozilla
2018-01-22 12:07 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Oldona\Documents\Visual Studio 2010
2018-01-22 12:07 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Media Center Programs
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\Roaming\Mozilla
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\LocalLow\Mozilla
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\Local\Mozilla
2018-01-21 15:15 - 2018-01-21 15:15 - 000002401 _____ C:\Users\Host\Desktop\Person 11 - Chrome.lnk
2018-01-21 14:55 - 2018-01-21 14:55 - 000002397 _____ C:\Users\Host\Desktop\Person 10 - Chrome.lnk
2018-01-21 14:11 - 2018-01-21 14:11 - 000002397 _____ C:\Users\Host\Desktop\Person 9 - Chrome.lnk
2018-01-21 14:00 - 2018-01-21 14:00 - 000002397 _____ C:\Users\Host\Desktop\Person 8 - Chrome.lnk
2018-01-21 13:40 - 2018-01-21 13:40 - 000002397 _____ C:\Users\Host\Desktop\Person 7 - Chrome.lnk
2018-01-20 17:56 - 2018-01-20 17:56 - 000002397 _____ C:\Users\Host\Desktop\Person 6 - Chrome.lnk
2018-01-20 17:54 - 2018-01-20 17:54 - 000002397 _____ C:\Users\Host\Desktop\Person 5 - Chrome.lnk
2018-01-20 17:52 - 2018-01-20 17:52 - 000002397 _____ C:\Users\Host\Desktop\Person 4 - Chrome.lnk
2018-01-20 17:40 - 2018-01-20 17:40 - 000002397 _____ C:\Users\Host\Desktop\Person 3 - Chrome.lnk
2018-01-20 16:22 - 2018-01-20 16:22 - 000000000 ____D C:\Users\Host\AppData\Roaming\Sun
2018-01-20 16:22 - 2018-01-20 16:22 - 000000000 ____D C:\Users\Host\AppData\LocalLow\Sun
2018-01-20 16:21 - 2018-01-20 16:21 - 000002397 _____ C:\Users\Host\Desktop\Person 2 - Chrome.lnk
2018-01-20 16:21 - 2018-01-20 16:21 - 000002353 _____ C:\Users\Host\Desktop\Person 1 - Chrome.lnk
2018-01-20 16:17 - 2018-01-20 16:25 - 000000000 ____D C:\Users\Host\AppData\Local\Google
2018-01-20 16:17 - 2018-01-20 16:17 - 000057560 _____ C:\Users\Host\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-20 16:17 - 2018-01-20 16:17 - 000001413 _____ C:\Users\Host\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-20 16:17 - 2018-01-20 16:17 - 000000020 ___SH C:\Users\Host\ntuser.ini
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Roaming\Intel Corporation
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Roaming\Adobe
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Local\VirtualStore
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host
2018-01-20 16:17 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Host\Documents\Visual Studio 2010
2018-01-20 16:17 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Host\AppData\Roaming\Media Center Programs
2018-01-19 04:58 - 2018-01-19 04:58 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Sun
2018-01-19 04:58 - 2018-01-19 04:58 - 000000000 ____D C:\Users\Adminsitrator\AppData\LocalLow\Sun
2018-01-19 04:55 - 2018-01-19 04:55 - 000000000 ____D C:\Program Files\RDP Wrapper
2018-01-19 04:53 - 2018-01-19 04:53 - 000057560 _____ C:\Users\Adminsitrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-19 04:53 - 2018-01-19 04:53 - 000001413 _____ C:\Users\Adminsitrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Intel Corporation
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Adobe
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Local\Google
2018-01-19 04:52 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator
2018-01-19 04:52 - 2018-01-19 04:52 - 000000020 ___SH C:\Users\Adminsitrator\ntuser.ini
2018-01-19 04:52 - 2018-01-19 04:52 - 000000000 ____D C:\Users\Adminsitrator\AppData\Local\VirtualStore
2018-01-19 04:52 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Adminsitrator\Documents\Visual Studio 2010
2018-01-19 04:52 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Media Center Programs
2018-01-18 06:03 - 2018-01-18 06:03 - 000000000 ____D C:\Users\VSRUSER\AppData\Roaming\Sun
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-23 19:12 - 2009-07-13 22:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-01-23 19:10 - 2017-08-31 13:39 - 000000576 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002.job
2018-01-23 19:09 - 2009-07-13 23:45 - 000024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-23 19:09 - 2009-07-13 23:45 - 000024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-23 19:03 - 2009-07-14 00:13 - 000998986 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-23 19:03 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-01-23 19:01 - 2015-03-04 15:02 - 000000600 _____ C:\Users\Eyeformatics\AppData\Roaming\winscp.rnd
2018-01-23 18:57 - 2017-04-25 13:58 - 000000000 ____D C:\Program Files (x86)\CyberPower PowerPanel Personal Edition
2018-01-23 18:56 - 2013-06-18 14:00 - 000000000 ____D C:\ProgramData\NVIDIA
2018-01-23 18:56 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-23 18:27 - 2017-08-31 13:39 - 000000672 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job
2018-01-23 17:39 - 2016-02-03 16:00 - 000002818 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-01-23 14:41 - 2014-12-23 15:22 - 000000000 ____D C:\Users\Eyeformatics\360Works
2018-01-23 14:38 - 2017-04-24 17:15 - 000000600 _____ C:\Users\Eyeformatics\AppData\Roaming\PUTTY.RND
2018-01-23 14:38 - 2015-04-16 11:44 - 000000600 _____ C:\Users\Eyeformatics\AppData\Local\PUTTY.RND
2018-01-23 14:38 - 2015-04-08 09:50 - 422563840 _____ C:\Users\Eyeformatics\Desktop\EyeFormatics_PM_2014.fmp12
2018-01-23 14:38 - 2015-04-08 09:49 - 1103224832 _____ C:\Users\Eyeformatics\Desktop\EyeFormatics_EMR_2014.fmp12
2018-01-23 14:38 - 2014-12-23 15:22 - 000000000 ____D C:\Users\Eyeformatics\AppData\Roaming\FMNexusWebServices
2018-01-23 14:31 - 2014-12-23 14:21 - 000000000 ____D C:\Users\MSSQLFDLauncher$SQLEXPRESS
2018-01-23 14:15 - 2014-12-20 12:30 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2018-01-23 09:22 - 2015-04-28 06:24 - 000057560 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 13:18 - 2013-06-18 16:13 - 000000000 ____D C:\Windows\Panther
2018-01-22 05:17 - 2014-12-19 15:31 - 000000000 __SHD C:\Users\VSRUSER\AppData\Local\EmieUserList
2018-01-22 05:17 - 2014-12-19 15:31 - 000000000 __SHD C:\Users\VSRUSER\AppData\Local\EmieSiteList
2018-01-19 12:50 - 2017-08-31 13:39 - 000003726 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002
2018-01-19 12:50 - 2017-08-31 13:39 - 000003630 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002
2018-01-19 12:50 - 2017-08-31 13:39 - 000000000 ____D C:\Users\Eyeformatics\AppData\Local\GoToMeeting
2018-01-19 12:03 - 2015-03-04 14:07 - 000000000 ____D C:\HL7
2018-01-19 04:55 - 2009-07-14 00:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2018-01-18 05:58 - 2014-12-19 13:34 - 000057560 _____ C:\Users\VSRUSER\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-04 18:01 - 2014-12-19 15:34 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-04 18:01 - 2014-12-19 15:34 - 000002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-26 23:22 - 2017-07-08 17:48 - 000000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-12-26 23:22 - 2017-07-08 17:48 - 000000959 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
 
==================== Files in the root of some directories =======
 
2015-04-24 07:20 - 2015-04-24 07:18 - 000000022 _____ () C:\Users\SuperContainer\get all files recursive.bat
2017-04-24 17:15 - 2018-01-23 14:38 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Roaming\PUTTY.RND
2015-03-04 15:02 - 2018-01-23 19:01 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Roaming\winscp.rnd
2015-04-16 11:44 - 2018-01-23 14:38 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Local\PUTTY.RND
2015-04-20 14:23 - 2017-03-20 13:28 - 000007605 _____ () C:\Users\Eyeformatics\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
2016-03-26 01:51 - 2016-03-26 01:51 - 000736320 _____ (Oracle Corporation) C:\Users\Administrator\AppData\Local\Temp\jre-8u77-windows-au.exe
2017-05-16 15:38 - 2017-05-16 15:38 - 000739904 _____ (Oracle Corporation) C:\Users\Eyeformatics\AppData\Local\Temp\jre-8u131-windows-au.exe
2017-07-28 09:20 - 2017-07-28 09:20 - 000740416 _____ (Oracle Corporation) C:\Users\Eyeformatics\AppData\Local\Temp\jre-8u144-windows-au.exe
2017-10-20 09:20 - 2017-10-20 09:20 - 001856576 _____ (Oracle Corporation) C:\Users\Eyeformatics\AppData\Local\Temp\jre-8u151-windows-au.exe
2018-01-22 16:25 - 2018-01-22 16:36 - 000756224 _____ () C:\Users\Oldona\AppData\Local\Temp\ProXy CheCkeR by BoYRinG v1.4 Silver Edition.exe
2014-10-07 20:19 - 2014-10-07 20:21 - 223339967 _____ (AMD Inc.) C:\Users\User\AppData\Local\Temp\FirePro_8.911.3.4_VistaWin7_X32X64_140087.exe
2016-04-23 01:51 - 2016-04-23 01:51 - 000736320 _____ (Oracle Corporation) C:\Users\VSRUSER\AppData\Local\Temp\jre-8u77-windows-au.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-01-18 00:22
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by Eyeformatics (23-01-2018 19:14:33)
Running from C:\Users\Eyeformatics\Desktop
Windows 7 Professional Service Pack 1 (X64) (2013-06-18 17:40:28)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Admin (S-1-5-21-3866400975-1191489592-655960364-1011 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3866400975-1191489592-655960364-500 - Administrator - Enabled) => C:\Users\Administrator
Adminsitrator (S-1-5-21-3866400975-1191489592-655960364-1007 - Administrator - Enabled) => C:\Users\Adminsitrator
ConnectEHRService (S-1-5-21-3866400975-1191489592-655960364-1005 - Administrator - Enabled)
CQMSolution (S-1-5-21-3866400975-1191489592-655960364-1006 - Administrator - Enabled)
Eyeformatics (S-1-5-21-3866400975-1191489592-655960364-1002 - Administrator - Enabled) => C:\Users\Eyeformatics
Guest (S-1-5-21-3866400975-1191489592-655960364-501 - Limited - Enabled) => C:\Users\Guest
Host (S-1-5-21-3866400975-1191489592-655960364-1008 - Administrator - Enabled) => C:\Users\Host
Oldona (S-1-5-21-3866400975-1191489592-655960364-1010 - Administrator - Enabled) => C:\Users\Oldona
Temp (S-1-5-21-3866400975-1191489592-655960364-1009 - Administrator - Enabled) => C:\Users\Temp
User (S-1-5-21-3866400975-1191489592-655960364-1000 - Administrator - Disabled) => C:\Users\User
VSRUSER (S-1-5-21-3866400975-1191489592-655960364-1001 - Administrator - Enabled) => C:\Users\VSRUSER
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{44E71915-81AF-94DC-C1B7-292BEB98D0A7}) (Version: 3.0.851.0 - Advanced Micro Devices, Inc.)
Bitvise SSH Server 6.24 (remove only) (HKLM-x32\...\Bitvise SSH Server) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.14 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
CleanMem (HKLM-x32\...\CleanMem) (Version: v2.5.0 - PcWinTech.com)
Cobian Backup 11 Gravity (HKLM-x32\...\CobBackup11) (Version:  - )
CPUID CPU-Z 1.78 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CyberPower PowerPanel Personal Edition 1.6.2 (HKLM-x32\...\{3A53EB0A-8E61-4A33-9ECE-385C7EA26BED}) (Version: 1.6.2 - Cyber Power Systems, Inc.)
FileMaker ODBC Driver (64-bit) (HKLM\...\{E967A54C-BABE-4FDF-A6F7-9F9607BBBE68}) (Version: 13.2.14 - FileMaker, Inc.)
FileMaker ODBC Driver (HKLM-x32\...\{124DFD5B-44A5-42B3-BA31-D17D98C57CCB}) (Version: 13.2.14 - FileMaker, Inc.)
FileMaker Pro 13 (HKLM-x32\...\{EA92821A-03A5-4B00-85F4-834BBD8ABC24}) (Version: 13.0.4.0 - FileMaker, Inc.) Hidden
FileMaker Pro 13 (HKLM-x32\...\{EA92821A-03A5-4B00-85F4-834BBD8ABC24}_FileMaker) (Version: 13.0.4.0 - FileMaker, Inc.)
FileMaker Pro 13 Advanced (HKLM-x32\...\{4B2ABFE4-3A1D-4FFB-B6E8-A256ADFB0D7A}) (Version: 13.0.5.0 - FileMaker, Inc.) Hidden
FileMaker Pro 13 Advanced (HKLM-x32\...\{4B2ABFE4-3A1D-4FFB-B6E8-A256ADFB0D7A}_FileMaker) (Version: 13.0.5.0 - FileMaker, Inc.)
FileMaker Server 13 (HKLM\...\{71356255-96FC-4A56-AAF4-F9331034CCBF}) (Version: 13.0.5.520 - FileMaker, Inc.)
FreeFileSync 8.10 (HKLM-x32\...\FreeFileSync_is1) (Version: 8.10 - www.FreeFileSync.org)
GDR 2218 for SQL Server 2012 (KB2716442) (64-bit) (HKLM\...\KB2716442) (Version: 11.0.2218.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoTo Opener (HKLM-x32\...\{8B2D47CC-1558-4939-B27F-41E30530072A}) (Version: 1.0.467 - LogMeIn, Inc.)
GoToAssist Customer 3.0.0.1185 (HKLM-x32\...\GoToAssist Express Customer) (Version: 3.0.0.1185 - Citrix Online)
GoToMeeting 8.20.0.8199 (HKU\S-1-5-21-3866400975-1191489592-655960364-1002\...\GoToMeeting) (Version: 8.20.0.8199 - LogMeIn, Inc.)
HP Product Detection (HKLM-x32\...\{ACAA0152-96A4-4D93-92F5-1B4728C3D984}) (Version: 11.15.0008 - HP)
HydraVision (HKLM-x32\...\{F1218521-0C19-8D0C-817A-648C767F07A2}) (Version: 4.2.218.0 - Advanced Micro Devices, Inc.) Hidden
IIS URL Rewrite Module 2 (HKLM\...\{EB675D0A-2C95-405B-BEE8-B42A65D23E11}) (Version: 7.2.2 - Microsoft Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.8.0.1003 - Intel Corporation)
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Java 8 Update 131 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Multi-Targeting Pack (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Application Request Routing 3.0 (HKLM\...\{78FD26A2-9214-48CD-AF71-7F33D1A78892}) (Version: 3.0.1750 - Microsoft Corporation)
Microsoft External Cache Version 1 for IIS 7 (HKLM\...\{4F11656E-9861-4A97-B224-CFF2996998C6}) (Version: 1.1.0490 - Microsoft Corporation)
Microsoft Help Viewer 1.1 (HKLM\...\Microsoft Help Viewer 1.1) (Version: 1.1.40219 - Microsoft Corporation)
Microsoft Report Viewer 2012 Runtime (HKLM-x32\...\{9CCE40CE-A9E6-4916-8729-B008558EEF3F}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (HKLM-x32\...\{83F2B8F4-5CF3-4BE9-9772-9543EAE4AC5F}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{B40EE88B-400A-4266-A17B-E3DE64E94431}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server 2012 (64-bit) (HKLM\...\Microsoft SQL Server SQLServer2012) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM\...\{A007BD05-ECFD-4F64-89F6-7E95F91F0DFB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{DA1C1761-5F4F-4332-AB9D-29EDF3F8EA0A}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{FA0A244E-F3C2-4589-B42A-3D522DE79A42}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{587F8B5C-D30D-4EEC-849B-FC410EA38AAF}) (Version: 11.0.2218.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Setup (English) (HKLM\...\{8CB0713F-CFE0-445D-BCB2-538465860E1A}) (Version: 11.1.3128.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{03A2AE02-CBC9-4746-A376-0F7BF6AF5F39}) (Version: 11.0.2218.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{0E8670B8-3965-4930-ADA6-570348B67153}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM\...\{CC8B009A-98C9-497F-99AF-CEBE35D8C0CF}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server Data Tools – Database Projects – Web installer entry point (HKLM-x32\...\{F3BBC56F-2282-4464-952F-A89772181F30}) (Version: 10.3.20116.0 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{C3F6F200-6D7B-4879-B9EE-700C0CE1FCDA}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{F1949145-EB64-4DE7-9D81-E6D27937146C}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (HKLM-x32\...\{B7E38540-E355-3503-AFD7-635B2F2F76E1}) (Version: 9.0.30729.4974 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.40219 (HKLM-x32\...\{5D9ED403-94DE-3BA0-B1D6-71F4BDA412E6}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Shell (Integrated) - ENU (HKLM-x32\...\{012D26C3-E12A-3BDA-8ECE-DF14E721A507}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Shell (Isolated) - ENU (HKLM-x32\...\{D64B6984-242F-32BC-B008-752806E5FC44}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications Design-Time 3.0 (HKLM-x32\...\{5A03C202-08B4-3F1D-9A60-A4F53EF1B636}) (Version: 10.0.40220 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications x86 Runtime 3.0 (HKLM-x32\...\{191A6F65-6878-398D-A272-EF011B80F371}) (Version: 10.0.40220 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2012 (HKLM\...\{3E0DD83F-BE4C-4478-86A0-AD0D79D1353E}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Web Farm Framework (HKLM\...\{997E542E-B134-49E6-882E-66AA05E46464}) (Version: 1.1.1292 - Microsoft Corporation)
MiniTool Partition Wizard Home Edition 8.1.1 (HKLM-x32\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
Mozilla Firefox 52.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.2 (x86 en-US)) (Version: 52.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.2.6291 - Mozilla)
NVIDIA 3D Vision Controller Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 295.73 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 295.73 - NVIDIA Corporation)
NVIDIA Graphics Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 295.73 - NVIDIA Corporation)
NVIDIA nView 136.18 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.18 - NVIDIA Corporation)
Prerequisites for SSDT  (HKLM-x32\...\{9169C939-ED01-446A-BD0C-29873BAF4E48}) (Version: 11.0.2100.60 - Microsoft Corporation)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.14.0 - Ralink)
SQL Server 2012 BI Development Studio (HKLM\...\{656E214E-B73F-458C-AD64-ED316F008207}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 BI Development Studio (HKLM\...\{EE1B54D1-BFBC-4C19-8D66-E0AF3E967896}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{1D411379-9CE0-4B13-A19B-72D3222DD620}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{202AAF1F-69AA-442A-B59F-6B54B1AD07C6}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{18B2A97C-92C3-4AC7-BE72-F823E0BC895B}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{84FBCA4A-D650-4B0D-8094-EC0671FA9B91}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{54FF8FAB-DE27-4187-82F1-EBAE6AEE869A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{6603C2CE-3C54-4F1D-92F9-8390CD4CCCA8}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{7272DF1C-2F88-43AC-A481-84DD67DF9746}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{B3192F55-2CE8-4C8E-9E40-D3B4998276B2}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{CECA0188-BD7A-43EF-B1F7-DDF719099C46}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Full text search (HKLM\...\{34A7A77A-A23D-44ED-B3B6-EC8198BE2622}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{26BFF1F1-5C03-4C55-9C7C-FD65889AFA70}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{A7037EB2-F953-4B12-B843-195F4D988DA1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Reporting Services (HKLM\...\{DCCB1789-1DA0-4E3A-A52F-7815B602CC98}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Reporting Services (HKLM\...\{FCD81E1A-6ED6-4F19-A572-82FFE102654E}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 SQL Data Quality Common (HKLM\...\{D307B5CF-D1F0-48A4-8DA3-54765F535208}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server Browser for SQL Server 2012 (HKLM-x32\...\{4B9E6EB0-0EED-4E74-9479-F982C3254F71}) (Version: 11.0.2100.60 - Microsoft Corporation)
Sql Server Customer Experience Improvement Program (HKLM\...\{BED1EA3D-592D-4305-9D1F-20F03726EFC1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.90922 - TeamViewer)
Update 4.0.2 for Microsoft .NET Framework 4 Client Profile (KB2544514) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2544514) (Version: 1 - Microsoft Corporation)
Update 4.0.2 for Microsoft .NET Framework 4 Extended (KB2544514) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2544514) (Version: 1 - Microsoft Corporation)
Visual Studio 2010 Prerequisites - English (HKLM\...\{662014D2-0450-37ED-ABAE-157C88127BEB}) (Version: 10.0.40219 - Microsoft Corporation)
WinSCP 5.7 (HKLM-x32\...\winscp3_is1) (Version: 5.7 - Martin Prikryl)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1-x32: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers4-x32: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\Program Files\NVIDIA Corporation\nview\nvshell.dll [2012-02-09] ()
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2012-02-09] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0BFD6A32-D4A2-4162-8768-0F625E5BF48E} - System32\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupload.exe [2018-01-19] (LogMeIn, Inc.)
Task: {0D390859-4532-450F-9CE9-987B76B56DA0} - System32\Tasks\WeeklyMirror => C:\Users\Eyeformatics\Documents\mirrorffs.bat [2017-04-05] () <==== ATTENTION
Task: {1BB561B3-675E-42C4-8253-AE7D779AEE15} - System32\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupdate.exe [2018-01-19] (LogMeIn, Inc.)
Task: {2FEEF02C-DDC5-440C-8838-10265ECFBE9E} - System32\Tasks\FileSync DB => C:\Users\Eyeformatics\Documents\dailyffs.bat [2017-04-05] () <==== ATTENTION
Task: {30382559-196A-4774-8FE1-33D311F14759} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {38A155C3-2909-49B0-844F-814CA416D0BA} - System32\Tasks\CleanMem Mini Monitor => C:\Program Files (x86)\CleanMem\mini_monitor.exe [2014-08-20] (PcWinTech.com)
Task: {72253400-79CA-46D2-ABAA-C50CBE5AD203} - System32\Tasks\Bitvise\Persistent BvSshServer Control Panel\S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Program Files\Bitvise SSH Server\BssCtrl.exe [2015-04-09] ()
Task: {7FFE1D4F-D1F0-4EDF-85D5-11C9C6987491} - System32\Tasks\Clean System Memory => C:\Windows\syswow64\CleanMem.exe [2014-08-20] (PcWinTech.com)
Task: {83BC1EB2-B03C-452F-BBDC-0AE37FCA99A4} - System32\Tasks\fmserestart => C:\Users\Eyeformatics\Desktop\restartfmse.bat [2015-05-04] () <==== ATTENTION
Task: {973B6504-985B-4B53-B3D8-9882BEAF6CD5} - System32\Tasks\Run Hl7 Batch => C:\HL7\HL7Grab.bat [2015-03-04] () <==== ATTENTION
Task: {BD5FC1CA-5A56-4501-84E6-5B64BBD08869} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-11-23] (Adobe Systems Incorporated)
Task: {C0FEAFF2-9223-4E77-A0B8-ECFB1FECAA1A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {C31D4ACD-A586-44F0-ACA0-47A6F484B23F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-01-15] (Piriform Ltd)
Task: {E4404C67-0974-46D2-ACFD-699D03D4361D} - System32\Tasks\hl7 Grab Messages => C:\HL7\HL7Grab.bat [2015-03-04] () <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002.job => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupload.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-04-09 09:29 - 2015-04-09 09:29 - 000710000 _____ () C:\Program Files\Bitvise SSH Server\CiProv64.dll
2014-12-23 14:42 - 2014-05-08 12:57 - 000201728 _____ () C:\Program Files\CQMsolution\CQMAgent\Topshelf.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000112984 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\zlibwapi.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000439128 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\Libetpan.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000054640 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\XalanMessages_1_11.dll
2018-01-23 18:10 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-01-23 18:10 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000112984 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\zlibwapi.dll
2014-11-11 01:10 - 2014-11-11 01:10 - 000439128 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\Libetpan.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000054640 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\XalanMessages_1_11.dll
2015-04-09 09:29 - 2015-04-09 09:29 - 004760368 _____ () C:\Program Files\Bitvise SSH Server\BssCtrl.exe
2018-01-04 18:01 - 2018-01-03 04:20 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libglesv2.dll
2018-01-04 18:01 - 2018-01-03 04:20 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libegl.dll
2015-04-09 09:29 - 2015-04-09 09:29 - 000421232 _____ () C:\Program Files\Bitvise SSH Server\CiProv32.dll
2017-05-16 16:07 - 2017-05-16 16:07 - 000172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\892a97dcd43f3c5a200540919825c762\IsdiInterop.ni.dll
2013-06-18 13:59 - 2011-10-17 14:08 - 000059904 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3866400975-1191489592-655960364-1001\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{DA773CAA-9F84-4AED-B75B-3F28FD396A63}C:\program files (x86)\hp\common\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hp\common\hpdevicedetection3.exe
FirewallRules: [UDP Query User{C960AEBC-057E-4D0C-9C41-BDF7D0C7174A}C:\program files (x86)\hp\common\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hp\common\hpdevicedetection3.exe
FirewallRules: [{6B29E637-BED2-406E-B2EA-53F2CF6DFFC8}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E436856A-56BC-4BF9-BC5B-A642A749BEE7}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8BC849E9-1841-4B11-B3EE-A82E9B64C6B0}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2C767DFA-673D-4A51-AB51-7EB0B8D3C6CA}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{28421391-A356-4193-B811-DF1EE240E5D5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{82AEA5A8-7E25-417E-9FE8-BB2F8B2D80DF}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4ECEBE59-4689-473B-8635-109BE671586F}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{BEAFC54D-8F1E-4740-A87B-634F8CF9642F}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{879EB1A2-59E5-406E-945D-D3654976099C}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{42AA337E-69A9-4313-B0EF-474401A49F48}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{2EC335A3-6BF8-4CC2-934C-C29A42812D0E}] => (Allow) LPort=443
FirewallRules: [{5B3AAB59-4067-4CA7-92BF-B0F708E8CA9E}] => (Allow) LPort=3364
FirewallRules: [TCP Query User{79FCC443-B645-42B6-93C5-0E03A763F721}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Allow) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [UDP Query User{475F7215-0C0B-495A-937A-66EC1CFE2785}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Allow) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [TCP Query User{292C386B-5899-48FA-AEC0-574A109EE61B}C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe
FirewallRules: [UDP Query User{95EFBBC4-F7DB-4453-B314-A2F8E1059B63}C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe
FirewallRules: [TCP Query User{EC1F1371-88CE-4AAD-A4CC-CA6C5CAD15BD}C:\program files\java\jre1.8.0_131\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_131\bin\javaw.exe
FirewallRules: [UDP Query User{5F1CAA5E-D9A8-4F53-A5AB-A7D93E54E7E0}C:\program files\java\jre1.8.0_131\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_131\bin\javaw.exe
FirewallRules: [{61355E49-322D-4103-9021-60B0EE95DC8D}] => (Block) LPort=5003
FirewallRules: [{9873B64D-2BB9-41FA-9A79-BAEDB3D41C0F}] => (Allow) LPort=3365
FirewallRules: [TCP Query User{DC6574D6-2859-4C8A-9E83-B44C17A81AA4}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Block) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [UDP Query User{BB876D49-9BB3-4EA0-9D80-399426BF6185}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Block) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [{45D43080-7732-4A24-90A7-1B4E06A37314}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{1CD0A892-D895-4E05-A619-076990D6EA1B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{0AB7F145-A0C6-4019-A4BE-F451DBD33FBC}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{6A707AC7-9E30-4FC6-BE0A-E460578C733D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{45DF76EF-F8F7-4C2A-BEA7-A3273B595464}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{173A4F6B-BF2E-4CF1-8E36-4F6DE32E5CAE}] => (Allow) LPort=3389
FirewallRules: [{50B8DE96-7B4A-4236-9C3C-2FF138639F7F}] => (Allow) C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
FirewallRules: [{AD4AD500-365A-422E-8CE5-9CA5227B069C}] => (Allow) C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
FirewallRules: [TCP Query User{D1BE34C7-116C-472A-BF0E-C84F9ACFC3F0}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [UDP Query User{FEFB90D0-3866-4B8E-AE24-D72C4E31B29C}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [TCP Query User{2449BF50-060F-491D-AD8A-328D88B86867}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Block) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [UDP Query User{0C125622-5DE6-46C6-9469-A92B20E18F3A}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Block) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [{097C2D9A-22D1-4272-9693-2C2760B556ED}] => (Allow) C:\Program Files\Bitvise SSH Server\BvSshServer.exe
 
==================== Restore Points =========================
 
23-01-2018 13:39:28 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/23/2018 07:03:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0c1ef5e8
Faulting process id: 0x514
Faulting application start time: 0x01d394a6383b4200
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: unknown
Report Id: fff9ac5e-0099-11e8-924e-78acc0a96278
 
Error: (01/23/2018 06:58:03 PM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Error: (01/23/2018 06:58:03 PM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Error: (01/23/2018 06:57:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/23/2018 06:33:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/23/2018 06:33:05 PM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Error: (01/23/2018 06:33:05 PM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Error: (01/23/2018 06:05:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/23/2018 06:05:17 PM) (Source: Report Server Windows Service (SQLEXPRESS)) (EventID: 107) (User: )
Description: Report Server Windows Service (SQLEXPRESS) cannot connect to the report server database.
 
Error: (01/23/2018 06:04:51 PM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
 
System errors:
=============
Error: (01/23/2018 06:11:10 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.
 
Error: (01/23/2018 02:49:44 PM) (Source: TermDD) (EventID: 56) (User: )
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 93.76.76.143.
 
Error: (01/23/2018 02:49:45 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.
 
Error: (01/23/2018 02:49:45 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {AAC1009F-AB33-48F9-9A21-7F5B88426A2E} did not register with DCOM within the required timeout.
 
Error: (01/23/2018 02:04:43 PM) (Source: TermDD) (EventID: 56) (User: )
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 5.39.216.193.
 
Error: (01/23/2018 01:45:40 PM) (Source: TermDD) (EventID: 56) (User: )
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 93.76.76.143.
 
Error: (01/23/2018 01:39:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (01/23/2018 01:39:39 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (01/23/2018 01:39:39 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
Error: (01/23/2018 01:39:38 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.
 
 
CodeIntegrity:
===================================
  Date: 2018-01-23 14:50:21.196
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-23 13:39:21.508
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-23 07:59:04.860
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-23 07:46:10.071
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-23 07:06:01.522
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-23 06:46:42.452
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-22 23:56:14.060
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-22 23:15:42.928
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-22 23:10:27.490
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2018-01-22 22:43:10.516
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU E5620 @ 2.40GHz
Percentage of memory in use: 82%
Total physical RAM: 49135.22 MB
Available physical RAM: 8636.18 MB
Total Virtual: 98933.41 MB
Available Virtual: 56823.15 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:689.8 GB) NTFS
Drive e: (Backup) (Fixed) (Total:853.22 GB) (Free:322.05 GB) NTFS
Drive f: (FantomHD) (Fixed) (Total:1397.26 GB) (Free:469.37 GB) NTFS
Drive g: () (Removable) (Total:58.21 GB) (Free:42.68 GB) FAT32
Drive s: (swap) (Fixed) (Total:73.24 GB) (Free:25.3 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 2FDA0A4D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: D5A3F0AF)
Partition 1: (Not Active) - (Size=73.2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=853.2 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 1397.3 GB) (Disk ID: F7CC8D32)
Partition 1: (Not Active) - (Size=1397.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 3 (Size: 58.2 GB) (Disk ID: 04600986)
Partition 1: (Active) - (Size=58.2 GB) - (Type=0C)
 
==================== End of Addition.txt ============================
 

#2
RKinner


    Malware Expert

  • Expert
  • 20,233 posts
  • MVP

If you did not install TeamViewer, please uninstall it.

 

Download the attached fixlist.txt to the same location as FRST.

Attached File: fixlist.txt (21.35KB, 12 downloads)

Run FRST and press Fix.
A fix log will be generated; please post that.


Run FRST again as before. Make sure Addition.txt is checked and hit Scan. Post both logs.

 



#3
reppucci


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Thank you for the quick reply!

 

I did install TeamViewer... several years ago. I do use it often, though not for access to this particular computer in almost 1 month or so.

 

Do you still wish for me to uninstall?

 

I did disconnect an external hard drive since running FRST yesterday.

 

Here are the logs and rescanned files from FRST as requested.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by Eyeformatics (24-01-2018 11:04:31) Run:1
Running from C:\Users\Eyeformatics\Desktop
Loaded Profiles: User & VSRUSER & Eyeformatics & Adminsitrator & Host & Temp & Oldona & Admin & Administrator & Guest & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS & Classic .NET AppPool & ConnectEHR AppPool & CQMsolution AppPool & DefaultAppPool & ConnectEHR Patient Portal AppPool (Available Profiles: User & VSRUSER & Eyeformatics & Adminsitrator & Host & Temp & Oldona & Admin & Administrator & Guest & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS & Classic .NET AppPool & ConnectEHR AppPool & CQMsolution AppPool & DefaultAppPool & ConnectEHR Patient Portal AppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: type C:\Windows\SysWOW64\xservice.bat
Virustotal: C:\Users\Oldona\Downloads\11.exe;C:\Users\Oldona\Downloads\SystemResetSSO.rar;C:\Users\Oldona\Downloads\Новая папка.rar
File: C:\Windows\System32\SystemResetSSO.dll
reg: reg query HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices /s
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1185\g2ax_winlogonx64.dll [X]
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_131\bin\ssv.dll [2017-05-16] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-16] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-05-16] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-16] (Oracle Corporation)
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1262.cab
FF Plugin HKU\S-1-5-21-3866400975-1191489592-655960364-1001: @citrixonline.com/appdetectorplugin -> C:\Users\VSRUSER\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-02-03] (Citrix Online)
S3 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2018-01-19] (Stas'M Corp.) [File not signed]
2018-01-23 19:10 - 2017-08-31 13:39 - 000000576 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002.job
018-01-23 18:27 - 2017-08-31 13:39 - 000000672 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job
C:\Program Files\RDP Wrapper
2018-01-22 17:48 - 2018-01-22 17:48 - 000000000 ____D C:\Users\Oldona\.freerdp
2018-01-22 17:28 - 2018-01-22 17:29 - 061807384 _____ C:\Users\Oldona\Downloads\Новая папка.rar
2018-01-22 16:32 - 2018-01-22 16:32 - 000022505 _____ C:\Users\Oldona\Downloads\SystemResetSSO.rar
2018-01-22 16:28 - 2018-01-22 16:28 - 004060160 _____ C:\Users\Oldona\Downloads\11 (1).exe
2018-01-22 16:26 - 2018-01-22 16:26 - 005875643 _____ C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition (1).7z
2018-01-22 16:25 - 2018-01-23 09:51 - 000000000 ____D C:\Program Files (x86)\System
2018-01-22 16:24 - 2018-01-23 14:30 - 000000000 ____D C:\Program Files\WinRAR
2018-01-22 16:24 - 2018-01-22 16:24 - 005875643 _____ C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition.7z
2018-01-22 16:24 - 2018-01-22 16:24 - 002220872 _____ C:\Users\Oldona\Downloads\winrar-x64-550.exe
2018-01-22 16:24 - 2018-01-22 16:24 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\WinRAR
2018-01-22 16:24 - 2018-01-22 16:24 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2018-01-22 15:53 - 2018-01-23 18:56 - 000000000 __SHD C:\Program Files (x86)\XPS Rasterization Service Component
2018-01-22 15:53 - 2018-01-22 15:53 - 004060160 _____ C:\Users\Oldona\Downloads\11.exe
2018-01-22 15:53 - 2018-01-22 15:53 - 000000098 __RSH C:\Windows\SysWOW64\xservice.bat
2018-01-22 13:14 - 2018-01-22 13:14 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Sun
2018-01-22 13:14 - 2018-01-22 13:14 - 000000000 ____D C:\Users\Admin\AppData\LocalLow\Sun
2018-01-22 13:13 - 2018-01-22 13:13 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Sun
2018-01-22 13:13 - 2018-01-22 13:13 - 000000000 ____D C:\Users\Temp\AppData\LocalLow\Sun
2018-01-22 13:11 - 2018-01-22 13:17 - 000000000 ____D C:\Users\Admin\AppData\LocalLow\Mozilla
2018-01-22 13:11 - 2018-01-22 13:11 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Mozilla
2018-01-22 13:11 - 2018-01-22 13:11 - 000000000 ____D C:\Users\Admin\AppData\Local\Mozilla
2018-01-22 13:09 - 2018-01-22 22:17 - 000000000 ____D C:\Users\Admin\AppData\Local\Google
2018-01-22 13:09 - 2018-01-22 13:09 - 000001413 _____ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 13:09 - 2018-01-22 13:09 - 000000020 ___SH C:\Users\Admin\ntuser.ini
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Intel Corporation
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Adobe
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin\AppData\Local\VirtualStore
2018-01-22 13:09 - 2018-01-22 13:09 - 000000000 ____D C:\Users\Admin
2018-01-22 13:09 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Admin\Documents\Visual Studio 2010
2018-01-22 13:09 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Media Center Programs
2018-01-22 13:08 - 2018-01-22 13:08 - 000057560 _____ C:\Users\Temp\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 13:08 - 2018-01-22 13:08 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Intel Corporation
2018-01-22 13:07 - 2018-01-22 13:07 - 000001413 _____ C:\Users\Temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 13:07 - 2018-01-22 13:07 - 000000020 ___SH C:\Users\Temp\ntuser.ini
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Adobe
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Local\VirtualStore
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp\AppData\Local\Google
2018-01-22 13:07 - 2018-01-22 13:07 - 000000000 ____D C:\Users\Temp
2018-01-22 13:07 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Temp\Documents\Visual Studio 2010
2018-01-22 13:07 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Temp\AppData\Roaming\Media Center Programs
2018-01-22 12:12 - 2018-01-22 12:12 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Sun
2018-01-22 12:12 - 2018-01-22 12:12 - 000000000 ____D C:\Users\Oldona\AppData\LocalLow\Sun
2018-01-22 12:07 - 2018-01-23 13:43 - 000000000 ____D C:\Users\Oldona\AppData\LocalLow\Mozilla
2018-01-22 12:07 - 2018-01-22 17:48 - 000000000 ____D C:\Users\Oldona
2018-01-22 12:07 - 2018-01-22 17:26 - 000000000 ____D C:\Users\Oldona\AppData\Local\Google
2018-01-22 12:07 - 2018-01-22 12:07 - 000057560 _____ C:\Users\Oldona\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 12:07 - 2018-01-22 12:07 - 000001413 _____ C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-22 12:07 - 2018-01-22 12:07 - 000000020 ___SH C:\Users\Oldona\ntuser.ini
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Mozilla
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Intel Corporation
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Adobe
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Local\VirtualStore
2018-01-22 12:07 - 2018-01-22 12:07 - 000000000 ____D C:\Users\Oldona\AppData\Local\Mozilla
2018-01-22 12:07 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Oldona\Documents\Visual Studio 2010
2018-01-22 12:07 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Oldona\AppData\Roaming\Media Center Programs
2018-01-21 15:15 - 2018-01-21 15:15 - 000002401 _____ C:\Users\Host\Desktop\Person 11 - Chrome.lnk
2018-01-21 14:55 - 2018-01-21 14:55 - 000002397 _____ C:\Users\Host\Desktop\Person 10 - Chrome.lnk
2018-01-21 14:11 - 2018-01-21 14:11 - 000002397 _____ C:\Users\Host\Desktop\Person 9 - Chrome.lnk
2018-01-21 14:00 - 2018-01-21 14:00 - 000002397 _____ C:\Users\Host\Desktop\Person 8 - Chrome.lnk
2018-01-21 13:40 - 2018-01-21 13:40 - 000002397 _____ C:\Users\Host\Desktop\Person 7 - Chrome.lnk
2018-01-20 17:56 - 2018-01-20 17:56 - 000002397 _____ C:\Users\Host\Desktop\Person 6 - Chrome.lnk
2018-01-20 17:54 - 2018-01-20 17:54 - 000002397 _____ C:\Users\Host\Desktop\Person 5 - Chrome.lnk
2018-01-20 17:52 - 2018-01-20 17:52 - 000002397 _____ C:\Users\Host\Desktop\Person 4 - Chrome.lnk
2018-01-20 17:40 - 2018-01-20 17:40 - 000002397 _____ C:\Users\Host\Desktop\Person 3 - Chrome.lnk
2018-01-20 16:22 - 2018-01-20 16:22 - 000000000 ____D C:\Users\Host\AppData\Roaming\Sun
2018-01-20 16:22 - 2018-01-20 16:22 - 000000000 ____D C:\Users\Host\AppData\LocalLow\Sun
2018-01-20 16:21 - 2018-01-20 16:21 - 000002397 _____ C:\Users\Host\Desktop\Person 2 - Chrome.lnk
2018-01-20 16:21 - 2018-01-20 16:21 - 000002353 _____ C:\Users\Host\Desktop\Person 1 - Chrome.lnk
2018-01-20 16:17 - 2018-01-20 16:25 - 000000000 ____D C:\Users\Host\AppData\Local\Google
2018-01-20 16:17 - 2018-01-20 16:17 - 000057560 _____ C:\Users\Host\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-20 16:17 - 2018-01-20 16:17 - 000001413 _____ C:\Users\Host\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-20 16:17 - 2018-01-20 16:17 - 000000020 ___SH C:\Users\Host\ntuser.ini
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Roaming\Intel Corporation
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Roaming\Adobe
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host\AppData\Local\VirtualStore
2018-01-20 16:17 - 2018-01-20 16:17 - 000000000 ____D C:\Users\Host
2018-01-20 16:17 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Host\Documents\Visual Studio 2010
2018-01-20 16:17 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Host\AppData\Roaming\Media Center Programs
2018-01-19 04:58 - 2018-01-19 04:58 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Sun
2018-01-19 04:58 - 2018-01-19 04:58 - 000000000 ____D C:\Users\Adminsitrator\AppData\LocalLow\Sun
2018-01-19 04:55 - 2018-01-19 04:55 - 000000000 ____D C:\Program Files\RDP Wrapper
2018-01-19 04:53 - 2018-01-19 04:53 - 000057560 _____ C:\Users\Adminsitrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-19 04:53 - 2018-01-19 04:53 - 000001413 _____ C:\Users\Adminsitrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Intel Corporation
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Adobe
2018-01-19 04:53 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator\AppData\Local\Google
2018-01-19 04:52 - 2018-01-19 04:53 - 000000000 ____D C:\Users\Adminsitrator
2018-01-19 04:52 - 2018-01-19 04:52 - 000000020 ___SH C:\Users\Adminsitrator\ntuser.ini
2018-01-19 04:52 - 2018-01-19 04:52 - 000000000 ____D C:\Users\Adminsitrator\AppData\Local\VirtualStore
2018-01-19 04:52 - 2016-02-06 11:37 - 000000000 ____D C:\Users\Adminsitrator\Documents\Visual Studio 2010
2018-01-19 04:52 - 2011-04-12 03:28 - 000000000 ____D C:\Users\Adminsitrator\AppData\Roaming\Media Center Programs
ResetHosts:
EmptyTemp:
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
 
*****************
 
 
========= type C:\Windows\SysWOW64\xservice.bat =========
 
@echo off
"C:\Program Files (x86)\XPS Rasterization Service Component\xservice.exe" %1 %2 %3 %4
 
========= End of CMD: =========
 
VirusTotal: C:\Users\Oldona\Downloads\11.exe => https://www.virustot...sis/1516809878/
VirusTotal: C:\Users\Oldona\Downloads\SystemResetSSO.rar => https://www.virustot...sis/1516809879/
VirusTotal: C:\Users\Oldona\Downloads\Новая папка.rar => (3) Error
 
========================= File: C:\Windows\System32\SystemResetSSO.dll ========================
 
"C:\Windows\System32\SystemResetSSO.dll" => not found
====== End of File: ======
 
 
========= reg query HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
    \DosDevices\C:    REG_BINARY    4D0ADA2F0000500600000000
    \??\Volume{9e386f62-d853-11e2-8a4b-806e6f6e6963}    REG_BINARY    4D0ADA2F0000100000000000
    \??\Volume{9e386f63-d853-11e2-8a4b-806e6f6e6963}    REG_BINARY    4D0ADA2F0000500600000000
    \??\Volume{9e386f66-d853-11e2-8a4b-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F0044005600440052004F004D005F0044004800320030004E005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0044004200300032005F005F005F005F00230034002600360036006100350062003900300026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \DosDevices\D:    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004400560044002D00520041004D005F0047004800360030004C005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0052004400300035005F005F005F005F00230034002600360036006100350062003900300026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{25d71cca-7233-11e3-b29d-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004400560044005F0041005F005F00440048003100360041004200530048005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0059004800440044005F005F005F005F002300340026003300610064003800350036006500330026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{20acc74a-7332-11e3-aea2-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004400560044002D0052004F004D005F00540053002D00480033003500330043005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0048003400330030005F005F005F005F002300340026003300610064003800350036006500330026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{5f452168-dae9-11e3-a420-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D00480036003500330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030004B00300030005F005F005F005F002300340026003300610064003800350036006500330026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{6597f845-4e86-11e4-b361-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004400560044002D00520041004D005F0047004800360030004C005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0052004400300035005F005F005F005F00230034002600360036006100350062003900300026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{1c36f1ae-96a3-11e4-bf61-806e6f6e6963}    REG_BINARY    5C003F003F005C0049004400450023004300640052006F006D00680070005F004400560044002D00520041004D005F0047004800360030004C005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0052004400300035005F005F005F005F00230034002600360036006100350062003900300026003000260030002E0032002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{62d6bc0b-96a4-11e4-ada9-78acc0a96278}    REG_BINARY    C02A28A70000100000000000
    \??\Volume{cc33a314-9a87-11e4-b85c-78acc0a96278}    REG_BINARY    6E8402000000100000000000
    \??\Volume{cc33a339-9a87-11e4-b85c-78acc0a96278}    REG_BINARY    C8CCCD090000100000000000
    \??\Volume{ff425a26-9ab8-11e4-a353-806e6f6e6963}    REG_BINARY    11ECFEEF0000700500000000
    \??\Volume{2093fa11-9b38-11e4-91b1-78acc0a96278}    REG_BINARY    510201000000700500000000
    \??\Volume{20940772-9b38-11e4-91b1-78acc0a96278}    REG_BINARY    F3D96EFD007E000000000000
    \??\Volume{3be9bf3b-0abb-11e5-a242-78acc0a96278}    REG_BINARY    FEDF93EF007E000000000000
    \??\Volume{300834a3-77d6-11e6-9294-78acc0a96278}    REG_BINARY    5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A00650072005F0042006C0061006400650026005200650076005F0031002E00320037002300340043003500330030003000310033003100360030003300310033003100310030003100380032002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
    \??\Volume{854e6de0-0a61-11e7-a530-78acc0a96278}    REG_BINARY    328DCCF7007E000000000000
    \??\Volume{6990636e-0a66-11e7-a530-78acc0a96278}    REG_BINARY    74C312000000100000000000
    \DosDevices\F:    REG_BINARY    328DCCF7007E000000000000
    \??\Volume{0207e13a-1656-11e7-b223-78acc0a96278}    REG_BINARY    AFF0A3D500DC9D9DE7000000
    \??\Volume{0207e18b-1656-11e7-b223-78acc0a96278}    REG_BINARY    AFF0A3D50000100000000000
    \DosDevices\S:    REG_BINARY    AFF0A3D50000100000000000
    \??\Volume{0207e192-1656-11e7-b223-78acc0a96278}    REG_BINARY    AFF0A3D50000904F12000000
    #{0207e198-1656-11e7-b223-78acc0a96278}    REG_BINARY    AFF0A3D500DC9D9DE7000000
    \DosDevices\E:    REG_BINARY    AFF0A3D50000904F12000000
    \DosDevices\G:    REG_BINARY    5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A00650072005F0042006C0061006400650026005200650076005F0031002E00320037002300340043003500330030003000310033003100360030003300310033003100310030003100380032002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
 
 
 
========= End of Reg: =========
 
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist Express Customer" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => removed successfully
"HKLM\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully
"HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{73ECB3AA-4717-450C-A2AB-D00DAD9EE203}" => removed successfully
"HKU\S-1-5-21-3866400975-1191489592-655960364-1001\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin" => removed successfully
C:\Users\VSRUSER\AppData\Local\Citrix\Plugins\104\npappdetector.dll => moved successfully
"HKLM\System\CurrentControlSet\Services\TermService" => removed successfully
TermService => service removed successfully
C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002.job => moved successfully
018-01-23 18:27 - 2017-08-31 13:39 - 000000672 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job => Error: No automatic fix found for this entry.
C:\Program Files\RDP Wrapper => moved successfully
C:\Users\Oldona\.freerdp => moved successfully
C:\Users\Oldona\Downloads\Новая папка.rar => moved successfully
C:\Users\Oldona\Downloads\SystemResetSSO.rar => moved successfully
C:\Users\Oldona\Downloads\11 (1).exe => moved successfully
C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition (1).7z => moved successfully
C:\Program Files (x86)\System => moved successfully
C:\Program Files\WinRAR => moved successfully
C:\Users\Oldona\Downloads\ProXy CheCkeR by BoYRinG v1.4 Silver Edition.7z => moved successfully
C:\Users\Oldona\Downloads\winrar-x64-550.exe => moved successfully
C:\Users\Oldona\AppData\Roaming\WinRAR => moved successfully
C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR => moved successfully
C:\Program Files (x86)\XPS Rasterization Service Component => moved successfully
C:\Users\Oldona\Downloads\11.exe => moved successfully
C:\Windows\SysWOW64\xservice.bat => moved successfully
C:\Users\Admin\AppData\Roaming\Sun => moved successfully
C:\Users\Admin\AppData\LocalLow\Sun => moved successfully
C:\Users\Temp\AppData\Roaming\Sun => moved successfully
C:\Users\Temp\AppData\LocalLow\Sun => moved successfully
C:\Users\Admin\AppData\LocalLow\Mozilla => moved successfully
C:\Users\Admin\AppData\Roaming\Mozilla => moved successfully
C:\Users\Admin\AppData\Local\Mozilla => moved successfully
C:\Users\Admin\AppData\Local\Google => moved successfully
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => moved successfully
C:\Users\Admin\ntuser.ini => moved successfully
C:\Users\Admin\AppData\Roaming\Intel Corporation => moved successfully
C:\Users\Admin\AppData\Roaming\Adobe => moved successfully
C:\Users\Admin\AppData\Local\VirtualStore => moved successfully
 
"C:\Users\Admin" folder move:
 
Could not move "C:\Users\Admin" => Scheduled to move on reboot.
 
C:\Users\Admin\Documents\Visual Studio 2010 => moved successfully
C:\Users\Admin\AppData\Roaming\Media Center Programs => moved successfully
C:\Users\Temp\AppData\Local\GDIPFONTCACHEV1.DAT => moved successfully
C:\Users\Temp\AppData\Roaming\Intel Corporation => moved successfully
C:\Users\Temp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => moved successfully
C:\Users\Temp\ntuser.ini => moved successfully
C:\Users\Temp\AppData\Roaming\Adobe => moved successfully
C:\Users\Temp\AppData\Local\VirtualStore => moved successfully
C:\Users\Temp\AppData\Local\Google => moved successfully
 
"C:\Users\Temp" folder move:
 
Could not move "C:\Users\Temp" => Scheduled to move on reboot.
 
C:\Users\Temp\Documents\Visual Studio 2010 => moved successfully
C:\Users\Temp\AppData\Roaming\Media Center Programs => moved successfully
C:\Users\Oldona\AppData\Roaming\Sun => moved successfully
C:\Users\Oldona\AppData\LocalLow\Sun => moved successfully
C:\Users\Oldona\AppData\LocalLow\Mozilla => moved successfully
 
"C:\Users\Oldona" folder move:
 
Could not move "C:\Users\Oldona" => Scheduled to move on reboot.
 
C:\Users\Oldona\AppData\Local\Google => moved successfully
C:\Users\Oldona\AppData\Local\GDIPFONTCACHEV1.DAT => moved successfully
C:\Users\Oldona\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => moved successfully
C:\Users\Oldona\ntuser.ini => moved successfully
C:\Users\Oldona\AppData\Roaming\Mozilla => moved successfully
C:\Users\Oldona\AppData\Roaming\Intel Corporation => moved successfully
C:\Users\Oldona\AppData\Roaming\Adobe => moved successfully
C:\Users\Oldona\AppData\Local\VirtualStore => moved successfully
C:\Users\Oldona\AppData\Local\Mozilla => moved successfully
C:\Users\Oldona\Documents\Visual Studio 2010 => moved successfully
C:\Users\Oldona\AppData\Roaming\Media Center Programs => moved successfully
C:\Users\Host\Desktop\Person 11 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 10 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 9 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 8 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 7 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 6 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 5 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 4 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 3 - Chrome.lnk => moved successfully
C:\Users\Host\AppData\Roaming\Sun => moved successfully
C:\Users\Host\AppData\LocalLow\Sun => moved successfully
C:\Users\Host\Desktop\Person 2 - Chrome.lnk => moved successfully
C:\Users\Host\Desktop\Person 1 - Chrome.lnk => moved successfully
C:\Users\Host\AppData\Local\Google => moved successfully
C:\Users\Host\AppData\Local\GDIPFONTCACHEV1.DAT => moved successfully
C:\Users\Host\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => moved successfully
C:\Users\Host\ntuser.ini => moved successfully
C:\Users\Host\AppData\Roaming\Intel Corporation => moved successfully
C:\Users\Host\AppData\Roaming\Adobe => moved successfully
C:\Users\Host\AppData\Local\VirtualStore => moved successfully
 
"C:\Users\Host" folder move:
 
Could not move "C:\Users\Host" => Scheduled to move on reboot.
 
C:\Users\Host\Documents\Visual Studio 2010 => moved successfully
C:\Users\Host\AppData\Roaming\Media Center Programs => moved successfully
C:\Users\Adminsitrator\AppData\Roaming\Sun => moved successfully
C:\Users\Adminsitrator\AppData\LocalLow\Sun => moved successfully
"C:\Program Files\RDP Wrapper" => not found
C:\Users\Adminsitrator\AppData\Local\GDIPFONTCACHEV1.DAT => moved successfully
C:\Users\Adminsitrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => moved successfully
C:\Users\Adminsitrator\AppData\Roaming\Intel Corporation => moved successfully
C:\Users\Adminsitrator\AppData\Roaming\Adobe => moved successfully
C:\Users\Adminsitrator\AppData\Local\Google => moved successfully
 
"C:\Users\Adminsitrator" folder move:
 
Could not move "C:\Users\Adminsitrator" => Scheduled to move on reboot.
 
C:\Users\Adminsitrator\ntuser.ini => moved successfully
C:\Users\Adminsitrator\AppData\Local\VirtualStore => moved successfully
C:\Users\Adminsitrator\Documents\Visual Studio 2010 => moved successfully
C:\Users\Adminsitrator\AppData\Roaming\Media Center Programs => moved successfully
ResetHosts: => Error: No automatic fix found for this entry.
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2425872 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 399614161 B
Edge => 0 B
Chrome => 15966765 B
Firefox => 68218592 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 55425542 B
systemprofile32 => 66356 B
LocalService => 0 B
NetworkService => 3716748 B
User => 309037207 B
VSRUSER => 19039605 B
Eyeformatics => 100153423 B
Adminsitrator => 327561 B
Host => 152594 B
Temp => 112945 B
Oldona => 5145636 B
Admin => 144484 B
Administrator => 26548625 B
Guest => 240252 B
MSSQL$SQLEXPRESS => 8016 B
ReportServer$SQLEXPRESS => 0 B
MSSQLFDLauncher$SQLEXPRESS => 0 B
Classic .NET AppPool => 0 B
ConnectEHR AppPool => 0 B
CQMsolution AppPool => 0 B
DefaultAppPool => 0 B
ConnectEHR Patient Portal AppPool => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 967.7 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-01-2018 11:30:05)
 
C:\Users\Admin => moved successfully
C:\Users\Temp => moved successfully
C:\Users\Oldona => moved successfully
C:\Users\Host => moved successfully
C:\Users\Adminsitrator => moved successfully
 
==== End of Fixlog 11:30:08 ====
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.01.2018
Ran by Eyeformatics (administrator) on EMRSERVERHPZ600 (24-01-2018 11:31:47)
Running from C:\Users\Eyeformatics\Desktop
Loaded Profiles: VSRUSER & Eyeformatics & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS (Available Profiles: User & VSRUSER & Eyeformatics & Adminsitrator & Host & Temp & Oldona & Admin & Administrator & Guest & MSSQL$SQLEXPRESS & ReportServer$SQLEXPRESS & MSSQLFDLauncher$SQLEXPRESS & Classic .NET AppPool & ConnectEHR AppPool & CQMsolution AppPool & DefaultAppPool & ConnectEHR Patient Portal AppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Bitvise Limited) C:\Program Files\Bitvise SSH Server\BvSshServer.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbService.exe
(Dynamic Health IT, Inc.) C:\Program Files\ConnectEHR\ConnectEHR Agent\ConnectEHR Agent.exe
(Dynamic Health IT, Inc.) C:\Program Files\CQMsolution\CQMAgent\CQMAgent.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmshelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Cyber Power Systems, Inc.) C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\ppped.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSRS11.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsib.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmxdbc_listener.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_131\bin\java.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmsase.exe
(FileMaker, Inc.) C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\fmscwpc.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Oracle Corporation) C:\Program Files\Java\jre1.8.0_131\bin\java.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdhost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(PcWinTech.com) C:\Program Files (x86)\CleanMem\Mini_Monitor.exe
(Martin Prikryl) C:\Program Files (x86)\WinSCP\WinSCP.exe
() C:\Program Files\Bitvise SSH Server\BssCtrl.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe
(Cyber Power Systems, Inc.) C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-10-17] (Intel Corporation)
HKLM-x32\...\Run: [Cobian Backup 11 interface] => C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe [4407808 2013-03-07] (Luis Cobian, CobianSoft)
HKLM-x32\...\Run: [Bitvise SSH Server Activation State Checker] => C:\Program Files\Bitvise SSH Server\BssActStateCheck.exe [245064 2015-04-09] (Bitvise Limited)
HKLM-x32\...\Run: [PowerPanel Personal Edition User Interaction] => C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe [379824 2016-07-27] (Cyber Power Systems, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKU\S-1-5-21-3866400975-1191489592-655960364-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
Lsa: [Authentication Packages] msv1_0 BvLsa
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{385993E2-FCF6-42E8-989B-34FDF866CEFA}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{5FCA3713-F36F-4F94-BA68-BA1AF0357EF2}: [DhcpNameServer] 167.206.112.138 167.206.7.4
 
Internet Explorer:
==================
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
 
FireFox:
========
FF DefaultProfile: y1n7dfxv.default
FF ProfilePath: C:\Users\Eyeformatics\AppData\Roaming\Mozilla\Firefox\Profiles\y1n7dfxv.default [2018-01-24]
FF Plugin: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-16] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-02-09] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-02-09] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-01-17] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default [2018-01-24]
CHR Extension: (Google Drive) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-19]
CHR Extension: (YouTube) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-30]
CHR Extension: (Google Search) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-19]
CHR Extension: (Google Docs Offline) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-31]
CHR Extension: (Gmail) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\Eyeformatics\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-01-23]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BvSshServer; C:\Program Files\Bitvise SSH Server\BvSshServer.exe [14359408 2015-04-09] (Bitvise Limited)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 CobianBackup11; C:\Program Files (x86)\Cobian Backup 11\cbService.exe [1131008 2013-03-07] (Luis Cobian, CobianSoft) [File not signed]
R2 ConnectEHR_Agent; C:\Program Files\ConnectEHR\ConnectEHR Agent\ConnectEHR Agent.exe [49152 2014-09-25] (Dynamic Health IT, Inc.) [File not signed]
R2 CQMsolution_Agent; C:\Program Files\CQMsolution\CQMAgent\CQMAgent.exe [23552 2014-09-17] (Dynamic Health IT, Inc.) [File not signed]
R2 FileMaker Server; C:\Program Files\FileMaker\FileMaker Server\Database Server\fmshelper.exe [379224 2014-11-11] (FileMaker, Inc.)
S2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\1185\g2ax_service.exe [607240 2016-11-14] (Citrix Systems, Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135488 2018-01-24] (SurfRight B.V.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [190904 2012-06-12] (Microsoft Corporation)
R3 MSSQLFDLauncher$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [49752 2012-02-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
R2 ppped; C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\ppped.exe [1113008 2016-07-27] (Cyber Power Systems, Inc.)
R2 ReportServer$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSRS11.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2348472 2012-06-12] (Microsoft Corporation)
S2 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [608696 2012-06-12] (Microsoft Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-12-18] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-23] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [110016 2018-01-24] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2018-01-24] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-23] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [84256 2018-01-24] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
S4 RsFx0200; C:\Windows\System32\DRIVERS\RsFx0200.sys [334936 2012-02-11] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-24 11:27 - 2018-01-24 11:27 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-24 11:22 - 2018-01-24 11:22 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-01-24 11:04 - 2018-01-24 11:30 - 000029446 _____ C:\Users\Eyeformatics\Desktop\Fixlog.txt
2018-01-24 11:03 - 2018-01-24 11:03 - 000021866 _____ C:\Users\Eyeformatics\Downloads\fixlist.txt
2018-01-24 08:57 - 2018-01-24 08:57 - 000001893 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2018-01-24 08:57 - 2018-01-24 08:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2018-01-24 08:57 - 2018-01-24 08:57 - 000000000 ____D C:\Program Files\HitmanPro
2018-01-24 08:55 - 2018-01-24 08:56 - 011605440 _____ (SurfRight B.V.) C:\Users\Eyeformatics\Downloads\HitmanPro_x64 (1).exe
2018-01-23 19:14 - 2018-01-23 19:15 - 000039644 _____ C:\Users\Eyeformatics\Desktop\Addition.txt
2018-01-23 19:10 - 2018-01-24 11:33 - 000014667 _____ C:\Users\Eyeformatics\Desktop\FRST.txt
2018-01-23 19:01 - 2018-01-24 11:31 - 000000000 ____D C:\FRST
2018-01-23 18:51 - 2018-01-23 18:50 - 002393088 _____ (Farbar) C:\Users\Eyeformatics\Desktop\FRST64.exe
2018-01-23 18:34 - 2018-01-24 11:23 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-23 18:34 - 2018-01-23 18:34 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-23 18:11 - 2018-01-23 18:11 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-23 18:10 - 2018-01-23 18:10 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-23 18:10 - 2018-01-23 18:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-23 18:10 - 2018-01-23 18:10 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-23 18:10 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-23 17:40 - 2018-01-23 17:40 - 000038890 _____ C:\Users\Eyeformatics\Documents\cc_20180123_174001.reg
2018-01-23 17:37 - 2018-01-23 17:38 - 082823000 _____ (Malwarebytes ) C:\Users\Eyeformatics\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3764.exe
2018-01-23 17:16 - 2018-01-23 18:10 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-23 09:28 - 2018-01-23 09:28 - 000266992 _____ C:\Windows\system32\FNTCACHE.DAT
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\Roaming\Mozilla
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\LocalLow\Mozilla
2018-01-22 05:16 - 2018-01-22 05:16 - 000000000 ____D C:\Users\VSRUSER\AppData\Local\Mozilla
2018-01-18 06:03 - 2018-01-18 06:03 - 000000000 ____D C:\Users\VSRUSER\AppData\Roaming\Sun
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-24 11:32 - 2015-03-04 15:02 - 000000600 _____ C:\Users\Eyeformatics\AppData\Roaming\winscp.rnd
2018-01-24 11:28 - 2009-07-14 00:13 - 000998798 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-24 11:28 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2018-01-24 11:21 - 2017-04-25 13:58 - 000000000 ____D C:\Program Files (x86)\CyberPower PowerPanel Personal Edition
2018-01-24 11:21 - 2017-04-03 20:36 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-24 11:21 - 2015-03-04 18:08 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-24 11:21 - 2013-06-18 14:00 - 000000000 ____D C:\ProgramData\NVIDIA
2018-01-24 11:21 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-24 11:07 - 2009-07-13 23:45 - 000024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-24 11:07 - 2009-07-13 23:45 - 000024704 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-24 11:02 - 2017-04-04 06:52 - 000000000 ____D C:\Users\Eyeformatics\AppData\LocalLow\Mozilla
2018-01-24 11:02 - 2015-03-04 18:08 - 000000000 ____D C:\Users\Eyeformatics\AppData\Roaming\Mozilla
2018-01-24 10:27 - 2017-08-31 13:39 - 000000672 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job
2018-01-24 08:57 - 2014-12-23 14:21 - 000000000 ____D C:\Users\MSSQL$SQLEXPRESS
2018-01-24 07:50 - 2014-12-20 12:30 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2018-01-23 19:12 - 2009-07-13 22:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2018-01-23 17:39 - 2016-02-03 16:00 - 000002818 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2018-01-23 14:41 - 2014-12-23 15:22 - 000000000 ____D C:\Users\Eyeformatics\360Works
2018-01-23 14:38 - 2017-04-24 17:15 - 000000600 _____ C:\Users\Eyeformatics\AppData\Roaming\PUTTY.RND
2018-01-23 14:38 - 2015-04-16 11:44 - 000000600 _____ C:\Users\Eyeformatics\AppData\Local\PUTTY.RND
2018-01-23 14:38 - 2015-04-08 09:50 - 422563840 _____ C:\Users\Eyeformatics\Desktop\EyeFormatics_PM_2014.fmp12
2018-01-23 14:38 - 2015-04-08 09:49 - 1103224832 _____ C:\Users\Eyeformatics\Desktop\EyeFormatics_EMR_2014.fmp12
2018-01-23 14:38 - 2014-12-23 15:22 - 000000000 ____D C:\Users\Eyeformatics\AppData\Roaming\FMNexusWebServices
2018-01-23 14:31 - 2014-12-23 14:21 - 000000000 ____D C:\Users\MSSQLFDLauncher$SQLEXPRESS
2018-01-23 13:58 - 2010-11-20 22:27 - 000548000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2018-01-23 09:22 - 2015-04-28 06:24 - 000057560 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-22 13:18 - 2013-06-18 16:13 - 000000000 ____D C:\Windows\Panther
2018-01-22 05:17 - 2014-12-19 15:31 - 000000000 __SHD C:\Users\VSRUSER\AppData\Local\EmieUserList
2018-01-22 05:17 - 2014-12-19 15:31 - 000000000 __SHD C:\Users\VSRUSER\AppData\Local\EmieSiteList
2018-01-19 12:50 - 2017-08-31 13:39 - 000003726 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002
2018-01-19 12:50 - 2017-08-31 13:39 - 000003630 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002
2018-01-19 12:50 - 2017-08-31 13:39 - 000000000 ____D C:\Users\Eyeformatics\AppData\Local\GoToMeeting
2018-01-19 12:03 - 2015-03-04 14:07 - 000000000 ____D C:\HL7
2018-01-19 04:55 - 2009-07-14 00:32 - 000000000 ____D C:\Windows\system32\FxsTmp
2018-01-18 05:58 - 2014-12-19 13:34 - 000057560 _____ C:\Users\VSRUSER\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-04 18:01 - 2014-12-19 15:34 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-04 18:01 - 2014-12-19 15:34 - 000002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-26 23:22 - 2017-07-08 17:48 - 000000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-12-26 23:22 - 2017-07-08 17:48 - 000000959 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
 
==================== Files in the root of some directories =======
 
2015-04-24 07:20 - 2015-04-24 07:18 - 000000022 _____ () C:\Users\SuperContainer\get all files recursive.bat
2017-04-24 17:15 - 2018-01-23 14:38 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Roaming\PUTTY.RND
2015-03-04 15:02 - 2018-01-24 11:32 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Roaming\winscp.rnd
2015-04-16 11:44 - 2018-01-23 14:38 - 000000600 _____ () C:\Users\Eyeformatics\AppData\Local\PUTTY.RND
2015-04-20 14:23 - 2017-03-20 13:28 - 000007605 _____ () C:\Users\Eyeformatics\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-01-18 00:22
 
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by Eyeformatics (24-01-2018 11:33:47)
Running from C:\Users\Eyeformatics\Desktop
Windows 7 Professional Service Pack 1 (X64) (2013-06-18 17:40:28)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Admin (S-1-5-21-3866400975-1191489592-655960364-1011 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3866400975-1191489592-655960364-500 - Administrator - Enabled) => C:\Users\Administrator
Adminsitrator (S-1-5-21-3866400975-1191489592-655960364-1007 - Administrator - Enabled) => C:\Users\Adminsitrator
ConnectEHRService (S-1-5-21-3866400975-1191489592-655960364-1005 - Administrator - Enabled)
CQMSolution (S-1-5-21-3866400975-1191489592-655960364-1006 - Administrator - Enabled)
Eyeformatics (S-1-5-21-3866400975-1191489592-655960364-1002 - Administrator - Enabled) => C:\Users\Eyeformatics
Guest (S-1-5-21-3866400975-1191489592-655960364-501 - Limited - Enabled) => C:\Users\Guest
Host (S-1-5-21-3866400975-1191489592-655960364-1008 - Administrator - Enabled) => C:\Users\Host
Oldona (S-1-5-21-3866400975-1191489592-655960364-1010 - Administrator - Enabled) => C:\Users\Oldona
Temp (S-1-5-21-3866400975-1191489592-655960364-1009 - Administrator - Enabled) => C:\Users\Temp
User (S-1-5-21-3866400975-1191489592-655960364-1000 - Administrator - Disabled) => C:\Users\User
VSRUSER (S-1-5-21-3866400975-1191489592-655960364-1001 - Administrator - Enabled) => C:\Users\VSRUSER
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{44E71915-81AF-94DC-C1B7-292BEB98D0A7}) (Version: 3.0.851.0 - Advanced Micro Devices, Inc.)
Bitvise SSH Server 6.24 (remove only) (HKLM-x32\...\Bitvise SSH Server) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.14 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
CleanMem (HKLM-x32\...\CleanMem) (Version: v2.5.0 - PcWinTech.com)
Cobian Backup 11 Gravity (HKLM-x32\...\CobBackup11) (Version:  - )
CPUID CPU-Z 1.78 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CyberPower PowerPanel Personal Edition 1.6.2 (HKLM-x32\...\{3A53EB0A-8E61-4A33-9ECE-385C7EA26BED}) (Version: 1.6.2 - Cyber Power Systems, Inc.)
FileMaker ODBC Driver (64-bit) (HKLM\...\{E967A54C-BABE-4FDF-A6F7-9F9607BBBE68}) (Version: 13.2.14 - FileMaker, Inc.)
FileMaker ODBC Driver (HKLM-x32\...\{124DFD5B-44A5-42B3-BA31-D17D98C57CCB}) (Version: 13.2.14 - FileMaker, Inc.)
FileMaker Pro 13 (HKLM-x32\...\{EA92821A-03A5-4B00-85F4-834BBD8ABC24}) (Version: 13.0.4.0 - FileMaker, Inc.) Hidden
FileMaker Pro 13 (HKLM-x32\...\{EA92821A-03A5-4B00-85F4-834BBD8ABC24}_FileMaker) (Version: 13.0.4.0 - FileMaker, Inc.)
FileMaker Pro 13 Advanced (HKLM-x32\...\{4B2ABFE4-3A1D-4FFB-B6E8-A256ADFB0D7A}) (Version: 13.0.5.0 - FileMaker, Inc.) Hidden
FileMaker Pro 13 Advanced (HKLM-x32\...\{4B2ABFE4-3A1D-4FFB-B6E8-A256ADFB0D7A}_FileMaker) (Version: 13.0.5.0 - FileMaker, Inc.)
FileMaker Server 13 (HKLM\...\{71356255-96FC-4A56-AAF4-F9331034CCBF}) (Version: 13.0.5.520 - FileMaker, Inc.)
FreeFileSync 8.10 (HKLM-x32\...\FreeFileSync_is1) (Version: 8.10 - www.FreeFileSync.org)
GDR 2218 for SQL Server 2012 (KB2716442) (64-bit) (HKLM\...\KB2716442) (Version: 11.0.2218.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoTo Opener (HKLM-x32\...\{8B2D47CC-1558-4939-B27F-41E30530072A}) (Version: 1.0.467 - LogMeIn, Inc.)
GoToAssist Customer 3.0.0.1185 (HKLM-x32\...\GoToAssist Express Customer) (Version: 3.0.0.1185 - Citrix Online)
GoToMeeting 8.20.0.8199 (HKU\S-1-5-21-3866400975-1191489592-655960364-1002\...\GoToMeeting) (Version: 8.20.0.8199 - LogMeIn, Inc.)
HitmanPro 3.8 (HKLM\...\HitmanPro38) (Version: 3.8.0.292 - SurfRight B.V.)
HP Product Detection (HKLM-x32\...\{ACAA0152-96A4-4D93-92F5-1B4728C3D984}) (Version: 11.15.0008 - HP)
HydraVision (HKLM-x32\...\{F1218521-0C19-8D0C-817A-648C767F07A2}) (Version: 4.2.218.0 - Advanced Micro Devices, Inc.) Hidden
IIS URL Rewrite Module 2 (HKLM\...\{EB675D0A-2C95-405B-BEE8-B42A65D23E11}) (Version: 7.2.2 - Microsoft Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.8.0.1003 - Intel Corporation)
Java 8 Update 131 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Java 8 Update 131 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Multi-Targeting Pack (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Application Request Routing 3.0 (HKLM\...\{78FD26A2-9214-48CD-AF71-7F33D1A78892}) (Version: 3.0.1750 - Microsoft Corporation)
Microsoft External Cache Version 1 for IIS 7 (HKLM\...\{4F11656E-9861-4A97-B224-CFF2996998C6}) (Version: 1.1.0490 - Microsoft Corporation)
Microsoft Help Viewer 1.1 (HKLM\...\Microsoft Help Viewer 1.1) (Version: 1.1.40219 - Microsoft Corporation)
Microsoft Report Viewer 2012 Runtime (HKLM-x32\...\{9CCE40CE-A9E6-4916-8729-B008558EEF3F}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (HKLM-x32\...\{83F2B8F4-5CF3-4BE9-9772-9543EAE4AC5F}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{B40EE88B-400A-4266-A17B-E3DE64E94431}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server 2012 (64-bit) (HKLM\...\Microsoft SQL Server SQLServer2012) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM\...\{A007BD05-ECFD-4F64-89F6-7E95F91F0DFB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{DA1C1761-5F4F-4332-AB9D-29EDF3F8EA0A}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{FA0A244E-F3C2-4589-B42A-3D522DE79A42}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{587F8B5C-D30D-4EEC-849B-FC410EA38AAF}) (Version: 11.0.2218.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Setup (English) (HKLM\...\{8CB0713F-CFE0-445D-BCB2-538465860E1A}) (Version: 11.1.3128.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{03A2AE02-CBC9-4746-A376-0F7BF6AF5F39}) (Version: 11.0.2218.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{0E8670B8-3965-4930-ADA6-570348B67153}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM\...\{CC8B009A-98C9-497F-99AF-CEBE35D8C0CF}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server Data Tools – Database Projects – Web installer entry point (HKLM-x32\...\{F3BBC56F-2282-4464-952F-A89772181F30}) (Version: 10.3.20116.0 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{C3F6F200-6D7B-4879-B9EE-700C0CE1FCDA}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{F1949145-EB64-4DE7-9D81-E6D27937146C}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (HKLM-x32\...\{B7E38540-E355-3503-AFD7-635B2F2F76E1}) (Version: 9.0.30729.4974 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.40219 (HKLM-x32\...\{5D9ED403-94DE-3BA0-B1D6-71F4BDA412E6}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Shell (Integrated) - ENU (HKLM-x32\...\{012D26C3-E12A-3BDA-8ECE-DF14E721A507}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Shell (Isolated) - ENU (HKLM-x32\...\{D64B6984-242F-32BC-B008-752806E5FC44}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications Design-Time 3.0 (HKLM-x32\...\{5A03C202-08B4-3F1D-9A60-A4F53EF1B636}) (Version: 10.0.40220 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications x86 Runtime 3.0 (HKLM-x32\...\{191A6F65-6878-398D-A272-EF011B80F371}) (Version: 10.0.40220 - Microsoft Corporation)
Microsoft VSS Writer for SQL Server 2012 (HKLM\...\{3E0DD83F-BE4C-4478-86A0-AD0D79D1353E}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Web Farm Framework (HKLM\...\{997E542E-B134-49E6-882E-66AA05E46464}) (Version: 1.1.1292 - Microsoft Corporation)
MiniTool Partition Wizard Home Edition 8.1.1 (HKLM-x32\...\{05D996FA-ADCB-4D23-BA3C-A7C184A8FAC6}_is1) (Version:  - MiniTool Solution Ltd.)
Mozilla Firefox 57.0 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0 (x64 en-US)) (Version: 57.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 57.0.0.6525 - Mozilla)
NVIDIA 3D Vision Controller Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 295.73 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 295.73 - NVIDIA Corporation)
NVIDIA Graphics Driver 295.73 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 295.73 - NVIDIA Corporation)
NVIDIA nView 136.18 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.18 - NVIDIA Corporation)
Prerequisites for SSDT  (HKLM-x32\...\{9169C939-ED01-446A-BD0C-29873BAF4E48}) (Version: 11.0.2100.60 - Microsoft Corporation)
Ralink RT2870 Wireless LAN Card (HKLM-x32\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.14.0 - Ralink)
SQL Server 2012 BI Development Studio (HKLM\...\{656E214E-B73F-458C-AD64-ED316F008207}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 BI Development Studio (HKLM\...\{EE1B54D1-BFBC-4C19-8D66-E0AF3E967896}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{1D411379-9CE0-4B13-A19B-72D3222DD620}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Common Files (HKLM\...\{202AAF1F-69AA-442A-B59F-6B54B1AD07C6}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{18B2A97C-92C3-4AC7-BE72-F823E0BC895B}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Services (HKLM\...\{84FBCA4A-D650-4B0D-8094-EC0671FA9B91}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{54FF8FAB-DE27-4187-82F1-EBAE6AEE869A}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Database Engine Shared (HKLM\...\{6603C2CE-3C54-4F1D-92F9-8390CD4CCCA8}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{7272DF1C-2F88-43AC-A481-84DD67DF9746}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{B3192F55-2CE8-4C8E-9E40-D3B4998276B2}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Documentation Components (HKLM\...\{CECA0188-BD7A-43EF-B1F7-DDF719099C46}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Full text search (HKLM\...\{34A7A77A-A23D-44ED-B3B6-EC8198BE2622}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{26BFF1F1-5C03-4C55-9C7C-FD65889AFA70}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Management Studio (HKLM\...\{A7037EB2-F953-4B12-B843-195F4D988DA1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Reporting Services (HKLM\...\{DCCB1789-1DA0-4E3A-A52F-7815B602CC98}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 Reporting Services (HKLM\...\{FCD81E1A-6ED6-4F19-A572-82FFE102654E}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server 2012 SQL Data Quality Common (HKLM\...\{D307B5CF-D1F0-48A4-8DA3-54765F535208}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
SQL Server Browser for SQL Server 2012 (HKLM-x32\...\{4B9E6EB0-0EED-4E74-9479-F982C3254F71}) (Version: 11.0.2100.60 - Microsoft Corporation)
Sql Server Customer Experience Improvement Program (HKLM\...\{BED1EA3D-592D-4305-9D1F-20F03726EFC1}) (Version: 11.0.2100.60 - Microsoft Corporation) Hidden
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.90922 - TeamViewer)
Update 4.0.2 for Microsoft .NET Framework 4 Client Profile (KB2544514) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2544514) (Version: 1 - Microsoft Corporation)
Update 4.0.2 for Microsoft .NET Framework 4 Extended (KB2544514) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2544514) (Version: 1 - Microsoft Corporation)
Visual Studio 2010 Prerequisites - English (HKLM\...\{662014D2-0450-37ED-ABAE-157C88127BEB}) (Version: 10.0.40219 - Microsoft Corporation)
WinSCP 5.7 (HKLM-x32\...\winscp3_is1) (Version: 5.7 - Martin Prikryl)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1-x32: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers4-x32: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\Program Files\NVIDIA Corporation\nview\nvshell.dll [2012-02-09] ()
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2012-02-09] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0BFD6A32-D4A2-4162-8768-0F625E5BF48E} - System32\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupload.exe [2018-01-19] (LogMeIn, Inc.)
Task: {0D390859-4532-450F-9CE9-987B76B56DA0} - System32\Tasks\WeeklyMirror => C:\Users\Eyeformatics\Documents\mirrorffs.bat [2017-04-05] () <==== ATTENTION
Task: {1BB561B3-675E-42C4-8253-AE7D779AEE15} - System32\Tasks\G2MUpdateTask-S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupdate.exe [2018-01-19] (LogMeIn, Inc.)
Task: {2FEEF02C-DDC5-440C-8838-10265ECFBE9E} - System32\Tasks\FileSync DB => C:\Users\Eyeformatics\Documents\dailyffs.bat [2017-04-05] () <==== ATTENTION
Task: {30382559-196A-4774-8FE1-33D311F14759} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {38A155C3-2909-49B0-844F-814CA416D0BA} - System32\Tasks\CleanMem Mini Monitor => C:\Program Files (x86)\CleanMem\mini_monitor.exe [2014-08-20] (PcWinTech.com)
Task: {7FFE1D4F-D1F0-4EDF-85D5-11C9C6987491} - System32\Tasks\Clean System Memory => C:\Windows\syswow64\CleanMem.exe [2014-08-20] (PcWinTech.com)
Task: {83BC1EB2-B03C-452F-BBDC-0AE37FCA99A4} - System32\Tasks\fmserestart => C:\Users\Eyeformatics\Desktop\restartfmse.bat [2015-05-04] () <==== ATTENTION
Task: {973B6504-985B-4B53-B3D8-9882BEAF6CD5} - System32\Tasks\Run Hl7 Batch => C:\HL7\HL7Grab.bat [2015-03-04] () <==== ATTENTION
Task: {BD5FC1CA-5A56-4501-84E6-5B64BBD08869} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-11-23] (Adobe Systems Incorporated)
Task: {C0FEAFF2-9223-4E77-A0B8-ECFB1FECAA1A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {C31D4ACD-A586-44F0-ACA0-47A6F484B23F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-01-15] (Piriform Ltd)
Task: {E4404C67-0974-46D2-ACFD-699D03D4361D} - System32\Tasks\hl7 Grab Messages => C:\HL7\HL7Grab.bat [2015-03-04] () <==== ATTENTION
Task: {E9180AC7-B7AB-4754-BDDC-D92CFBC2F215} - System32\Tasks\Bitvise\Persistent BvSshServer Control Panel\S-1-5-21-3866400975-1191489592-655960364-1002 => C:\Program Files\Bitvise SSH Server\BssCtrl.exe [2015-04-09] ()
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3866400975-1191489592-655960364-1002.job => C:\Users\Eyeformatics\AppData\Local\GoToMeeting\8199\g2mupload.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-04-09 09:29 - 2015-04-09 09:29 - 000710000 _____ () C:\Program Files\Bitvise SSH Server\CiProv64.dll
2014-12-23 14:42 - 2014-05-08 12:57 - 000201728 _____ () C:\Program Files\CQMsolution\CQMAgent\Topshelf.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000112984 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\zlibwapi.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000439128 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\Libetpan.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000054640 _____ () C:\Program Files\FileMaker\FileMaker Server\Database Server\XalanMessages_1_11.dll
2018-01-23 18:10 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2018-01-23 18:10 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000112984 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\zlibwapi.dll
2014-11-11 01:10 - 2014-11-11 01:10 - 000439128 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\Libetpan.dll
2014-11-11 01:12 - 2014-11-11 01:12 - 000054640 _____ () C:\Program Files\FileMaker\FileMaker Server\Web Publishing\publishing-engine\cwpc\XalanMessages_1_11.dll
2015-04-09 09:29 - 2015-04-09 09:29 - 004760368 _____ () C:\Program Files\Bitvise SSH Server\BssCtrl.exe
2018-01-04 18:01 - 2018-01-03 04:20 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libglesv2.dll
2018-01-04 18:01 - 2018-01-03 04:20 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.132\libegl.dll
2017-05-16 16:07 - 2017-05-16 16:07 - 000172544 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\892a97dcd43f3c5a200540919825c762\IsdiInterop.ni.dll
2013-06-18 13:59 - 2011-10-17 14:08 - 000059904 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2015-04-09 09:29 - 2015-04-09 09:29 - 000421232 _____ () C:\Program Files\Bitvise SSH Server\CiProv32.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3866400975-1191489592-655960364-1001\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-3866400975-1191489592-655960364-1002\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{DA773CAA-9F84-4AED-B75B-3F28FD396A63}C:\program files (x86)\hp\common\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hp\common\hpdevicedetection3.exe
FirewallRules: [UDP Query User{C960AEBC-057E-4D0C-9C41-BDF7D0C7174A}C:\program files (x86)\hp\common\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hp\common\hpdevicedetection3.exe
FirewallRules: [{6B29E637-BED2-406E-B2EA-53F2CF6DFFC8}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E436856A-56BC-4BF9-BC5B-A642A749BEE7}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8BC849E9-1841-4B11-B3EE-A82E9B64C6B0}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2C767DFA-673D-4A51-AB51-7EB0B8D3C6CA}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{28421391-A356-4193-B811-DF1EE240E5D5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{82AEA5A8-7E25-417E-9FE8-BB2F8B2D80DF}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4ECEBE59-4689-473B-8635-109BE671586F}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{BEAFC54D-8F1E-4740-A87B-634F8CF9642F}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{879EB1A2-59E5-406E-945D-D3654976099C}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{42AA337E-69A9-4313-B0EF-474401A49F48}] => (Allow) C:\Program Files\FileMaker\FileMaker Server\Database Server\fmserver.exe
FirewallRules: [{2EC335A3-6BF8-4CC2-934C-C29A42812D0E}] => (Allow) LPort=443
FirewallRules: [{5B3AAB59-4067-4CA7-92BF-B0F708E8CA9E}] => (Allow) LPort=3364
FirewallRules: [TCP Query User{79FCC443-B645-42B6-93C5-0E03A763F721}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Allow) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [UDP Query User{475F7215-0C0B-495A-937A-66EC1CFE2785}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Allow) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [TCP Query User{292C386B-5899-48FA-AEC0-574A109EE61B}C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe
FirewallRules: [UDP Query User{95EFBBC4-F7DB-4453-B314-A2F8E1059B63}C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13 advanced\filemaker pro advanced.exe
FirewallRules: [TCP Query User{EC1F1371-88CE-4AAD-A4CC-CA6C5CAD15BD}C:\program files\java\jre1.8.0_131\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_131\bin\javaw.exe
FirewallRules: [UDP Query User{5F1CAA5E-D9A8-4F53-A5AB-A7D93E54E7E0}C:\program files\java\jre1.8.0_131\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_131\bin\javaw.exe
FirewallRules: [{61355E49-322D-4103-9021-60B0EE95DC8D}] => (Block) LPort=5003
FirewallRules: [{9873B64D-2BB9-41FA-9A79-BAEDB3D41C0F}] => (Allow) LPort=3365
FirewallRules: [TCP Query User{DC6574D6-2859-4C8A-9E83-B44C17A81AA4}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Block) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [UDP Query User{BB876D49-9BB3-4EA0-9D80-399426BF6185}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Block) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [{45D43080-7732-4A24-90A7-1B4E06A37314}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{1CD0A892-D895-4E05-A619-076990D6EA1B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{0AB7F145-A0C6-4019-A4BE-F451DBD33FBC}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{6A707AC7-9E30-4FC6-BE0A-E460578C733D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{45DF76EF-F8F7-4C2A-BEA7-A3273B595464}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{173A4F6B-BF2E-4CF1-8E36-4F6DE32E5CAE}] => (Allow) LPort=3389
FirewallRules: [{50B8DE96-7B4A-4236-9C3C-2FF138639F7F}] => (Allow) C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
FirewallRules: [{AD4AD500-365A-422E-8CE5-9CA5227B069C}] => (Allow) C:\Program Files (x86)\XPS Rasterization Service Component\xps.exe
FirewallRules: [TCP Query User{D1BE34C7-116C-472A-BF0E-C84F9ACFC3F0}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [UDP Query User{FEFB90D0-3866-4B8E-AE24-D72C4E31B29C}C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe] => (Allow) C:\program files (x86)\filemaker\filemaker pro 13\filemaker pro.exe
FirewallRules: [TCP Query User{2449BF50-060F-491D-AD8A-328D88B86867}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Block) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [UDP Query User{0C125622-5DE6-46C6-9469-A92B20E18F3A}C:\program files\filemaker\filemaker server\database server\fmsadmin.exe] => (Block) C:\program files\filemaker\filemaker server\database server\fmsadmin.exe
FirewallRules: [{4DAE5A0E-62FE-44DB-BA0D-AEF2364416A4}] => (Allow) C:\Program Files\Bitvise SSH Server\BvSshServer.exe
 
==================== Restore Points =========================
 
24-01-2018 08:19:13 Microsoft Antimalware Checkpoint
24-01-2018 10:05:51 Checkpoint by HitmanPro
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/24/2018 11:22:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (01/24/2018 11:22:19 AM) (Source: Report Server Windows Service (SQLEXPRESS)) (EventID: 107) (User: )
Description: Report Server Windows Service (SQLEXPRESS) cannot connect to the report server database.
 
Error: (01/24/2018 11:22:03 AM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Error: (01/24/2018 11:22:02 AM) (Source: SQLAgent$SQLEXPRESS) (EventID: 324) (User: )
Description: OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
 
System errors:
=============
Error: (01/24/2018 11:28:06 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.
 
Error: (01/24/2018 11:25:40 AM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{385993E2-FCF6-42E8-989B-34FDF866CEFA}.
The backup browser is stopping.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU E5620 @ 2.40GHz
Percentage of memory in use: 66%
Total physical RAM: 49135.22 MB
Available physical RAM: 16483.13 MB
Total Virtual: 98933.41 MB
Available Virtual: 65092.77 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:689.53 GB) NTFS
Drive e: (Backup) (Fixed) (Total:853.22 GB) (Free:268.31 GB) NTFS
Drive s: (swap) (Fixed) (Total:73.24 GB) (Free:25.3 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 2FDA0A4D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: D5A3F0AF)
Partition 1: (Not Active) - (Size=73.2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=853.2 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#4
RKinner

    Malware Expert

  • Expert
  • 20,233 posts
  • MVP

TeamViewer is OK (tho yours needs to be updated) as long as you installed it.  Sometimes malware will install it so just wanted to make sure.  I removed another remote control with the fixlist:

 

S3 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2018-01-19] (Stas'M Corp.) [File not signed]

 

 

Are you able to go into Control Panel (View: Large Icons) User Accounts and delete the new accounts?  I suppose I can figure out how to do it with a fixlist if they won't go normally.  FRST removed the associated Users folders so it's probably just some registry entries in HKEY_USERS.  FRST shows us the keys:

 

==================== Accounts: =============================
 
Admin (S-1-5-21-3866400975-1191489592-655960364-1011 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3866400975-1191489592-655960364-500 - Administrator - Enabled) => C:\Users\Administrator
Adminsitrator (S-1-5-21-3866400975-1191489592-655960364-1007 - Administrator - Enabled) => C:\Users\Adminsitrator
ConnectEHRService (S-1-5-21-3866400975-1191489592-655960364-1005 - Administrator - Enabled)
CQMSolution (S-1-5-21-3866400975-1191489592-655960364-1006 - Administrator - Enabled)
Eyeformatics (S-1-5-21-3866400975-1191489592-655960364-1002 - Administrator - Enabled) => C:\Users\Eyeformatics
Guest (S-1-5-21-3866400975-1191489592-655960364-501 - Limited - Enabled) => C:\Users\Guest
Host (S-1-5-21-3866400975-1191489592-655960364-1008 - Administrator - Enabled) => C:\Users\Host
Oldona (S-1-5-21-3866400975-1191489592-655960364-1010 - Administrator - Enabled) => C:\Users\Oldona
Temp (S-1-5-21-3866400975-1191489592-655960364-1009 - Administrator - Enabled) => C:\Users\Temp
User (S-1-5-21-3866400975-1191489592-655960364-1000 - Administrator - Disabled) => C:\Users\User
VSRUSER (S-1-5-21-3866400975-1191489592-655960364-1001 - Administrator - Enabled) => C:\Users\VSRUSER
 
If you go into regedit you will find a bunch of S-1-5-21-... keys under HKEY_USERS.  Each one represents a different user.  Delete the key and the user should disappear.
The guest user is normally there but  disabled.  The keys ending in 1007, 1008, 1009, 1010 & 1011 need to go.
 

 

 

Let's check the system files to see if anything has been compromised.

 

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).

sfc  /scannow

(This will check your critical system files. Does this finish without complaint?  If it says it couldn't fix everything then:

Copy the next two lines:

findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  %UserProfile%\desktop\junk.txt
notepad %UserProfile%\desktop\junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 

 

I also see it is having problems with Windows Update.

Try:

System Update Readiness Tool for Windows 7

This link is for 64 bit:
https://www.microsof...s.aspx?id=20858

 

Once that runs then get

 KB3083710 and KB3102810 if you don't already have them.

https://support.micr...n-us/kb/3083710

https://support.micr...n-us/kb/3102810

Then try Windows Update again and see if you have better luck.

 

If it still fails then try:

 

 

Windows Repair all in one

http://www.tweaking....all_in_one.html

Download it and save it then run it.

You can skip to step 4 or 5 where it gives you the same picture as in the above link.

Make sure all of these are checked before hitting Start:


Repair Hosts File

Remove Policies Set By Infections
Repair Proxy Settings

Repair Windows Updates


Reboot when done and run VEW again as before.

 

I would run a free ESET online scan to see if it finds anything:

 

Use IE and go to https://www.eset.com/us/home/online-scanner/ 

and click on SCAN NOW under  ESET online Scanner.  This can take 3 hours or more.

 

Another good scan is MBAR:

 

https://www.malwareb...om/antirootkit/

 

You might also consider dumping MSE and installing the free Avast at least long enough to run a boot time scan.

 

http://www.avast.com/index
Click on Download then choose the free version.  Save the file.  Uninstall Microsoft Security Essentials then reboot.  Install Avast (stick with the free (basic) version).  Once it installs and updates then set it up to do a boot-time scan:

 

It takes like 6 hours so I usually let it run at night.


Click on the Avast ball.  Then click on Protection, then on Antivirus, then on Other Scans then on Boot-time Scan.  Click on Install Special Definitions.  Click on Run on Next PC Reboot.

Reboot and let it run a scan.  It may take hours.
Once it finishes it should load Windows.  Mute your speakers so it doesn't wake you up when Windows boots.

When you reboot you will see the scan start.  It will tell you where it saves its log.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.   This is a hidden location so you will need to tell Windows to let you see it:

http://www.howtogeek...-windows-vista/

Copy and paste the text from the log to a Reply when done.


 


  • 0
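Post #4 above points out that the created accounts show up both in FRST's Accounts listing and as S-1-5-21-... keys under HKEY_USERS. The following triage script is an added example for this write-up, not part of the thread, of FRST or of any tool used here: it parses that listing, flags the accounts a responder would want to review (anything not on an allowlist, look-alike names such as Adminsitrator, an enabled Guest) and prints the registry keys to check for each one. The allowlist EXPECTED_ACCOUNTS is constructed for this machine from the thread.

```python
r"""Triage the "Accounts:" block FRST prints (quoted in post #4). Added example, not
part of the thread, of FRST or of any tool used here: parse the listing, flag accounts
that are not on a responder-supplied allowlist or that look suspicious on their own,
and list the registry keys to review for each. Line format FRST uses:
  Name (S-1-5-21-...-RID - Administrator|Limited - Enabled|Disabled) [=> C:\Users\Name]"""
import re
from dataclasses import dataclass
from typing import Optional

ACCOUNT_RE = re.compile(
    r"^(?P<name>\S+) \((?P<sid>S-1-5-21-[\d-]+) - (?P<kind>\w+) - (?P<state>\w+)\)"
    r"(?: => (?P<profile>.+))?$")

# Sample input: the Accounts block FRST produced for the machine in this thread.
FRST_ACCOUNTS = r"""==================== Accounts: =============================
Admin (S-1-5-21-3866400975-1191489592-655960364-1011 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-3866400975-1191489592-655960364-500 - Administrator - Enabled) => C:\Users\Administrator
Adminsitrator (S-1-5-21-3866400975-1191489592-655960364-1007 - Administrator - Enabled) => C:\Users\Adminsitrator
ConnectEHRService (S-1-5-21-3866400975-1191489592-655960364-1005 - Administrator - Enabled)
CQMSolution (S-1-5-21-3866400975-1191489592-655960364-1006 - Administrator - Enabled)
Eyeformatics (S-1-5-21-3866400975-1191489592-655960364-1002 - Administrator - Enabled) => C:\Users\Eyeformatics
Guest (S-1-5-21-3866400975-1191489592-655960364-501 - Limited - Enabled) => C:\Users\Guest
Host (S-1-5-21-3866400975-1191489592-655960364-1008 - Administrator - Enabled) => C:\Users\Host
Oldona (S-1-5-21-3866400975-1191489592-655960364-1010 - Administrator - Enabled) => C:\Users\Oldona
Temp (S-1-5-21-3866400975-1191489592-655960364-1009 - Administrator - Enabled) => C:\Users\Temp
User (S-1-5-21-3866400975-1191489592-655960364-1000 - Administrator - Disabled) => C:\Users\User
VSRUSER (S-1-5-21-3866400975-1191489592-655960364-1001 - Administrator - Enabled) => C:\Users\VSRUSER
"""
# Constructed allowlist: the accounts the owner recognises (built-ins, staff, service accounts).
EXPECTED_ACCOUNTS = {"Administrator", "Guest", "User", "Eyeformatics", "VSRUSER",
                     "ConnectEHRService", "CQMSolution"}
BUILTIN_NAMES = {"Administrator", "Guest"}


@dataclass
class Account:
    name: str
    sid: str
    kind: str               # "Administrator" (Administrators group member) or "Limited"
    enabled: bool
    profile: Optional[str]  # profile folder, when FRST printed one

    @property
    def rid(self) -> int:   # last SID component: 500/501 are built-ins, >= 1000 were created locally
        return int(self.sid.rsplit("-", 1)[1])


def parse_accounts(frst_text):
    matches = (ACCOUNT_RE.match(line.strip()) for line in frst_text.splitlines())
    return [Account(m["name"], m["sid"], m["kind"], m["state"] == "Enabled", m["profile"])
            for m in matches if m]


def edit_distance(a, b):
    """Case-insensitive Levenshtein distance, used to catch look-alike names."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_accounts(accounts, expected):
    findings = []
    for acct in accounts:
        reasons = []
        if acct.name not in expected:
            reasons.append(f"not on the expected list ({acct.kind}, {'enabled' if acct.enabled else 'disabled'})")
        if acct.name not in BUILTIN_NAMES and any(
                0 < edit_distance(acct.name, b) <= 2 for b in BUILTIN_NAMES):
            reasons.append("name is a near-match for a built-in account")
        if acct.rid == 501 and acct.enabled:
            reasons.append("built-in Guest is enabled (normally disabled)")
        if reasons:
            findings.append((acct, reasons))
    return findings


def registry_keys(acct):
    # HKEY_USERS\<SID> is present only while that user's hive is loaded; the ProfileList
    # entry persists and is what ties the SID to its C:\Users folder.
    return [rf"HKEY_USERS\{acct.sid}",
            rf"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{acct.sid}"]


if __name__ == "__main__":
    for acct, reasons in flag_accounts(parse_accounts(FRST_ACCOUNTS), EXPECTED_ACCOUNTS):
        print(f"{acct.name} (RID {acct.rid}): {'; '.join(reasons)}")
        print("\n".join(f"    review: {key}" for key in registry_keys(acct)))
```

On this listing the script flags the five RIDs 1007 to 1011 that the post says need to go, plus the enabled Guest account.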

#5
reppucci


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Thank you again,

 

I think I will be able to manage most, if not all, of what you recommended. I am out of the office tomorrow but will try to do all this by Friday.

 

It may be a bit until I reply to you with the logs!


  • 0

#6
RKinner


    Malware Expert

  • Expert
  • 20,233 posts
  • MVP

No hurry.  I don't keep track.


  • 0

#7
reppucci


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Deleted accounts in Control Panel, then checked regedit; already removed from regedit.

 

SFC scan no problem.

 

I had run malwarebytes with rootkit check.

 

I did run eset..files deleted/cleaned at the end of post.

 

I think updates ran successfully.

 

Have not booted into Avast as of yet.

 

Here is the VEW log:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 24/01/2018 7:22:26 PM
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/01/2018 8:32:55 PM
Type: Error Category: 0
Event: 2001 Source: Microsoft Antimalware
Microsoft Antimalware has encountered an error trying to update signatures.  New Signature Version:    Previous Signature Version: 118.2.0.0  Update Source: Microsoft Malware Protection Center  Update Stage: Search  Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.14202.0&sig=118.2.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094  Signature Type: Network Inspection System  Update Type: Full  User: NT AUTHORITY\NETWORK SERVICE  Current Engine Version:    Previous Engine Version: 2.1.14202.0  Error code: 0x800704e8  Error description: The remote system is not available. For information about network troubleshooting, see Windows Help. 
 
Log: 'System' Date/Time: 24/01/2018 8:02:45 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Google Update Service (gupdate) service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
 
Log: 'System' Date/Time: 24/01/2018 8:02:45 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
 
Log: 'System' Date/Time: 24/01/2018 8:02:45 PM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
 
Log: 'System' Date/Time: 24/01/2018 6:29:27 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Volume Shadow Copy service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
 
Log: 'System' Date/Time: 24/01/2018 6:29:27 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
 
Log: 'System' Date/Time: 24/01/2018 6:28:50 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Volume Shadow Copy service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
 
Log: 'System' Date/Time: 24/01/2018 6:28:50 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
 
Log: 'System' Date/Time: 24/01/2018 6:28:13 PM
Type: Error Category: 0
Event: 10005 Source: Microsoft-Windows-DistributedCOM
DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
 
Log: 'System' Date/Time: 24/01/2018 6:28:13 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Volume Shadow Copy service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
 
Log: 'System' Date/Time: 24/01/2018 6:28:13 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
 
Log: 'System' Date/Time: 24/01/2018 4:44:45 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The SQL Server (SQLEXPRESS) service terminated unexpectedly.  It has done this 1 time(s).
 
Log: 'System' Date/Time: 24/01/2018 4:28:06 PM
Type: Error Category: 0
Event: 7022 Source: Service Control Manager
The Windows Update service hung on starting.
 
Log: 'System' Date/Time: 24/01/2018 4:25:40 PM
Type: Error Category: 0
Event: 8032 Source: BROWSER
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{385993E2-FCF6-42E8-989B-34FDF866CEFA}. The backup browser is stopping.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 24/01/2018 4:24:40 PM
Type: Warning Category: 0
Event: 8021 Source: BROWSER
The browser service was unable to retrieve a list of servers from the browser master \\HPZ220 on the network \Device\NetBT_Tcpip_{385993E2-FCF6-42E8-989B-34FDF866CEFA}.    Browser master: \\HPZ220  Network: \Device\NetBT_Tcpip_{385993E2-FCF6-42E8-989B-34FDF866CEFA}    This event may be caused by a temporary loss of network connectivity. If this message appears again, verify that the server is still connected to the network. The return code is in the Data text box.
 
Log: 'System' Date/Time: 24/01/2018 4:20:00 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped. 
 
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 24/01/2018 7:25:37 PM
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 24/01/2018 4:45:07 PM
Type: Error Category: 5
Event: 107 Source: Report Server Windows Service (SQLEXPRESS)
Report Server Windows Service (SQLEXPRESS) cannot connect to the report server database.
 
Log: 'Application' Date/Time: 24/01/2018 4:22:58 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Log: 'Application' Date/Time: 24/01/2018 4:22:19 PM
Type: Error Category: 5
Event: 107 Source: Report Server Windows Service (SQLEXPRESS)
Report Server Windows Service (SQLEXPRESS) cannot connect to the report server database.
 
Log: 'Application' Date/Time: 24/01/2018 4:22:03 PM
Type: Error Category: 5
Event: 324 Source: SQLAgent$SQLEXPRESS
OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
Log: 'Application' Date/Time: 24/01/2018 4:22:02 PM
Type: Error Category: 5
Event: 324 Source: SQLAgent$SQLEXPRESS
OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 25/01/2018 12:21:32 AM
Type: Warning Category: 0
Event: 64 Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Certificate for local system with Thumbprint 5c 5c 0b cf 04 e1 cd fc 12 af 4e 32 62 c7 0e 49 99 32 5e 79 is about to expire or already expired.
 
Log: 'Application' Date/Time: 24/01/2018 5:20:52 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "kg1 (HPfrontdesk1) [192.168.1.129]" authentication failed on database "EyeFormatics_Printing_2014.fmp12" using "kg1 [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:20:52 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "kg1 (HPfrontdesk1) [192.168.1.129]" authentication failed on database "EyeFormatics_MainReference_2014.fmp12" using "kg1 [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:20:24 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "kg1 (HPfrontdesk1) [192.168.1.129]" authentication failed on database "EyeFormatics_PM_2014.fmp12" using "kg1 [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:20:18 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "kg1 (HPfrontdesk1) [192.168.1.129]" authentication failed on database "EyeFormatics_EMR_2014.fmp12" using "vsruser [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:20:18 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "kg1 (HPfrontdesk1) [192.168.1.129]" authentication failed on database "EyeFormatics_EMR_2014.fmp12" using "user [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:15:43 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" authentication failed on database "EyeFormatics_Printing_2014.fmp12" using "vr [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:15:43 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" authentication failed on database "EyeFormatics_MainReference_2014.fmp12" using "vr [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:15:43 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" authentication failed on database "EyeFormatics_PM_2014.fmp12" using "vr [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:15:26 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" authentication failed on database "EyeFormatics_EMR_2014.fmp12" using "vsruser [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 5:15:26 PM
Type: Warning Category: 0
Event: 661 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" authentication failed on database "EyeFormatics_EMR_2014.fmp12" using "user [fmapp]".
 
Log: 'Application' Date/Time: 24/01/2018 4:44:45 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   20 user registry handles leaked from \Registry\User\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133:
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\My
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\CA
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\trust
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\TrustedPeople
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Policies\Microsoft\SystemCertificates
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Policies\Microsoft\SystemCertificates
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Policies\Microsoft\SystemCertificates
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Policies\Microsoft\SystemCertificates
Process 8920 (\Device\HarddiskVolume2\Users\Eyeformatics\Desktop\FRST64.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 8920 (\Device\HarddiskVolume2\Users\Eyeformatics\Desktop\FRST64.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 8920 (\Device\HarddiskVolume2\Users\Eyeformatics\Desktop\FRST64.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 8920 (\Device\HarddiskVolume2\Users\Eyeformatics\Desktop\FRST64.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 8920 (\Device\HarddiskVolume2\Users\Eyeformatics\Desktop\FRST64.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\Disallowed
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\Root
Process 708 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133\Software\Microsoft\SystemCertificates\SmartCardRoot
 
 
Log: 'Application' Date/Time: 24/01/2018 4:23:14 PM
Type: Warning Category: 0
Event: 64 Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Certificate for local system with Thumbprint 5c 5c 0b cf 04 e1 cd fc 12 af 4e 32 62 c7 0e 49 99 32 5e 79 is about to expire or already expired.
 
Log: 'Application' Date/Time: 24/01/2018 4:19:16 PM
Type: Warning Category: 0
Event: 26 Source: FileMaker Server 13
Client "Vincent Reppucci (ThinkExam3) [192.168.1.211]" forced to close connection.
 
Log: 'Application' Date/Time: 24/01/2018 4:19:16 PM
Type: Warning Category: 0
Event: 26 Source: FileMaker Server 13
Client "CB1 (HPZ220) [192.168.1.229]" forced to close connection.
 
 
ESET info:
 
C:\FRST\Quarantine\C\Program Files (x86)\System\install.bat BAT/RA-based.CX trojan cleaned by deleting
C:\FRST\Quarantine\C\Users\Oldona\Documents\Visual Studio 2010\Templates\Новая папка\Для дедиков\Darkode - RDP Brute\Darkode  RDP Brute.exe MSIL/HackTool.BruteForce.AF potentially unsafe application cleaned by deleting
C:\FRST\Quarantine\C\Users\Oldona\Downloads\11 (1).exe.xBAD a variant of Win32/Injector.DUTG trojan cleaned by deleting
C:\FRST\Quarantine\C\Users\Oldona\Downloads\11.exe.xBAD a variant of Win32/Injector.DUTG trojan cleaned by deleting
C:\Users\VSRUSER\Downloads\ccsetup514.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
 
 
 

  • 0

#8
RKinner


    Malware Expert

  • Expert
  • 20,233 posts
  • MVP

Only the last thing that ESET found was new.  The others had already been removed by FRST. 

 

You have a lot of errors.

 

Event: 64 Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

Certificate for local system with Thumbprint

 

This one you may need to get a domain admin to fix but give it a try:

 

https://docs.microso...774595(v=ws.10)

 

Even if you can't fix it see if you can determine what it is good for.

 

 
Event: 8021 Source: BROWSER

The browser service was unable to retrieve a list of servers from the browser master \\HPZ220 on the network \Device\NetBT_Tcpip_{385993E2-FCF6-42E8-989B-34FDF866CEFA}.    Browser master

 

 

No one needs NetBT these days so I would just turn it off.

 

Start, Control Panel (View Large Icons), Network & Sharing Center.  Under the section that starts with View Your Active Networks look for Connections:
You should see Wireless Network Connection.  Click on that and a new window will open.  Click on Properties (not on Wireless Properties).  Click on
Internet Protocol Version 4 (TCP/IPv4).  Now click on Properties then on Advanced.  Click on the WINS tab.  Uncheck Enable LMHOSTS lookup.
Check Disable NetBIOS over TCP/IP.

OK

Close control panel.

Might as well be thorough and turn off the drivers too.

Start, in the search box type:  regedit.exe  hit Enter
Yes
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS

Click on NetBIOS. Look in the right pane for Start.

Double click on Start and change it to 4 OK.

Repeat for  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT.

Reboot.

Search for:

services.msc

hit Enter

Find

TCP/IP NetBIOS Helper

right click and select Properties then change the Startup Type:

to Disabled.

OK

 

Clear the alarms:

 

Right click on (My) Computer and select Manage (Continue).  Then click on the arrow in front of Event Viewer.  Next click on the arrow in front of Windows Logs.  Right click on System and Clear Log, Clear.  Repeat for Application.

Reboot.
 

 

Run VEW again and let's see what still needs fixing.


  • 0

#9
reppucci


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

This computer is on a workgroup peer to peer; not a domain. This computer does have FM server installed and acts as a "server" for my business database.

 

Do the recommendations you make still apply?

 

Thanks

 

Vincent


  • 0

#10
RKinner


    Malware Expert

  • Expert
  • 20,233 posts
  • MVP

Shouldn't make any difference.  I don't know of anything that uses the NetBIOS protocol any more. See:

 

http://techgenix.com...s-still-needed/

 

As for the certificate, it needs to be updated or deleted; it doesn't matter what setup you have.


  • 0





