
Google redirect and had content.ie5 contain 400GB of .js files


  • This topic is locked
19 replies to this topic

#1 tomforti

Posted 15 March 2013 - 07:40 AM

At this time I have run TDSS Killer and ESTS. Both came back saying no infections. My original post is located at

http://www.bleepingcomputer.com/forums/t/487685/contentie5-folder-contains-js-files-about-450gbs-in-size-with-google-redirect/#entry2998619


I attempted to run DDS as per the prep guide but was unable to run it on my OS. Boopme from the original post asked me to run RSIT and post logs here.


Log.txt

Logfile of random's system information tool 1.09 (written by random/random)
Run by tom at 2013-03-15 08:26:45
Microsoft Windows Server 2008 R2 Enterprise  Service Pack 1
System drive C: has 418 GB (88%) free of 477 GB
Total RAM: 4095 MB (31% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:26:58 AM, on 3/15/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\program files (x86)\quick macros 2\qm.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\tom\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tforti.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4143F62-31FD-469B-80AA-89BE0010EE78}: NameServer = 8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tforti.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tforti.local
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\Program Files (x86)\Quick Macros 2\qmserv.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 6492 bytes

======Scheduled tasks folder======

C:\Windows\tasks\QM - RAMP.job

======Registry dump======

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"=C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE []

C:\Users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
MagicDisc.lnk - C:\Program Files (x86)\MagicDisc\MagicDisc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
wlnotify.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
wlnotify.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
WlNotify.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
wlnotify.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=RASSFM
KDCSVC
WDIGEST
scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll, pwdssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BFE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bowser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Browser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\dfsc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dhcp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DnsCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dot3Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Eaphost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EFS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\IKEEXT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanWorkstation]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LmHosts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Messenger]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb10]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NativeWifiP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS Wrapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ndiscap]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ndisuio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOSGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetDDEGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetMan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netprofm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetworkProvider]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NlaSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Nsi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nsiproxy.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP_TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PolicyAgent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Power]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdbss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdpencdd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdsessmgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcEptMapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCardSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Streams Drivers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VaultSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vmms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wlansvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E972-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E973-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E975-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"disablecad"=0
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1
"legalnoticecaption"=
"legalnoticetext"=

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=0
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"ShowSuperHidden"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\SysWOW64\l3codeca.acm
"msacm.msaudio1"=msaud32.acm
"msacm.msg723"=msg723.acm
"msacm.sl_anet"=sl_anet.acm
"msacm.trspch"=tssoft32.acm

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2013-03-15 08:26:47 ----D---- C:\Program Files (x86)\trend micro
2013-03-15 08:26:45 ----D---- C:\rsit
2013-03-14 17:47:27 ----A---- C:\dds.com
2013-03-14 17:31:56 ----A---- C:\TDSSKiller.2.8.16.0_14.03.2013_17.31.56_log.txt
2013-03-09 18:35:03 ----D---- C:\Program Files (x86)\ESET
2013-03-09 18:30:55 ----A---- C:\TDSSKiller.2.8.16.0_09.03.2013_17.30.55_log.txt
2013-03-09 18:30:28 ----D---- C:\Program Files (x86)\Microsoft Security Client
2013-03-09 15:05:12 ----D---- C:\Program Files (x86)\VS Revo Group
2013-03-02 23:30:59 ----D---- C:\Users\tom\AppData\Roaming\Malwarebytes
2013-03-02 23:30:34 ----D---- C:\ProgramData\Malwarebytes
2013-03-02 23:29:46 ----D---- C:\ProgramData\HitmanPro
2013-02-28 18:14:56 ----A---- C:\Windows\oodjobd.INI
2013-02-28 18:05:24 ----A---- C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-02-28 16:30:48 ----D---- C:\ProgramData\OO Software
2013-02-25 22:22:22 ----D---- C:\Users\tom\AppData\Roaming\JAM Software
2013-02-17 01:38:09 ----D---- C:\Program Files (x86)\PC Tools
2013-02-17 01:36:16 ----D---- C:\Windows\6B6C4C461B7E4A419E70ACFBB22B1D81.TMP
2013-02-17 01:35:38 ----D---- C:\Program Files (x86)\Common Files\PC Tools
2013-02-17 01:35:21 ----D---- C:\ProgramData\PC Tools
2013-02-17 01:35:21 ----AD---- C:\ProgramData\TEMP
2013-02-17 01:35:20 ----D---- C:\Users\tom\AppData\Roaming\TestApp
2013-02-17 01:30:46 ----D---- C:\ProgramData\Spybot - Search & Destroy
2013-02-17 01:30:46 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2013-02-16 23:37:46 ----D---- C:\Program Files (x86)\WinDirStat

======List of files/folders modified in the last 1 month======

2013-03-15 08:26:47 ----RD---- C:\Program Files (x86)
2013-03-15 08:25:34 ----D---- C:\Windows\Temp
2013-03-15 02:08:52 ----SHD---- C:\System Volume Information
2013-03-15 01:00:59 ----D---- C:\Windows\NTDS
2013-03-14 19:56:35 ----D---- C:\Windows\inf
2013-03-14 19:49:52 ----D---- C:\Windows\Microsoft.NET
2013-03-14 19:49:50 ----RSD---- C:\Windows\assembly
2013-03-14 19:03:28 ----D---- C:\Windows\winsxs
2013-03-14 18:55:32 ----SHD---- C:\Windows\Installer
2013-03-14 18:55:31 ----SHD---- C:\Config.Msi
2013-03-14 18:55:07 ----D---- C:\ProgramData\Microsoft Help
2013-03-14 18:52:17 ----SD---- C:\ProgramData\Microsoft
2013-03-14 18:52:17 ----RD---- C:\Program Files
2013-03-14 18:52:17 ----D---- C:\Windows
2013-03-14 18:52:17 ----D---- C:\Program Files (x86)\Microsoft.NET
2013-03-14 18:51:14 ----RSD---- C:\Windows\Fonts
2013-03-14 18:50:55 ----D---- C:\Program Files (x86)\MSBuild
2013-03-14 18:50:51 ----D---- C:\Program Files (x86)\Common Files\microsoft shared
2013-03-14 18:50:50 ----D---- C:\Windows\System32
2013-03-14 18:45:34 ----D---- C:\Program Files (x86)\Mozilla Firefox
2013-03-14 18:43:59 ----D---- C:\Users
2013-03-14 17:41:08 ----D---- C:\Windows\Downloaded Program Files
2013-03-14 17:25:55 ----D---- C:\Windows\Logs
2013-03-09 19:01:49 ----D---- C:\Windows\rescache
2013-03-09 15:32:36 ----D---- C:\Windows\debug
2013-03-09 15:05:33 ----D---- C:\ProgramData
2013-03-09 14:47:22 ----D---- C:\Windows\security
2013-03-09 12:57:57 ----D---- C:\Windows\SoftwareDistribution
2013-03-02 23:35:20 ----D---- C:\FTP Files
2013-02-28 18:06:17 ----D---- C:\ProgramData\Adobe
2013-02-28 18:05:24 ----D---- C:\Windows\SysWOW64
2013-02-28 17:50:25 ----D---- C:\Program Files (x86)\QuickTime
2013-02-28 17:48:48 ----D---- C:\Users\tom\AppData\Roaming\Dropbox
2013-02-28 17:47:58 ----D---- C:\Program Files (x86)\Java
2013-02-28 17:47:32 ----D---- C:\Program Files (x86)\Common Files
2013-02-25 22:31:01 ----SD---- C:\Windows\Tasks
2013-02-25 21:10:14 ----SD---- C:\Users\tom\AppData\Roaming\Microsoft
2013-02-23 13:00:17 ----D---- C:\Windows\SysWOW64\LogFiles
2013-02-17 01:36:05 ----D---- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-02-17 00:43:42 ----D---- C:\Support

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ACPI;Microsoft ACPI Driver; C:\Windows\system32\drivers\ACPI.sys []
R0 amdxata;amdxata; C:\Windows\system32\drivers\amdxata.sys []
R0 atapi;IDE Channel; C:\Windows\system32\drivers\atapi.sys []
R0 CLFS;@%SystemRoot%\system32\clfs.sys,-100; C:\Windows\System32\CLFS.sys []
R0 CNG;CNG; C:\Windows\System32\Drivers\cng.sys []
R0 DfsrRo;@dfsrress.dll,-124; C:\Windows\system32\drivers\dfsrro.sys []
R0 Disk;Disk Driver; C:\Windows\system32\DRIVERS\disk.sys []
R0 FltMgr;@%SystemRoot%\system32\drivers\fltmgr.sys,-10001; C:\Windows\system32\drivers\fltmgr.sys []
R0 hwpolicy;@%systemroot%\system32\drivers\hwpolicy.sys,-101; C:\Windows\System32\drivers\hwpolicy.sys []
R0 intelide;intelide; C:\Windows\system32\drivers\intelide.sys []
R0 KSecDD;KSecDD; C:\Windows\System32\Drivers\ksecdd.sys []
R0 KSecPkg;KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys []
R0 mountmgr;@%SystemRoot%\system32\drivers\mountmgr.sys,-100; C:\Windows\System32\drivers\mountmgr.sys []
R0 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys []
R0 msisadrv;msisadrv; C:\Windows\system32\drivers\msisadrv.sys []
R0 Mup;@%systemroot%\system32\drivers\mup.sys,-101; C:\Windows\System32\Drivers\mup.sys []
R0 NDIS;@%SystemRoot%\system32\drivers\ndis.sys,-200; C:\Windows\system32\drivers\ndis.sys []
R0 partmgr;@%SystemRoot%\system32\drivers\partmgr.sys,-100; C:\Windows\System32\drivers\partmgr.sys []
R0 pci;PCI Bus Driver; C:\Windows\system32\drivers\pci.sys []
R0 pcw;Performance Counters for Windows Driver; C:\Windows\System32\drivers\pcw.sys []
R0 spldr;Security Processor Loader Driver; C:\Windows\SysWOW64\drivers\spldr.sys []
R1 AFD;@%systemroot%\system32\drivers\afd.sys,-1000; C:\Windows\system32\drivers\afd.sys []
R1 Beep;Beep; C:\Windows\SysWOW64\drivers\Beep.sys []
R1 blbdrive;blbdrive; C:\Windows\system32\DRIVERS\blbdrive.sys []
R1 cdrom;CD-ROM Driver; C:\Windows\system32\drivers\cdrom.sys []
R1 DfsC;@%systemroot%\system32\drivers\dfsc.sys,-101; C:\Windows\System32\Drivers\dfsc.sys []
R1 DfsDriver;@%systemroot%\system32\drivers\dfs.sys,-101; C:\Windows\system32\drivers\dfs.sys []
R1 discache;@%systemroot%\system32\drivers\discache.sys,-102; C:\Windows\System32\drivers\discache.sys []
R1 Msfs;Msfs; C:\Windows\SysWOW64\drivers\Msfs.sys []
R1 mssmbios;Microsoft System Management BIOS Driver; C:\Windows\system32\drivers\mssmbios.sys []
R1 NetBIOS;NetBIOS Interface; C:\Windows\system32\DRIVERS\netbios.sys []
R1 NetBT;@%SystemRoot%\system32\drivers\netbt.sys,-2; C:\Windows\System32\DRIVERS\netbt.sys []
R1 Npfs;Npfs; C:\Windows\SysWOW64\drivers\Npfs.sys []
R1 nsiproxy;@%SystemRoot%\system32\drivers\nsiproxy.sys,-2; C:\Windows\system32\drivers\nsiproxy.sys []
R1 Null;Null; C:\Windows\SysWOW64\drivers\Null.sys []
R1 Psched;@%SystemRoot%\System32\drivers\pacer.sys,-101; C:\Windows\system32\DRIVERS\pacer.sys []
R1 rdbss;@%systemroot%\system32\wkssvc.dll,-1000; C:\Windows\system32\DRIVERS\rdbss.sys []
R1 RDPCDD;@%systemroot%\system32\DRIVERS\RDPCDD.sys,-100; C:\Windows\System32\DRIVERS\RDPCDD.sys []
R1 RDPENCDD;@%systemroot%\system32\drivers\RDPENCDD.sys,-101; C:\Windows\system32\drivers\rdpencdd.sys []
R1 RDPREFMP;@%systemroot%\system32\drivers\RdpRefMp.sys,-101; C:\Windows\system32\drivers\rdprefmp.sys []
R1 Serial;Serial port driver; C:\Windows\system32\DRIVERS\serial.sys []
R2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver; C:\Windows\system32\DRIVERS\lltdio.sys []
R2 luafv;@%systemroot%\system32\drivers\luafv.sys,-100; C:\Windows\system32\drivers\luafv.sys []
R2 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys []
R2 PEAUTH;PEAUTH; C:\Windows\system32\drivers\peauth.sys []
R2 rspndr;Link-Layer Topology Discovery Responder; C:\Windows\system32\DRIVERS\rspndr.sys []
R2 secdrv;Security Driver; C:\Windows\SysWOW64\drivers\secdrv.sys []
R3 AsyncMac;@%systemroot%\system32\rascfg.dll,-32000; C:\Windows\system32\DRIVERS\asyncmac.sys []
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60a.sys []
R3 bowser;@%systemroot%\system32\browser.dll,-102; C:\Windows\system32\DRIVERS\bowser.sys []
R3 CompositeBus;Composite Bus Enumerator Driver; C:\Windows\system32\drivers\CompositeBus.sys []
R3 fdc;Floppy Disk Controller Driver; C:\Windows\system32\DRIVERS\fdc.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\Windows\system32\DRIVERS\hidusb.sys []
R3 HTTP;@%SystemRoot%\system32\drivers\http.sys,-1; C:\Windows\system32\drivers\HTTP.sys []
R3 i8042prt;i8042 Keyboard and PS/2 Mouse Port Driver; C:\Windows\system32\drivers\i8042prt.sys []
R3 intelppm;Intel Processor Driver; C:\Windows\system32\DRIVERS\intelppm.sys []
R3 IPMIDRV;IPMIDRV; C:\Windows\system32\drivers\IPMIDrv.sys []
R3 kbdclass;Keyboard Class Driver; C:\Windows\system32\drivers\kbdclass.sys []
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\Windows\system32\DRIVERS\mcdbus.sys [2009-02-24 255552]
R3 monitor;Microsoft Monitor Class Function Driver Service; C:\Windows\system32\DRIVERS\monitor.sys []
R3 mouclass;Mouse Class Driver; C:\Windows\system32\DRIVERS\mouclass.sys []
R3 mouhid;Mouse HID Driver; C:\Windows\system32\DRIVERS\mouhid.sys []
R3 mpsdrv;@%SystemRoot%\system32\FirewallAPI.dll,-23092; C:\Windows\System32\drivers\mpsdrv.sys []
R3 mrxsmb;@%systemroot%\system32\wkssvc.dll,-1002; C:\Windows\system32\DRIVERS\mrxsmb.sys []
R3 mrxsmb10;@%systemroot%\system32\wkssvc.dll,-1004; C:\Windows\system32\DRIVERS\mrxsmb10.sys []
R3 mrxsmb20;@%systemroot%\system32\wkssvc.dll,-1006; C:\Windows\system32\DRIVERS\mrxsmb20.sys []
R3 NdisTapi;@%systemroot%\system32\rascfg.dll,-32001; C:\Windows\system32\DRIVERS\ndistapi.sys []
R3 NdisWan;@%systemroot%\system32\rascfg.dll,-32002; C:\Windows\system32\DRIVERS\ndiswan.sys []
R3 NDProxy;NDIS Proxy; C:\Windows\SysWOW64\drivers\NDProxy.sys []
R3 Ntfs;Ntfs; C:\Windows\SysWOW64\drivers\Ntfs.sys []
R3 PptpMiniport;@%systemroot%\system32\rascfg.dll,-32006; C:\Windows\system32\DRIVERS\raspptp.sys []
R3 RasAgileVpn;WAN Miniport (IKEv2); C:\Windows\system32\DRIVERS\AgileVpn.sys []
R3 Rasl2tp;@%systemroot%\system32\rascfg.dll,-32005; C:\Windows\system32\DRIVERS\rasl2tp.sys []
R3 RasPppoe;@%systemroot%\system32\rascfg.dll,-32007; C:\Windows\system32\DRIVERS\raspppoe.sys []
R3 RasSstp;@%systemroot%\system32\sstpsvc.dll,-202; C:\Windows\system32\DRIVERS\rassstp.sys []
R3 rdpbus;Remote Desktop Device Redirector Bus Driver; C:\Windows\system32\DRIVERS\rdpbus.sys []
R3 RDPDR;Terminal Server Device Redirector Driver; C:\Windows\System32\drivers\rdpdr.sys []
R3 RDPWD;RDP Winstation Driver; C:\Windows\SysWOW64\drivers\RDPWD.sys []
R3 Serenum;Serenum Filter Driver; C:\Windows\system32\DRIVERS\serenum.sys []
R3 srv;@%systemroot%\system32\srvsvc.dll,-102; C:\Windows\System32\DRIVERS\srv.sys []
S0 sacdrv;sacdrv; C:\Windows\system32\DRIVERS\sacdrv.sys []
S1 gwxhkwzv;gwxhkwzv; \??\C:\Windows\system32\drivers\gwxhkwzv.sys []
S1 hbsoboge;hbsoboge; \??\C:\Windows\system32\drivers\hbsoboge.sys []
S1 jhnlttbm;jhnlttbm; \??\C:\Windows\system32\drivers\jhnlttbm.sys []
S3 1394ohci;1394 OHCI Compliant Host Controller; C:\Windows\system32\drivers\1394ohci.sys []
S3 AcpiPmi;ACPI Power Meter Driver; C:\Windows\system32\drivers\acpipmi.sys []
S3 adp94xx;adp94xx; C:\Windows\system32\DRIVERS\adp94xx.sys []
S3 adpahci;adpahci; C:\Windows\system32\DRIVERS\adpahci.sys []
S3 adpu320;adpu320; C:\Windows\system32\DRIVERS\adpu320.sys []
S3 agp440;Intel AGP Bus Filter; C:\Windows\system32\drivers\agp440.sys []
S3 aliide;aliide; C:\Windows\system32\drivers\aliide.sys []
S3 amdide;amdide; C:\Windows\system32\drivers\amdide.sys []
S3 AmdK8;AMD K8 Processor Driver; C:\Windows\system32\DRIVERS\amdk8.sys []
S3 AmdPPM;AMD Processor Driver; C:\Windows\system32\DRIVERS\amdppm.sys []
S3 amdsata;amdsata; C:\Windows\system32\drivers\amdsata.sys []
S3 amdsbs;amdsbs; C:\Windows\system32\DRIVERS\amdsbs.sys []
S3 AppID;@%systemroot%\system32\appidsvc.dll,-102; C:\Windows\system32\drivers\appid.sys []
S3 arc;arc; C:\Windows\system32\DRIVERS\arc.sys []
S3 arcsas;arcsas; C:\Windows\system32\DRIVERS\arcsas.sys []
S3 b06bdrv;Broadcom NetXtreme II VBD; C:\Windows\system32\DRIVERS\bxvbda.sys []
S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver; C:\Windows\system32\DRIVERS\BrFiltLo.sys []
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver; C:\Windows\system32\DRIVERS\BrFiltUp.sys []
S3 Brserid;Brother MFC Serial Port Interface Driver (WDM); C:\Windows\System32\Drivers\Brserid.sys []
S3 BrSerWdm;Brother WDM Serial driver; C:\Windows\System32\Drivers\BrSerWdm.sys []
S3 BrUsbMdm;Brother MFC USB Fax Only Modem; C:\Windows\System32\Drivers\BrUsbMdm.sys []
S3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\Windows\System32\Drivers\BrUsbSer.sys []
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys []
S3 cmdide;cmdide; C:\Windows\system32\drivers\cmdide.sys []
S3 Compbatt;Compbatt; C:\Windows\system32\DRIVERS\compbatt.sys []
S3 DXGKrnl;LDDM Graphics Subsystem; C:\Windows\System32\drivers\dxgkrnl.sys []
S3 ebdrv;Broadcom NetXtreme II 10 GigE VBD; C:\Windows\system32\DRIVERS\evbda.sys []
S3 elxstor;elxstor; C:\Windows\system32\DRIVERS\elxstor.sys []
S3 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S3 exfat;exFAT File System Driver; C:\Windows\SysWOW64\drivers\exfat.sys []
S3 fastfat;FAT12/16/32 File System Driver; C:\Windows\SysWOW64\drivers\fastfat.sys []
S3 FileInfo;@%SystemRoot%\system32\drivers\fileinfo.sys,-100; C:\Windows\system32\drivers\fileinfo.sys []
S3 Filetrace;@%SystemRoot%\system32\drivers\filetrace.sys,-10001; C:\Windows\system32\drivers\filetrace.sys []
S3 flpydisk;Floppy Disk Driver; C:\Windows\system32\DRIVERS\flpydisk.sys []
S3 FsDepends;@%SystemRoot%\system32\drivers\fsdepends.sys,-10001; C:\Windows\System32\drivers\FsDepends.sys []
S3 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms; C:\Windows\system32\DRIVERS\gagp30kx.sys []
S3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\Windows\system32\drivers\HDAudBus.sys []
S3 HidBatt;HID UPS Battery Driver; C:\Windows\system32\DRIVERS\HidBatt.sys []
S3 HpSAMD;HpSAMD; C:\Windows\system32\drivers\HpSAMD.sys []
S3 iaStorV;Intel RAID Controller Windows 7; C:\Windows\system32\drivers\iaStorV.sys []
S3 iirsp;iirsp; C:\Windows\system32\DRIVERS\iirsp.sys []
S3 ioatdma;Intel® QuickData Technology Device; C:\Windows\System32\Drivers\qd260x64.sys []
S3 IpFilterDriver;@%systemroot%\system32\rascfg.dll,-32013; C:\Windows\system32\DRIVERS\ipfltdrv.sys []
S3 IPNAT;IP Network Address Translator; C:\Windows\System32\drivers\ipnat.sys []
S3 isapnp;isapnp; C:\Windows\system32\drivers\isapnp.sys []
S3 iScsiPrt;iScsiPort Driver; C:\Windows\system32\drivers\msiscsi.sys []
S3 kbdhid;Keyboard HID Driver; C:\Windows\system32\drivers\kbdhid.sys []
S3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
S3 LSI_FC;LSI_FC; C:\Windows\system32\DRIVERS\lsi_fc.sys []
S3 LSI_SAS;LSI_SAS; C:\Windows\system32\DRIVERS\lsi_sas.sys []
S3 LSI_SAS2;LSI_SAS2; C:\Windows\system32\DRIVERS\lsi_sas2.sys []
S3 LSI_SCSI;LSI_SCSI; C:\Windows\system32\DRIVERS\lsi_scsi.sys []
S3 megasas;megasas; C:\Windows\system32\DRIVERS\megasas.sys []
S3 MegaSR;MegaSR; C:\Windows\system32\DRIVERS\MegaSR.sys []
S3 Modem;Modem; C:\Windows\system32\drivers\modem.sys []
S3 mpio;Microsoft Multi-Path Bus Driver; C:\Windows\system32\drivers\mpio.sys []
S3 MRxDAV;@%systemroot%\system32\webclnt.dll,-104; C:\Windows\system32\drivers\mrxdav.sys [2010-11-20 115712]
S3 msahci;msahci; C:\Windows\system32\drivers\msahci.sys []
S3 msdsm;Microsoft Multi-Path Device Specific Module; C:\Windows\system32\drivers\msdsm.sys []
S3 mshidkmdf;@%SystemRoot%\system32\drivers\mshidkmdf.sys,-100; C:\Windows\System32\drivers\mshidkmdf.sys []
S3 MsRPC;MsRPC; C:\Windows\SysWOW64\drivers\MsRPC.sys []
S3 MTConfig;Microsoft Input Configuration Driver; C:\Windows\system32\DRIVERS\MTConfig.sys []
S3 NdisCap;NDIS Capture LightWeight Filter; C:\Windows\system32\DRIVERS\ndiscap.sys []
S3 Ndisuio;NDIS Usermode I/O Protocol; C:\Windows\system32\DRIVERS\ndisuio.sys []
S3 nfrd960;nfrd960; C:\Windows\system32\DRIVERS\nfrd960.sys []
S3 nv_agp;NVIDIA nForce AGP Bus Filter; C:\Windows\system32\drivers\nv_agp.sys []
S3 nvraid;nvraid; C:\Windows\system32\drivers\nvraid.sys []
S3 nvstor;nvstor; C:\Windows\system32\drivers\nvstor.sys []
S3 ohci1394;1394 OHCI Compliant Host Controller (Legacy); C:\Windows\system32\drivers\ohci1394.sys []
S3 Parport;Parallel port driver; C:\Windows\system32\DRIVERS\parport.sys []
S3 pciide;pciide; C:\Windows\system32\drivers\pciide.sys []
S3 pcmcia;pcmcia; C:\Windows\system32\DRIVERS\pcmcia.sys []
S3 Processor;Processor Driver; C:\Windows\system32\DRIVERS\processr.sys []
S3 ql2300;ql2300; C:\Windows\system32\DRIVERS\ql2300.sys []
S3 ql40xx;ql40xx; C:\Windows\system32\DRIVERS\ql40xx.sys []
S3 qmphook;QM process triggers; \??\C:\Program Files (x86)\Quick Macros 2\x64\qmphook.sys [2007-05-25 14016]
S3 RasAcd;Remote Access Auto Connection Driver; C:\Windows\System32\DRIVERS\rasacd.sys []
S3 s3cap;s3cap; C:\Windows\system32\drivers\vms3cap.sys []
S3 sbp2port;SBP-2 Transport/Protocol Bus Driver; C:\Windows\system32\drivers\sbp2port.sys []
S3 scfilter;@%SystemRoot%\System32\drivers\scfilter.sys,-11; C:\Windows\System32\DRIVERS\scfilter.sys []
S3 sermouse;Serial Mouse Driver; C:\Windows\system32\DRIVERS\sermouse.sys []
S3 sffdisk;SFF Storage Class Driver; C:\Windows\system32\drivers\sffdisk.sys []
S3 sffp_mmc;SFF Storage Protocol Driver for MMC; C:\Windows\system32\drivers\sffp_mmc.sys []
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\Windows\system32\drivers\sffp_sd.sys []
S3 sfloppy;High-Capacity Floppy Disk Drive; C:\Windows\system32\DRIVERS\sfloppy.sys []
S3 SiSRaid2;SiSRaid2; C:\Windows\system32\DRIVERS\SiSRaid2.sys []
S3 SiSRaid4;SiSRaid4; C:\Windows\system32\DRIVERS\sisraid4.sys []
S3 Smb;@%SystemRoot%\system32\tcpipcfg.dll,-50005; C:\Windows\system32\DRIVERS\smb.sys []
S4 cdfs;CD/DVD File System Reader; C:\Windows\system32\DRIVERS\cdfs.sys []
S4 crcdisk;Crcdisk Filter Driver; C:\Windows\system32\DRIVERS\crcdisk.sys []
S4 CSC;@%systemroot%\system32\cscsvc.dll,-202; C:\Windows\system32\drivers\csc.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ADWS;@%SystemRoot%\ADWS\adwsres.dll,-1; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [2010-11-20 487424]
R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 BFE;@%SystemRoot%\system32\bfe.dll,-1001; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 CryptSvc;@%SystemRoot%\system32\cryptsvc.dll,-1001; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 DcomLaunch;@oleres.dll,-5012; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 Dfs;@%systemroot%\system32\dfssvc.exe,-101; C:\Windows\system32\dfssvc.exe []
R2 DFSR;@dfsrress.dll,-101; C:\Windows\system32\DFSRs.exe []
R2 Dhcp;@%SystemRoot%\system32\dhcpcore.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 DNS;@%systemroot%\system32\dns.exe,-49157; C:\Windows\system32\dns.exe []
R2 Dnscache;@%SystemRoot%\System32\dnsapi.dll,-101; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 DPS;@%systemroot%\system32\dps.dll,-500; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 eventlog;@%SystemRoot%\system32\wevtsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 EventSystem;@comres.dll,-2450; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 ftpsvc;@%windir%\system32\inetsrv\ftpres.dll,-30001; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 gpsvc;@gpapi.dll,-112; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 IISADMIN;@%windir%\system32\inetsrv\iisres.dll,-30007; C:\Windows\system32\inetsrv\inetinfo.exe []
R2 IKEEXT;@%SystemRoot%\system32\ikeext.dll,-501; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 IpHlpSvc;@%SystemRoot%\system32\iphlpsvc.dll,-500; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 IsmServ;@%SystemRoot%\System32\ismserv.exe,-1; C:\Windows\System32\ismserv.exe []
R2 kdc;@%SystemRoot%\System32\kdcsvc.dll,-1; C:\Windows\System32\lsass.exe []
R2 LanmanServer;@%systemroot%\system32\srvsvc.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 LanmanWorkstation;@%systemroot%\system32\wkssvc.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 lmhosts;@%SystemRoot%\system32\lmhsvc.dll,-101; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 MpsSvc;@%SystemRoot%\system32\FirewallAPI.dll,-23090; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 MSExchangeAB;Microsoft Exchange Address Book; C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.AddressBook.Service.exe [2011-10-25 141976]
R2 MSExchangeADTopology;Microsoft Exchange Active Directory Topology; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeADTopologyService.exe [2011-10-25 104744]
R2 MSExchangeAntispamUpdate;Microsoft Exchange Anti-spam Update; C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [2011-10-25 35656]
R2 MSExchangeEdgeSync;Microsoft Exchange EdgeSync; C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [2011-10-25 105264]
R2 MSExchangeFBA;Microsoft Exchange Forms-Based Authentication service; C:\Program Files\Microsoft\Exchange Server\V14\Bin\ExFBA.exe [2011-10-25 101624]
R2 MSExchangeFDS;Microsoft Exchange File Distribution; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeFDS.exe [2011-10-25 101128]
R2 MSExchangeIS;Microsoft Exchange Information Store; C:\Program Files\Microsoft\Exchange Server\V14\bin\store.exe [2011-10-25 6897912]
R2 MSExchangeMailboxAssistants;Microsoft Exchange Mailbox Assistants; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxAssistants.exe [2011-10-25 756352]
R2 MSExchangeMailboxReplication;Microsoft Exchange Mailbox Replication; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe [2011-10-25 18216]
R2 MSExchangeMailSubmission;Microsoft Exchange Mail Submission; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailSubmission.exe [2011-10-25 109176]
R2 MSExchangeProtectedServiceHost;Microsoft Exchange Protected Service Host; C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.ProtectedServiceHost.exe [2011-10-25 23192]
R2 MSExchangeRepl;Microsoft Exchange Replication; C:\Program Files\Microsoft\Exchange Server\V14\bin\msexchangerepl.exe [2011-10-25 60000]
R2 MSExchangeRPC;Microsoft Exchange RPC Client Access; C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.RpcClientAccess.Service.exe [2011-10-25 80544]
R2 MSExchangeSA;Microsoft Exchange System Attendant; C:\Program Files\Microsoft\Exchange Server\V14\bin\mad.exe [2011-10-25 1359608]
R2 MSExchangeSearch;Microsoft Exchange Search Indexer; C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.Search.ExSearch.exe [2011-10-25 404104]
R2 MSExchangeServiceHost;Microsoft Exchange Service Host; C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.ServiceHost.exe [2011-10-25 26240]
R2 MSExchangeThrottling;Microsoft Exchange Throttling; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeThrottling.exe [2011-10-25 39704]
R2 MSExchangeTransport;Microsoft Exchange Transport; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeTransport.exe [2011-10-25 72472]
R2 MSExchangeTransportLogSearch;Microsoft Exchange Transport Log Search; C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeTransportLogSearch.exe [2011-10-25 203392]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\MsMpEng.exe [2013-01-27 22056]
R2 MSSQL$BLACKBERRY;SQL Server (BLACKBERRY); c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R2 Netlogon;@%SystemRoot%\System32\netlogon.dll,-102; C:\Windows\system32\lsass.exe []
R2 NetPipeActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
R2 NetTcpActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
R2 NetTcpPortSharing;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8201; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
R2 NlaSvc;@%SystemRoot%\System32\nlasvc.dll,-1; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 nsi;@%SystemRoot%\system32\nsisvc.dll,-200; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 NTDS;@%SystemRoot%\System32\ntdsmsg.dll,-1; C:\Windows\System32\lsass.exe []
R2 NtFrs;File Replication Service; C:\Windows\system32\ntfrs.exe []
R2 PlugPlay;@%SystemRoot%\system32\umpnpmgr.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 PolicyAgent;@%SystemRoot%\System32\polstore.dll,-5010; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 Power;@%SystemRoot%\system32\umpo.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 ProfSvc;@%systemroot%\system32\profsvc.dll,-300; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 quickmacros2;Quick Macros; C:\Program Files (x86)\Quick Macros 2\qmserv.exe [2008-09-08 9728]
R2 RemoteRegistry;@regsvc.dll,-1; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 RpcEptMapper;@%windir%\system32\RpcEpMap.dll,-1001; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 RpcSs;@oleres.dll,-5010; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 SamSs;@%SystemRoot%\system32\samsrv.dll,-1; C:\Windows\system32\lsass.exe []
R2 SCardSvr;Smart Card; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 Schedule;@%SystemRoot%\system32\schedsvc.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 seclogon;Secondary Logon; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 SessionEnv;Remote Desktop Configuration; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 ShellHWDetection;@%SystemRoot%\System32\shsvcs.dll,-12288; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R2 Spooler;@%systemroot%\system32\spoolsv.exe,-1; C:\Windows\System32\spoolsv.exe []
R2 SQLBrowser;SQL Server Browser; c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2010-12-10 238944]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2010-12-10 153440]
R3 AeLookupSvc;@%SystemRoot%\system32\aelupsvc.dll,-1; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 Appinfo;@%systemroot%\system32\appinfo.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [2010-03-18 44376]
R3 AudioEndpointBuilder;@%SystemRoot%\system32\audiosrv.dll,-204; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R3 BITS;@%SystemRoot%\system32\qmgr.dll,-1000; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R3 CertPropSvc;@%SystemRoot%\System32\certprop.dll,-11; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 defragsvc;@%SystemRoot%\system32\defragsvc.dll,-101; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 FCRegSvc;@%SystemRoot%\system32\FCRegSvc.dll,-5000; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 fdPHost;@%systemroot%\system32\fdPHost.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R3 msftesql-Exchange;Microsoft Search  (Exchange); C:\Program Files\Microsoft\Exchange Server\V14\Bin\msftesql.exe [2010-08-22 183728]
R3 Netman;@%SystemRoot%\system32\netman.dll,-109; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R3 netprofm;@%SystemRoot%\system32\netprofm.dll,-202; C:\Windows\System32\svchost.exe [2009-07-13 20992]
R3 NisSrv;@c:\Program Files\Microsoft Security Client\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
R3 RpcLocator;Remote Procedure Call (RPC) Locator; C:\Windows\system32\locator.exe []
S2 AudioSrv;@%SystemRoot%\system32\audiosrv.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 MSDTC;@comres.dll,-2797; C:\Windows\System32\msdtc.exe []
S2 sppsvc;@%SystemRoot%\system32\sppsvc.exe,-101; C:\Windows\system32\sppsvc.exe []
S3 ALG;@%SystemRoot%\system32\Alg.exe,-112; C:\Windows\System32\alg.exe []
S3 AppIDSvc;@%systemroot%\system32\appidsvc.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 COMSysApp;@comres.dll,-947; C:\Windows\system32\dllhost.exe [2009-07-13 7168]
S3 dot3svc;@%systemroot%\system32\dot3svc.dll,-1102; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 EapHost;@%systemroot%\system32\eapsvc.dll,-1; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 EFS;@%SystemRoot%\system32\efssvc.dll,-100; C:\Windows\System32\lsass.exe []
S3 FDResPub;@%systemroot%\system32\fdrespub.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 FontCache3.0.0.0;@%SystemRoot%\system32\PresentationHost.exe,-3309; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2010-11-04 42856]
S3 hidserv;@%SystemRoot%\System32\hidserv.dll,-101; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 hkmsvc;@%SystemRoot%\system32\kmsvc.dll,-6; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 idsvc;@%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [2010-11-04 856400]
S3 KeyIso;@keyiso.dll,-100; C:\Windows\system32\lsass.exe []
S3 KtmRm;@comres.dll,-2946; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 lltdsvc;@%SystemRoot%\system32\lltdres.dll,-1; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 MMCSS;@%systemroot%\system32\mmcss.dll,-100; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 MSExchangeImap4;Microsoft Exchange IMAP4; C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [2011-10-25 19592]
S3 MSExchangeMonitoring;Microsoft Exchange Monitoring; C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.Monitoring.exe [2011-10-25 64128]
S3 MSExchangePop3;Microsoft Exchange POP3; C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [2011-10-25 19584]
S3 MSiSCSI;@%SystemRoot%\system32\iscsidsc.dll,-5000; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 msiserver;@%SystemRoot%\system32\msimsg.dll,-27; C:\Windows\system32\msiexec.exe [2010-11-20 73216]
S3 napagent;@%SystemRoot%\system32\qagentrt.dll,-6; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2009-07-13 20992]
S3 pla;@%systemroot%\system32\pla.dll,-500; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 ProtectedStorage;@%systemroot%\system32\psbase.dll,-300; C:\Windows\system32\lsass.exe []
S3 RasAuto;@%Systemroot%\system32\rasauto.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 RasMan;@%Systemroot%\system32\rasmans.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 RPCHTTPLBS;@%systemroot%\system32\RpcProxy\RpcProxy.dll,-2; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 rqs;@%Systemroot%\system32\rqs.exe,-200; C:\Windows\system32\rqs.exe []
S3 RSoPProv;@gpapi.dll,-114; C:\Windows\system32\RSoPProv.exe []
S3 sacsvr;@%systemroot%\system32\sacsvr.dll,-500; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S3 SCPolicySvc;@%SystemRoot%\System32\certprop.dll,-13; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S3 sppuinotify;@%SystemRoot%\system32\sppuinotify.dll,-103; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S4 Browser;@%systemroot%\system32\browser.dll,-100; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 clr_optimization_v2.0.50727_32;Microsoft .NET Framework NGEN v2.0.50727_X86; C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2009-06-10 66384]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-06-10 89920]
S4 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 IPBusEnum;@%systemroot%\system32\IPBusEnum.dll,-102; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2010-12-10 44384]
S4 NetMsmqActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2010-03-18 124240]
S4 RemoteAccess;@%Systemroot%\system32\mprdim.dll,-200; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 SENS;System Event Notification Service; C:\Windows\system32\svchost.exe [2009-07-13 20992]
S4 SharedAccess;@%SystemRoot%\system32\ipnathlp.dll,-106; C:\Windows\System32\svchost.exe [2009-07-13 20992]
S4 SNMPTRAP;SNMP Trap; C:\Windows\System32\snmptrap.exe []

-----------------EOF-----------------

info.txt

info.txt logfile of random's system information tool 1.09 2013-03-15 08:27:07

======Uninstall list======

Adobe Flash Player 11 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe -maintain activex
Citrix XenApp 6 Fundamentals Edition-->"C:\Program Files (x86)\Citrix\CAE Uninstall\setup.exe" /remove
MagicDisc 2.7.106-->C:\PROGRA~2\MAGICD~1\UNWISE.EXE C:\PROGRA~2\MAGICD~1\INSTALL.LOG
Messaging API and Collaboration Data Objects 1.2.1-->MsiExec.exe /X{5A8751A2-684E-4D42-846C-3A58CE36C1F9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Express Edition (BLACKBERRY)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files (x86)\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft Visual Studio 2005 Tools for Office Runtime-->MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
OST2PST v2.1-->C:\PROGRA~2\PWDService\UNWISE.EXE /U C:\PROGRA~2\PWDService\ost2pst.log
Quick Macros 2-->"C:\Program Files (x86)\Quick Macros 2\unins000.exe"
Revo Uninstaller 1.94-->C:\Program Files (x86)\VS Revo Group\Revo Uninstaller\uninst.exe
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FD8D7C9A-E56A-3E7B-BA6D-FE68F13296E3} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {F66C3466-1FDB-347C-B3AE-FB6C50627B10} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {E720AD01-93D5-3E8E-BB8D-E4EF5AF4E5DD} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {BCD37DCB-F479-3D4D-A90E-A0F7575549C4} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FF811680-AECE-3F35-A98C-1B84B6E09168} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)-->c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe /uninstallpatch {3162617C-537F-3BB6-8D0C-C6021F442391} /parameterfolder Extended
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)-->c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe /uninstallpatch {9D621E6E-E010-3C80-A055-135891134750} /parameterfolder Extended
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {29C7BE97-DE59-37A2-A687-2ADD5321948A} /parameterfolder Client
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {7D799A81-5661-3159-BF92-754161CED6E6} /parameterfolder Client
Update for Microsoft .NET Framework 4 Extended (KB2468871)-->c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe /uninstallpatch {29C7BE97-DE59-37A2-A687-2ADD5321948A} /parameterfolder Extended
Update for Microsoft .NET Framework 4 Extended (KB2533523)-->c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Extended\setup.exe /uninstallpatch {7D799A81-5661-3159-BF92-754161CED6E6} /parameterfolder Extended
Visual Studio 2005 Tools for Office Second Edition Runtime-->C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe

======System event log======

Computer Name: mail-server.tforti.local
Event Code: 29
Message: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Record Number: 135155
Source Name: Microsoft-Windows-Kerberos-Key-Distribution-Center
Time Written: 20120814065447.000000-000
Event Type: Warning
User:

Computer Name: mail-server.tforti.local
Event Code: 36888
Message: The following fatal alert was generated: 10. The internal error state is 1203.
Record Number: 135125
Source Name: Schannel
Time Written: 20120814040146.167995-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: mail-server.tforti.local
Event Code: 36888
Message: The following fatal alert was generated: 10. The internal error state is 1203.
Record Number: 135124
Source Name: Schannel
Time Written: 20120814040046.145562-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: mail-server.tforti.local
Event Code: 5782
Message: Dynamic registration or deregistration of one or more DNS records failed with the following error:
No DNS servers configured for local system.
Record Number: 135091
Source Name: NETLOGON
Time Written: 20120814031056.000000-000
Event Type: Warning
User:

Computer Name: mail-server.tforti.local
Event Code: 5782
Message: Dynamic registration or deregistration of one or more DNS records failed with the following error:
No DNS servers configured for local system.
Record Number: 135050
Source Name: NETLOGON
Time Written: 20120813231056.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: mail-server.tforti.local
Event Code: 14003
Message: Unable to create Group Metrics distribution share.
Share: GroupMetrics
Directory: C:\Program Files\Microsoft\Exchange Server\V14\GroupMetrics
Message: 000006D9
Record Number: 293517
Source Name: MSExchange MailTips
Time Written: 20121210032958.000000-000
Event Type: Error
User:

Computer Name: mail-server.tforti.local
Event Code: 1000
Message: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000001
Faulting process id: 0x307c
Faulting application start time: 0x01cdd662a799ae7c
Faulting application path: C:\Windows\SysWOW64\svchost.exe
Faulting module path: unknown
Report Id: 1f339fe8-4256-11e2-890f-0015c5fa64a3
Record Number: 293477
Source Name: Application Error
Time Written: 20121209231404.000000-000
Event Type: Error
User:

Computer Name: mail-server.tforti.local
Event Code: 1000
Message: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x7748c9f1
Faulting process id: 0x25dc
Faulting application start time: 0x01cdd654baab41c7
Faulting application path: C:\Windows\SysWOW64\svchost.exe
Faulting module path: unknown
Report Id: 425c1cbb-4248-11e2-890f-0015c5fa64a3
Record Number: 293463
Source Name: Application Error
Time Written: 20121209213450.000000-000
Event Type: Error
User:

Computer Name: mail-server.tforti.local
Event Code: 1000
Message: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: jscript9.dll, version: 9.0.8112.16437, time stamp: 0x4e5eef88
Exception code: 0xc0000005
Fault offset: 0x0000ce3e
Faulting process id: 0x2f5c
Faulting application start time: 0x01cdd64e823bed07
Faulting application path: C:\Windows\SysWOW64\svchost.exe
Faulting module path: C:\Windows\SysWOW64\jscript9.dll
Report Id: 6967fd0b-4242-11e2-890f-0015c5fa64a3
Record Number: 293456
Source Name: Application Error
Time Written: 20121209205258.000000-000
Event Type: Error
User:

Computer Name: mail-server.tforti.local
Event Code: 20000
Message:
Record Number: 293447
Source Name: BlackBerry Policy Service
Time Written: 20121209200316.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: mail-server.tforti.local
Event Code: 4658
Message: The handle to an object was closed.

Subject :
    Security ID:        S-1-5-18
    Account Name:        MAIL-SERVER$
    Account Domain:        TFORTI
    Logon ID:        0x3e7

Object:
    Object Server:        Microsoft Exchange
    Handle ID:        0x150ad20

Process Information:
    Process ID:        0x544
    Process Name:        C:\Program Files\Microsoft\Exchange Server\V14\Bin\store.exe
Record Number: 19734768
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20130315023031.379160-000
Event Type: Audit Success
User:

Computer Name: mail-server.tforti.local
Event Code: 4658
Message: The handle to an object was closed.

Subject :
    Security ID:        S-1-5-18
    Account Name:        MAIL-SERVER$
    Account Domain:        TFORTI
    Logon ID:        0x3e7

Object:
    Object Server:        Microsoft Exchange
    Handle ID:        0x150ad20

Process Information:
    Process ID:        0x544
    Process Name:        C:\Program Files\Microsoft\Exchange Server\V14\Bin\store.exe
Record Number: 19734767
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20130315023031.377910-000
Event Type: Audit Success
User:

Computer Name: mail-server.tforti.local
Event Code: 4658
Message: The handle to an object was closed.

Subject :
    Security ID:        S-1-5-18
    Account Name:        MAIL-SERVER$
    Account Domain:        TFORTI
    Logon ID:        0x3e7

Object:
    Object Server:        Microsoft Exchange
    Handle ID:        0x44c9aeb0

Process Information:
    Process ID:        0x544
    Process Name:        C:\Program Files\Microsoft\Exchange Server\V14\Bin\store.exe
Record Number: 19734766
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20130315023031.369160-000
Event Type: Audit Success
User:

Computer Name: mail-server.tforti.local
Event Code: 4658
Message: The handle to an object was closed.

Subject :
    Security ID:        S-1-5-18
    Account Name:        MAIL-SERVER$
    Account Domain:        TFORTI
    Logon ID:        0x3e7

Object:
    Object Server:        Microsoft Exchange
    Handle ID:        0x44c9aeb0

Process Information:
    Process ID:        0x544
    Process Name:        C:\Program Files\Microsoft\Exchange Server\V14\Bin\store.exe
Record Number: 19734765
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20130315023031.346660-000
Event Type: Audit Success
User:

Computer Name: mail-server.tforti.local
Event Code: 4634
Message: An account was logged off.

Subject:
    Security ID:        S-1-5-18
    Account Name:        MAIL-SERVER$
    Account Domain:        TFORTI
    Logon ID:        0x73f7a8ed

Logon Type:            3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 19734764
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20130315023029.551632-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;%systemroot%\idmu\common;C:\Program Files\Microsoft\Exchange Server\V14\bin;C:\Program Files (x86)\ExchangeMapi\;c:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=2
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=Intel64 Family 15 Model 6 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0604
"ClusterLog"=C:\WINDOWS\Cluster\cluster.log
"ExchangeInstallPath"=C:\Program Files\Microsoft\Exchange Server\V14\

-----------------EOF-----------------
 

Attached Files

  • Attached File  log.txt   56.95KB   0 downloads
  • Attached File  info.txt   11.77KB   0 downloads

Edited by tomforti, 15 March 2013 - 07:44 AM.


#2 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 07:56 AM

Just wanted to add, because I was looking over my logs. Quick Macros 2 and the scheduled job "RAMP" is a daily task that I set up and is ok.



#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 March 2013 - 08:38 AM


Hello tomforti

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-RogueKiller-
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then click on the "Scan" button.
    • Wait until the Status box shows "Scan Finished".
    • Click on "Delete".
    • Wait until the Status box shows "Deleting Finished".
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop.
    • Exit/Close RogueKiller.
  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 09:29 AM

Security Check

 

 Results of screen317's Security Check version 0.99.61  

   x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
AdwCleaner
 

# AdwCleaner v2.114 - Logfile created 03/15/2013 at 10:00:46
# Updated 05/03/2013 by Xplode
# Operating system : Windows Server 2008 R2 Enterprise Service Pack 1 (64 bits)
# User : tom - MAIL-SERVER
# Boot Mode : Normal
# Running from : C:\Users\tom\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
 
***** [Registry] *****
 
Key Deleted : HKLM\Software\Description
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v9.0.8112.16421
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v [Unable to get version]
 
File : C:\Users\tom\AppData\Roaming\Mozilla\Firefox\Profiles\vq12x7br.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\vivi\AppData\Roaming\Mozilla\Firefox\Profiles\0s6a9nx6.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\MDT\AppData\Roaming\Mozilla\Firefox\Profiles\it08y1zm.default\prefs.js
 
[OK] File is clean.
 
File : C:\Users\Administrator.MAIL-SERVER\AppData\Roaming\Mozilla\Firefox\Profiles\6x8z0evc.default\prefs.js
 
[OK] File is clean.
 
*************************
 
AdwCleaner[S1].txt - [1090 octets] - [15/03/2013 10:00:46]
 
########## EOF - C:\AdwCleaner[S1].txt - [1150 octets] ##########
 
 
RogueKiller
 

RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : tom [Admin rights]
Mode : Remove -- Date : 03/15/2013 10:28:46
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 7 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Users\tom\AppData\Local\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\tom\AppData\Local\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L\00000004.@ [-] --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L\201d3dde [-] --> REMOVED
[Del.Parent][FILE] 4cce1f70 : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L\4cce1f70 [-] --> REMOVED
[Del.Parent][FILE] 76603ac3 : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L\76603ac3 [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\tom\AppData\Local\{39c16caf-d3ea-8331-f2d8-3653e351ec2b}\L --> REMOVED
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD5000AAJS-00YFA0 ATA Device +++++
--- User ---
[MBR] e95d884cf7091c7de3de1773acb82c46
[BSP] 987d0702764828e7446e1e5864f25f5d : MBR Code unknown
Partition table:
0 - [ACTIVE] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 476938 Mo
1 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 976769087 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: WDC WD5000AAJS-00YFA0 ATA Device +++++
--- User ---
[MBR] 818ec2aebe3e42b777e98a9eaba7928a
[BSP] d00e12b75b1ee7679298b534b89b719a : Windows XP MBR Code
Partition table:
0 - [ACTIVE] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 476938 Mo
1 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 976769087 | Size: 0 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_03152013_02d1028.txt >>
RKreport[1]_S_03152013_02d1025.txt ; RKreport[2]_D_03152013_02d1028.txt
 
 
 


#5 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 09:42 AM

So I know you asked for me to let you know how things are running following everything. It looks like the Google redirect might be gone; I did a couple of searches and haven't had any problems. And I noticed that my content.ie5 folder is still clean, including the folder I wasn't able to delete before. So can I get excited that everything is gone?



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 March 2013 - 10:10 AM


Hello tomforti

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo





#7 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 10:27 AM

ComboFix says my OS is not supported.



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 March 2013 - 10:43 AM


Hello tomforti

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extras.txt <-- Will be minimized; save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
  • Gringo




#9 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 11:03 AM

OTL logfile created on: 3/15/2013 11:49:32 AM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\tom\Desktop
64bit- Server Enterprise Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTDomainController
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
4.00 Gb Total Physical Memory | 1.48 Gb Available Physical Memory | 37.10% Memory free
8.00 Gb Paging File | 3.62 Gb Available in Paging File | 45.23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.76 Gb Total Space | 412.60 Gb Free Space | 88.59% Space Free | Partition Type: NTFS
 
Computer Name: MAIL-SERVER | User Name: tom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\tom\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
PRC - C:\Program Files (x86)\Quick Macros 2\qmserv.exe ()
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeADTopology) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeADTopologyService.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeImap4) -- C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangePop3) -- C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeFBA) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\exfba.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeIS) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\store.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeTransportLogSearch) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeTransportLogSearch.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeProtectedServiceHost) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.ProtectedServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeServiceHost) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.ServiceHost.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeMailSubmission) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailSubmission.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeThrottling) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeThrottling.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeMailboxAssistants) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxAssistants.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeAntispamUpdate) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeAB) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AddressBook.Service.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeRPC) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeRepl) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\msexchangerepl.exe (Microsoft Corporation)
SRV:64bit: - (wsbexchange) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\wsbexchange.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeMonitoring) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.Monitoring.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeEdgeSync) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.EdgeSyncSvc.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeMailboxReplication) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeTransport) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeTransport.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeSearch) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.Search.ExSearch.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeFDS) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\MsExchangeFDS.exe (Microsoft Corporation)
SRV:64bit: - (MSExchangeSA) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\mad.exe (Microsoft Corporation)
SRV:64bit: - (DNS) -- C:\Windows\SysNative\dns.exe (Microsoft Corporation)
SRV:64bit: - (ftpsvc) -- C:\Windows\SysNative\inetsrv\ftpsvc.dll (Microsoft Corporation)
SRV:64bit: - (RPCHTTPLBS) -- C:\Windows\SysNative\rpcproxy\LBService.dll (Microsoft Corporation)
SRV:64bit: - (rqs) -- C:\Windows\SysNative\rqs.exe (Microsoft Corporation)
SRV:64bit: - (NtFrs) -- C:\Windows\SysNative\ntfrs.exe (Microsoft Corporation)
SRV:64bit: - (IsmServ) -- C:\Windows\SysNative\ismserv.exe (Microsoft Corporation)
SRV:64bit: - (IISADMIN) -- C:\Windows\SysNative\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV:64bit: - (DFSR) -- C:\Windows\SysNative\dfsrs.exe (Microsoft Corporation)
SRV:64bit: - (Dfs) -- C:\Windows\SysNative\dfssvc.exe (Microsoft Corporation)
SRV:64bit: - (msftesql-Exchange) -- C:\Program Files\Microsoft\Exchange Server\V14\Bin\msftesql.exe (Microsoft Corporation)
SRV:64bit: - (sacsvr) -- C:\Windows\SysNative\sacsvr.dll (Microsoft Corporation)
SRV:64bit: - (FCRegSvc) -- C:\Windows\SysNative\FCRegSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV:64bit: - (TlntSvr) -- C:\Windows\SysNative\tlntsvr.exe (Microsoft Corporation)
SRV:64bit: - (RSoPProv) -- C:\Windows\SysNative\rsopprov.exe (Microsoft Corporation)
SRV - (ADWS) -- C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe (Microsoft Corporation)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (quickmacros2) -- C:\Program Files (x86)\Quick Macros 2\qmserv.exe ()
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (DfsrRo) -- C:\Windows\SysNative\drivers\dfsrro.sys (Microsoft Corporation)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (storvsp) -- C:\Windows\SysNative\drivers\storvsp.sys (Microsoft Corporation)
DRV:64bit: - (Vid) -- C:\Windows\SysNative\drivers\Vid.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (DfsDriver) -- C:\Windows\SysNative\drivers\dfs.sys (Microsoft Corporation)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (sacdrv) -- C:\Windows\SysNative\drivers\sacdrv.sys (Microsoft Corporation)
DRV:64bit: - (ioatdma) -- C:\Windows\SysNative\drivers\qd260x64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (mcdbus) -- C:\Windows\SysNative\drivers\mcdbus.sys (MagicISO, Inc.)
DRV:64bit: - (XGIGraphics_XG2X) -- C:\Windows\SysNative\drivers\xg20grp.sys (XGI Technology Inc.)
DRV - (MRxDAV) -- C:\Windows\SysWOW64\drivers\mrxdav.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (mcdbus) -- C:\Windows\SysWOW64\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (qmphook) -- C:\Program Files (x86)\Quick Macros 2\x64\qmphook.sys ()
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..\SearchScopes,DefaultScope = {F1DCC83D-4C2E-43AE-A7FC-CA9117E1F415}
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..\SearchScopes\{F1DCC83D-4C2E-43AE-A7FC-CA9117E1F415}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
 
 
[2010/11/09 18:52:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tom\AppData\Roaming\mozilla\Extensions
[2012/10/29 12:47:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\tom\AppData\Roaming\mozilla\Firefox\Profiles\vq12x7br.default\extensions
[2011/11/10 06:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
 
O1 HOSTS File: ([2007/02/18 08:00:00 | 000,000,734 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O4:64bit: - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey File not found
O4:64bit: - HKLM..\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe File not found
O4 - HKU\S-1-5-21-571101966-2089619450-2027659016-1126..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" File not found
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O4 - Startup: C:\Users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000 File not found
O8:64bit: - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000 File not found
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105 File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..Trusted Domains: heart.org ([learn] https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab (DLC Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tforti.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A4143F62-31FD-469B-80AA-89BE0010EE78}: NameServer = 8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) -  File not found
O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) -  File not found
O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (pwdssp.dll) -  File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/08 10:44:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\Shell - "" = AutoRun
O33 - MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\Shell\AutoRun\command - "" = H:\autorun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/03/15 11:47:15 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\tom\Desktop\OTL.exe
[2013/03/15 10:23:35 | 000,000,000 | ---D | C] -- C:\Users\tom\Desktop\RK_Quarantine
[2013/03/15 08:26:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\trend micro
[2013/03/15 08:26:45 | 000,000,000 | ---D | C] -- C:\rsit
[2013/03/14 17:47:27 | 000,688,992 | ---- | C] (Swearware) -- C:\dds.com
[2013/03/09 18:30:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2013/03/09 18:30:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/03/09 15:05:12 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VS Revo Group
[2013/03/09 15:05:12 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
[2013/03/02 23:30:59 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Roaming\Malwarebytes
[2013/03/02 23:30:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/03/02 23:30:14 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Local\Programs
[2013/03/02 23:29:46 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/02/28 18:17:56 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\oodag
[2013/02/28 18:11:53 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Local\O&O
[2013/02/28 18:05:24 | 000,691,568 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/02/28 18:05:24 | 000,071,024 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/02/25 22:22:22 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Roaming\JAM Software
[2013/02/17 01:41:11 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2013/02/17 01:38:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\PC Tools
[2013/02/17 01:35:39 | 000,253,256 | ---- | C] (PC Tools) -- C:\Windows\SysNative\drivers\PCTSD64.sys
[2013/02/17 01:35:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\PC Tools
[2013/02/17 01:35:21 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2013/02/17 01:35:21 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2013/02/17 01:35:20 | 000,000,000 | ---D | C] -- C:\Users\tom\AppData\Roaming\TestApp
[2013/02/17 01:30:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013/02/17 01:30:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2013/02/16 23:37:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat
[2013/02/16 23:37:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinDirStat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/03/15 11:47:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\tom\Desktop\OTL.exe
[2013/03/15 10:15:35 | 000,010,960 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/15 10:15:35 | 000,010,960 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/15 10:13:39 | 000,815,616 | ---- | M] () -- C:\Users\tom\Desktop\RogueKiller.exe
[2013/03/15 10:11:02 | 002,653,690 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/03/15 10:11:02 | 002,030,368 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/03/15 10:11:02 | 000,574,954 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/03/15 10:05:53 | 000,404,152 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/03/15 10:05:53 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/15 09:59:06 | 000,597,667 | ---- | M] () -- C:\Users\tom\Desktop\adwcleaner.exe
[2013/03/15 09:52:44 | 000,890,798 | ---- | M] () -- C:\Users\tom\Desktop\SecurityCheck.exe
[2013/03/15 04:05:10 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\QM - RAMP.job
[2013/03/14 18:17:55 | 000,000,078 | ---- | M] () -- C:\Users\tom\Desktop\Del file.bat
[2013/03/14 17:47:27 | 000,688,992 | ---- | M] (Swearware) -- C:\dds.com
[2013/03/14 17:23:25 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\null
[2013/03/14 17:23:19 | 000,000,445 | ---- | M] () -- C:\Users\tom\Desktop\Del ContentIE.bat
[2013/03/14 17:18:04 | 000,000,116 | ---- | M] () -- C:\Users\tom\Desktop\ShowDelContentie.bat
[2013/03/10 20:02:01 | 000,000,127 | ---- | M] () -- C:\Users\tom\Desktop\DelOlny.bat
[2013/03/09 18:30:44 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/03/09 18:25:21 | 000,007,619 | ---- | M] () -- C:\Users\tom\AppData\Local\resmon.resmoncfg
[2013/03/03 00:34:01 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe
[2013/02/28 18:14:56 | 000,000,042 | ---- | M] () -- C:\Windows\oodjobd.INI
[2013/02/28 18:05:24 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/02/28 18:05:24 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/02/28 17:53:49 | 000,001,734 | ---- | M] () -- C:\Users\tom\Documents\cc_20130228_165345.reg
[2013/02/28 17:53:26 | 000,071,346 | ---- | M] () -- C:\Users\tom\Documents\cc_20130228_165321.reg
[2013/02/28 17:44:44 | 000,004,154 | ---- | M] () -- C:\Users\tom\Documents\cc_20130228_164431.reg
[2013/02/28 17:44:08 | 000,149,724 | ---- | M] () -- C:\Users\tom\Documents\cc_20130228_164339.reg
[2013/02/28 17:41:33 | 000,000,977 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/02/25 22:17:35 | 000,000,000 | ---- | M] () -- C:\Users\tom\vssadmin
[2013/02/17 01:37:08 | 002,202,083 | ---- | M] () -- C:\Windows\SysNative\drivers\Cat.DB
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/03/15 10:13:39 | 000,815,616 | ---- | C] () -- C:\Users\tom\Desktop\RogueKiller.exe
[2013/03/15 10:05:25 | 000,404,152 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/03/15 09:59:06 | 000,597,667 | ---- | C] () -- C:\Users\tom\Desktop\adwcleaner.exe
[2013/03/15 09:52:44 | 000,890,798 | ---- | C] () -- C:\Users\tom\Desktop\SecurityCheck.exe
[2013/03/14 18:17:55 | 000,000,078 | ---- | C] () -- C:\Users\tom\Desktop\Del file.bat
[2013/03/14 17:23:25 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\null
[2013/03/10 20:01:55 | 000,000,127 | ---- | C] () -- C:\Users\tom\Desktop\DelOlny.bat
[2013/03/10 09:04:07 | 000,000,116 | ---- | C] () -- C:\Users\tom\Desktop\ShowDelContentie.bat
[2013/03/10 08:53:29 | 000,000,445 | ---- | C] () -- C:\Users\tom\Desktop\Del ContentIE.bat
[2013/03/09 18:30:38 | 000,002,133 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/03/03 00:07:54 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/02/28 18:14:56 | 000,000,042 | ---- | C] () -- C:\Windows\oodjobd.INI
[2013/02/28 17:53:46 | 000,001,734 | ---- | C] () -- C:\Users\tom\Documents\cc_20130228_165345.reg
[2013/02/28 17:53:23 | 000,071,346 | ---- | C] () -- C:\Users\tom\Documents\cc_20130228_165321.reg
[2013/02/28 17:44:33 | 000,004,154 | ---- | C] () -- C:\Users\tom\Documents\cc_20130228_164431.reg
[2013/02/28 17:43:44 | 000,149,724 | ---- | C] () -- C:\Users\tom\Documents\cc_20130228_164339.reg
[2013/02/25 22:17:35 | 000,000,000 | ---- | C] () -- C:\Users\tom\vssadmin
[2013/02/17 01:35:47 | 002,202,083 | ---- | C] () -- C:\Windows\SysNative\drivers\Cat.DB
[2011/04/19 08:37:00 | 000,007,619 | ---- | C] () -- C:\Users\tom\AppData\Local\resmon.resmoncfg
[2010/06/09 11:30:05 | 000,003,084 | RHS- | C] () -- C:\ProgramData\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/14 00:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2011/08/30 01:25:09 | 014,173,184 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011/08/30 00:21:25 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >
 



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 March 2013 - 11:29 AM


Hello tomforti

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box.
    :OTL
    IE - HKU\S-1-5-21-571101966-2089619450-2027659016-1126\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    FF - user.js - File not found
    O4:64bit: - HKLM..\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey File not found
    O4:64bit: - HKLM..\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe File not found
    O4 - HKU\S-1-5-21-571101966-2089619450-2027659016-1126..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE" File not found
    O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000 File not found
    O8:64bit: - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105 File not found
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000 File not found
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105 File not found
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (Reg Error: Key error.)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - Winlogon\Notify\ScCertProp: DllName - (wlnotify.dll) -  File not found
    O20 - Winlogon\Notify\Schedule: DllName - (wlnotify.dll) -  File not found
    O20 - Winlogon\Notify\SensLogn: DllName - (WlNotify.dll) -  File not found
    O20 - Winlogon\Notify\wlballoon: DllName - (wlnotify.dll) -  File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2   
    O33 - MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\Shell - "" = AutoRun
    O33 - MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\Shell\AutoRun\command - "" = H:\autorun.exe
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note: if the report does not pop up after the computer reboots, you can find it in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


  • Let me know how things are doing.

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 02:20 PM

========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-571101966-2089619450-2027659016-1126\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MSC deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\OODefragTray deleted successfully.
Registry value HKEY_USERS\S-1-5-21-571101966-2089619450-2027659016-1126\Software\Microsoft\Windows\CurrentVersion\Run\\OfficeSyncProcess deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ not found.
Starting removal of ActiveX control {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
C:\Windows\Downloaded Program Files\QTPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Starting removal of ActiveX control {7530BFB8-7293-4D34-9923-61A11451AFC5}
C:\Windows\Downloaded Program Files\OnlineScanner.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7472423c-73bd-11df-b50d-ffef5fbbc8c2}\ not found.
File H:\autorun.exe not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\tom\Desktop\cmd.bat deleted successfully.
C:\Users\tom\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYJAVA]
 
User: Administrator
 
User: Administrator.MAIL-SERVER
->Java cache emptied: 0 bytes
 
User: All Users
 
User: Classic .NET AppPool
 
User: Default
 
User: Default User
 
User: MDT
->Java cache emptied: 0 bytes
 
User: Public
 
User: tom
->Java cache emptied: 5286 bytes
 
User: vivi
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: Administrator.MAIL-SERVER
->Flash cache emptied: 506 bytes
 
User: All Users
 
User: Classic .NET AppPool
 
User: Default
 
User: Default User
 
User: MDT
->Flash cache emptied: 60660 bytes
 
User: Public
 
User: tom
->Flash cache emptied: 619 bytes
 
User: vivi
->Flash cache emptied: 57128 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03152013_141331
 



#12 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 02:23 PM

Still no Google redirect, unless something is wrong that I can't see at this time. My biggest fear is that the content.ie5 folder is going to collect .js files again. That was a huge nightmare.



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 March 2013 - 09:12 PM



Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. Default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.
Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Download HijackThis
    • Go Here to download the HijackThis program.
    • Save HijackThis to your desktop.
    • Right-click on HijackThis and select "Run as Admin" (XP users just need to double-click to run).
    • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile", then click on Main Menu).
    • Copy and paste the HijackThis report into the topic.

    Information and logs
    • In your next post I need the following:
      • Log from MBAM
      • Report from HijackThis
      • Let me know of any problems you may have had
      • How is the computer doing now?

    Gringo



#14 tomforti

tomforti
  • Topic Starter

  • Members
  • 20 posts

Posted 15 March 2013 - 10:19 PM

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.16.03

Windows Server 2008 R2 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
tom :: MAIL-SERVER [administrator]

Protection: Disabled

3/15/2013 11:14:16 PM
mbam-log-2013-03-15 (23-14-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321765
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:18:16 PM, on 3/15/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe
C:\Users\tom\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tforti.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4143F62-31FD-469B-80AA-89BE0010EE78}: NameServer = 8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tforti.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tforti.local
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\Program Files (x86)\Quick Macros 2\qmserv.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 5671 bytes





Computer still seems to be running better than it was a week ago. So again if something is wrong I can't see it.
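As an added example (not part of this thread), a small Python triage script for the HijackThis log format posted above: it pulls out the O4 startup entries a helper would review, flags any O17 NameServer value that is not on a known-good resolver list, and counts O23 services reported as "(file missing)". The sample lines are constructed from the posted log, and the {EXAMPLE-GUID} and the 192.0.2.53 address are placeholders.

```python
import re

# Constructed sample in HijackThis 2.0.4 line format, modelled on the log
# posted above (not the full log). {EXAMPLE-GUID} and 192.0.2.53 are
# placeholders.
SAMPLE_LOG = """\
O4 - HKLM\\..\\RunOnce: [Malwarebytes Anti-Malware] C:\\Program Files (x86)\\Malwarebytes' Anti-Malware\\mbamgui.exe /install /silent
O4 - Startup: MagicDisc.lnk = C:\\Program Files (x86)\\MagicDisc\\MagicDisc.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A4143F62-31FD-469B-80AA-89BE0010EE78}: NameServer = 8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{EXAMPLE-GUID}: NameServer = 8.8.8.8,192.0.2.53
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\\Program Files (x86)\\Quick Macros 2\\qmserv.exe
O23 - Service: @%systemroot%\\system32\\vssvc.exe,-102 (VSS) - Unknown owner - C:\\Windows\\system32\\vssvc.exe (file missing)
"""

# Resolvers treated as known-good for this check: Google Public DNS and
# OpenDNS, the ones in the posted log. Anything else is flagged for review,
# since a changed NameServer is one classic cause of search redirects.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Every HijackThis item starts with a section code (O4, O17, O23, ...).
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (kind, body) tuples for each recognised HijackThis line."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("kind"), m.group("body")))
    return items


def triage(text):
    """Summarise the entries a reviewer looks at first."""
    report = {"startup": [], "suspect_dns": [], "missing_services": 0}
    for kind, body in parse_hjt(text):
        if kind == "O4":
            report["startup"].append(body)
        elif kind == "O17" and "NameServer =" in body:
            for server in body.split("NameServer =", 1)[1].split(","):
                server = server.strip()
                if server and server not in KNOWN_RESOLVERS:
                    report["suspect_dns"].append(server)
        elif kind == "O23" and body.endswith("(file missing)"):
            # On 64-bit Windows a 32-bit HijackThis often reports system32
            # services as missing because of WOW64 path redirection, so
            # this count is a prompt to verify, not proof of deletion.
            report["missing_services"] += 1
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```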



#15 gringo_pr


Posted 15 March 2013 - 10:26 PM




Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

I normally remove any extra startups that I see in the Hijackthis report to speed things up but yours look very good - Great Job!! :)

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
  • When the scan is complete
    • If no threats were found
      • put a checkmark in "Uninstall application on close"
      • close program
      • report to me that nothing was found
    • If threats were found
      • click on "list of threats found"
      • click on "export to text file" and save it as ESET SCAN and save to the desktop
      • Click on back
      • put a checkmark in "Uninstall application on close"
      • click on finish
      • close program
      • copy and paste the report here

Gringo



