Web searches hijacked - 2008R2 Remote Desktop Server


26 replies to this topic

#1 Stung One

Posted 08 January 2012 - 06:39 PM

This is a follow-up to http://www.bleepingcomputer.com/forums/topic436736.html as requested by Broni.

Windows 2008 R2 server running Remote Desktop Services

Both Firefox and Internet Explorer lead users to 95p.com pages. For example, searching for "Hello World" within Google takes me to legit search engine results but when I click on the Wikipedia link, I get a link to http://95p.com/?search=hello%20world&subid=25&key=f10a8a2532c7caa708d7 instead.

Tried both TDSSKiller (renamed to iexplorer.exe before being copied to this server - nothing found) and Malwarebytes (one Trojan.Agent found in Temporary Internet Files), but the problem remains.

Proxy server settings in both browsers appear correct (blank) as do DNS and router settings.

The browser hijacking appears to affect all users.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-08 11:55:01
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000055 VMware__ rev.1.0_
Running: m113pviu.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldipow.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\bnqlumn.sys The system cannot find the path specified. !
.text dfsc.sys 92759302 501 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text dfsc.sys 927594FD 340 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text dfsc.sys 92759652 1027 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text dfsc.sys 92759A60 181 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text dfsc.sys 92759B17 35 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...
.INIT C:\Windows\System32\Drivers\dfsc.sys entry point in ".INIT" section [0x92766922]
? C:\Windows\System32\Drivers\dfsc.sys suspicious PE modification

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [735FA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [735FA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [735FA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [735FA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [735FA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [735FA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 9274B000-92759000 (57344 bytes)
Module (noname) (*** hidden *** ) 92792000-9279C000 (40960 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:420] 92796E40
Thread System [4:424] 85D7A520

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB45907$\2745626378 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\@ 2048 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf 75264 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000c0 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@80000000 26112 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000c0 32768 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cb 24064 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cf 31232 bytes
File C:\Windows\$NtUninstallKB45907$\646048435 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\list_bullet[1].gif 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\city.css.pagespeed.ce.A2Oj9EtpsY[1].css 5643 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\top-curvebotr.gif.pagespeed.ce.i424HwbCCO[1].gif 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\jquery-1.7.min.js.pagespeed.jm.23AGiqcFTn[1].js 93967 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\homeScript.js.pagespeed.jm.wBjzPdlly6[1].js 15175 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\xblog_btn_lft.gif.pagespeed.ic.6SA2YK7vF3[1].png 1126 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2L0U0ZT\likeCADW525Z.php 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2L0U0ZT\likeCAGGXTMY.php 0 bytes

---- EOF - GMER 1.0.15 ----
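A triage helper for logs in the GMER 1.0.15 format shown above, added here as an example; it is not GMER's code and not something the poster ran. It assumes the IAT, Module, Thread and File line layouts seen in this log, and the sample excerpt embedded in it is constructed from lines of the thread's own log plus one invented svchost.exe hook into a DLL under %TEMP% so that the "review" path is exercised. The defender's point it makes: on a Remote Desktop Session Host the LoadLibrary* entries redirected to tsappcmp.dll (the Terminal Services application-compatibility DLL, as GMER's own description says) appear in every process and make up most of the log, while the findings that actually matter are the two hidden kernel modules, the System thread whose start address lies inside one of them, and the files GMER reports hidden under $NtUninstallKB45907$.

```python
"""Triage a GMER 1.0.15 text log: separate hooks that are expected on a
Remote Desktop Session Host from hidden-module / hidden-file findings.
Added example for this thread; not GMER's code and not the poster's log."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in GMER 1.0.15 log format, modelled on the thread's log.
# The svchost.exe hook into %TEMP%\example.dll is invented as a contrasting case.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3132] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [735FA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[9800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [10001234] C:\Users\admin\AppData\Local\Temp\example.dll

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 9274B000-92759000 (57344 bytes)
Module (noname) (*** hidden *** ) 92792000-9279C000 (40960 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:420] 92796E40
Thread System [4:424] 85D7A520

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB45907$\2745626378\@ 2048 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf 75264 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb 2632 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CJXMVWE\list_bullet[1].gif 0 bytes
"""

# Line layouts as GMER 1.0.15 prints them.
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?\[\d+\]) @ (?P<mod>.+?) \[(?P<func>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-Fa-f]+)\] (?P<target>.+?)(?: \((?P<desc>[^)]*)\))?$")
MODULE_RE = re.compile(
    r"^Module \((?P<name>[^)]*)\) \(\*\*\* hidden \*\*\* ?\) "
    r"(?P<start>[0-9A-F]+)-(?P<end>[0-9A-F]+)")
THREAD_RE = re.compile(r"^Thread (?P<proc>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\] (?P<addr>[0-9A-F]+)")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes$")

# Triage rules.
TS_COMPAT_DLL = re.compile(r"\\system32\\tsappcmp\.dll$", re.I)
LOADLIBRARY = re.compile(r"^KERNEL32\.dll!LoadLibrary(Ex)?[AW]$")
UNINSTALL_DIR = re.compile(r"\\\$NtUninstallKB\d+\$\\", re.I)
BROWSER_CACHE = re.compile(r"\\Temporary Internet Files\\", re.I)


@dataclass
class Finding:
    severity: str   # expected | low | review | suspicious
    kind: str
    detail: str


def parse_gmer(text):
    """Pull IAT hooks, hidden modules, threads and hidden files out of a GMER log."""
    out = {"iat": [], "modules": [], "threads": [], "files": []}
    for line in text.splitlines():
        if m := IAT_RE.match(line):
            out["iat"].append(m.groupdict())
        elif m := MODULE_RE.match(line):
            out["modules"].append((int(m["start"], 16), int(m["end"], 16)))
        elif m := THREAD_RE.match(line):
            out["threads"].append((m["proc"], int(m["pid"]), int(m["tid"]), int(m["addr"], 16)))
        elif m := FILE_RE.match(line):
            out["files"].append((m["path"], int(m["size"])))
    return out


def triage(parsed):
    """Rate each parsed item; correlate thread start addresses with hidden modules."""
    findings = []
    for h in parsed["iat"]:
        if TS_COMPAT_DLL.search(h["target"]) and LOADLIBRARY.match(h["func"]):
            # tsappcmp.dll hooking LoadLibrary* in every process is the Terminal
            # Services application-compatibility layer; expected on a session host.
            findings.append(Finding("expected", "iat", f'{h["proc"]} {h["func"]} -> tsappcmp.dll'))
        else:
            findings.append(Finding("review", "iat", f'{h["proc"]} {h["func"]} -> {h["target"]}'))
    for start, end in parsed["modules"]:
        # A kernel module GMER found in memory but not in the loaded-module list.
        findings.append(Finding("suspicious", "hidden-module", f"{start:08X}-{end:08X}"))
    for proc, pid, tid, addr in parsed["threads"]:
        inside = any(start <= addr < end for start, end in parsed["modules"])
        note = " (starts inside a hidden module)" if inside else ""
        findings.append(Finding("suspicious" if inside else "review", "thread",
                                f"{proc} [{pid}:{tid}] start {addr:08X}{note}"))
    for path, size in parsed["files"]:
        if UNINSTALL_DIR.search(path):
            # Content hidden from the file API (what GMER's Files section means)
            # inside a $NtUninstallKB<n>$ folder has no legitimate explanation.
            findings.append(Finding("suspicious", "hidden-file", path))
        elif BROWSER_CACHE.search(path):
            findings.append(Finding("low", "hidden-file", path))
        else:
            findings.append(Finding("review", "hidden-file", path))
    return findings


def summarize(findings):
    """Count findings per severity; returns a Counter."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    order = ("suspicious", "review", "low", "expected")
    fs = triage(parse_gmer(SAMPLE_LOG))
    for f in sorted(fs, key=lambda f: order.index(f.severity)):
        print(f"{f.severity:10} {f.kind:14} {f.detail}")
    print(dict(summarize(fs)))
```

Run against a full log the same way (read the file, call `triage(parse_gmer(text))`); the sort order puts the hidden modules, the thread rooted in one of them and the `$NtUninstallKB…$` files at the top, and the dozens of tsappcmp.dll entries at the bottom where they can be ignored.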

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,730 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:48 AM

Posted 14 January 2012 - 06:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/437042 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Stung One

Stung One
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 15 January 2012 - 02:01 AM

Windows 2008 R2 server running Remote Desktop Services

Both Firefox and Internet Explorer lead users to 95p.com pages. For example, searching for "Hello World" within Google takes me to legit search engine results but when I click on the Wikipedia link, I get a link to http://95p.com/?search=hello%20world&subid=25&key=f10a8a2532c7caa708d7 instead.

Tried both TDSSKiller (renamed to iexplorer.exe before being copied to this server - nothing found) and MalwareBytes (one Trojan.Agent found in Temporary Internet Files) but the problem remains.

Proxy server settings in both browsers appear correct (blank) as do DNS and router settings.

The browser hijacking appears to affect all users.


1 -- Done
2a - DDS does not run on Windows Server 2008R2
2b - Though the instructions say GMER will not run on a 64-bit system, it does appear to run successfully. Updated log below
3 -- Yes, the original media is available
4 -- Thank you in advance.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-15 01:27:22
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000055 VMware__ rev.1.0_
Running: m113pviu.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.INIT C:\Windows\System32\Drivers\dfsc.sys entry point in ".INIT" section [0x9276F922]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[9800] USER32.dll!DialogBoxIndirectParamAorW 75D62EB6 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[316] @ C:\Windows\system32\IpHlpApi.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[1896] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2392] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[5860] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [72CBA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [72CBA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[6684] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [72CBA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 92754000-92762000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:420] 85B7A520

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB45907$\2745626378 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\@ 2048 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf 75264 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000c0 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@80000000 73728 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000c0 32768 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cb 24064 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cf 31232 bytes
File C:\Windows\$NtUninstallKB45907$\646048435 0 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\89HW82JW\stCA63GRB2 4472 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\89HW82JW\stCANBZRJI 4475 bytes

---- EOF - GMER 1.0.15 ----

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:48 PM

Posted 15 January 2012 - 08:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Like so many people you have TDL4, a rootkit. Like so few people you are running Windows 2008. Some tools may not work and I apologise in advance for that.

Please run FixTDSS

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program

Follow the prompts and OK any security prompts

When it is complete it will say the infection was cleared or no infection was found - let me know what it says
m0le is a proud member of UNITE

#5 Stung One

Stung One
  • Topic Starter

  • Members
  • 20 posts
  • Local time:10:48 AM

Posted 15 January 2012 - 09:20 PM

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.


Done earlier though I don't seem to get any e-mails alerting me of posts.


Like so many people you have TDL4, a rootkit. Like so few people you are running Windows 2008. Some tools may not work and I apologise in advance for that.

Please run FixTDSS


Understandable. Appreciate the help. Hopefully the knowledge we gain in fixing this will help others in the future.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says


"Backdoor.Tidserv has not been found on your computer."

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:48 PM

Posted 16 January 2012 - 04:34 PM

DDS is no good here so please run OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE

#7 Stung One

Stung One
  • Topic Starter

  • Members
  • 20 posts
  • Local time:10:48 AM

Posted 16 January 2012 - 08:39 PM

OTL logfile created on: 1/16/2012 7:55:15 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\admin\Desktop
Windows Vista Server Standard Edition (full installation) Service Pack 2 (Version = 6.0.6002) - Type = NTServer
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.37 Gb Available Physical Memory | 84.32% Memory free
8.16 Gb Paging File | 7.69 Gb Available in Paging File | 94.16% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 250.00 Gb Total Space | 198.67 Gb Free Space | 79.47% Space Free | Partition Type: NTFS
Drive E: | 499.99 Gb Total Space | 388.49 Gb Free Space | 77.70% Space Free | Partition Type: NTFS

Computer Name: TS1 | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Windows\System32\dns.exe (Microsoft Corporation)
PRC - C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (EMC Corporation)
PRC - C:\Program Files\APC\PowerChute\group1\pcns.exe (APC by Schneider Electric)
PRC - C:\DeltaCopy\DCServce.exe (Synametrics Technologies)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareService.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareTray.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareUser.exe (VMware, Inc.)
PRC - C:\Windows\System32\wsrm.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\APC\jre\jre1.5.0_18\bin\java.exe (Sun Microsystems, Inc.)
PRC - C:\DeltaCopy\rsync.exe ()
PRC - C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\VMware\VMware Tools\sigc-2.0.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (DNS) -- C:\Windows\System32\dns.exe (Microsoft Corporation)
SRV - (MSSQL$MICROSOFT##SSEE) Windows Internal Database (MICROSOFT##SSEE) -- C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (RetroLauncher) -- C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (EMC Corporation)
SRV - (Xerox MFP Fax Server) -- C:\Windows\System32\spool\drivers\w32x86\3\XrxFaxServer.exe (Xerox)
SRV - (PCNS1) -- C:\Program Files\APC\PowerChute\group1\pcns.exe (APC by Schneider Electric)
SRV - (DeltaCopyService) -- C:\DeltaCopy\DCServce.exe (Synametrics Technologies)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (VMUpgradeHelper) -- C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe (VMware, Inc.)
SRV - (VMTools) -- C:\Program Files\VMware\VMware Tools\VMwareService.exe (VMware, Inc.)
SRV - (WSRM) -- C:\Windows\System32\wsrm.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\Windows\System32\rsopprov.exe (Microsoft Corporation)
SRV - (sacsvr) -- C:\Windows\System32\sacsvr.dll (Microsoft Corporation)
SRV - (FCRegSvc) -- C:\Windows\System32\FCRegSvc.dll (Microsoft Corporation)
SRV - (antivirscheduler) -- C:\Windows\System32\SE26obex.dll (Iomega)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (QuickBooksDB18) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SSPORT) -- C:\Windows\System32\drivers\SSPORT.SYS (Samsung Electronics)
DRV - (VMMEMCTL) -- C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys (VMware, Inc.)
DRV - (vmdebug) -- C:\Windows\System32\drivers\vmdebug.sys (VMware, Inc.)
DRV - (vmrawdsk) -- C:\Program Files\VMware\VMware Tools\vmrawdsk.sys (VMware, Inc.)
DRV - (vmx_svga) -- C:\Windows\System32\drivers\vmx_svga.sys (VMware, Inc.)
DRV - (vmmouse) -- C:\Windows\System32\drivers\vmmouse.sys (VMware, Inc.)
DRV - (vmci) -- C:\Windows\System32\drivers\vmci.sys (VMware, Inc.)
DRV - (vmbus) -- C:\Windows\system32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (sacdrv) -- C:\Windows\system32\DRIVERS\sacdrv.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\drivers\storflt.sys (Microsoft Corporation)
DRV - (ioatdma) Intel® -- C:\Windows\system32\drivers\qd26032.sys (Intel Corporation)
DRV - (s3cap) -- C:\Windows\system32\drivers\s3cap.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)

IE - HKU\S-1-5-20\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)

IE - HKU\S-1-5-21-1549487650-4274992449-2030996898-1004\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)

IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-476008693-991253212-3787012541-1107\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/12/14 17:31:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/07 04:33:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/14 00:50:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/10 23:41:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/19 20:36:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Extensions
[2010/03/19 20:36:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/02/10 00:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\tpycyvk4.default\extensions
[2010/04/21 17:16:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\tpycyvk4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/07 04:33:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/07 04:33:21 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/01/07 04:33:21 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/02/27 13:13:42 | 000,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/12/17 01:26:28 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2012/01/07 04:33:19 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2012/01/07 04:33:19 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/07 04:33:19 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2012/01/07 04:33:19 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2012/01/07 04:33:19 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/01/07 04:33:19 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2012/01/07 04:33:19 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe (VMware, Inc.)
O4 - HKLM..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe (VMware, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-476008693-991253212-3787012541-1107\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} http://10.1.1.250:81/DVRemoteAx.cab (DVRemoteControl Class)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab (DLC Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FFF4DA51-AB4D-4299-A310-4B924BCECD86}: NameServer = 10.1.1.21
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\Windows\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\Windows\System32\sysdm.cpl (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) -C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) -C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{31020970-e93d-11de-ad22-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{31020970-e93d-11de-ad22-806e6f6e6963}\Shell\AutoRun\command - "" = D:\sources\sperr32.exe x64
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/16 17:05:41 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2012/01/15 20:36:03 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/01/12 03:10:06 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2012/01/12 03:10:06 | 000,497,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
[2012/01/12 03:02:19 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciseq.dll
[2012/01/12 03:02:15 | 000,376,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2012/01/12 03:02:11 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\packager.dll
[2012/01/07 23:53:34 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\a
[2012/01/07 03:19:06 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2012/01/07 03:19:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/07 03:19:00 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/07 03:19:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/07 03:18:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/04 01:41:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/01/04 01:40:10 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/01/04 01:40:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/01/04 01:40:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/01/03 14:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard

========== Files - Modified Within 30 Days ==========

[2012/01/16 19:53:59 | 000,001,356 | ---- | M] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/01/16 19:53:15 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/16 19:53:15 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/16 19:53:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/16 19:53:00 | 4294,500,352 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/16 19:45:38 | 000,000,428 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{85545043-ED3B-4C86-8B37-4D9D1DFEABC3}.job
[2012/01/16 19:25:00 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-476008693-991253212-3787012541-1166UA.job
[2012/01/16 17:03:19 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2012/01/16 12:25:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-476008693-991253212-3787012541-1166Core.job
[2012/01/16 08:37:42 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{083FF9B5-411D-4EC3-8268-2DC6450484D8}.job
[2012/01/16 08:29:25 | 000,000,426 | ---- | M] () -- C:\Windows\BRWMARK.INI
[2012/01/16 08:29:25 | 000,000,034 | ---- | M] () -- C:\Windows\System32\BD7420.DAT
[2012/01/16 07:55:18 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{980A8B5B-2C56-4E26-9689-C1E2211F496C}.job
[2012/01/15 20:42:59 | 000,682,388 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/15 20:42:59 | 000,132,114 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/15 20:35:43 | 096,298,866 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/15 20:21:01 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_log_trash.cmd
[2012/01/08 18:01:22 | 000,000,000 | ---- | M] () -- C:\Users\admin\defogger_reenable
[2012/01/07 03:19:01 | 000,000,807 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/01/15 20:35:43 | 096,298,866 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/12 17:21:56 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_log_trash.cmd
[2012/01/08 18:01:22 | 000,000,000 | ---- | C] () -- C:\Users\admin\defogger_reenable
[2012/01/07 03:19:01 | 000,000,807 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/09/19 07:43:38 | 160,405,140 | ---- | C] () -- C:\ProgramData\SamPCFax000013DC0002
[2011/09/19 07:42:10 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00000E5C0001
[2011/08/02 14:43:44 | 003,730,356 | ---- | C] () -- C:\ProgramData\SamPCFax000020640001
[2011/06/16 08:36:59 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00001D240001
[2011/06/10 13:26:10 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax000025540001
[2011/01/04 11:53:38 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00001CF40001
[2010/11/29 09:32:42 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax000014D80002
[2010/11/24 10:56:50 | 003,730,356 | ---- | C] () -- C:\ProgramData\SamPCFax00000B580001
[2010/11/22 13:38:51 | 000,274,432 | ---- | C] () -- C:\Windows\System32\SaMinDrv.dll
[2010/11/22 13:38:51 | 000,106,496 | ---- | C] () -- C:\Windows\System32\SaImgFlt.dll
[2010/11/22 13:38:51 | 000,090,112 | ---- | C] () -- C:\Windows\System32\SaSegFlt.dll
[2010/11/22 13:38:51 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SaErHdlr.dll
[2010/07/15 01:23:52 | 000,032,768 | ---- | C] () -- C:\Users\admin\AppData\Roaming\fin.zup
[2010/03/19 11:07:59 | 000,001,356 | ---- | C] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2010/03/07 18:08:16 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD7420.DAT
[2010/03/07 17:56:16 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/02/27 21:10:52 | 000,000,107 | ---- | C] () -- C:\Windows\asasrv.ini
[2010/01/26 09:48:55 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2009/12/14 22:59:43 | 000,000,438 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/04/11 07:57:41 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/04/11 07:57:41 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/04/11 07:57:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/01/19 06:43:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2008/01/19 06:35:10 | 000,385,760 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2008/01/19 06:24:26 | 000,001,702 | ---- | C] () -- C:\Windows\System32\StorageMgmt.dll.config
[2008/01/19 06:24:26 | 000,001,048 | ---- | C] () -- C:\Windows\System32\SetupNfsIdMap.exe.config
[2008/01/19 06:24:26 | 000,000,989 | ---- | C] () -- C:\Windows\System32\NfsConfigGuide.exe.config
[2008/01/19 06:24:26 | 000,000,940 | ---- | C] () -- C:\Windows\System32\ProvisionShare.exe.config
[2008/01/19 06:24:26 | 000,000,933 | ---- | C] () -- C:\Windows\System32\ProvisionStorage.exe.config
[2008/01/19 03:56:38 | 000,682,388 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2008/01/19 03:56:38 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2008/01/19 03:56:38 | 000,132,114 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2008/01/19 03:56:38 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2008/01/19 03:45:36 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2008/01/19 00:56:52 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2008/01/18 23:34:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2008/01/03 14:04:28 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2008/01/03 13:57:53 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[1997/04/01 19:01:18 | 000,029,184 | ---- | C] () -- C:\Windows\System32\Sp32w.dll
[1996/08/01 10:56:20 | 000,036,352 | ---- | C] () -- C:\Windows\System32\Sx32w.dll

========== LOP Check ==========

[2010/11/22 13:39:57 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Leadertech
[2011/09/14 07:39:06 | 000,000,000 | ---D | M] -- C:\Users\plenahan\AppData\Roaming\LivePerson
[2012/01/16 19:51:33 | 000,029,934 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/01/16 08:37:42 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{083FF9B5-411D-4EC3-8268-2DC6450484D8}.job
[2012/01/16 19:45:38 | 000,000,428 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{85545043-ED3B-4C86-8B37-4D9D1DFEABC3}.job
[2012/01/16 07:55:18 | 000,000,426 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{980A8B5B-2C56-4E26-9689-C1E2211F496C}.job

========== Purity Check ==========



< End of report >


OTL Extras logfile created on: 1/16/2012 7:55:15 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\admin\Desktop
Windows Vista Server Standard Edition (full installation) Service Pack 2 (Version = 6.0.6002) - Type = NTServer
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.37 Gb Available Physical Memory | 84.32% Memory free
8.16 Gb Paging File | 7.69 Gb Available in Paging File | 94.16% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 250.00 Gb Total Space | 198.67 Gb Free Space | 79.47% Space Free | Partition Type: NTFS
Drive E: | 499.99 Gb Total Space | 388.49 Gb Free Space | 77.70% Space Free | Partition Type: NTFS

Computer Name: TS1 | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-476008693-991253212-3787012541-1107\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0458D0CC-6FC3-48E1-ACA8-2C30283399AD}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{21C724DA-9273-487D-9828-960A89A130F1}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{2994F4F9-C3C9-4D30-96F2-A04FD9F01838}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{366DECDB-4296-4379-BA9A-788676202DA6}" = lport=137 | protocol=17 | dir=in | app=system |
"{3DBC4160-DE73-4893-B559-D0B02D3CF978}" = lport=139 | protocol=6 | dir=in | app=system |
"{41F70D64-807F-4AC0-9346-6330B0E6E45C}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{48785B6A-0864-4B9F-BAFB-FB4D975ED8D6}" = lport=138 | protocol=17 | dir=in | app=system |
"{4BB0489F-F6A1-42C5-B343-47457B049D3D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{59E4CA1B-81DB-4357-96B6-25E5E57B89CE}" = rport=139 | protocol=6 | dir=out | app=system |
"{59F3BECF-0183-45A4-B1D4-A8A8A3BB6DF5}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{605FFB32-B47F-45E3-93B4-DB52E67E86E5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{71D2D137-E70F-4460-A85B-05AD7679979B}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{74FEF6DA-A19A-4188-9E21-46DF56D7B41A}" = rport=137 | protocol=17 | dir=out | app=system |
"{75B54534-3C2B-4C6A-BED0-6B667CDC6574}" = lport=5358 | protocol=6 | dir=in | app=system |
"{7B083D91-BBB7-48F5-9DEC-779B60D01F15}" = lport=137 | protocol=17 | dir=in | app=system |
"{80434980-5CF6-49F1-BDFC-BEADECC0209F}" = lport=138 | protocol=17 | dir=in | app=system |
"{80682144-1955-467E-A352-40DAAFA5AC84}" = rport=137 | protocol=17 | dir=out | app=system |
"{82E7677E-E22A-45BE-91D9-2ED5AFD64609}" = lport=2869 | protocol=6 | dir=in | app=system |
"{846FF6B6-86F2-4565-BE76-00E39A87179F}" = rport=139 | protocol=6 | dir=out | app=system |
"{89EAFECD-271D-4B75-9FBB-8BEA25B596D0}" = rport=138 | protocol=17 | dir=out | app=system |
"{9282DD0A-39B8-4907-B64F-18B7873EACEA}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{95FAAEC2-7A32-4714-9CC2-25D77E6BB692}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{9F44028E-2FF2-4E0C-8018-FA7477D8E4B4}" = rport=138 | protocol=17 | dir=out | app=system |
"{A5173BEF-6A87-45E6-B290-FD514337E47A}" = lport=445 | protocol=6 | dir=in | app=system |
"{AB58E37F-D9CF-4B56-8F34-E8C163D64B9D}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{B1F00CDB-EEB4-4523-9EC8-BE331C650CC1}" = rport=137 | protocol=17 | dir=out | app=system |
"{B3746CF5-36DF-4CBF-A0DB-1C1F340C56AC}" = lport=3389 | protocol=6 | dir=in | app=system |
"{C512EFEB-B463-4E62-8E33-37486CC02A2F}" = lport=5357 | protocol=6 | dir=in | app=system |
"{C62A6082-452B-4807-8FD2-6E9CC36BB5A3}" = rport=445 | protocol=6 | dir=out | app=system |
"{C7686DCE-1611-400F-AC15-437E739D28C2}" = rport=445 | protocol=6 | dir=out | app=system |
"{C834A024-23D3-4F08-AFDB-1BA471402FD9}" = rport=138 | protocol=17 | dir=out | app=system |
"{CA6A8181-EA61-4CB1-B2D4-5EA3E1DD1F06}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D15F650F-7B86-48E5-BD42-93580158D3ED}" = lport=138 | protocol=17 | dir=in | app=system |
"{D7353CC6-07AB-4401-97C8-0D0B1CA3912D}" = lport=137 | protocol=17 | dir=in | app=system |
"{D7C6BEFE-D08B-4345-B7A9-8068188E9DFF}" = lport=3052 | protocol=17 | dir=in | name=pcns nmc communication port (udp 3052) |
"{DB47C3BE-FB4B-48AF-B7C0-892D85712532}" = rport=5358 | protocol=6 | dir=out | app=system |
"{E8DAFA28-A374-4698-A550-36B790AC8514}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{ECE9F25F-E678-4F76-AC09-3B56AB30219F}" = rport=5357 | protocol=6 | dir=out | app=system |
"{F7D66C98-0425-4163-A167-EFFBEAB008B1}" = lport=139 | protocol=6 | dir=in | app=system |
"{FC097E33-D3D8-46FE-837E-F66DFCD68CA8}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{120D27FB-CAA6-43D4-B7FB-0E8152CA8622}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{1DA83C52-4BF8-490B-B4A5-2B6B02776181}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{22DB8EF7-D3BD-440E-B2F2-855C507638E8}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{2A619BAB-8E3F-4C20-85ED-51111FD0BEB7}" = protocol=6 | dir=in | app=c:\windows\twain_32\xerox\wc3550\sscan2io.exe |
"{2DBC2810-67D8-4057-B650-113009F59B9C}" = protocol=6 | dir=in | app=c:\program files\microsoft dynamics nav\60\roletailored client\microsoft.dynamics.nav.client.exe |
"{411EB3C0-3A4A-461A-B7CF-C47065C5E5C9}" = protocol=17 | dir=in | app=c:\program files\microsoft dynamics nav\60\roletailored client\microsoft.dynamics.nav.client.exe |
"{46DFFD80-9200-42B0-B968-102A479AFAB1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{4C873EDF-2A49-4D67-A0EA-212D7BECB2B7}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{50346C58-8042-4A0D-9BB0-9AFF233BA1F7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{52C381D8-EA79-4D54-8D2C-F734736A7CF7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{5C2E7202-F245-4897-B826-5C8174656337}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{5CC39693-6B5D-4532-971C-573FDBCFCA6F}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{6AE87151-19EE-4B7F-9A9D-107350E67B7E}" = protocol=6 | dir=out | app=system |
"{71893719-0951-4804-8693-CFAD6666C78D}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{85B810D3-0EB3-477F-A5BB-00615CF9FD00}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{971BAC5B-820C-492A-BAE8-8B1A1161608E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{AD42AB5C-D1B2-4F26-A4D2-92AD7F58010A}" = protocol=6 | dir=in | app=c:\program files\retrospect\retrospect 7.7\retrospect.exe |
"{BD73CD17-4100-4A0D-8CDE-91E673DCA138}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{BE0F0A7A-49B9-4CD9-8191-B394AB986907}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{D90492E4-17D3-47CA-BCCC-24FA9466F58B}" = protocol=17 | dir=in | app=c:\windows\twain_32\xerox\wc3550\sscan2io.exe |
"{DD9D0A86-056A-43C7-B987-6DFCC1CCC428}" = protocol=17 | dir=in | app=c:\program files\microsoft dynamics nav\60\roletailored client\microsoft.dynamics.nav.client.exe |
"{DDC93A7D-798A-4933-8A7F-E45DBAD58535}" = protocol=17 | dir=in | app=c:\program files\retrospect\retrospect 7.7\retrospect.exe |
"{E2D9B2CC-BB41-4254-86F5-7FCEBCC16973}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E358EA1F-D3C5-408F-85BA-5487199D1C01}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{E528C498-9003-4541-A0A7-5225384218BD}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe |
"{F776140B-AAEA-4113-AA12-4885B911EE77}" = protocol=6 | dir=in | app=c:\program files\microsoft dynamics nav\60\roletailored client\microsoft.dynamics.nav.client.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000000-0000-6001-8EA3-0000836BD2D2}" = Documentation
"{00000000-0000-6002-0000-0000836BD2D2}" = Microsoft Dynamics NAV 2009 Classic
"{00000000-0000-6002-0006-0000836BD2D2}" = Microsoft Dynamics NAV Components for Microsoft SQL Server
"{00000000-0000-6002-0020-0000836BD2D2}" = Microsoft Dynamics NAV 2009 RoleTailored Client
"{00000000-0000-6002-0C0C-0CE90DA3512B}" = Canadian Module for Microsoft Dynamics NAV Role Tailored Client
"{00000000-0000-6002-0C0C-39E2AE882700}" = Canadian Module for Microsoft Dynamics NAV Documentation
"{00000000-0000-6002-0C0C-FDACB85853AF}" = Canadian Module for Microsoft Dynamics NAV Classic Client
"{00000000-0000-6002-2400-0CE90DA3512B}" = Canadian Module for Microsoft Dynamics NAV Role Tailored Client
"{00000000-0000-6002-2400-39E2AE882700}" = Canadian Module for Microsoft Dynamics NAV Documentation
"{00000000-0000-6002-2400-FDACB85853AF}" = Canadian Module for Microsoft Dynamics NAV Classic Client
"{00000000-0000-6002-8EA3-0000836BD2D2}" = Documentation
"{00000000-0000-6002-9000-0CE90DA3512B}" = Mexican Module for Microsoft Dynamics NAV Role Tailored Client
"{00000000-0000-6002-9000-39E2AE882700}" = Mexican Module for Microsoft Dynamics NAV Documentation
"{00000000-0000-6002-9000-FDACB85853AF}" = Mexican Module for Microsoft Dynamics NAV Classic Client
"{00000000-0000-6002-A577-0000836BD2D2}" = Microsoft Dynamics NAV 6.0 Setup
"{00000000-0000-6002-D800-0CE90DA3512B}" = American Module for Microsoft Dynamics NAV Role Tailored Client
"{00000000-0000-6002-D800-39E2AE882700}" = American Module for Microsoft Dynamics NAV Documentation
"{00000000-0000-6002-D800-FDACB85853AF}" = American Module for Microsoft Dynamics NAV Classic Client
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02C8B592-B343-4FA4-ADF3-EDA874FD0B57}" = Enterprise
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 30
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{60FFB3E0-6D5B-4D73-AE5B-07E58B83AF0C}" = 32 Bit HP CIO Components Installer
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70AFBE92-931E-42BF-8A1D-7413E0BBA936}" = Xerox MFP PC Fax
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{72DE3C67-FB48-450E-8BEA-4EB1B3B5355D}" = Microsoft SQL Server 2008 R2 Setup (English)
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9530EAAE-C5DA-4B79-BB35-892DC0ADC007}" = Retrospect 7.7
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C5725B7-2219-410C-A364-90767F71F00C}" = Network Scan
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AF2A8E58-DBC6-36D3-A145-7252029F6F48}" = Microsoft Report Viewer Redistributable 2008 SP1
"{BCC7E198-1D10-4B55-956E-550A196F8056}" = Microsoft Office Live Meeting 2007
"{C40698F9-A861-4531-9F8C-FA7F8961375B}" = VMware vSphere Client 4.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB}" = Windows Internal Database (MICROSOFT##SSEE)
"{D6E5F58F-C879-4EC1-90F7-BA31BABF10C9}" = DeltaCopy
"{DFAA3D2B-7087-464E-823B-738A23C29C27}" = Microsoft Visual J# 2.0 Redistributable Package - SE
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}" = VMware Tools
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Carbonite Backup" = Carbonite
"DynamicsNav60" = Microsoft Dynamics NAV 2009 R2
"ENTERPRISE" = Microsoft Office Enterprise 2007
"IsoBuster_is1" = IsoBuster 2.8
"LivePerson" = LivePerson
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Report Viewer Redistributable 2008 SP1" = Microsoft Report Viewer Redistributable 2008 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual J# 2.0 Redistributable Package - SE" = Microsoft Visual J# 2.0 Redistributable Package - SE
"Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"PowerChute Network Shutdown" = PowerChute Network Shutdown
"Xerox WorkCentre 3550" = Xerox WorkCentre 3550

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/16/2012 11:06:29 AM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 11:06:29 AM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 11:09:09 AM | Computer Name = TS1.local | Source = Application Hang | ID = 1002
Description = The program qbw32.exe version 18.0.4010.606 stopped interacting with
Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1b9c Start Time: 01ccd4606bbc6359 Termination Time: 169

Error - 1/16/2012 11:09:11 AM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 11:09:11 AM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 11:09:11 AM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 12:37:39 PM | Computer Name = TS1.local | Source = QuickBooks | ID = 4
Description =

Error - 1/16/2012 8:53:26 PM | Computer Name = TS1.local | Source = Application Error | ID = 1000
Description = Faulting application XrxFaxServer.exe, version 1.4.2.0, time stamp
0x4ba3291b, faulting module ntdll.dll, version 6.0.6002.18541, time stamp 0x4ec3e3d5,
exception code 0xc0000138, fault offset 0x00009f5d, process id 0x634, application
start time 0x01ccd4b26b99bc2a.

Error - 1/16/2012 8:53:44 PM | Computer Name = TS1.local | Source = Application Error | ID = 1000
Description = Faulting application XrxFaxServer.exe, version 1.4.2.0, time stamp
0x4ba3291b, faulting module ntdll.dll, version 6.0.6002.18541, time stamp 0x4ec3e3d5,
exception code 0xc0000138, fault offset 0x00009f5d, process id 0xbbc, application
start time 0x01ccd4b276704c8e.

Error - 1/16/2012 8:55:53 PM | Computer Name = TS1.local | Source = Application Error | ID = 1000
Description = Faulting application mbamservice.exe, version 1.60.0.25, time stamp
0x4eea3ac1, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x0045660b, process id 0xe04, application start time
0x01ccd4b2c375060a.

[ DNS Server Events ]
Error - 12/15/2009 12:46:37 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone local
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone local Properties, view the
settings on the Zone Transfers tab. Based on the settings you choose, make any
configuration adjustments there (or possibly in the Name Servers tab) so that a
zone transfer can be made to this server.

Error - 12/15/2009 12:46:51 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone 1.1.10.in-addr.arpa
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone 1.1.10.in-addr.arpa Properties, view the settings
on the Zone Transfers tab. Based on the settings you choose, make any configuration
adjustments there (or possibly in the Name Servers tab) so that a zone transfer
can be made to this server.

Error - 12/15/2009 12:47:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone _msdcs.local
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone _msdcs.local Properties,
view the settings on the Zone Transfers tab. Based on the settings you choose,
make any configuration adjustments there (or possibly in the Name Servers tab) so
that a zone transfer can be made to this server.

Error - 12/15/2009 12:47:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone local
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone local Properties, view the
settings on the Zone Transfers tab. Based on the settings you choose, make any
configuration adjustments there (or possibly in the Name Servers tab) so that a
zone transfer can be made to this server.

Error - 12/15/2009 12:48:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone _msdcs.local
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone _msdcs.local Properties,
view the settings on the Zone Transfers tab. Based on the settings you choose,
make any configuration adjustments there (or possibly in the Name Servers tab) so
that a zone transfer can be made to this server.

Error - 12/15/2009 12:48:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone 1.1.10.in-addr.arpa
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone 1.1.10.in-addr.arpa Properties, view the settings
on the Zone Transfers tab. Based on the settings you choose, make any configuration
adjustments there (or possibly in the Name Servers tab) so that a zone transfer
can be made to this server.

Error - 12/15/2009 12:48:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone local
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone local Properties, view the
settings on the Zone Transfers tab. Based on the settings you choose, make any
configuration adjustments there (or possibly in the Name Servers tab) so that a
zone transfer can be made to this server.

Error - 12/15/2009 12:49:48 AM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone 1.1.10.in-addr.arpa
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone 1.1.10.in-addr.arpa Properties, view the settings
on the Zone Transfers tab. Based on the settings you choose, make any configuration
adjustments there (or possibly in the Name Servers tab) so that a zone transfer
can be made to this server.

Error - 1/29/2011 5:01:42 PM | Computer Name = TS1.local | Source = DNS | ID = 6525
Description = A zone transfer request for the secondary zone 1.1.10.in-addr.arpa
was refused by the master DNS server at 10.1.1.21. Check the zone at the master
server 10.1.1.21 to verify that zone transfer is enabled to this server. To do
so, use the DNS console, and select master server 10.1.1.21 as the applicable
server, then in secondary zone 1.1.10.in-addr.arpa Properties, view the settings
on the Zone Transfers tab. Based on the settings you choose, make any configuration
adjustments there (or possibly in the Name Servers tab) so that a zone transfer
can be made to this server.

[ OSession Events ]
Error - 4/27/2011 4:51:57 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 29544
seconds with 5880 seconds of active time. This session ended with a crash.

Error - 4/29/2011 11:51:20 AM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6555.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11567
seconds with 1800 seconds of active time. This session ended with a crash.

Error - 6/24/2011 4:41:26 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 14514
seconds with 3540 seconds of active time. This session ended with a crash.

Error - 7/5/2011 8:33:07 AM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 108
seconds with 0 seconds of active time. This session ended with a crash.

Error - 7/17/2011 3:27:19 AM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 134367
seconds with 60 seconds of active time. This session ended with a crash.

Error - 8/26/2011 7:23:27 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 21653
seconds with 6420 seconds of active time. This session ended with a crash.

Error - 8/31/2011 7:48:25 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6557.5001, Microsoft Office Version: 12.0.6425.1000. This session lasted 1421672
seconds with 9060 seconds of active time. This session ended with a crash.

Error - 9/9/2011 12:06:37 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2431485
seconds with 1680 seconds of active time. This session ended with a crash.

Error - 10/10/2011 11:56:25 AM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 10013
seconds with 1260 seconds of active time. This session ended with a crash.

Error - 12/22/2011 12:39:16 PM | Computer Name = TS1.local | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 11253
seconds with 2340 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 1/16/2012 8:53:38 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7003
Description =

Error - 1/16/2012 8:53:38 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7003
Description =

Error - 1/16/2012 8:53:38 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7009
Description =

Error - 1/16/2012 8:53:38 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7009
Description =

Error - 1/16/2012 8:53:38 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7000
Description =

Error - 1/16/2012 8:53:45 PM | Computer Name = TS1.local | Source = Print | ID = 19
Description = The print spooler failed to share printer HP Color LaserJet 3800 (direct)
with shared resource name HP Color LaserJet 3800 (TS1). Error 1753. The printer
cannot be used by others on the network.

Error - 1/16/2012 8:53:47 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7009
Description =

Error - 1/16/2012 8:53:47 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7000
Description =

Error - 1/16/2012 8:56:00 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7009
Description =

Error - 1/16/2012 8:56:00 PM | Computer Name = TS1.local | Source = Service Control Manager | ID = 7000
Description =


< End of report >

Edited by Stung One, 16 January 2012 - 08:50 PM.


#8 m0le

m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 January 2012 - 06:24 PM

Let's replace the infected system file

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    dfsc.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#9 Stung One

Stung One
  • Topic Starter

  • Members
  • 20 posts
  • Local time:10:48 AM

Posted 17 January 2012 - 07:12 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 18:36 on 17/01/2012 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "dfsc.sys"
C:\Windows\System32\drivers\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:59 14/04/2011] C7F297AEF0C09C2A85227240B1E2285F
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:24 14/04/2011] A3E9FA213F443AC77C7746119D13FEEC
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [13:22 13/04/2011] E20FB30D720810646ED24FB7CA9899A2
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys --a---- 75264 bytes [12:57 11/04/2009] [12:57 11/04/2009] 218D8AE46C88E82014F5D73D0236D9B2
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:59 14/04/2011] C7F297AEF0C09C2A85227240B1E2285F
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:36 14/04/2011] 3A3436F7DFE0E0C58CD5C3B6C9F21634

-= EOF =-

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:48 PM

Posted 17 January 2012 - 08:18 PM

We have no way of using a tool to replace the infected file on a Windows 2008 server so we need to do this manually.

We need to replace the infected file in the Recovery Environment.


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. There's help to do that here


Next

Type cd system32\drivers and press Enter.
Type ren dfsc.sys dfsc.vir and press Enter.
Then type copy C:\dfsc.sys dfsc.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run Gmer again and post the log.
m0le is a proud member of UNITE
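As an added check for the SystemLook log in post #9 and the manual replacement procedure in post #10 (example code written for this thread, not part of SystemLook, GMER or anything m0le or Stung One posted): a small Python parser for SystemLook's :filefind output that maps each WinSxS copy to its version and servicing branch, and reports which component-store copy has the same MD5 as the live driver before you pick one to copy over it. The embedded sample is the log text from post #9; the GDR/LDR split at revision 20000 is the Vista/2008-era servicing convention and is assumed here.

```python
"""Compare a live driver against its WinSxS component-store copies using
SystemLook ':filefind' output. Added example for this thread; it is not code
from SystemLook, GMER or any poster."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the SystemLook filefind block copied from post #9 in the thread.
SAMPLE_LOG = r"""Searching for "dfsc.sys"
C:\Windows\System32\drivers\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:59 14/04/2011] C7F297AEF0C09C2A85227240B1E2285F
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.18633_none_877cca5be63173a0\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:24 14/04/2011] A3E9FA213F443AC77C7746119D13FEEC
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6001.22899_none_87cb8b40ff7a5041\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [13:22 13/04/2011] E20FB30D720810646ED24FB7CA9899A2
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18005_none_8985a6e9e33db02a\dfsc.sys --a---- 75264 bytes [12:57 11/04/2009] [12:57 11/04/2009] 218D8AE46C88E82014F5D73D0236D9B2
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.18451_none_894b9dbde369cb1f\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:59 14/04/2011] C7F297AEF0C09C2A85227240B1E2285F
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.0.6002.22625_none_89f9ad5afc6b7999\dfsc.sys --a---- 75264 bytes [07:02 16/06/2011] [14:36 14/04/2011] 3A3436F7DFE0E0C58CD5C3B6C9F21634

-= EOF =-
"""

# One SystemLook hit: <path> <attrs> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{5,8})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# WinSxS directory name: <arch>_<component>_<publicKeyToken>_<version>_<lang>_<hash>
WINSXS_RE = re.compile(
    r"\\winsxs\\(?P<arch>[^_\\]+)_(?P<component>[^_\\]+)_(?P<pubkey>[0-9a-f]{16})"
    r"_(?P<version>\d+(?:\.\d+){3})_(?P<lang>[^_\\]+)_(?P<hash>[0-9a-f]+)\\",
    re.IGNORECASE,
)


@dataclass
class FileHit:
    path: str
    size: int
    modified: str
    md5: str
    version: Optional[str]  # None for a copy outside the component store (the live file)

    @property
    def in_store(self) -> bool:
        return self.version is not None

    @property
    def branch(self) -> Optional[str]:
        # Assumed convention for this Windows generation: revision >= 20000 is the
        # LDR (hotfix) branch, anything lower is the GDR (general release) branch.
        if self.version is None:
            return None
        return "LDR" if int(self.version.split(".")[-1]) >= 20000 else "GDR"


def version_key(version: str) -> tuple:
    """Sort key so that 6.0.6002.18451 orders before 6.0.6002.22625."""
    return tuple(int(part) for part in version.split("."))


def parse_filefind(text: str) -> List[FileHit]:
    """Turn the ':filefind' block into FileHit records, skipping header and EOF lines."""
    hits: List[FileHit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        store = WINSXS_RE.search(m.group("path"))
        hits.append(FileHit(
            path=m.group("path"),
            size=int(m.group("size")),
            modified=m.group("modified"),
            md5=m.group("md5").upper(),
            version=store.group("version") if store else None,
        ))
    return hits


def live_copy_matches(hits: List[FileHit]) -> Dict[str, List[str]]:
    """For each live (non-store) copy, list the store versions with an identical MD5."""
    result: Dict[str, List[str]] = {}
    for live in (h for h in hits if not h.in_store):
        same = [h.version for h in hits if h.in_store and h.md5 == live.md5]
        result[live.path] = sorted(same, key=version_key)
    return result


def store_copies_sorted(hits: List[FileHit]) -> List[FileHit]:
    """Component-store copies, newest version first."""
    return sorted((h for h in hits if h.in_store),
                  key=lambda h: version_key(h.version), reverse=True)


def find_by_version(hits: List[FileHit], version: str) -> Optional[FileHit]:
    """Look up the store copy you intend to restore from, e.g. the one named in post #10."""
    return next((h for h in hits if h.version == version), None)


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for live_path, versions in live_copy_matches(found).items():
        print(f"{live_path}: MD5 matches store version(s) {versions or 'none'}")
    for h in store_copies_sorted(found):
        print(f"  {h.version} [{h.branch}] {h.md5} modified {h.modified}")
```

If the live file's hash matches no store copy at all, that is the signal that it was modified in place; if it matches one, the lines above tell you which version you would be reverting to or away from.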

#11 Stung One

Stung One
  • Topic Starter

  • Members
  • 20 posts
  • Local time:10:48 AM

Posted 18 January 2012 - 01:04 AM

We have no way of using a tool to replace the infected file on a Windows 2008 server so we need to do this manually.


No problem - thank you again for the help. I'm happy/able to do stuff manually, just don't have the intimate malware knowledge.


Please run Gmer again and post the log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-18 00:28:21
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000055 VMware__ rev.1.0_
Running: m113pviu.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text afd.sys 91C4F000 99 Bytes [90, 90, 90, 90, 90, FF, 15, ...]
.text afd.sys 91C4F066 89 Bytes [53, BB, C8, 06, C6, 91, 8B, ...]
.text afd.sys 91C4F0C0 52 Bytes [0F, 84, 25, 01, 00, 00, 8B, ...]
.text afd.sys 91C4F0F5 6 Bytes [1C, 8D, 55, E4, FF, 15]
.text afd.sys 91C4F0FC 51 Bytes [E2, C5, 91, F7, 47, 04, 00, ...]
.text ...
? C:\Windows\system32\drivers\afd.sys suspicious PE modification

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\afd.sys[HAL.dll!KfLowerIrql] 3B37EBC0
IAT \SystemRoot\system32\drivers\afd.sys[HAL.dll!KeGetCurrentIrql] 890575D3
IAT \SystemRoot\system32\drivers\afd.sys[HAL.dll!KfRaiseIrql] 06EBEC5D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe[2044] @ C:\Windows\system32\IpHlpApi.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareTray.exe[3684] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\VMware\VMware Tools\VMwareUser.exe[3692] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe[3704] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3748] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] [738EA3C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [738EA4C9] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[3800] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [738EA44C] C:\Windows\system32\tsappcmp.dll (Terminal Services Application Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\MBAMProtector \Device\MBAMProtector 9D1F8490
Device \FileSystem\cdfs \Cdfs 9BB9A05C

---- Threads - GMER 1.0.15 ----

Thread System [4:1544] 9BB92540

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report0bc93831

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB45907$\2733124306 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\@ 2048 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf 273408 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000c0 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@80000000 73728 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000c0 32768 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cb 24064 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cf 31232 bytes

---- EOF - GMER 1.0.15 ----


Also, anticipating your next request...

SystemLook 30.07.11 by jpshortstuff
Log created at 00:29 on 18/01/2012 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:58 21/04/2011] 3911B972B55FEA0478476B2E777B29FA
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:16 21/04/2011] 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys --a---- 273920 bytes [07:07 16/06/2011] [13:12 21/04/2011] C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a---- 273920 bytes [12:57 11/04/2009] [12:57 11/04/2009] A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:58 21/04/2011] 3911B972B55FEA0478476B2E777B29FA
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys --a---- 273920 bytes [07:07 16/06/2011] [13:28 21/04/2011] 70EE0FC7A0F384DBD929A01384AEEB4B

-= EOF =-

#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 January 2012 - 06:31 PM

Hmm, but what's the betting that a new driver appears on the next Gmer log?

  • Please run OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    afd.sys
    /md5stop
    
  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it.

Post the log in the next reply.
m0le is a proud member of UNITE
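The SystemLook filefind output in the previous post and the /md5start ... /md5stop list in this one are doing the same job: hash the live driver and set it beside the copies Windows keeps in the component store (winsxs). The script below is an added example, not part of the thread and not code from SystemLook, OTL or GMER. It parses SystemLook-style filefind lines, groups them by file name, and reports for each live (non-winsxs) copy whether its MD5 matches a component-store copy, matches one only by size (same length, different hash), or matches nothing. The afd.sys lines are copied from the log above; the tcpip.sys lines, their hashes and their component-directory name are constructed for this example to show the size-only case and are not from the thread. md5_file() is the hook for producing the same data from a live system instead of a pasted log.

```python
import hashlib
import re
from collections import defaultdict

# afd.sys lines: copied from the SystemLook output posted in the thread.
# tcpip.sys lines: CONSTRUCTED for this example (fake hashes, fake component
# directory name) to show a live file that matches a winsxs copy only by size.
SYSTEMLOOK_OUTPUT = r"""
Searching for "afd.sys"
C:\Windows\System32\drivers\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:58 21/04/2011] 3911B972B55FEA0478476B2E777B29FA
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:16 21/04/2011] 48EB99503533C27AC6135648E5474457
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys --a---- 273920 bytes [07:07 16/06/2011] [13:12 21/04/2011] C8AF25017CECB75906A571AC70D2D306
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys --a---- 273920 bytes [12:57 11/04/2009] [12:57 11/04/2009] A201207363AA900ABF1A388468688570
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys --a---- 273408 bytes [07:07 16/06/2011] [13:58 21/04/2011] 3911B972B55FEA0478476B2E777B29FA
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys --a---- 273920 bytes [07:07 16/06/2011] [13:28 21/04/2011] 70EE0FC7A0F384DBD929A01384AEEB4B
Searching for "tcpip.sys"
C:\Windows\System32\drivers\tcpip.sys --a---- 100000 bytes [00:00 01/01/2011] [00:00 01/01/2011] 0123456789ABCDEF0123456789ABCDEF
C:\Windows\winsxs\x86_example-tcpip_0000000000000000_6.0.6002.18005_none_0000000000000000\tcpip.sys --a---- 100000 bytes [00:00 01/01/2011] [00:00 01/01/2011] FEDCBA9876543210FEDCBA9876543210
"""

# One SystemLook filefind line: path, attribute flags, size, created, modified, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]+)\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Component-store directory names carry the file version between underscores.
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")


def parse_filefind(text):
    """Turn SystemLook filefind output into a list of dicts, one per file line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Searching for ..." headers and blank lines
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        e["in_store"] = "\\winsxs\\" in e["path"].lower()
        vm = VERSION_RE.search(e["path"])
        e["version"] = vm.group(1) if vm else None
        entries.append(e)
    return entries


def check_live_copies(entries):
    """For each live (non-winsxs) file return (verdict, matching store version).

    matches-store-copy : live MD5 equals a component-store copy's MD5
    size-only-match    : a store copy has the same size but a different MD5
                         (what an in-place patched binary looks like)
    no-store-copy      : nothing in the store resembles the live file
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    verdicts = {}
    for group in by_name.values():
        store = [e for e in group if e["in_store"]]
        for live in (e for e in group if not e["in_store"]):
            same_hash = [s for s in store if s["md5"] == live["md5"]]
            same_size = [s for s in store if s["size"] == live["size"]]
            if same_hash:
                verdicts[live["path"]] = ("matches-store-copy", same_hash[0]["version"])
            elif same_size:
                verdicts[live["path"]] = ("size-only-match", same_size[0]["version"])
            else:
                verdicts[live["path"]] = ("no-store-copy", None)
    return verdicts


def md5_file(path, chunk=1 << 20):
    """Upper-case hex MD5 of a file on disk, the same value SystemLook and the
    OTL /md5start list report, so live files can be fed into the check above."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, (verdict, version) in check_live_copies(parse_filefind(SYSTEMLOOK_OUTPUT)).items():
        print(f"{verdict:20} {version or '-':16} {path}")
```

A size-only match is the line worth a second look, because a file patched in place keeps its length while its hash changes. The converse is not a clean bill of health: anything running with system rights can replace the winsxs copy as well, so a hash that agrees with the store only tells you the two copies agree with each other, not that either is the vendor's file.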

#13 Stung One

  • Topic Starter
  • Members
  • 20 posts

Posted 19 January 2012 - 04:10 AM

OTL logfile created on: 1/18/2012 10:27:27 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\admin\Desktop
Windows Vista Server Standard Edition (full installation) Service Pack 2 (Version = 6.0.6002) - Type = NTServer
Internet Explorer (Version = 8.0.6001.19170)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.34 Gb Available Physical Memory | 83.53% Memory free
8.16 Gb Paging File | 7.65 Gb Available in Paging File | 93.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 250.00 Gb Total Space | 198.87 Gb Free Space | 79.55% Space Free | Partition Type: NTFS
Drive E: | 499.99 Gb Total Space | 388.44 Gb Free Space | 77.69% Space Free | Partition Type: NTFS

Computer Name: TS1 | User Name: admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe (Carbonite, Inc. (www.carbonite.com))
PRC - C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
PRC - C:\Windows\System32\dns.exe (Microsoft Corporation)
PRC - C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (EMC Corporation)
PRC - C:\Program Files\APC\PowerChute\group1\pcns.exe (APC by Schneider Electric)
PRC - C:\DeltaCopy\DCServce.exe (Synametrics Technologies)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareService.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareTray.exe (VMware, Inc.)
PRC - C:\Program Files\VMware\VMware Tools\VMwareUser.exe (VMware, Inc.)
PRC - C:\Windows\System32\wsrm.exe (Microsoft Corporation)
PRC - C:\Windows\System32\rdpclip.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\WerFault.exe (Microsoft Corporation)
PRC - C:\Program Files\APC\jre\jre1.5.0_18\bin\java.exe (Sun Microsystems, Inc.)
PRC - C:\DeltaCopy\rsync.exe ()
PRC - C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\VMware\VMware Tools\sigc-2.0.dll ()
MOD - \\?\globalroot\systemroot\system32\mswsock.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (CarboniteService) -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe (Carbonite, Inc. (www.carbonite.com))
SRV - (DNS) -- C:\Windows\System32\dns.exe (Microsoft Corporation)
SRV - (MSSQL$MICROSOFT##SSEE) Windows Internal Database (MICROSOFT##SSEE) -- C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (RetroLauncher) -- C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (EMC Corporation)
SRV - (Xerox MFP Fax Server) -- C:\Windows\System32\spool\drivers\w32x86\3\XrxFaxServer.exe (Xerox)
SRV - (PCNS1) -- C:\Program Files\APC\PowerChute\group1\pcns.exe (APC by Schneider Electric)
SRV - (DeltaCopyService) -- C:\DeltaCopy\DCServce.exe (Synametrics Technologies)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (VMUpgradeHelper) -- C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe (VMware, Inc.)
SRV - (VMTools) -- C:\Program Files\VMware\VMware Tools\VMwareService.exe (VMware, Inc.)
SRV - (WSRM) -- C:\Windows\System32\wsrm.exe (Microsoft Corporation)
SRV - (RSoPProv) -- C:\Windows\System32\rsopprov.exe (Microsoft Corporation)
SRV - (sacsvr) -- C:\Windows\System32\sacsvr.dll (Microsoft Corporation)
SRV - (FCRegSvc) -- C:\Windows\System32\FCRegSvc.dll (Microsoft Corporation)
SRV - (antivirscheduler) -- C:\Windows\System32\SE26obex.dll (Iomega)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (QuickBooksDB18) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe (iAnywhere Solutions, Inc.)


========== Driver Services (SafeList) ==========

DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SSPORT) -- C:\Windows\System32\drivers\SSPORT.SYS (Samsung Electronics)
DRV - (VMMEMCTL) -- C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys (VMware, Inc.)
DRV - (vmdebug) -- C:\Windows\System32\drivers\vmdebug.sys (VMware, Inc.)
DRV - (vmrawdsk) -- C:\Program Files\VMware\VMware Tools\vmrawdsk.sys (VMware, Inc.)
DRV - (vmx_svga) -- C:\Windows\System32\drivers\vmx_svga.sys (VMware, Inc.)
DRV - (vmmouse) -- C:\Windows\System32\drivers\vmmouse.sys (VMware, Inc.)
DRV - (vmci) -- C:\Windows\System32\drivers\vmci.sys (VMware, Inc.)
DRV - (vmbus) -- C:\Windows\system32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (sacdrv) -- C:\Windows\system32\DRIVERS\sacdrv.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\drivers\storflt.sys (Microsoft Corporation)
DRV - (ioatdma) Intel® -- C:\Windows\system32\drivers\qd26032.sys (Intel Corporation)
DRV - (s3cap) -- C:\Windows\system32\drivers\s3cap.sys (Microsoft Corporation)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.13
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/12/14 17:31:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/07 04:33:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/14 00:50:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/10 23:41:41 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/03/19 20:36:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Extensions
[2010/03/19 20:36:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2011/02/10 00:44:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\tpycyvk4.default\extensions
[2010/04/21 17:16:22 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\admin\AppData\Roaming\mozilla\Firefox\Profiles\tpycyvk4.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/07 04:33:22 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/01/07 04:33:21 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/01/07 04:33:21 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2006/10/26 20:12:16 | 000,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2009/02/27 13:13:42 | 000,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/12/17 01:26:28 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2009/12/17 01:26:29 | 000,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2012/01/07 04:33:19 | 000,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2012/01/07 04:33:19 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/07 04:33:19 | 000,001,131 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2012/01/07 04:33:19 | 000,002,364 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2012/01/07 04:33:19 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/01/07 04:33:19 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2012/01/07 04:33:19 | 000,001,096 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe (VMware, Inc.)
O4 - HKLM..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe (VMware, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\winrnr.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {173D9E48-B527-4AA0-A929-30B446002AA8} http://10.1.1.250:81/DVRemoteAx.cab (DVRemoteControl Class)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab (DLC Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FFF4DA51-AB4D-4299-A310-4B924BCECD86}: NameServer = 10.1.1.21
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) -C:\Windows\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") -C:\Windows\System32\sysdm.cpl (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\Windows\System32\browseui.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) -C:\Windows\System32\credssp.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) -C:\Windows\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) -C:\Windows\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) -C:\Windows\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) -C:\Windows\System32\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) -C:\Windows\System32\tspkg.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{31020970-e93d-11de-ad22-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{31020970-e93d-11de-ad22-806e6f6e6963}\Shell\AutoRun\command - "" = D:\sources\sperr32.exe x64
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/01/17 23:39:12 | 000,075,264 | ---- | C] (Microsoft Corporation) -- C:\dfsc.sys
[2012/01/16 17:05:41 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2012/01/15 20:36:03 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/01/12 03:10:06 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2012/01/12 03:10:06 | 000,497,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qdvd.dll
[2012/01/12 03:02:19 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mciseq.dll
[2012/01/12 03:02:15 | 000,376,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2012/01/12 03:02:11 | 000,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\packager.dll
[2012/01/07 23:53:34 | 000,000,000 | ---D | C] -- C:\Users\admin\Desktop\a
[2012/01/07 03:19:06 | 000,000,000 | ---D | C] -- C:\Users\admin\AppData\Roaming\Malwarebytes
[2012/01/07 03:19:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/07 03:19:00 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/07 03:19:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/07 03:18:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/04 01:41:30 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/01/04 01:40:10 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/01/04 01:40:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/01/04 01:40:10 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/01/03 14:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard

========== Files - Modified Within 30 Days ==========

[2012/01/18 22:25:00 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-476008693-991253212-3787012541-1166UA.job
[2012/01/18 22:24:56 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/01/18 22:24:55 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/01/18 22:24:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/01/18 22:24:21 | 4292,411,392 | -HS- | M] () -- C:\hiberfil.sys
[2012/01/18 22:15:50 | 000,000,428 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{85545043-ED3B-4C86-8B37-4D9D1DFEABC3}.job
[2012/01/18 22:09:34 | 000,001,356 | ---- | M] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2012/01/18 12:25:00 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-476008693-991253212-3787012541-1166Core.job
[2012/01/18 11:12:20 | 000,000,424 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{083FF9B5-411D-4EC3-8268-2DC6450484D8}.job
[2012/01/18 10:51:55 | 000,000,426 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{980A8B5B-2C56-4E26-9689-C1E2211F496C}.job
[2012/01/18 08:30:40 | 000,000,426 | ---- | M] () -- C:\Windows\BRWMARK.INI
[2012/01/18 08:30:40 | 000,000,034 | ---- | M] () -- C:\Windows\System32\BD7420.DAT
[2012/01/18 03:22:48 | 000,682,388 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/18 03:22:48 | 000,132,114 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/18 03:16:37 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_log_trash.cmd
[2012/01/17 23:51:04 | 000,048,016 | -HS- | M] () -- C:\Windows\System32\c_82626.nl_
[2012/01/17 18:35:49 | 000,139,264 | ---- | M] () -- C:\Users\admin\Desktop\SystemLook.exe
[2012/01/16 17:03:19 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\admin\Desktop\OTL.exe
[2012/01/15 20:35:43 | 096,298,866 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/01/08 18:01:22 | 000,000,000 | ---- | M] () -- C:\Users\admin\defogger_reenable
[2012/01/07 03:19:01 | 000,000,807 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

========== Files Created - No Company Name ==========

[2012/01/17 23:51:04 | 000,048,016 | -HS- | C] () -- C:\Windows\System32\c_82626.nl_
[2012/01/17 18:36:08 | 000,139,264 | ---- | C] () -- C:\Users\admin\Desktop\SystemLook.exe
[2012/01/15 20:35:43 | 096,298,866 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/12 17:21:56 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_log_trash.cmd
[2012/01/08 18:01:22 | 000,000,000 | ---- | C] () -- C:\Users\admin\defogger_reenable
[2012/01/07 03:19:01 | 000,000,807 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/09/19 07:43:38 | 160,405,140 | ---- | C] () -- C:\ProgramData\SamPCFax000013DC0002
[2011/09/19 07:42:10 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00000E5C0001
[2011/08/02 14:43:44 | 003,730,356 | ---- | C] () -- C:\ProgramData\SamPCFax000020640001
[2011/06/16 08:36:59 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00001D240001
[2011/06/10 13:26:10 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax000025540001
[2011/01/04 11:53:38 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax00001CF40001
[2010/11/29 09:32:42 | 007,455,944 | ---- | C] () -- C:\ProgramData\SamPCFax000014D80002
[2010/11/24 10:56:50 | 003,730,356 | ---- | C] () -- C:\ProgramData\SamPCFax00000B580001
[2010/11/22 13:38:51 | 000,274,432 | ---- | C] () -- C:\Windows\System32\SaMinDrv.dll
[2010/11/22 13:38:51 | 000,106,496 | ---- | C] () -- C:\Windows\System32\SaImgFlt.dll
[2010/11/22 13:38:51 | 000,090,112 | ---- | C] () -- C:\Windows\System32\SaSegFlt.dll
[2010/11/22 13:38:51 | 000,061,440 | ---- | C] () -- C:\Windows\System32\SaErHdlr.dll
[2010/07/15 01:23:52 | 000,032,768 | ---- | C] () -- C:\Users\admin\AppData\Roaming\fin.zup
[2010/03/19 11:07:59 | 000,001,356 | ---- | C] () -- C:\Users\admin\AppData\Local\d3d9caps.dat
[2010/03/07 18:08:16 | 000,000,034 | ---- | C] () -- C:\Windows\System32\BD7420.DAT
[2010/03/07 17:56:16 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/02/27 21:10:52 | 000,000,107 | ---- | C] () -- C:\Windows\asasrv.ini
[2010/01/26 09:48:55 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2009/12/14 22:59:43 | 000,000,438 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/04/11 07:57:41 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/04/11 07:57:41 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/04/11 07:57:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2008/01/19 06:43:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2008/01/19 06:35:10 | 000,385,760 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2008/01/19 06:24:26 | 000,001,702 | ---- | C] () -- C:\Windows\System32\StorageMgmt.dll.config
[2008/01/19 06:24:26 | 000,001,048 | ---- | C] () -- C:\Windows\System32\SetupNfsIdMap.exe.config
[2008/01/19 06:24:26 | 000,000,989 | ---- | C] () -- C:\Windows\System32\NfsConfigGuide.exe.config
[2008/01/19 06:24:26 | 000,000,940 | ---- | C] () -- C:\Windows\System32\ProvisionShare.exe.config
[2008/01/19 06:24:26 | 000,000,933 | ---- | C] () -- C:\Windows\System32\ProvisionStorage.exe.config
[2008/01/19 03:56:38 | 000,682,388 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2008/01/19 03:56:38 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2008/01/19 03:56:38 | 000,132,114 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2008/01/19 03:56:38 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2008/01/19 03:45:36 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2008/01/19 00:56:52 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2008/01/18 23:34:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2008/01/03 14:04:28 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2008/01/03 13:57:53 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[1997/04/01 19:01:18 | 000,029,184 | ---- | C] () -- C:\Windows\System32\Sp32w.dll
[1996/08/01 10:56:20 | 000,036,352 | ---- | C] () -- C:\Windows\System32\Sx32w.dll

========== LOP Check ==========

[2010/11/22 13:39:57 | 000,000,000 | ---D | M] -- C:\Users\admin\AppData\Roaming\Leadertech
[2012/01/18 22:23:30 | 000,031,450 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/01/18 11:12:20 | 000,000,424 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{083FF9B5-411D-4EC3-8268-2DC6450484D8}.job
[2012/01/18 22:15:50 | 000,000,428 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{85545043-ED3B-4C86-8B37-4D9D1DFEABC3}.job
[2012/01/18 10:51:55 | 000,000,426 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{980A8B5B-2C56-4E26-9689-C1E2211F496C}.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: AFD.SYS >
[2011/04/21 08:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\System32\drivers\afd.sys
[2011/04/21 08:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=3911B972B55FEA0478476B2E777B29FA -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2011/04/21 08:16:42 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=48EB99503533C27AC6135648E5474457 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011/04/21 08:28:53 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=70EE0FC7A0F384DBD929A01384AEEB4B -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2009/04/11 07:57:17 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=A201207363AA900ABF1A388468688570 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2011/04/21 08:12:21 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=C8AF25017CECB75906A571AC70D2D306 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys

< MD5 for: AGP440.SYS >
[2009/04/11 07:57:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2009/04/11 07:57:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_c3c08b9d\AGP440.sys
[2009/04/11 07:57:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/04/11 07:57:02 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 07:57:02 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2009/04/11 07:57:02 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_f8794617\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2008/01/19 04:04:05 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6001.18000_none_e863eb252f947dba\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_3c56f9ed\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/04/11 07:57:13 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2009/04/11 07:57:13 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_c9a21b45\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/04/11 07:57:34 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2009/04/11 07:57:34 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< End of report >

#14 m0le (Malware Response Team)

Posted 19 January 2012 - 05:59 PM

Our problem is this group of files in Gmer's log which starts with this file:

File C:\Windows\$NtUninstallKB45907$\2733124306 0 bytes

This belongs to a rootkit called ZeroAccess. They can be removed through two tools but neither is compatible with the 2008 server.

We can attempt to remove them using OTL and we will see how it looks afterwards.


Open OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:files
C:\data
c:\data\default\us_sres.data
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
C:\Windows\$NtUninstallKB45907$\2733124306 
C:\Windows\$NtUninstallKB45907$\2745626378
C:\Windows\$NtUninstallKB45907$\2745626378\@
C:\Windows\$NtUninstallKB45907$\2745626378\L
C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf
C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb 
C:\Windows\$NtUninstallKB45907$\2745626378\U 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@00000001 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000c0 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cb 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cf 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@80000000 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000c0 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cb 
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cf 
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
""=""%1" %*"

Then click the Run Fix button at the top

Let the program run unhindered.

When done it will say "Fix Complete press ok to open the log"
Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Next we need to boot into the recovery console again and replace the newly infected file

As before but the change of instructions is below:

  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.

Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren afd.sys.sys afd.sys.vir and press Enter.
Then type copy C:\afd.sys.sys afd.sys.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Then please run Gmer and post the log.
m0le is a proud member of UNITE
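A defender-side check for the two things m0le reads off these logs, added here as an example and not part of the thread or of OTL: it parses the "< MD5 for: ... >" sections of an OTL custom scan, flags a loaded system file whose hash matches none of its WinSxS/DriverStore copies while listing those copies newest version first (the winsock-core 6.0.6002.18457 path used in the copy step above is the kind of entry that surfaces), and it collects $NtUninstallKB...$ directories that carry the @/L/U layout from the Gmer log. The sample log, its hashes and all function names are constructed for this example.

```python
import re

# OTL "< MD5 for: NAME >" section header.
SECTION_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>.+?)\s*>$")
# One OTL MD5 entry: [date time | size | attrs | M] (Company) MD5=<32 hex> -- <path>
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*)$"
)
# Component version embedded in a WinSxS directory name ("..._6.0.6002.18457_none_...").
VERSION_RE = re.compile(r"_(\d+(?:\.\d+){3})_")
# "$NtUninstallKB...$\<digits>" directory carrying the @ / L / U / loader.tlb layout
# that m0le attributes to ZeroAccess in this thread.
ZA_DIR_RE = re.compile(
    r"(?i)(?P<base>[A-Z]:\\Windows\\\$NtUninstallKB\d+\$\\\d+)"
    r"(?:\\(?P<sub>@|L|U|loader\.tlb)(?=\s|\\|$))?"
)


def parse_md5_sections(log_text):
    """Map each file name in the OTL custom scan (lower-case) to its hashed copies."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            current = head.group("name").lower()
            sections.setdefault(current, [])
            continue
        if line.startswith("< End of report >"):
            current = None
        if current is None:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            sections[current].append({
                "md5": entry.group("md5").upper(),
                "size": int(entry.group("size").replace(",", "")),
                "company": entry.group("company").strip(),
                "path": entry.group("path").strip(),
            })
    return sections


def is_store_copy(path):
    """True for WinSxS / DriverStore copies, False for the copy Windows actually loads."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\" in p


def store_version(path):
    """Version tuple from a WinSxS path, (0,) when the path carries none."""
    m = VERSION_RE.search(path)
    return tuple(int(x) for x in m.group(1).split(".")) if m else (0,)


def check_live_copy(entries):
    """Compare the loaded copy with its component-store copies; "candidates" are the
    store copies, newest version first, i.e. the order to consider restoring from."""
    live = [e for e in entries if not is_store_copy(e["path"])]
    store = sorted((e for e in entries if is_store_copy(e["path"])),
                   key=lambda e: store_version(e["path"]), reverse=True)
    result = {"live": live[0] if live else None, "candidates": store}
    if not live:
        result["status"] = "no-live-copy"
    elif not store:
        result["status"] = "no-store-copies"
    elif any(live[0]["md5"] == e["md5"] for e in store):
        result["status"] = "ok"
    else:
        # Unknown hash on the loaded copy: treat as suspect, not as proven
        # infected, and compare size and signer before restoring from the store.
        result["status"] = "mismatch"
    return result


def audit_md5_sections(log_text):
    """Run check_live_copy over every MD5 section of an OTL log."""
    return {n: check_live_copy(e) for n, e in parse_md5_sections(log_text).items()}


def find_uninstall_dir_droppers(log_text):
    """Return {base_dir: {sub-items seen}} for $NtUninstallKB...$ paths in a log."""
    hits = {}
    for line in log_text.splitlines():
        for m in ZA_DIR_RE.finditer(line):
            subs = hits.setdefault(m.group("base"), set())
            if m.group("sub"):
                subs.add(m.group("sub"))
    return hits


# Constructed sample: OTL-style MD5 sections plus Gmer-style file lines. The
# hashes are made up; the paths follow the layout of the logs in this thread.
SAMPLE_LOG = r"""< MD5 for: AFD.SYS >
[2011/04/21 08:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\System32\drivers\afd.sys
[2011/04/21 08:58:27 | 000,273,408 | ---- | M] (Microsoft Corporation) MD5=0123456789ABCDEF0123456789ABCDEF -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_d99fb42e5bb59d9b\afd.sys
[2009/04/11 07:57:17 | 000,273,920 | ---- | M] (Microsoft Corporation) MD5=FEDCBA9876543210FEDCBA9876543210 -- C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
< MD5 for: ATAPI.SYS >
[2009/04/11 07:57:02 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=CAFEBABECAFEBABECAFEBABECAFEBABE -- C:\Windows\System32\drivers\atapi.sys
[2009/04/11 07:57:02 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=CAFEBABECAFEBABECAFEBABECAFEBABE -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
< End of report >
File C:\Windows\$NtUninstallKB45907$\2733124306 0 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\@ 2048 bytes
File C:\Windows\$NtUninstallKB45907$\2745626378\U\@00000001 60416 bytes
"""
```

Feed a real OTL log to audit_md5_sections() and a Gmer log to find_uninstall_dir_droppers(); a "mismatch" is a prompt to compare size and signer against the listed candidates, not proof that the file is patched.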

#15 Stung One (Topic Starter)

Posted 20 January 2012 - 04:51 AM

OTL log is below. Unfortunately, after running the Fix and being prompted to restart, the system now just blue screens on boot. (It loads all the way up to saying "Press Ctrl-Alt-Delete to login" and then blue screens about five seconds later.) I can get in via Safe Mode but that's it.

IRQL_NOT_LESS_OR_EQUAL

STOP: 0x0000000A (0x00000000, 0x00000002, 0x0000001, 0x81c4983c)

I tried to move the files back manually to see if that would help but no luck. I was able to move "c:\documents and settings\Administrator\WINDOWS" and the various subfolders (only file is a desktop.ini in Fonts) and I could move the "U" and "L" directories back as well. But I cannot find any of the ones that start with @ to even try to move them back. (I did not try to undo the registry change.)

GMER is running now; I will post a followup with that log.


========== FILES ==========
File\Folder C:\data not found.
File\Folder c:\data\default\us_sres.data not found.
c:\documents and settings\Administrator\WINDOWS\system folder moved successfully.
c:\documents and settings\Administrator\WINDOWS\Fonts folder moved successfully.
c:\documents and settings\Administrator\WINDOWS folder moved successfully.
File\Folder c:\documents and settings\Default User\WINDOWS not found.
File\Folder C:\Windows\$NtUninstallKB45907$\2733124306 not found.
File\Folder C:\Windows\$NtUninstallKB45907$\2745626378 not found.
File move failed. C:\Windows\$NtUninstallKB45907$\2745626378\@ scheduled to be moved on reboot.
Folder move failed. C:\Windows\$NtUninstallKB45907$\2745626378\L scheduled to be moved on reboot.
C:\Windows\$NtUninstallKB45907$\2745626378\L\iqvahbdf moved successfully.
File move failed. C:\Windows\$NtUninstallKB45907$\2745626378\loader.tlb scheduled to be moved on reboot.
Folder move failed. C:\Windows\$NtUninstallKB45907$\2745626378\U scheduled to be moved on reboot.
C:\Windows\$NtUninstallKBa45907$\2745626378\U\@00000001 moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000c0 moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cb moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@000000cf moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@80000000 moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000c0 moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cb moved successfully.
C:\Windows\$NtUninstallKB45907$\2745626378\U\@800000cf moved successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\\""|""%1" %*" /E : value set successfully!

OTL by OldTimer - Version 3.2.31.0 log created on 01202012_030204
