ZeroAccess & Ransomware Infection


This topic is locked
17 replies to this topic

#1 HichamElGuerrouj

Posted 27 September 2013 - 11:48 AM

I have a Windows 7 computer that was hit by an exploit kit and had ZeroAccess delivered to it.  The infected computer was running two instances of the Java Runtime Environment, with both being outdated versions of JRE 6 and JRE 7.  Sophos Anti-virus was running and up-to-date on the computer when it was attacked, but Sophos did not stop an infection from occurring.  The computer is periodically attempting to check into two IP addresses (217.23.6.122 and 109.206.160.212) that have been blocked via our intrusion prevention system.

I have run TDSS Killer on the machine, but it did not find any malicious files.  Using Windows Explorer, I found one malicious file in C:\Windows that I submitted to VirusTotal and found that 15 of 48 vendors detected it as malicious, with Sophos not being one of them.  I submitted the file to Sophos and they created a signature file for a variant named Troj/Swrort-J.

I am now running a Gmer scan on the machine and found two suspicious entries, one of type "?" and one of type "Device", that I do not know how to remediate.  Can you provide some guidance?

#2 TB-Psychotic

  • Malware Response Team

Posted 27 September 2013 - 12:08 PM

Hi there,
my name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all log files as a reply rather than as an attachment unless I specifically ask you. If you cannot post all log files in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double-click dds.scr to run the tool.

When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" button.

  • Double-click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All (should be unchecked by default)
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button and, in the File name area, type in "ark.txt", or it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

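Once the DDS step above has produced DDS.txt, the helper reads it line by line. The script below is an added example (mine, not code from the thread, from the helper, or from the DDS tool) that parses the line shapes DDS uses for policies, BHOs and URL search hooks, Run keys, AppInit_DLLs, services/drivers and the "Created Last 30" list, and pulls out the entries a responder reviews first: UAC disabled (EnableLUA = 0, which the DDS log posted later in this thread does show), orphaned BHO/URLSearchHook CLSIDs, Run entries that launch an interpreter such as cmd.exe, every DLL injected through AppInit_DLLs, boot- and system-start drivers (which load before user-mode AV), and executables recently written under c:\windows. SAMPLE_LOG is an excerpt of that posted log; the category names, the INTERPRETERS and BINARY_EXT lists and the function name `triage` are my own choices. The output is a review list, not a verdict: every hit in the sample is accounted for by software the log itself names (Sophos, Bomgar, the Intel storage driver, the Java install of 9/26).

```python
"""Triage a DDS.txt log: list the entries to review first (added example)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample input: an excerpt of the DDS.txt posted later in this thread.
SAMPLE_LOG = r"""
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
dRun: [Bomgar_Cleanup_ZD584378492] cmd.exe /C rd /S /Q "c:\programdata\bomgar-scc-503e3fae" & reg delete hkcu\software\microsoft\windows\currentversion\Run /v Bomgar_Cleanup_ZD584378492 /f
mPolicies-System: ConsentPromptBehaviorAdmin = dword:1
mPolicies-System: EnableLUA = dword:0
AppInit_DLLs= c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll
R0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2012-7-17 21936]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2012-9-17 123680]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2012-9-17 139840]
2013-09-26 17:16:00 -------- d-----w- c:\programdata\Oracle
2013-09-26 17:15:42 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-14 08:06:56 2348544 ----a-w- c:\windows\system32\win32k.sys
"""

# Line shapes DDS uses in the Pseudo HJT Report, SERVICES / DRIVERS and Created Last 30 sections.
POLICY_RE = re.compile(r"^[um]Policies-(?P<key>\S+): (?P<name>\w+) = dword:(?P<value>[0-9a-fA-F]+)$")
HOOK_RE = re.compile(r"^(?P<kind>BHO|TB|[um]URLSearchHooks): (?:(?P<title>[^{:]+): )?"
                     r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+) "
                        r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+|-+) "
                     r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$")

# My lists: Run commands that hand control to an interpreter, and extensions worth a second look.
INTERPRETERS = ("cmd.exe", "cmd ", "powershell", "wscript", "cscript", "rundll32", "regsvr32", "mshta")
BINARY_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return review lists keyed by category. Each entry is a lead to check, not a verdict."""
    found: Dict[str, List[str]] = {"uac": [], "orphaned": [], "run": [], "appinit": [],
                                   "early_drivers": [], "new_system_binaries": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs="):
            # Every DLL listed here is loaded into every process that loads user32.dll.
            counts = Counter(p.lower() for p in line[len("AppInit_DLLs="):].split())
            found["appinit"].extend(f"{dll} (listed {n}x)" for dll, n in counts.items())
        elif (m := POLICY_RE.match(line)):
            if m["key"] == "System" and m["name"] == "EnableLUA" and m["value"] == "0":
                found["uac"].append("EnableLUA=0: UAC disabled, admin users run every process with the full token")
            elif m["key"] == "System" and m["name"] == "ConsentPromptBehaviorAdmin" and m["value"] == "0":
                found["uac"].append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
        elif (m := HOOK_RE.match(line)):
            if m["target"] == "<orphaned>":  # CLSID still registered, DLL gone: leftover or deleted payload
                found["orphaned"].append(f"{m['kind']} {m['clsid']}")
        elif (m := RUN_RE.match(line)):
            if m["cmd"].lstrip('"').lower().startswith(INTERPRETERS):
                found["run"].append(f"{m['hive']}Run [{m['name']}]: {m['cmd']}")
        elif (m := SERVICE_RE.match(line)):
            if m["state"][1] in "01":  # start type 0/1 = boot/system start, before user-mode AV
                found["early_drivers"].append(f"{m['state']} {m['name']} -> {m['path']}")
        elif (m := FILE_RE.match(line)):
            path = m["path"].lower()
            if (not m["attrs"].startswith("d") and path.startswith("c:\\windows\\")
                    and path.endswith(BINARY_EXT)):
                found["new_system_binaries"].append(f"{m['ts']} {m['path']}")
    return found


if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for section, items in triage(text).items():
        print(f"== {section} ({len(items)})")
        for item in items:
            print("  ", item)
```

Run it as `python dds_triage.py DDS.txt`; without an argument it runs on the embedded excerpt. The duplicate-counting on AppInit_DLLs is deliberate: the posted log lists the same Sophos DLL eleven times, and a count is easier to read than the raw line.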

#3 HichamElGuerrouj

  • Topic Starter

Posted 27 September 2013 - 02:04 PM

TB-Psychotic (Marius),

Here are the contents of the three log files:

dds.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.40.2
Run by Administrator at 13:34:46 on 2013-09-27
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3477.2206 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\LogonUI.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.EXE
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Quest Software\Toad for Data Analysts 3.0\SQLLIB\BIN\db2mgmtsvc.exe
C:\Program Files\Identity Finder 4\idfEndpoint.exe
C:\Program Files\ImageNow6\bin\inausvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Secunia\CSI Agent\csia.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Altiris\Dagent\dagent.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files\Altiris\Dagent\dagentui.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\TechSmith\Snagit 11\Snagit32.exe
C:\Program Files\TechSmith\Snagit 11\TSCHelp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TechSmith\Snagit 11\SnagPriv.exe
C:\Program Files\TechSmith\Snagit 11\snagiteditor.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Do Not Track Plus: {6E45F3E8-2683-4824-A6BE-08108022FB36} - c:\program files\donottrackplus\ie\DNTPAddon.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DagentUI] c:\program files\altiris\dagent\dagentui.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
dRun: [Bomgar_Cleanup_ZD584378492] cmd.exe /C rd /S /Q "c:\programdata\bomgar-scc-503e3fae" & reg delete hkcu\software\microsoft\windows\currentversion\Run /v Bomgar_Cleanup_ZD584378492 /f
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 11\Snagit32.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:1
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: legalnoticecaption = NOTICE:
mPolicies-System: legalnoticetext = Now entering Organization. Unauthorized access is prohibited. All users are instructed to abide by university computing guidelines.
mPolicies-System: HideFastUserSwitching = dword:1
mPolicies-Windows\System: UserPolicyMode = dword:1
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {6E45F3E8-2683-4824-A6BE-08108022FB36} - {23249465-AA46-4DED-BD4B-8EFB20F968FE} - c:\program files\donottrackplus\ie\DNTPAddon.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: site.com
Trusted Zone: site.com
Trusted Zone: contoso.org
Trusted Zone: contoso.org
Trusted Zone: contoso.edu
Trusted Zone: contoso.edu
Trusted Zone: site.com
Trusted Zone: site.com
Trusted Zone: smartevals.com
Trusted Zone: contoso.org
Trusted Zone: contoso.org
Trusted Zone: contoso.edu
Trusted Zone: contoso.edu

TCP: NameServer = 192.168.49.138 192.168.49.157
TCP: Interfaces\{028B16A4-3DA9-41DD-A6B1-603A498B24B2} : DHCPNameServer = 192.168.49.138 192.168.49.157
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll c:\progra~1\sophos\sophos~1\sophos_detoured.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\Administrator\appdata\roaming\mozilla\firefox\profiles\v949tx4u.default\
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\progra~1\micros~1\office15\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect32.dll
FF - plugin: c:\program files\common files\adobe\oobe\pdapp\ccm\utilities\npAdobeAAMDetect64.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2012-7-17 21936]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-1-27 13592]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2012-9-17 123680]
R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [2012-9-17 31736]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2012-8-9 87968]
R2 Altiris Deployment Agent;Altiris Deployment Agent;c:\program files\altiris\dagent\dagent.exe [2010-3-22 1254736]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-1-27 172032]
R2 DB2MGMTSVC_TACOM30;DB2 Management Service (TACOM30);c:\program files\quest software\toad for data analysts 3.0\sqllib\bin\db2mgmtsvc.exe [2010-5-15 37736]
R2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\identity finder 4\idfEndpoint.exe [2012-2-2 9152000]
R2 ImageNow Automatic Update 6.6;ImageNow Automatic Update 6.6;c:\program files\imagenow6\bin\inausvc.exe [2013-3-18 5787136]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2012-12-12 216640]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2012-9-17 139840]
R2 Secunia CSI Agent;Secunia CSI Agent;c:\program files\secunia\csi agent\csia.exe [2013-5-22 671744]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2012-9-17 289856]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2012-9-17 232512]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2012-9-17 818240]
R2 Sophos Web Control Service;Sophos Web Control Service;c:\program files\sophos\sophos anti-virus\web control\swc_service.exe [2012-9-17 357400]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2012-12-12 2869824]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [2011-6-4 117584]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-12-6 280576]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2012-1-27 348440]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2012-1-27 791832]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-7-24 46080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 swi_update;Sophos Web Intelligence Update;c:\programdata\sophos\web intelligence\swi_update.exe [2012-9-17 1459264]
S3 AltirisAgentProvider;AltirisAgentProvider;c:\program files\altiris\altiris agent\agents\wmiprovideragent\AltirisAgentProvider.exe [2012-8-6 408448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2010-2-9 325672]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-6-14 62464]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-5-6 214696]
S3 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys [2012-7-17 477616]
S3 iaStorS;iaStorS;c:\windows\system32\drivers\iaStorS.sys [2012-7-17 563632]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-2-21 132480]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [2011-6-13 23640]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-6-27 58880]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-6-27 137728]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-1-12 14848]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-14 48640]
S3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-14 47616]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-14 38912]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2012-9-17 33696]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-6-14 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2013-1-12 24064]
S3 tihub3;TI USB3 Hub Service;c:\windows\system32\drivers\tihub3.sys [2012-7-17 108352]
S3 tixhci;TI XHCI Service;c:\windows\system32\drivers\tixhci.sys [2012-7-17 323392]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-1-12 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-1-12 27136]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-6-14 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-22 1343400]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2012-9-17 22536]
.
=============== File Associations ===============
.
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-09-27 15:27:48 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e3b9bb59-3287-480b-ab5f-9157da622700}\offreg.dll
2013-09-27 07:48:58 7328304 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e3b9bb59-3287-480b-ab5f-9157da622700}\mpengine.dll
2013-09-26 17:16:00 -------- d-----w- c:\programdata\Oracle
2013-09-26 17:15:42 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-26 16:59:00 -------- d-----w- c:\users\Administrator\appdata\local\DoNotTrackPlus
2013-09-26 16:58:58 -------- d-----w- c:\users\Administrator\appdata\local\Google
2013-09-26 16:57:31 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-09-26 16:55:44 -------- d-----w- c:\program files\iPod
2013-09-26 16:55:43 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-26 16:55:43 -------- d-----w- c:\program files\iTunes
2013-09-26 16:51:40 -------- d-----w- c:\users\Administrator\appdata\local\Apple
2013-09-26 16:48:40 -------- d-----w- c:\users\Administrator\appdata\local\Apple Computer
2013-09-26 15:02:05 -------- d-----w- c:\users\Administrator\appdata\local\Mozilla
2013-09-26 15:01:42 -------- d-----w- c:\users\Administrator\appdata\local\assembly
2013-09-26 15:01:37 -------- d-----w- c:\users\Administrator\appdata\local\TechSmith
2013-09-26 14:01:20 -------- d-sh--w- C:\$RECYCLE.BIN
2013-09-26 14:01:16 -------- d-----w- c:\users\Administrator\appdata\local\temp
2013-09-14 08:06:56 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-09-03 13:53:52 187248 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-09-03 13:53:52 187248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-09-26 17:15:38 868264 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-09-26 17:15:38 790440 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-19 20:33:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-19 20:33:06 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-10 03:59:10 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-08-10 03:07:50 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-08-10 02:17:19 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-08-05 01:56:47 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03:34 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52:10 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50:42 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-06 05:05:35 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 13:35:11.41 ===============

attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 8/6/2012 11:13:40 AM
System Uptime: 9/27/2013 9:57:13 AM (4 hours ago)
.
Motherboard: Hewlett-Packard |  | 3398
Processor: Intel® Core™ i5-3570S CPU @ 3.10GHz | SOCKET 0 | 3101/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 109.777 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&112E4A53&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&112E4A53&0
Service: i8042prt
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&112E4A53&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&112E4A53&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP6452: 9/22/2013 2:50:58 AM - Windows Update
RP6453: 9/22/2013 4:38:00 AM - Windows Update
RP6454: 9/22/2013 4:40:46 AM - Windows Update
RP6455: 9/23/2013 1:38:05 AM - Windows Update
RP6456: 9/23/2013 1:39:47 AM - Windows Update
RP6457: 9/23/2013 4:23:50 AM - Windows Update
RP6458: 9/23/2013 4:25:26 AM - Windows Update
RP6459: 9/23/2013 5:19:17 AM - Windows Update
RP6460: 9/23/2013 5:20:29 AM - Windows Update
RP6461: 9/24/2013 1:24:10 AM - Windows Update
RP6462: 9/24/2013 1:26:04 AM - Windows Update
RP6463: 9/24/2013 3:12:17 AM - Windows Update
RP6464: 9/24/2013 3:15:06 AM - Windows Update
RP6465: 9/24/2013 4:03:37 AM - Windows Update
RP6466: 9/24/2013 4:05:15 AM - Windows Update
RP6467: 9/24/2013 5:01:55 AM - Windows Update
RP6468: 9/24/2013 5:54:37 AM - Windows Update
RP6469: 9/24/2013 5:56:13 AM - Windows Update
RP6470: 9/24/2013 7:40:01 AM - Windows Update
RP6471: 9/24/2013 7:41:35 AM - Windows Update
RP6472: 9/26/2013 9:06:45 AM - Removed Alchemy SDK.
RP6473: 9/26/2013 9:08:13 AM - Removed Snagit 10.0.2
RP6474: 9/26/2013 9:58:45 AM - Windows Update
RP6475: 9/26/2013 10:00:07 AM - Windows Update
RP6476: 9/26/2013 10:57:20 AM - Windows Update
RP6477: 9/26/2013 11:01:52 AM - Windows Update
RP6478: 9/26/2013 11:22:06 AM - Removed Java™ 6 Update 43
RP6479: 9/26/2013 11:55:24 AM - Windows Update
RP6480: 9/26/2013 12:08:54 PM - Installed Java 7 Update 40
.
==== Installed Programs ======================
.
32 Bit HP BiDi Channel Components Installer
7-Zip 4.65
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe Creative Suite 6 Master Collection
Adobe Flash Player 11 ActiveX
Adobe Help Manager
Adobe Level 2 Install (32bit)
Adobe Reader X (10.1.8)
Adobe Shockwave Player
Adobe Widget Browser
Alchemy
Altiris Deployment Agent
Altiris Inventory Agent
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Disk Defrag
Beyond Compare 3.3.8
Bonjour
CCleaner
Cisco WebEx Meetings
Crystal Reports 9
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Definition Update for Microsoft Office 2013 (KB2760587) 32-Bit Edition
Do Not Track Plus Add-on 2.2.1.827
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
iCloud
IDAutomation.com MICR E13B
Identity Finder
ImageNow Desktop Client
iTunes
Java 7 Update 40
Java Auto Updater
Launcher
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Mouse and Keyboard Center
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office OSM MUI (English) 2013
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (English) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Español
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (English) 2013
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2013
Microsoft Office Word MUI (English) 2010
Microsoft Visio MUI (English) 2013
Microsoft Visio Professional 2013
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 17.0.9 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML4SP2
OGA Notifier 2.0.0048.0
Outils de vérification linguistique 2013 de Microsoft Office - Français
Password Policy Client 6.1
PDF Settings CS6
Quest Installer
Quest Software Toad Data Modeler
Quest Software Toad for Data Analysts 3.0
Quest SQL Optimizer for Oracle
QuickTime
Realtek High Definition Audio Driver
Secunia CSI Agent (6.0.0.15015)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2510065)
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553431) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2013 (KB2810009) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2345000)
Snagit 11
Sophos Anti-Virus
Sophos AutoUpdate
Sophos Remote Management System
swMSM
TextPad 6
Toad for Oracle 11
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2523113)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2013 (KB2727096) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760267) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760533) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760538) 32-Bit Edition
Update for Microsoft Office 2013 (KB2760610) 32-Bit Edition
Update for Microsoft Office 2013 (KB2767851) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817311) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817491) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817493) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817624) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817626) 32-Bit Edition
Update for Microsoft Office 2013 (KB2817632) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook 2013 (KB2817629) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Visual Studio 2008 Retail Assemblies For PeopleSoft
WinCDEmu
WinSCP 4.2.7
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
9/27/2013 9:58:13 AM, Error: Microsoft-Windows-GroupPolicy [1055]  - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:  a) Name Resolution failure on the current domain controller.  Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
9/27/2013 9:58:12 AM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain XXX due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
9/26/2013 8:59:41 AM, Error: Service Control Manager [7030]  - The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
9/26/2013 8:50:45 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
9/26/2013 8:49:30 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/26/2013 8:49:29 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/26/2013 8:49:21 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/26/2013 8:49:13 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/26/2013 8:48:57 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Aspi32 discache SAVOnAccess SKMScan spldr Wanarpv6
9/26/2013 8:48:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/26/2013 12:11:49 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001]  - The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000008e (0xc0000005, 0x0000e370, 0x9da1396c, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 092613-49779-01.
9/26/2013 12:01:37 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Update Oracle Java JRE 1.7.x / 7.x, version 7u25, Highly Critical.
9/26/2013 11:54:01 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/26/2013 11:03:59 AM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Update Sun Java JRE 1.6.x / 6.x, version 6.0.450.6, Highly Critical.
.
==== End Of File ===========================

 

ark.txt

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-27 13:59:56
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

Hitachi_HTS723232A7A364 rev.EC2OA70D 298.09GB
Running: 8p1wiqv6.exe; Driver: C:\Users\LOCAL_~1\AppData\Local\Temp\fgtoypog.sys

---- Devices - GMER 2.1 ----

Device  \FileSystem\04672486 \Device\KLMD13082012_208040_B  38632404.sys

---- EOF - GMER 2.1 ----

 

Thank you for your help!


Edited by HichamElGuerrouj, 27 September 2013 - 02:11 PM.


#4 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 28 September 2013 - 11:35 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 HichamElGuerrouj
  • Topic Starter
  • Members
  • 9 posts

Posted 30 September 2013 - 09:04 AM

ComboFix 13-09-30.02 - tr_admin 09/30/2013   8:48.14.4 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3477.2197 [GMT -5:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Disabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Administrator\AppData\Local\assembly\tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-28 to 2013-09-30  )))))))))))))))))))))))))))))))
.
.
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\user1\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\user2\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\user3\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\user4\AppData\Local\temp
2013-09-30 13:55 . 2013-09-30 13:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-09-28 05:49 . 2013-09-28 05:49 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3B9BB59-3287-480B-AB5F-9157DA622700}\offreg.dll
2013-09-27 07:48 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3B9BB59-3287-480B-AB5F-9157DA622700}\mpengine.dll
2013-09-26 17:16 . 2013-09-26 17:16 -------- d-----w- c:\programdata\Oracle
2013-09-26 17:15 . 2013-09-26 17:15 -------- d-----w- c:\program files\Common Files\Java
2013-09-26 17:15 . 2013-09-26 17:15 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-26 16:59 . 2013-09-27 18:34 -------- d-----w- c:\users\Administrator\AppData\Local\DoNotTrackPlus
2013-09-26 16:58 . 2013-09-26 16:59 -------- d-----w- c:\users\Administrator\AppData\Local\Google
2013-09-26 16:57 . 2012-08-21 18:01 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-09-26 16:55 . 2013-09-26 16:55 -------- d-----w- c:\program files\iPod
2013-09-26 16:55 . 2013-09-26 16:57 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-09-26 16:55 . 2013-09-26 16:57 -------- d-----w- c:\program files\iTunes
2013-09-26 16:51 . 2013-09-26 16:51 -------- d-----w- c:\users\Administrator\AppData\Local\Apple
2013-09-26 16:48 . 2013-09-26 16:48 -------- d-----w- c:\users\Administrator\AppData\Local\Apple Computer
2013-09-26 15:02 . 2013-09-26 15:02 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2013-09-26 15:01 . 2013-09-30 13:55 -------- d-----w- c:\users\Administrator\AppData\Local\assembly
2013-09-26 15:01 . 2013-09-26 15:01 -------- d-----w- c:\users\Administrator\AppData\Local\TechSmith
2013-09-26 14:01 . 2013-09-30 13:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-09-20 14:26 . 2013-09-20 14:33 -------- d-----w- c:\users\user3\AppData\Local\Yahoo
2013-09-15 22:24 . 2013-09-15 22:24 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
2013-09-14 08:06 . 2013-08-08 01:03 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-09-03 13:53 . 2013-09-03 13:53 187248 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-26 17:15 . 2012-07-17 14:38 868264 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-09-26 17:15 . 2010-05-11 15:14 790440 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-19 20:33 . 2012-08-08 15:23 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-19 20:33 . 2011-06-20 13:02 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-25 08:57 . 2013-08-17 08:04 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41 . 2013-08-17 08:02 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03 . 2013-08-17 08:07 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03 . 2013-08-17 08:07 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53 . 2013-08-17 08:07 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52 . 2013-08-17 08:15 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50 . 2013-08-17 08:16 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46 . 2013-08-17 08:15 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46 . 2013-08-17 08:15 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-09 04:46 . 2013-08-17 08:15 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-06 05:05 . 2013-08-17 08:04 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-26 16:45 . 2013-09-26 16:45 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"DagentUI"="c:\program files\Altiris\Dagent\dagentui.exe" [2010-03-22 554320]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-05-23 144704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-05-23 180544]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-05-23 187712]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2012-09-17 900160]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"AdobeCS6ServiceManager"="c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-06-25 1073352]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Bomgar_Cleanup_ZD584378492"="rd" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snagit 11.lnk - c:\program files\TechSmith\Snagit 11\Snagit32.exe [2013-2-21 9479024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2142909598-1293495619-134157935-212011\Scripts\Logon\0\0]
"Script"=office2010.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2142909598-1293495619-134157935-212011\Scripts\Logon\0\1]
"Script"=Pinitems.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-09-18 04:45 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments]
2012-02-23 17:30 59240 ----a-w- c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
2012-06-12 18:42 5708432 ------w- c:\program files\Realtek\Audio\HDA\RtkNGUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2012-09-20 22:00 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 19:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-12-12 216640]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2012-09-17 139840]
R2 Sophos Web Control Service;Sophos Web Control Service;c:\program files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-09-17 357400]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-12-12 2869824]
R2 swi_update;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update.exe [2012-12-12 1459264]
R3 AltirisAgentProvider;AltirisAgentProvider;c:\program files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [2012-10-01 408448]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-11-05 214696]
R3 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys [2012-03-15 477616]
R3 iaStorS;iaStorS;c:\windows\system32\drivers\iaStorS.sys [2012-03-31 563632]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-26 132480]
R3 johci;JMicron 1394 Filter Driver;c:\windows\system32\drivers\johci.sys [2011-02-09 23640]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-11-21 58880]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-11-21 137728]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-10-26 48640]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2009-10-28 47616]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-09-28 38912]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-09-17 33696]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-08-23 24064]
R3 tihub3;TI USB3 Hub Service;c:\windows\system32\drivers\tihub3.sys [2011-09-08 108352]
R3 tixhci;TI XHCI Service;c:\windows\system32\drivers\tixhci.sys [2011-09-08 323392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-22 1343400]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-09-17 22536]
S0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2012-03-31 21936]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-01-27 13592]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-09-17 123680]
S1 SKMScan;SKMScan;c:\windows\system32\DRIVERS\skmscan.sys [2012-09-17 31736]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.EXE [2009-11-17 87968]
S2 Altiris Deployment Agent;Altiris Deployment Agent;c:\program files\Altiris\Dagent\dagent.exe [2010-03-22 1254736]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-01-28 172032]
S2 DB2MGMTSVC_TACOM30;DB2 Management Service (TACOM30);c:\program files\Quest Software\Toad for Data Analysts 3.0\SQLLIB\BIN\db2mgmtsvc.exe [2010-05-15 37736]
S2 IDFEndpointService;Identity Finder Endpoint Service;c:\program files\Identity Finder 4\idfEndpoint.exe [2012-02-02 9152000]
S2 ImageNow Automatic Update 6.6;ImageNow Automatic Update 6.6;c:\program files\ImageNow6\bin\inausvc.exe [2013-03-19 5787136]
S2 Secunia CSI Agent;Secunia CSI Agent;c:\program files\Secunia\CSI Agent\csia.exe [2013-05-22 671744]
S3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys [2011-08-08 117584]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-11-26 64624]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 280576]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-27 348440]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-27 791832]
S3 MEI;Intel® Management Engine Interface ;c:\windows\system32\DRIVERS\HECI.sys [2011-11-09 46080]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-19 13:36 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 20:33]
.
2013-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-20 22:00]
.
2013-09-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-09-20 22:00]
.
2013-09-30 c:\windows\Tasks\TCU Nightly Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2012-09-17 19:46]
.
.
------- Supplementary Scan -------
.

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: microsoft.com
Trusted Zone: contoso.net\www
Trusted Zone: contoso.com
Trusted Zone: contoso.org
Trusted Zone: microsoft.com
Trusted Zone: contoso.net
Trusted Zone: contoso.net\www
Trusted Zone: contoso.com
Trusted Zone: contoso.com\server2.is
Trusted Zone: contoso.org
TCP: DhcpNameServer = 138.237.49.138 138.237.49.157

FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\v949tx4u.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
SafeBoot-04672486.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]

.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-30  08:56:45
ComboFix-quarantined-files.txt  2013-09-30 13:56
ComboFix2.txt  2013-09-26 14:01
ComboFix3.txt  2013-08-05 19:34
ComboFix4.txt  2013-06-27 13:29
ComboFix5.txt  2013-09-30 13:47
.
Pre-Run: 117,672,456,192 bytes free
Post-Run: 117,735,735,296 bytes free
.
- - End Of File - - EAD3F6598251DF86EC6EDEB03FAD4075
5C616939100B85E558DA92B899A0FC36



#6 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 30 September 2013 - 09:24 AM

Is this a business/enterprise computer?



#7 HichamElGuerrouj
  • Topic Starter
  • Members
  • 9 posts

Posted 30 September 2013 - 09:26 AM

TB-Psychotic,

 

Yes, it is a business computer.



#8 TB-Psychotic
  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 30 September 2013 - 09:27 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, the (checkup.txt) will open. Copy its content to your thread.



#9 HichamElGuerrouj
  • Topic Starter
  • Members
  • 9 posts

Posted 30 September 2013 - 09:54 AM

AdwCleaner Log:

 

# AdwCleaner v3.005 - Report created 30/09/2013 at 09:43:34
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : Administrator - PC-Name
# Running from : C:\Users\Administrator\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\Users\Administrator\AppData\Local\PackageAware

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686

-\\ Mozilla Firefox v17.0.9 (en-US)

[ File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\v949tx4u.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [3674 octets] - [30/09/2013 09:42:39]
AdwCleaner[S0].txt - [3399 octets] - [30/09/2013 09:43:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3459 octets] ##########

SecurityCheck

 Results of screen317's Security Check version 0.99.73 
 Windows 7 Service Pack 1 x86 (UAC is disabled!) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Sophos Anti-Virus  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Secunia CSI Agent (6.0.0.15015) 
 CCleaner    
 Java 7 Update 40 
 Java version out of Date!
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Mozilla Firefox 17.0.9 Firefox out of Date! 
 Google Chrome 29.0.1547.66 
 Google Chrome 29.0.1547.76 
````````Process Check: objlist.exe by Laurent```````` 
 Sophos Sophos Anti-Virus SavService.exe 
 Sophos Sophos Anti-Virus SAVAdminService.exe 
 Sophos Sophos Anti-Virus Web Control swc_service.exe
 Sophos Sophos Anti-Virus Web Intelligence swi_service.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 01 October 2013 - 12:07 AM

The system is clean! :)

Java Runtime Environment out of date

Your Java Runtime Environment is outdated. We will fix this.

  • Get the current JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • When finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions (if present).
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the current software from here. Important: uncheck any optional software (for example Google Chrome) that is offered.
  • Run setup and follow the instructions.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older Reader versions.

Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the current Firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.

Uninstall our tools using delfix

Please follow these steps in order:

  • If we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • If we used ComboFix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that ComboFix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all traces of our removal process it finds.
  • If there is still something left, please delete it manually.

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not to just click anywhere it is coloured or flashing while you are surfing the web. Do not click an OK button on any pop-up window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that would be installed along with the software you want.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#11 HichamElGuerrouj

HichamElGuerrouj
  • Topic Starter

  • Members
  • 9 posts

Posted 01 October 2013 - 09:34 AM

TB-Psychotic,

I appreciate the reply.  Our network firewall logs indicate the machine is still infected, unfortunately.  This morning the machine called out to 217.23.6.122 (Netherlands).  If we remove the firewall block to this IP address, the machine then calls out to 109.206.160.212 (Russia), which triggers a succession of calls to other IP addresses.  VirusTotal.com shows 1 or 2 hits for both IPs, and the second IP appears to be associated with click fraud.

I don't mind closing this thread if need be.  Being that no tool has been able to remove this infection, a re-image may be the best option.

Thanks,

Hicham El Guerrouj



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 01 October 2013 - 02:42 PM

On which port was the machine connecting? As far as one can tell from a distance, there is no malware on the machine, so this could be normal IP traffic.

If you read the Google results for these IPs carefully, there is no real detection of suspicious behaviour. 2 of 46 scanners detected this IP as being dangerous - in our business this means that two scanners offer false positives.

Anyway - this is a business machine so the 100% option is: wipe the place and reimage it!

(Truth be told: if that were my own home machine, I'd treat it as clean...) ;)



#13 HichamElGuerrouj

HichamElGuerrouj
  • Topic Starter

  • Members
  • 9 posts

Posted 01 October 2013 - 03:02 PM

The machine is calling outbound on TCP port 80:

hxxp://217.23.6.

This call then triggers a call over TCP 80 to a subsequent IP:

hxxp://109.206.160.212/click.php?id=8kccgmcHyC4pgAcobarAL4vEcRvucct2xKb7N_8-ZlB87EFnyHU7MpExpc518eU456X8jUZaYkM17Awu9g%2C%2C

Note the obfuscated content and the call to click.php, likely indicating click fraud.  Given that this machine was hit by an exploit kit that delivered ZeroAccess, this appears to be a user-mode rootkit infection.  The fact that the calls only occur when the machine owner is logged on gives additional support to the hypothesis that a user-mode rootkit is present.

A machine wipe is our only 100% solution.  I may pursue this if Rootkit Revealer, McAfee's Stinger, and McAfee's Rootkit Remover do not identify the rootkit.
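The check-in pattern the poster describes above (periodic plain-HTTP requests on TCP/80 from one workstation to bare IP addresses, the second one a click.php URL with a long opaque id parameter) is straightforward to pull out of a proxy or firewall export, and the firewall logs, not the host scanners, were what kept pointing at this machine. The following is an added example, not code from the thread or from any tool mentioned in it, that triages such log lines and measures the cadence between requests. The log layout is a constructed generic format (date, time, source IP, destination IP:port, method, URL); the two destination addresses are the ones reported in the thread, while the request paths on the first address, the third destination and the timestamps are constructed.

```python
"""Triage outbound HTTP log lines for the check-in pattern described in the
thread: periodic plain-HTTP (TCP/80) requests to a bare IP address rather
than a hostname, one of them a click-tracking endpoint with an opaque id.

Added example, not code from the thread or from any tool mentioned in it.
Log layout is a constructed generic format:
    <date> <time> <src ip> <dst ip>:<port> <method> <url>
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlparse

# The two destinations the poster reported (from the thread).
BLOCKLIST = {"217.23.6.122", "109.206.160.212"}

# Path names common to click-fraud / ad-redirect endpoints. Assumption, not
# a vetted signature list; tune it to your environment.
SUSPICIOUS_PATH = re.compile(r"/(?:click|redir|go|count)\.php$", re.I)

# An id= value of 40+ URL-safe-base64 characters, as in the thread's
# click.php URL (its %2C%2C tail is ",," standing in for "==" padding).
OPAQUE_ID = re.compile(r"(?:^|&)id=[A-Za-z0-9_-]{40,}")

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[\d.]+) "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

# Constructed sample lines. Paths, timestamps and the third destination are
# made up; the first two destination addresses are the ones from the thread.
SAMPLE_LOG = """\
2013-10-01 08:00:00 10.0.0.15 217.23.6.122:80 GET http://217.23.6.122/
2013-10-01 08:00:02 10.0.0.15 109.206.160.212:80 GET http://109.206.160.212/click.php?id=8kccgmcHyC4pgAcobarAL4vEcRvucct2xKb7N_8-ZlB87EFnyHU7MpExpc518eU456X8jUZaYkM17Awu9g%2C%2C
2013-10-01 08:05:13 10.0.0.15 93.184.216.34:80 GET http://www.example.com/index.html
2013-10-01 08:30:00 10.0.0.15 217.23.6.122:80 GET http://217.23.6.122/
2013-10-01 09:00:00 10.0.0.15 217.23.6.122:80 GET http://217.23.6.122/
"""


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    reasons: list = field(default_factory=list)


def triage(lines):
    """Return one Finding per log line that trips at least one indicator."""
    findings = []
    for n, raw in enumerate(lines, 1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        url = urlparse(m["url"])
        reasons = []
        if m["dst"] in BLOCKLIST:
            reasons.append("destination on blocklist")
        # Legitimate sites are fetched by name; a bare IP in the URL is
        # the hallmark of hard-coded C2 / redirector addresses.
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", url.hostname or ""):
            reasons.append("HTTP request to bare IP, no hostname")
        if SUSPICIOUS_PATH.search(url.path):
            reasons.append("click-tracking style path")
        if OPAQUE_ID.search(url.query):
            reasons.append("long opaque id parameter")
        if reasons:
            findings.append(Finding(n, m["src"], m["dst"], reasons))
    return findings


def beacon_intervals(lines):
    """Seconds between consecutive requests per (src, dst); a flat series
    such as [1800, 1800] is the fixed cadence of a check-in, not browsing."""
    seen = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        seen.setdefault((m["src"], m["dst"]), []).append(ts)
    return {
        key: [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        for key, stamps in ((k, sorted(v)) for k, v in seen.items())
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in triage(lines):
        print(f"line {f.line_no}: {f.src} -> {f.dst}: {'; '.join(f.reasons)}")
    for (src, dst), gaps in beacon_intervals(lines).items():
        print(f"{src} -> {dst}: intervals {gaps}")
```

Two of the indicators (blocklist hit, bare-IP Host) fire on the first address on their own, so blocking it at the perimeter, as the poster did, only moves the visible traffic to the next hop. The interval series is the more durable signal: a human browsing does not produce identical 1800-second gaps, and it keeps working after the operator rotates addresses.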



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 02 October 2013 - 12:33 AM

There is no user-mode rootkit running, that's certain.

No scanner gives any hint of that - but, just for information, we can try something else:

Scan with OTL

  • Download OTL by OldTimer and save it to your desktop.
  • Double click on the OTL.exe icon on your desktop. If you are using Vista, please right-click and select Run as administrator
  • Click the "Scan All Users" checkbox.

    Note: If you are using a Windows 64-bit machine, please make sure the checkbox next to Include 64Bit Scans is checked. It will be checked by default.

  • Push the Run Scan button.
  • It will now begin to scan, please be patient while it scans.
  • Two reports will open once it's done.
  • Please copy and paste them in your next reply:
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized


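OTL prints one line per registered service, driver and policy value, so the output the poster supplies in the next reply can be triaged mechanically rather than read top to bottom. The following is an added example, not part of the thread and not a feature of OTL, that pulls out what a responder would want flagged in that log: SRV/DRV entries whose binary no longer exists (orphaned registrations, here consistent with the McAfee and GMER tools the poster ran), drivers registered from a user Temp directory, and policy values that weaken the host, such as EnableLUA = 0, which is the registry form of the "UAC is disabled!" warning in the Security Check output above. The sample lines are copied from the OTL log posted in the thread; the short list of weak policy values is my assumption, not OTL's.

```python
"""Triage an OTL (OldTimer) log: orphaned service/driver registrations
('File not found'), drivers registered from a Temp directory, and policy
values that weaken the host.

Added example; not part of the thread or of OTL. SAMPLE_OTL is copied
from the OTL output posted in the thread.
"""
import re

# "SRV - (name) -- path (Vendor)"  or  "... -- path File not found"
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\) -- (?P<path>.+?)"
    r"(?: \((?P<vendor>[^()]*)\))?$"
)
# "O6 - <registry key>: <value name> = <value>"
POLICY_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<name>\w+) = (?P<value>\S+)$")
# A driver path under a user's Temp directory (user-writable; not where a
# permanently installed driver belongs).
TEMP_RE = re.compile(r"\\(?:Local\\)?Temp\\", re.I)

# Assumption: this small list is mine, not an OTL feature. EnableLUA=0
# disables UAC; ConsentPromptBehaviorAdmin=0 lets admins elevate silently.
WEAK_POLICIES = {("EnableLUA", "0"), ("ConsentPromptBehaviorAdmin", "0")}

SAMPLE_OTL = r"""
SRV - (mfevtp) -- C:\Windows\system32\mfevtps.exe File not found
SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited)
DRV - (mferkdet) -- system32\drivers\mferkdet.sys File not found
DRV - (MFE_RR) -- C:\Users\LOCAL_~1\AppData\Local\Temp\mfe_rr.sys File not found
DRV - (catchme) -- C:\Users\MrAnderson\AppData\Local\Temp\catchme.sys File not found
DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Limited)
"""

MISSING = " File not found"


def triage_otl(text):
    """Return {'orphaned': [(kind, name, path)], 'temp_drivers': [...],
    'weak_policies': [(name, value)]} for the OTL text given."""
    result = {"orphaned": [], "temp_drivers": [], "weak_policies": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SVC_RE.match(line)
        if m:
            kind, name, path = m["kind"], m["name"], m["path"]
            if path.endswith(MISSING):
                # Registration survives but the binary is gone: a leftover
                # from an uninstalled tool, or something that removed itself.
                result["orphaned"].append((kind, name, path[: -len(MISSING)]))
            if kind == "DRV" and TEMP_RE.search(path):
                result["temp_drivers"].append((kind, name, path))
            continue
        m = POLICY_RE.match(line)
        if m and (m["name"], m["value"]) in WEAK_POLICIES:
            result["weak_policies"].append((m["name"], m["value"]))
    return result


if __name__ == "__main__":
    report = triage_otl(SAMPLE_OTL)
    for section, items in report.items():
        print(f"== {section} ==")
        for item in items:
            print("  ", " | ".join(item))
```

The orphaned entries are worth cleaning up but are not themselves evidence of infection; the policy hit is the actionable one, since a disabled UAC is what lets a drive-by payload write to C:\Windows without a prompt, as happened here.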

#15 HichamElGuerrouj

HichamElGuerrouj
  • Topic Starter

  • Members
  • 9 posts

Posted 02 October 2013 - 01:41 PM

OTL.txt

OTL logfile created on: 10/2/2013 1:16:27 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Administrator\Desktop
 Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16686)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.40 Gb Total Physical Memory | 0.92 Gb Available Physical Memory | 27.05% Memory free
6.79 Gb Paging File | 4.18 Gb Available in Paging File | 61.52% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 106.79 Gb Free Space | 35.83% Space Free | Partition Type: NTFS
Drive D: | 676.23 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
 
Computer Name: PC-Name | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\Administrator\Desktop\OTL.exe (OldTimer Tools)
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV - (mfevtp) -- C:\Windows\system32\mfevtps.exe File not found
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Secunia CSI Agent) -- C:\Program Files\Secunia\CSI Agent\csia.exe (Secunia)
SRV - (ImageNow Automatic Update 6.6) -- C:\Program Files\ImageNow6\bin\inausvc.exe (Perceptive Software, Inc.)
SRV - (swi_service) -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe (Sophos Limited)
SRV - (swi_update) -- C:\ProgramData\Sophos\Web Intelligence\swi_update.exe (Sophos Limited)
SRV - (SAVAdminService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe (Sophos Limited)
SRV - (AltirisAgentProvider) -- C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe (Symantec Corporation)
SRV - (AeXNSClient) -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe (Symantec Corporation)
SRV - (Sophos AutoUpdate Service) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe (Sophos Limited)
SRV - (Sophos Web Control Service) -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe (Sophos Limited)
SRV - (SAVService) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe (Sophos Limited)
SRV - (Sophos Message Router) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe (Sophos Limited)
SRV - (Sophos Agent) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe (Sophos Limited)
SRV - (cphs) -- C:\Windows\System32\IntelCpHeciSvc.exe (Intel Corporation)
SRV - (IDFEndpointService) -- C:\Program Files\Identity Finder 4\idfEndpoint.exe (Identity Finder, LLC)
SRV - (Microsoft SharePoint Workspace Audit Service) -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)
SRV - (DB2MGMTSVC_TACOM30) -- C:\Program Files\Quest Software\Toad for Data Analysts 3.0\SQLLIB\BIN\db2mgmtsvc.exe (International Business Machines Corporation)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (Altiris Deployment Agent) -- C:\Program Files\Altiris\Dagent\dagent.exe (Altiris, Inc.)
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe (Andrea Electronics Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (mferkdet) -- system32\drivers\mferkdet.sys File not found
DRV - (mfehidk) -- system32\drivers\mfehidk.sys File not found
DRV - (MFE_RR) -- C:\Users\LOCAL_~1\AppData\Local\Temp\mfe_rr.sys File not found
DRV - (catchme) -- C:\Users\MrAnderson\AppData\Local\Temp\catchme.sys File not found
DRV - (dc3d) -- C:\Windows\System32\drivers\dc3d.sys (Microsoft Corporation)
DRV - (sdcfilter) -- C:\Windows\System32\drivers\sdcfilter.sys (Sophos Limited)
DRV - (SAVOnAccess) -- C:\Windows\System32\drivers\savonaccess.sys (Sophos Limited)
DRV - (SKMScan) -- C:\Windows\System32\drivers\skmscan.sys (Sophos Plc)
DRV - (SophosBootDriver) -- C:\Windows\System32\drivers\SophosBootDriver.sys (Sophos Plc)
DRV - (terminpt) -- C:\Windows\System32\drivers\terminpt.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (iaStorS) -- C:\Windows\System32\drivers\iaStorS.sys (Intel Corporation)
DRV - (iaStorF) -- C:\Windows\System32\drivers\iaStorF.sys (Intel Corporation)
DRV - (iaStorA) -- C:\Windows\System32\drivers\iaStorA.sys (Intel Corporation)
DRV - (iusb3xhc) -- C:\Windows\System32\drivers\iusb3xhc.sys (Intel Corporation)
DRV - (iusb3hub) -- C:\Windows\System32\drivers\iusb3hub.sys (Intel Corporation)
DRV - (iusb3hcs) -- C:\Windows\System32\drivers\iusb3hcs.sys (Intel Corporation)
DRV - (IntcDAud) -- C:\Windows\System32\drivers\IntcDAud.sys (Intel® Corporation)
DRV - (MEI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (HECI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (tixhci) -- C:\Windows\System32\drivers\tixhci.sys (Texas Instruments Incorporated)
DRV - (tihub3) -- C:\Windows\System32\drivers\tihub3.sys (Texas Instruments Incorporated)
DRV - (BazisVirtualCDBus) -- C:\Windows\System32\drivers\BazisVirtualCDBus.sys (SysProgs.org)
DRV - (johci) -- C:\Windows\System32\drivers\johci.sys (JMicron Technology Corp.)
DRV - (Accelerometer) -- C:\Windows\System32\drivers\Accelerometer.sys (Hewlett-Packard Company)
DRV - (hpdskflt) -- C:\Windows\System32\drivers\hpdskflt.sys (Hewlett-Packard Company)
DRV - (e1cexpress) -- C:\Windows\System32\drivers\e1c6232.sys (Intel Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (Synth3dVsc) -- C:\Windows\System32\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV - (tsusbhub) -- C:\Windows\System32\drivers\tsusbhub.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (JRAID) -- C:\Windows\System32\drivers\jraid.sys (JMicron Technology Corp.)
DRV - (itecir) -- C:\Windows\System32\drivers\itecir.sys (ITE Tech. Inc. )
DRV - (Impcd) -- C:\Windows\System32\drivers\Impcd.sys (Intel Corporation)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atipmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (nusb3xhc) -- C:\Windows\System32\drivers\nusb3xhc.sys (NEC Electronics Corporation)
DRV - (nusb3hub) -- C:\Windows\System32\drivers\nusb3hub.sys (NEC Electronics Corporation)
DRV - (Aspi32) -- C:\Windows\System32\drivers\aspi32.sys (Adaptec)
DRV - (e1kexpress) -- C:\Windows\System32\drivers\e1k6232.sys (Intel Corporation)
DRV - (risdpcie) -- C:\Windows\System32\drivers\risdpe86.sys (REDC)
DRV - (rimspci) -- C:\Windows\System32\drivers\rimspe86.sys (REDC)
DRV - (rixdpcie) -- C:\Windows\System32\drivers\rixdpe86.sys (REDC)
DRV - (ahcix86s) -- C:\Windows\System32\drivers\ahcix86s.sys (Advanced Micro Devices, Inc)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=51
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6E 5C 1A 3B 1A 04 CB 01  [binary data]
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..\SearchScopes,DefaultScope = {2373EF9D-3449-414A-B31B-7C501DF9E4CE}
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..\SearchScopes\{2373EF9D-3449-414A-B31B-7C501DF9E4CE}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}&rlz=1I7AURU_enUS502
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.contoso.com/
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 88 30 0E F7 8F 0D CB 01  [binary data]
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..\SearchScopes\{2373EF9D-3449-414A-B31B-7C501DF9E4CE}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.9
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.40.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.40.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012/12/05 17:39:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/09/26 11:45:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/09/26 12:03:56 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/09/26 11:45:48 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/09/26 12:03:56 | 000,000,000 | ---D | M]
 
[2013/09/26 10:02:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2013/10/01 11:36:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\v949tx4u.default\extensions
[2013/09/26 11:45:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/09/26 11:45:48 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2005/11/29 18:28:10 | 000,626,688 | ---- | M] (ebrary) -- C:\Program Files\mozilla firefox\plugins\NPInfotl.dll
[2013/05/09 16:42:28 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/05/09 16:42:28 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
 
========== Chrome  ==========
 
CHR - homepage: http://www.google.com/
CHR - Extension: Docs = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
CHR - Extension: Gmail = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013/09/26 08:59:39 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS6ServiceManager] C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe (Altiris, Inc.)
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Limited)
O4 - HKU\.DEFAULT..\Run: [Bomgar_Cleanup_ZD584378492] cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-503E3FAE" & reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD584378492 /f File not found
O4 - HKU\S-1-5-18..\Run: [Bomgar_Cleanup_ZD584378492] cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-503E3FAE" & reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD584378492 /f File not found
O4 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 7180 ([]server2.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7180 ([]server3.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7280 ([]server2.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7280 ([]server3.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7380 ([]server2.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7380 ([]server3.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7480 ([]server4.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: 7480 ([]server3.na.contoso.com in Local intranet)
O15 - HKLM\..Trusted Domains: microsoft.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: apple.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: apple.com ([www] https in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.com ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.com ([]https in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.com ([*.cs] * in Local intranet)
O15 - HKLM\..Trusted Domains: contoso.com ([*.is] * in Local intranet)
O15 - HKLM\..Trusted Domains: contoso.com ([server.na] http in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.com ([server.na] https in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.com ([sharepoint] https in Local intranet)
O15 - HKLM\..Trusted Domains: contoso.com ([sharepoint2] https in Local intranet)
O15 - HKLM\..Trusted Domains: contoso.org ([]http in Trusted sites)
O15 - HKLM\..Trusted Domains: contoso.org ([]https in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7180 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7180 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7280 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7280 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7380 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7380 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7480 ([]server4.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: 7480 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: microsoft.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: apple.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: apple.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([*.cs] * in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([*.is] * in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([server.na] http in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([server.na] https in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([sharepoint] https in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.com ([sharepoint2] https in Local intranet)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.org ([]http in Trusted sites)
O15 - HKU\S-1-5-21-2142909598-1293495619-134157935-20404\..Trusted Domains: contoso.org ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7180 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7180 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7280 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7280 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7380 ([]server2.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7380 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7480 ([]server4.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: 7480 ([]server3.na.contoso.com in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: microsoft.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: microsoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: apple.com ([www] https in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: contoso.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: contoso.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: contoso.com ([*.is] * in Local intranet)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: contoso.org ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4251092034-4140123520-1242379249-1003\..Trusted Domains: contoso.org ([]https in Trusted sites)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.2.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab (Java Plug-in 10.40.2)
O16 - DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab (Java Plug-in 1.7.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_17-windows-i586.cab (Java Plug-in 10.40.2)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FBDF6343-0747-4CB4-B026-FB402580C93F} http://www.woodshedsmokehouse.com/Brickcom.cab (BRICKCOM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.49.138 192.168.49.157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = contoso.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{028B16A4-3DA9-41DD-A6B1-603A498B24B2}: DhcpNameServer = 192.168.49.138 192.168.49.157
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) - C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/10/01 11:36:20 | 000,167,344 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe.9bdf.deleteme
[2013/10/01 11:30:20 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2013/10/01 11:20:00 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\RootkitRevealer
[2013/10/01 10:19:10 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\temp
[2013/10/01 10:18:05 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/09/30 09:43:35 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2013/09/30 09:42:33 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/09/27 15:34:00 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Administrator\Desktop\aswmbr.exe
[2013/09/27 13:34:28 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2013/09/27 09:53:57 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2013/09/26 14:45:18 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2013/09/26 12:16:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2013/09/26 12:15:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/09/26 12:15:45 | 000,264,616 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/09/26 12:15:42 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/09/26 12:15:42 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/09/26 12:15:42 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/09/26 12:15:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2013/09/26 12:11:43 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2013/09/26 11:59:00 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Google
[2013/09/26 11:59:00 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\DoNotTrackPlus
[2013/09/26 11:58:58 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Google
[2013/09/26 11:57:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/09/26 11:55:44 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/09/26 11:55:43 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/09/26 11:55:43 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2013/09/26 11:51:40 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Apple
[2013/09/26 11:48:40 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Apple Computer
[2013/09/26 11:45:43 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/09/26 10:02:05 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Mozilla
[2013/09/26 10:02:05 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Mozilla
[2013/09/26 10:01:59 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Documents\Snagit
[2013/09/26 10:01:42 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\assembly
[2013/09/26 10:01:37 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\TechSmith
[2013/09/26 09:01:16 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/09/14 03:07:57 | 002,876,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/09/14 03:07:57 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/09/14 03:07:56 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/09/14 03:07:56 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/09/14 03:07:56 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/09/14 03:07:55 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/09/14 03:07:55 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/09/14 03:07:55 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/09/14 03:07:55 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/09/14 03:07:55 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/09/14 03:07:07 | 000,133,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ataport.sys
[2013/09/14 03:06:56 | 002,348,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/09/14 03:05:12 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/09/14 03:05:12 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2013/09/14 03:05:11 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
[2013/09/14 03:05:11 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/09/14 03:05:11 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2013/09/14 03:05:11 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2013/09/14 03:05:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2013/09/14 03:05:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/10/02 12:57:05 | 000,012,272 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/10/02 12:57:05 | 000,012,272 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/10/02 12:36:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/10/02 12:33:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/10/02 12:27:42 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/10/02 00:00:00 | 000,000,530 | ---- | M] () -- C:\Windows\tasks\Nightly Scan.job
[2013/10/01 14:02:26 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/10/01 14:02:25 | 003,843,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/10/01 14:02:02 | 2734,379,008 | -HS- | M] () -- C:\hiberfil.sys
[2013/10/01 11:36:17 | 000,167,344 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe.9bdf.deleteme
[2013/10/01 11:19:52 | 000,231,390 | ---- | M] () -- C:\Users\Administrator\Desktop\RootkitRevealer.zip
[2013/09/30 09:42:07 | 001,042,066 | ---- | M] () -- C:\Users\Administrator\Desktop\adwcleaner.exe
[2013/09/27 16:17:48 | 000,000,512 | ---- | M] () -- C:\Users\Administrator\Desktop\MBR.dat
[2013/09/27 15:34:00 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Administrator\Desktop\aswmbr.exe
[2013/09/27 13:34:29 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Administrator\Desktop\dds.scr
[2013/09/27 09:54:03 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Administrator\Desktop\tdsskiller.exe
[2013/09/26 15:58:32 | 000,000,790 | ---- | M] () -- C:\Windows\ODBC.INI
[2013/09/26 15:58:32 | 000,000,634 | ---- | M] () -- C:\Windows\ODBCINST.INI
[2013/09/26 14:45:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Desktop\OTL.exe
[2013/09/26 14:30:23 | 000,147,456 | ---- | M] () -- C:\Users\Administrator\Desktop\catchme.exe
[2013/09/26 12:15:39 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/09/26 12:15:38 | 000,868,264 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npdeployJava1.dll
[2013/09/26 12:15:38 | 000,790,440 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/09/26 12:15:38 | 000,264,616 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/09/26 12:15:38 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/09/26 12:15:38 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/09/26 11:57:48 | 000,001,713 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/09/26 10:00:41 | 000,001,371 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/09/26 10:00:41 | 000,000,008 | RHS- | M] () -- C:\Users\Administrator\ntuser.pol
[2013/09/26 08:59:39 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/09/19 15:33:06 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/09/19 15:33:06 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/09/19 09:34:36 | 000,002,052 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2013/09/11 10:06:34 | 000,000,006 | ---- | M] () -- C:\Windows\System32\nodeid
[2013/09/04 15:50:55 | 000,032,496 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/10/01 14:02:08 | 003,843,704 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/10/01 11:19:51 | 000,231,390 | ---- | C] () -- C:\Users\Administrator\Desktop\RootkitRevealer.zip
[2013/09/30 09:42:04 | 001,042,066 | ---- | C] () -- C:\Users\Administrator\Desktop\adwcleaner.exe
[2013/09/27 15:45:11 | 000,000,512 | ---- | C] () -- C:\Users\Administrator\Desktop\MBR.dat
[2013/09/26 14:30:21 | 000,147,456 | ---- | C] () -- C:\Users\Administrator\Desktop\catchme.exe
[2013/09/26 11:57:48 | 000,001,713 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2013/09/26 10:00:41 | 000,001,371 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/09/26 10:00:41 | 000,000,008 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
[2013/09/11 10:06:34 | 000,000,006 | ---- | C] () -- C:\Windows\System32\nodeid
[2013/08/28 10:13:47 | 000,028,672 | ---- | C] () -- C:\Windows\System32\JAWTAccessBridge.dll
[2013/02/19 12:15:54 | 002,555,580 | ---- | C] () -- C:\Windows\System32\libavcodecBC.dll
[2013/02/19 12:15:54 | 000,261,120 | ---- | C] () -- C:\Windows\System32\libmplayerBC.dll
[2013/02/19 12:15:54 | 000,000,089 | ---- | C] () -- C:\Windows\System32\Brickcom.ini
[2012/08/29 13:21:48 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/08/29 13:21:48 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/08/29 13:21:48 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/08/29 13:21:48 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/08/29 13:21:48 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/08/09 10:42:10 | 000,293,889 | ---- | C] () -- C:\Windows\System32\drivers\RTAIODAT.DAT
[2012/08/07 13:44:49 | 000,000,634 | ---- | C] () -- C:\Windows\ODBCINST.INI
[2012/07/17 15:57:19 | 000,125,736 | ---- | C] () -- C:\Windows\System32\wdcfg.exe
[2012/03/26 19:19:06 | 000,755,188 | ---- | C] () -- C:\Windows\System32\igkrng700.bin
[2012/03/26 19:19:06 | 000,561,508 | ---- | C] () -- C:\Windows\System32\igfcg700m.bin
[2012/03/26 19:03:46 | 000,058,880 | ---- | C] () -- C:\Windows\System32\igdde32.dll
[2012/03/26 17:53:42 | 013,024,768 | ---- | C] () -- C:\Windows\System32\ig7icd32.dll
[2012/03/26 17:35:32 | 000,009,216 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2012/03/26 17:33:54 | 000,000,264 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2012/03/26 17:33:28 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll
[2010/05/11 10:03:41 | 000,032,496 | RHS- | C] () -- C:\ProgramData\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 20:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 04:19:04 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 20:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Extras.txt

OTL Extras logfile created on: 9/26/2013 2:51:22 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Administrator\Desktop
 Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16686)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.40 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 63.34% Memory free
6.79 Gb Paging File | 5.57 Gb Available in Paging File | 82.03% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 109.57 Gb Free Space | 36.76% Space Free | Partition Type: NTFS
 
Computer Name: PC-Name | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS6\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"" =
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
"PolicyVersion" = 522
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"DefaultInboundAction" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1
"Enabled" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"8192:TCP:*:enabled:Port 8192" = 8192:TCP:*:enabled:Port 8192
"8193:TCP:*:enabled:Port 8193" = 8193:TCP:*:enabled:Port 8193
"8194:TCP:*:enabled:Port 8194" = 8194:TCP:*:enabled:Port 8194
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 1
"AllowRedirect" = 1
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
"LogFilePath" = %windir%\system32\logfiles\firewall\pfirewall.log -- ()
"LogFileSize" = 32000
"LogDroppedPackets" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = *
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"FPS-ICMP4-ERQ-In" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=8:*|Name=@FirewallAPI.dll,-28543|Desc=@FirewallAPI.dll,-28547|EmbedCtxt=@FirewallAPI.dll,-28502|
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
"EnableFirewall" = 1
"DefaultInboundAction" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
"LogFilePath" = %windir%\system32\logfiles\firewall\pfirewall.log -- ()
"LogFileSize" = 32000
"LogDroppedPackets" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
"EnableFirewall" = 1
"DefaultInboundAction" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
"LogFilePath" = %windir%\system32\logfiles\firewall\pfirewall.log -- ()
"LogFileSize" = 32000
"LogDroppedPackets" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"AllowUserPrefMerge" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"AllowUserPrefMerge" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 1
"AllowRedirect" = 1
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = *
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{D853DEFC-1E9E-4E48-B056-98421BD253B3}" = lport=7935 | protocol=6 | dir=in | name=adobe flash builder 4.6 |
"{EDD01B01-0C22-4843-9994-B403487971A6}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1547DC22-F225-4C5B-90C9-2B1DEF4D15FB}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{1628510D-E29D-48FA-8AB2-C32ABC3CC94A}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{2DF1757B-62BF-4142-84E7-0ACEF78E505F}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{3294CE0E-A897-4BF1-A44C-460D14F4A032}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6F252C9E-5734-4F77-A053-80D2EE6037C2}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{70066161-F404-4F6B-ACE5-9A58D097A663}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{7153DACC-943F-4965-8A86-5A8F80A53B5E}" = protocol=6 | dir=in | app=c:\program files\adobe\adobe flash builder 4.6\flashbuilder.exe |
"{75CF3D02-1FF7-497A-9CE3-E5799E5F773E}" = protocol=17 | dir=in | app=c:\program files\adobe\adobe flash builder 4.6\flashbuilder.exe |
"{8B3F2497-5D31-4F00-B109-ED8B520EE745}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{A150486F-6D24-4738-9B7A-5A521FDC6375}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{A5ED7936-DECA-4F38-8100-E57AF4C54AD9}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{E360169B-F748-4031-9D45-DB47AEC1303E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"TCP Query User{9CB4C984-3E4D-4563-83FE-54D5F1749B69}\\contoso.com\dfs1\contoso_pshomes\pt8.51.11\bin\client\winx86\psdbgsrv.exe" = protocol=6 | dir=in | app=\\contoso.com\dfs1\contoso_pshomes\pt8.51.11\bin\client\winx86\psdbgsrv.exe |
"TCP Query User{F913E2D2-A2B9-488A-886D-164B7167B715}C:\users\MrAnderson\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=6 | dir=in | app=c:\users\MrAnderson\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
"UDP Query User{4E31CFCE-B655-4D1B-B043-DBBAE17622B2}\\contoso.com\dfs1\contoso_pshomes\pt8.51.11\bin\client\winx86\psdbgsrv.exe" = protocol=17 | dir=in | app=\\contoso.com\dfs1\contoso_pshomes\pt8.51.11\bin\client\winx86\psdbgsrv.exe |
"UDP Query User{B17023F3-1507-475E-B2C7-4E149A660811}C:\users\MrAnderson\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe" = protocol=17 | dir=in | app=c:\users\MrAnderson\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\octoshape\octoshape.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0592EF96-69D8-4E4B-9CC9-88F58EA86F01}" = Apple Mobile Device Support
"{0A5B39D2-7ED6-4779-BCC9-37F381139DB3}" = Adobe AIR
"{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate
"{1813E058-6A7D-44CE-93B5-7B6C89D15184}" = Quest Software Toad Data Modeler
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1896CFE4-B4B4-4D63-872A-899D05A3571A}" = Quest SQL Optimizer for Oracle
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2450192C-1F57-4E73-B989-229AB4F622D3}" = Password Policy Client 6.1
"{26A24AE4-039D-4CA4-87B4-2F83217040FF}" = Java 7 Update 40
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F04067F-0DA5-4F48-9A89-6FCFD2A9E040}" = TextPad 6
"{44BD21C2-9132-48DB-B65B-23817E4C6F4B}" = Snagit 11
"{46A3962C-8AD3-4854-B6F8-5F2A7D683F1F}" = ImageNow Desktop Client
"{46F044A5-CE8B-4196-984E-5BD6525E361D}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D41F3CC-3854-490A-860E-67346408D7DC}" = Toad for Oracle 11
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6C8D5E56-CA12-42B2-9075-044B4C7067A9}" = Altiris Deployment Agent
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{71A7D000-0D1F-4CF9-BB75-BB5920436F0C}" = Crystal Reports 9
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{82B3DF7B-C701-4E7D-8D1B-FE16BBD006AE}" = Visual Studio 2008 Retail Assemblies For PeopleSoft
"{8766C1FF-2CA6-49DB-B324-9BDB51E55299}" = Alchemy
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5BE0A48C-51FA-42F7-A8AE-66B6D4256076}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90150000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - English
"{90150000-001F-040C-0000-0000000FF1CE}" = Outils de vérification linguistique 2013 de Microsoft Office - Français
"{90150000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Español
"{90150000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2013
"{90150000-0054-0409-0000-0000000FF1CE}" = Microsoft Visio MUI (English) 2013
"{90150000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2013
"{90150000-00E1-0409-0000-0000000FF1CE}" = Microsoft Office OSM MUI (English) 2013
"{90150000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2013
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{91150000-0051-0000-0000-0000000FF1CE}" = Microsoft Visio Professional 2013
"{948168F3-F808-4A41-B370-575A2EFF28B3}" = Quest Software Toad for Data Analysts 3.0
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9ACB414D-9347-40B6-A453-5EFB2DB59DFA}" = Sophos Anti-Virus
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C8A7C4F-DE89-47D2-A38B-C910CCC5E4D4}" = Identity Finder
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{AF37176A-78CA-545B-34EF-8B6A21514DD1}" = Adobe Help Manager
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B81AE9B5-B23F-4196-9005-A3B96BC73DC6}" = Altiris Inventory Agent
"{B8EC0AD1-E8E3-42C3-9BAB-6A14E96FD136}" = Microsoft Mouse and Keyboard Center
"{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}" = PDF Settings CS6
"{CF9EF752-259A-4368-81A5-8C02D5EE7A55}" = MSXML4SP2
"{D0BEAB88-C32F-4CA0-B12C-020E5846AE2B}" = Adobe Level 2 Install (32bit)
"{D58673F7-47A6-4EFA-9666-938761F32B44}" = Launcher
"{DA7DF8E2-4B8F-4286-97FE-DE3FFFE9B728}" = iCloud
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{DF9C119C-7F26-45B9-93D4-7C372CBBBA11}" = iTunes
"{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}" = Adobe Creative Suite 6 Master Collection
"{EFBE6DD5-B224-96E5-72B9-68D328CB12A6}" = Adobe Widget Browser
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FED1005D-CBC8-45D5-A288-FFC7BB304121}" = Sophos Remote Management System
"7-Zip" = 7-Zip 4.65
"ActiveTouchMeetingClient" = Cisco WebEx Meetings
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"BeyondCompare3_is1" = Beyond Compare 3.3.8
"CCleaner" = CCleaner
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Help Manager
"com.adobe.WidgetBrowser" = Adobe Widget Browser
"Do Not Track Plus Add-on_is1" = Do Not Track Plus Add-on 2.2.1.827
"Google Chrome" = Google Chrome
"IDAutomation.com MICR E13B" = IDAutomation.com MICR E13B
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center
"Mozilla Firefox 17.0.9 (x86 en-US)" = Mozilla Firefox 17.0.9 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Office15.VISPROR" = Microsoft Visio Professional 2013
"Quest Installer" = Quest Installer
"Secunia CSI Agent" = Secunia CSI Agent (6.0.0.15015)
"WinCDEmu" = WinCDEmu
"winscp3_is1" = WinSCP 4.2.7
"Yahoo! Messenger" = Yahoo! Messenger
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 9/16/2013 9:22:19 AM | Computer Name = PC-Name.con.contoso.com | Source = Application Error | ID = 1000
Description = Faulting application name: EXCEL.EXE, version: 14.0.6117.5003, time
 stamp: 0x4f622ef8  Faulting module name: psnetapi.dll, version: 8.51.0.0, time stamp:
 0x4c579f87  Exception code: 0xc0000005  Fault offset: 0x000064c5  Faulting process id:
 0xb98  Faulting application start time: 0x01ceb2df949b4654  Faulting application path:
 C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Faulting module path: \\contoso.com\dfs1\contoso_pshomes\PT8.51.22fs\bin\client\winx86\psnetapi.dll
Report
 Id: 030635f4-1ed3-11e3-a7f1-d8d38592fa39
 
Error - 9/16/2013 9:22:21 AM | Computer Name = PC-Name.con.contoso.com | Source = Application Error | ID = 1000
Description = Faulting application name: EXCEL.EXE, version: 14.0.6117.5003, time
 stamp: 0x4f622ef8  Faulting module name: psnetapi.dll, version: 8.51.0.0, time stamp:
 0x4c579f87  Exception code: 0xc0000005  Fault offset: 0x000064c5  Faulting process id:
 0x1354  Faulting application start time: 0x01ceb2df94921e94  Faulting application path:
 C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Faulting module path: \\contoso.com\dfs1\contoso_pshomes\PT8.51.22fs\bin\client\winx86\psnetapi.dll
Report
 Id: 04414e04-1ed3-11e3-a7f1-d8d38592fa39
 
Error - 9/16/2013 9:22:41 AM | Computer Name = PC-Name.con.contoso.com | Source = Application Hang | ID = 1002
Description = The program OUTLOOK.EXE version 14.0.6117.5001 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 15c8    Start
 Time: 01ceb2df8e2a41e4    Termination Time: 0    Application Path: C:\Program Files\Microsoft
 Office\Office14\OUTLOOK.EXE    Report Id: ec3106c5-1ed2-11e3-a7f1-d8d38592fa39 
 
Error - 9/16/2013 9:22:54 AM | Computer Name = PC-Name.con.contoso.com | Source = Microsoft Office 14 | ID = 2000
Description = Microsoft Outlook: Accepted Safe Mode action : Outlook experienced
 a serious problem with the 'icloud outlook addin' add-in. If you have seen this
 message multiple times, you should disable this add-in and check to see if an update
 is available. Do you want to disable this add-in?.
 
Error - 9/16/2013 2:32:25 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
Error - 9/16/2013 2:32:25 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
Error - 9/16/2013 2:33:09 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
Error - 9/16/2013 2:33:09 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
Error - 9/16/2013 3:24:15 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
Error - 9/16/2013 3:24:15 PM | Computer Name = PC-Name.con.contoso.com | Source = MsiInstaller | ID = 11606
Description =
 
[ System Events ]
Error - 6/26/2013 9:00:58 AM | Computer Name = PC-Name.con.contoso.com | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: Update Apple QuickTime 7.x, version 7.7.4, Highly Critical.
 
Error - 6/26/2013 9:55:00 AM | Computer Name = PC-Name.con.contoso.com | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: Update Apple QuickTime 7.x, version 7.7.4, Highly Critical.
 
Error - 6/27/2013 9:19:59 AM | Computer Name = PC-Name.con.contoso.com | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service.  However,
 the system is configured to not allow interactive services.  This service may not
 function properly.
 
Error - 6/27/2013 9:24:21 AM | Computer Name = PC-Name.con.contoso.com | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service.  However,
 the system is configured to not allow interactive services.  This service may not
 function properly.
 
Error - 6/27/2013 9:27:17 AM | Computer Name = PC-Name.con.contoso.com | Source = Service Control Manager | ID = 7030
Description = The PEVSystemStart service is marked as an interactive service.  However,
 the system is configured to not allow interactive services.  This service may not
 function properly.
 
Error - 6/27/2013 9:34:23 AM | Computer Name = PC-Name.con.contoso.com | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
 in domain contoso due to the following:   %%1311    This may lead to authentication problems.
 Make sure that this  computer is connected to the network. If the problem persists,
please
 contact your domain administrator.        ADDITIONAL INFO    If this computer is a domain controller
 for the specified domain, it  sets up the secure session to the primary domain controller
 emulator in the specified  domain. Otherwise, this computer sets up the secure session
 to any domain controller  in the specified domain.
 
Error - 6/27/2013 9:34:25 AM | Computer Name = PC-Name.con.contoso.com | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   B) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).
 
Error - 7/13/2013 4:48:52 AM | Computer Name = PC-Name.con.contoso.com | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
 in domain contoso due to the following:   %%1311    This may lead to authentication problems.
 Make sure that this  computer is connected to the network. If the problem persists,
please
 contact your domain administrator.        ADDITIONAL INFO    If this computer is a domain controller
 for the specified domain, it  sets up the secure session to the primary domain controller
 emulator in the specified  domain. Otherwise, this computer sets up the secure session
 to any domain controller  in the specified domain.
 
Error - 7/24/2013 4:38:12 PM | Computer Name = PC-Name.con.contoso.com | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
 in domain contoso due to the following:   %%1311    This may lead to authentication problems.
 Make sure that this  computer is connected to the network. If the problem persists,
please
 contact your domain administrator.        ADDITIONAL INFO    If this computer is a domain controller
 for the specified domain, it  sets up the secure session to the primary domain controller
 emulator in the specified  domain. Otherwise, this computer sets up the secure session
 to any domain controller  in the specified domain.
 
Error - 7/24/2013 4:38:14 PM | Computer Name = PC-Name.con.contoso.com | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   B) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).
 
 
< End of report >
 