Rootkit on Windows Server 2008 (Port Scanning Network)


This topic is locked. 30 replies to this topic.

#1 aznspy256 (Members, 25 posts, Location: NYC)

Posted 19 March 2014 - 02:43 PM

Greetings Bleeping Computer community!
 
I have a major issue on the computer I work with. I just got this job about a month ago and I found out I inherited a problem from the last IT guy. I'm still a student working on my BTech degree, so my knowledge is limited. Also, I'm the only guy helping with the computers, so there's nobody to help me.
 
Since I started working here, we have had a couple of employees complaining about how the database software keeps crashing. The error that pops up is a network issue. So I checked the log files of the ESET antivirus firewall and it shows the server's IP port scanning the machine. The server consists of two HDs, one for the primary OS and another for storage for the network. I ran a Malwarebytes scan on the server and located a couple of malicious files on the D drive. They were keygens that the last IT guy downloaded o.O So I removed them with Malwarebytes and I thought that did the job, but boy was I wrong. The server got the BSOD, so I had to uninstall Malwarebytes in order for the server to log on. Next, the port scans are still coming and crashing the database for some users. I think I have found the process that does the port scans, which is svchost.exe. This leads me to believe that the server is infected with a rootkit which is maintaining access and has altered the antivirus and firewall to dial home and maintain access on the server. I have already run rootkit scanners such as TDSSKiller and bootkitremoval to no avail. Please advise on what I should do. Please note that the server must be kept on for employees during work days and hours. Thank you in advance for your expertise.
 
 
I have had some help from "boopme" and used RSIT to create two text files, which are attached. I followed the Prep Guide but was unable to get DDS to run. Here are the results of the log file from RSIT (I also attached it as well):
 
Logfile of random's system information tool 1.09 (written by random/random)
Run by Administrator at 2014-03-19 15:23:39
Microsoft® Windows® Storage Server 2008 Standard  Service Pack 2
System drive C: has 422 GB (88%) free of 477 GB
Total RAM: 3036 MB (16% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:23:45 PM, on 3/19/2014
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16526)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/HardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [HDInspector.exe] "C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://hyperion.zih.tu-dresden.de
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0772F191-86F0-4D59-818C-3F19D74B4D2F}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0772F191-86F0-4D59-818C-3F19D74B4D2F}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0772F191-86F0-4D59-818C-3F19D74B4D2F}: NameServer = 192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{0772F191-86F0-4D59-818C-3F19D74B4D2F}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\grovmsg.dll,-101 (Groveler) - Unknown owner - C:\Windows\system32\grovel.exe (file missing)
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\Program Files (x86)\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: FTP Publishing Service (MSFTPSVC) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%windir%\system32\nfsrc.dll,-5001 (NfsClnt) - Unknown owner - C:\Windows\system32\nfsclnt.exe (file missing)
O23 - Service: @%windir%\system32\nfsrc.dll,-5007 (NfsService) - Unknown owner - C:\Windows\system32\nfssvc.exe (file missing)
O23 - Service: @ntfrsres.dll,-130 (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~2\Intuit\QuickBooks 2012\QBDBMgrN.exe
O23 - Service: QuickBooksDB23 - Intuit, Inc. - C:\PROGRA~2\Intuit\QuickBooks 2013\QBDBMgrN.exe
O23 - Service: QuickBooksDB24 - Intuit, Inc. - C:\PROGRA~2\Intuit\QuickBooks 2014\QBDBMgrN.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%windir%\system32\srm.dll,-3022 (SrmReports) - Unknown owner - C:\Windows\system32\srmhost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7162 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
wininit.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
taskeng.exe {B1214394-6AE7-411C-B431-A0D91EFD4C74}
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\DFSRs.exe
"C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe"
C:\Windows\system32\svchost.exe -k ftpsvc
C:\Windows\system32\inetsrv\inetinfo.exe
"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe"
"c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe"
"C:\PROGRA~2\Intuit\QuickBooks 2013\QBDBMgrN.exe" -hvQuickBooksDB23
C:\Windows\system32\svchost.exe -k regsvc
"c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
taskeng.exe {DA1FC7E6-8184-48BD-813F-7009C07C50F3}
"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
C:\Windows\system32\svchost -k srmsvcs
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\Explorer.EXE
C:\Windows\system32\grovel.exe
"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe" -s
C:\Windows\system32\nfsclnt.exe
"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
C:\Windows\system32\dfssvc.exe
"C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
"C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe" 
"C:\Program Files (x86)\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe"
"C:\PROGRA~2\Intuit\QuickBooks 2012\QBDBMgrN.exe" -hvQuickBooksDB22
"C:\PROGRA~2\Intuit\QuickBooks 2014\QBDBMgrN.exe" -hvQuickBooksDB24
"C:\Windows\system32\wuauclt.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\msdtc.exe
"C:\PROGRA~2\Intuit\QuickBooks 2014\dbextclr11.exe" "QB_SERVER300_24" "4635e0f028d54958bd44424904706a62" "PUBLIC" "238594074:1143776792:27::2014-03-19 11:01:00.053" 
C:\Windows\System32\svchost.exe -k tapisrv
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe313_ Global\UsGthrCtrlFltPipeMssGthrPipe313 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" 
"C:\Windows\system32\SearchFilterHost.exe" 0 692 696 704 65536 700 
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Users\Administrator\Downloads\RSITx64.exe" 

======Scheduled tasks folder======

C:\Windows\tasks\Adobe Flash Player Updater.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\ESET\ESET Smart Security\egui.exe [2011-01-12 2918656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-11 136176]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"HDInspector.exe"=C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe [2012-12-05 3167184]
"LogMeIn Hamachi Ui"=C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [2014-02-26 3814736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\Windows\System32\webcheck.dll [2013-02-23 249344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll [2009-04-11 1650688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
RASSFM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll, pwdssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\62755242.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\62755242.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Base]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BFE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Boot file system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\bowser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Browser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\dfsc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dhcp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\DnsCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Dot3Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Eaphost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\EventLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\File system]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Hamachi2Svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HelpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\IKEEXT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ipnat.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\KeyIso]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LanmanWorkstation]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\LmHosts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Messenger]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MPSSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb10]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mrxsmb20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NativeWifiP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NDIS Wrapper]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Ndisuio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBIOSGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetBT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetDDEGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetMan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\netprofm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NetworkProvider]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NlaSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Nsi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nsiproxy.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\NTDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PCI Configuration]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP Filter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PNP_TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PolicyAgent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Primary disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ProfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdbss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdpencdd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rdsessmgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sacsvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCardSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SCSI Class]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sermouse.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Streams Drivers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SWPRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Bus Extender]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TabletInputService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TBS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TrustedInstaller]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\VDS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vgasave.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgr.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\volmgrx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wlansvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{36FC9E60-C465-11CF-8056-444553540000}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E965-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E969-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E972-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E973-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E975-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E977-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{4D36E980-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"EnableUIADesktopToggle"=0
"disablecad"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1
"SoftwareSASGeneration"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"ShowSuperHidden"=1
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"wave1"=wdmaud.drv
"midi1"=wdmaud.drv
"mixer1"=wdmaud.drv
"aux1"=wdmaud.drv
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv
"wave2"=wdmaud.drv
"midi2"=wdmaud.drv
"mixer2"=wdmaud.drv
"aux2"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 3 months======

2014-03-19 15:23:40 ----D---- C:\Program Files\trend micro
2014-03-19 15:23:39 ----D---- C:\rsit
2014-03-16 22:36:39 ----A---- C:\TDSSKiller.3.0.0.25_16.03.2014_22.36.39_log.txt
2014-03-14 22:11:02 ----RD---- C:\Users\Administrator\AppData\Roaming\Brother
2014-03-14 21:50:01 ----A---- C:\Windows\SYSWOW64\BRRBTOOL.EXE
2014-03-14 21:50:01 ----A---- C:\Windows\SYSWOW64\BROSNMP.DLL
2014-03-14 21:50:00 ----A---- C:\Windows\system32\BRCOMB1A.DLL
2014-03-14 21:50:00 ----A---- C:\Windows\system32\BRADM11A.DAT
2014-03-14 21:17:04 ----D---- C:\ProgramData\Brother
2014-03-14 21:17:04 ----A---- C:\Windows\BRWMARK.INI
2014-03-14 21:16:13 ----A---- C:\Windows\SYSWOW64\BRTCPCON.DLL
2014-03-14 21:16:13 ----A---- C:\Windows\SYSWOW64\BRLMW03A.INI
2014-03-14 21:16:13 ----A---- C:\Windows\SYSWOW64\BRLMW03A.DLL
2014-03-14 21:16:13 ----A---- C:\Windows\SYSWOW64\BRLM03A.DLL
2014-03-14 21:16:13 ----A---- C:\Windows\system32\BRADM08A.DAT
2014-03-14 20:39:14 ----D---- C:\Users\Administrator\AppData\Roaming\TightVNC
2014-03-14 19:54:49 ----A---- C:\Windows\system32\drivers\mbamchameleon.sys
2014-03-14 19:50:18 ----A---- C:\TDSSKiller.3.0.0.25_14.03.2014_19.50.18_log.txt
2014-03-14 19:47:23 ----A---- C:\TDSSKiller.3.0.0.25_14.03.2014_19.47.23_log.txt
2014-03-14 18:56:39 ----D---- C:\Program Files\CCleaner
2014-03-14 18:11:27 ----A---- C:\TDSSKiller.3.0.0.25_14.03.2014_18.11.27_log.txt
2014-03-14 18:07:41 ----D---- C:\Windows\pss
2014-03-14 18:02:47 ----D---- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-14 18:02:46 ----A---- C:\Windows\system32\drivers\MBAMSwissArmy.sys
2014-03-14 17:52:57 ----A---- C:\TDSSKiller.3.0.0.25_14.03.2014_17.52.57_log.txt
2014-03-14 17:51:46 ----D---- C:\TDSSKiller_Quarantine
2014-03-14 17:49:42 ----A---- C:\TDSSKiller.3.0.0.25_14.03.2014_17.49.42_log.txt
2014-03-14 17:28:01 ----D---- C:\Sharpdesk Desktop
2014-03-14 17:26:53 ----D---- C:\ProgramData\Sharp
2014-03-07 19:48:07 ----D---- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2014-03-07 19:46:41 ----D---- C:\ProgramData\Malwarebytes
2014-03-07 13:18:15 ----D---- C:\Users\Administrator\AppData\Roaming\Sharpdesk
2014-03-07 13:13:04 ----D---- C:\ProgramData\Sharpdesk
2014-03-05 10:18:52 ----D---- C:\Program Files (x86)\LogMeIn Hamachi
2014-02-28 12:35:46 ----A---- C:\Windows\IsUninst.exe
2013-12-20 12:51:02 ----A---- C:\Windows\SYSWOW64\vbscript.dll
2013-12-20 12:51:02 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2013-12-20 12:51:02 ----A---- C:\Windows\system32\mshtmled.dll
2013-12-20 12:51:00 ----A---- C:\Windows\SYSWOW64\ieUnatt.exe
2013-12-20 12:51:00 ----A---- C:\Windows\SYSWOW64\ieui.dll
2013-12-20 12:51:00 ----A---- C:\Windows\system32\jsproxy.dll
2013-12-20 12:51:00 ----A---- C:\Windows\system32\ieUnatt.exe
2013-12-20 12:51:00 ----A---- C:\Windows\system32\ieui.dll
2013-12-20 12:50:59 ----A---- C:\Windows\SYSWOW64\url.dll
2013-12-20 12:50:59 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2013-12-20 12:50:59 ----A---- C:\Windows\system32\url.dll
2013-12-20 12:50:58 ----A---- C:\Windows\SYSWOW64\wininet.dll
2013-12-20 12:50:58 ----A---- C:\Windows\system32\wininet.dll
2013-12-20 12:50:57 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2013-12-20 12:50:57 ----A---- C:\Windows\system32\urlmon.dll
2013-12-20 12:50:56 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
2013-12-20 12:50:56 ----A---- C:\Windows\system32\msfeeds.dll
2013-12-20 12:50:55 ----A---- C:\Windows\system32\jscript9.dll
2013-12-20 12:50:54 ----A---- C:\Windows\SYSWOW64\jscript9.dll
2013-12-20 12:50:54 ----A---- C:\Windows\SYSWOW64\jscript.dll
2013-12-20 12:50:54 ----A---- C:\Windows\system32\vbscript.dll
2013-12-20 12:50:54 ----A---- C:\Windows\system32\jscript.dll
2013-12-20 12:50:54 ----A---- C:\Windows\system32\iertutil.dll
2013-12-20 12:50:53 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2013-12-20 12:50:51 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2013-12-20 12:50:48 ----A---- C:\Windows\system32\mshtml.dll
2013-12-20 12:50:45 ----A---- C:\Windows\system32\ieframe.dll
2013-12-20 12:50:43 ----A---- C:\Windows\SYSWOW64\ieframe.dll

======List of files/folders modified in the last 3 months======

2014-03-19 15:23:40 ----RD---- C:\Program Files
2014-03-19 15:22:56 ----D---- C:\Windows\Temp
2014-03-19 03:00:20 ----D---- C:\Windows\system32\inetsrv
2014-03-19 03:00:19 ----SHD---- C:\System Volume Information
2014-03-16 22:40:37 ----D---- C:\Windows\debug
2014-03-16 22:36:43 ----D---- C:\Windows\system32\drivers
2014-03-16 22:31:49 ----D---- C:\Windows\rescache
2014-03-16 22:20:49 ----D---- C:\Windows\system32\ServerManager
2014-03-16 22:10:42 ----D---- C:\Windows\System32
2014-03-16 22:02:41 ----D---- C:\Windows\winsxs
2014-03-16 20:25:46 ----D---- C:\Windows\Microsoft.NET
2014-03-16 20:25:45 ----RSD---- C:\Windows\assembly
2014-03-16 20:07:40 ----SHD---- C:\Windows\Installer
2014-03-16 20:07:39 ----D---- C:\ProgramData
2014-03-16 20:07:20 ----D---- C:\Windows\inf
2014-03-16 20:07:20 ----A---- C:\Windows\system32\PerfStringBackup.INI
2014-03-16 19:56:34 ----D---- C:\Windows\SysWOW64
2014-03-14 22:18:23 ----D---- C:\Windows\SYSWOW64\en-US
2014-03-14 22:18:23 ----D---- C:\Windows\SYSWOW64\en
2014-03-14 22:18:22 ----D---- C:\Windows\system32\en-US
2014-03-14 22:18:22 ----D---- C:\Windows\system32\en
2014-03-14 22:02:02 ----D---- C:\Windows\system32\catroot
2014-03-14 21:52:53 ----D---- C:\Windows\system32\wbem
2014-03-14 21:52:27 ----D---- C:\Windows
2014-03-14 21:28:45 ----D---- C:\Windows\system32\catroot2
2014-03-14 19:35:10 ----RD---- C:\Program Files (x86)
2014-03-14 19:24:43 ----A---- C:\Windows\ntbtlog.txt
2014-03-14 19:13:26 ----D---- C:\Windows\Minidump
2014-03-14 17:29:28 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2014-03-14 17:27:48 ----D---- C:\Program Files (x86)\Common Files
2014-03-14 17:26:39 ----D---- C:\Windows\Resources
2014-03-14 17:26:39 ----D---- C:\Windows\Help
2014-03-07 18:41:17 ----D---- C:\Windows\Tasks
2014-03-07 18:32:13 ----D---- C:\Windows\system32\Tasks
2014-03-02 14:05:02 ----A---- C:\Windows\system32\mrt.exe
2014-02-28 12:40:24 ----D---- C:\ProgramData\InstallShield
2014-02-19 01:04:06 ----D---- C:\Windows\Logs
2014-02-07 17:35:54 ----D---- C:\Windows\system32\MRT
2014-01-24 13:59:40 ----D---- C:\Windows\Intuit
2014-01-24 13:58:25 ----A---- C:\Windows\QBChanUtil_Trigger.ini
2014-01-24 13:58:14 ----RD---- C:\Users
2014-01-24 13:57:01 ----D---- C:\ProgramData\Intuit
2014-01-24 13:57:01 ----D---- C:\Program Files (x86)\Intuit
2013-12-23 13:50:50 ----D---- C:\Windows\SYSWOW64\migration
2013-12-23 13:50:50 ----D---- C:\Program Files (x86)\Internet Explorer
2013-12-23 13:50:49 ----D---- C:\Windows\system32\migration
2013-12-23 13:50:48 ----D---- C:\Program Files\Internet Explorer
2013-12-20 13:02:20 ----A---- C:\Windows\SYSWOW64\PerfStringBackup.INI
2013-12-20 12:58:58 ----SD---- C:\ProgramData\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ACPI;Microsoft ACPI Driver; C:\Windows\system32\drivers\acpi.sys [2009-04-11 325608]
R0 atapi;IDE Channel; C:\Windows\system32\drivers\atapi.sys [2009-04-11 20952]
R0 CLFS;Common Log (CLFS); C:\Windows\System32\CLFS.sys [2009-04-11 361448]
R0 Compbatt;Microsoft Composite Battery Driver; C:\Windows\system32\DRIVERS\compbatt.sys [2008-01-19 23608]
R0 crcdisk;Crcdisk Filter Driver; C:\Windows\system32\drivers\crcdisk.sys [2008-01-19 27704]
R0 Datascrn;Datascrn; C:\Windows\system32\drivers\datascrn.sys [2009-04-11 80856]
R0 disk;Disk Driver; C:\Windows\system32\drivers\disk.sys [2009-04-11 67032]
R0 FltMgr;FltMgr; C:\Windows\system32\drivers\fltmgr.sys [2009-04-11 275432]
R0 iaStorV;Intel RAID Controller Vista; C:\Windows\system32\DRIVERS\iaStorV.sys [2008-01-19 290872]
R0 KSecDD;KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [2012-06-04 516480]
R0 MiniSIS;MiniSIS; C:\Windows\system32\drivers\sisss.sys [2009-04-14 143936]
R0 mountmgr;Mount Point Manager; C:\Windows\System32\drivers\mountmgr.sys [2008-01-19 70200]
R0 msahci;msahci; C:\Windows\system32\drivers\msahci.sys [2009-04-11 29656]
R0 msisadrv;ISA/EISA Class Driver; C:\Windows\system32\drivers\msisadrv.sys [2008-01-19 17976]
R0 Mup;Mup; C:\Windows\System32\Drivers\mup.sys [2009-04-11 59880]
R0 NDIS;NDIS System Driver; C:\Windows\system32\drivers\ndis.sys [2009-04-11 738264]
R0 partmgr;Partition Manager; C:\Windows\System32\drivers\partmgr.sys [2012-03-20 72576]
R0 pci;PCI Bus Driver; C:\Windows\system32\drivers\pci.sys [2009-04-11 178664]
R0 pciide;pciide; C:\Windows\system32\drivers\pciide.sys [2009-04-11 14312]
R0 Quota;Quota; C:\Windows\system32\drivers\quota.sys [2009-04-11 162280]
R0 spldr;Security Processor Loader Driver; C:\Windows\system32\drivers\spldr.sys [2009-04-11 19432]
R0 Tcpip;@%SystemRoot%\system32\tcpipcfg.dll,-50003; C:\Windows\System32\drivers\tcpip.sys [2013-07-05 1423808]
R0 volmgr;Volume Manager Driver; C:\Windows\system32\drivers\volmgr.sys [2009-04-11 67048]
R0 volmgrx;Dynamic Volume Manager; C:\Windows\System32\drivers\volmgrx.sys [2009-04-11 408024]
R0 volsnap;Storage volumes; C:\Windows\system32\drivers\volsnap.sys [2012-08-21 267648]
R0 Wdf01000;@%SystemRoot%\system32\drivers\Wdf01000.sys,-1000; C:\Windows\system32\drivers\Wdf01000.sys [2013-06-26 785624]
R1 AFD;Ancilliary Function Driver for Winsock; C:\Windows\system32\drivers\afd.sys [2013-09-03 404992]
R1 cdrom;CD-ROM Driver; C:\Windows\system32\DRIVERS\cdrom.sys [2009-04-11 79872]
R1 DfsC;@%systemroot%\system32\drivers\dfsc.sys,-101; C:\Windows\System32\Drivers\dfsc.sys [2011-04-14 97792]
R1 DfsDriver;@%systemroot%\system32\drivers\dfs.sys,-101; C:\Windows\system32\drivers\dfs.sys [2009-04-14 45112]
R1 ehdrv;ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [2010-12-21 141264]
R1 kbdclass;Keyboard Class Driver; C:\Windows\system32\DRIVERS\kbdclass.sys [2008-01-19 42040]
R1 kbdhid;Keyboard HID Driver; C:\Windows\system32\DRIVERS\kbdhid.sys [2009-04-11 22528]
R1 mouclass;Mouse Class Driver; C:\Windows\system32\DRIVERS\mouclass.sys [2008-01-19 39992]
R1 Msfs;Msfs; C:\Windows\system32\drivers\Msfs.sys [2008-01-19 26112]
R1 NetBIOS;NetBIOS Interface; C:\Windows\system32\DRIVERS\netbios.sys [2008-01-19 44544]
R1 NetBT;NETBT; C:\Windows\System32\DRIVERS\netbt.sys [2009-04-11 248320]
R1 Npfs;Npfs; C:\Windows\system32\drivers\Npfs.sys [2009-04-11 44544]
R1 nsiproxy;NSI proxy service; C:\Windows\system32\drivers\nsiproxy.sys [2008-01-19 24064]
R1 Null;Null; C:\Windows\system32\drivers\Null.sys [2006-11-02 6144]
R1 PSched;@%SystemRoot%\System32\drivers\pacer.sys,-101; C:\Windows\system32\DRIVERS\pacer.sys [2009-04-11 94208]
R1 RasAcd;Remote Access Auto Connection Driver; C:\Windows\System32\DRIVERS\rasacd.sys [2008-01-19 14848]
R1 rdbss;Redirected Buffering Sub Sysytem; C:\Windows\system32\DRIVERS\rdbss.sys [2009-04-11 287744]
R1 RDPCDD;RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [2008-01-19 7168]
R1 RDPENCDD;RDP Encoder Mirror Driver; C:\Windows\system32\drivers\rdpencdd.sys [2008-01-19 7168]
R1 Serial;Serial port driver; C:\Windows\system32\DRIVERS\serial.sys [2008-01-19 94208]
R1 Smb;@%SystemRoot%\system32\tcpipcfg.dll,-50005; C:\Windows\system32\DRIVERS\smb.sys [2009-04-11 88064]
R1 tdx;@%SystemRoot%\system32\tcpipcfg.dll,-50004; C:\Windows\system32\DRIVERS\tdx.sys [2009-04-11 94720]
R1 TermDD;Terminal Device Driver; C:\Windows\system32\DRIVERS\termdd.sys [2009-04-11 62440]
R1 VgaSave;VgaSave; C:\Windows\System32\drivers\vga.sys [2008-01-19 28672]
R1 Wanarpv6;@%systemroot%\system32\rascfg.dll,-32012; C:\Windows\system32\DRIVERS\wanarp.sys [2009-04-11 86528]
R2 eamonm;eamonm; C:\Windows\system32\DRIVERS\eamonm.sys [2010-12-21 170640]
R2 epfw;epfw; C:\Windows\system32\DRIVERS\epfw.sys [2010-12-21 170640]
R2 epfwwfp;epfwwfp; C:\Windows\system32\DRIVERS\epfwwfp.sys [2010-12-21 50624]
R2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver; C:\Windows\system32\DRIVERS\lltdio.sys [2008-01-19 59392]
R2 luafv;UAC File Virtualization; C:\Windows\system32\drivers\luafv.sys [2008-01-19 109568]
R2 PEAUTH;PEAUTH; C:\Windows\system32\drivers\peauth.sys [2006-10-23 712704]
R2 rspndr;Link-Layer Topology Discovery Responder; C:\Windows\system32\DRIVERS\rspndr.sys [2008-01-19 75776]
R2 secdrv;Security Driver; C:\Windows\system32\drivers\secdrv.sys [2006-09-29 23040]
R2 tcpipreg;TCP/IP Registry Compatibility; C:\Windows\System32\drivers\tcpipreg.sys [2009-12-08 40448]
R3 AsyncMac;@%systemroot%\system32\rascfg.dll,-32000; C:\Windows\system32\DRIVERS\asyncmac.sys [2008-01-19 22016]
R3 blbdrive;blbdrive; C:\Windows\system32\DRIVERS\blbdrive.sys [2008-01-19 55296]
R3 bowser;Bowser; C:\Windows\system32\DRIVERS\bowser.sys [2011-02-18 90624]
R3 Epfwndis;Eset Personal Firewall; C:\Windows\system32\DRIVERS\Epfwndis.sys [2010-12-21 34144]
R3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-09-23 33856]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-11 275456]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\Windows\system32\DRIVERS\HDAudBus.sys [2009-04-11 948736]
R3 HidBatt;HID UPS Battery Driver; C:\Windows\system32\DRIVERS\HidBatt.sys [2008-01-19 26624]
R3 HidUsb;Microsoft HID Class Driver; C:\Windows\system32\DRIVERS\hidusb.sys [2009-04-11 15872]
R3 HTTP;HTTP; C:\Windows\system32\drivers\HTTP.sys [2010-02-20 620032]
R3 intelppm;Intel Processor Driver; C:\Windows\system32\DRIVERS\intelppm.sys [2008-01-19 48128]
R3 iScsiPrt;iScsiPort Driver; C:\Windows\system32\DRIVERS\msiscsi.sys [2009-04-11 215528]
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys [2008-01-19 20864]
R3 mouhid;Mouse HID Driver; C:\Windows\system32\DRIVERS\mouhid.sys [2008-01-19 19968]
R3 mpsdrv;@%SystemRoot%\system32\FirewallAPI.dll,-23092; C:\Windows\System32\drivers\mpsdrv.sys [2008-01-19 81408]
R3 mrxsmb;SMB MiniRedirector Wrapper and Engine; C:\Windows\system32\DRIVERS\mrxsmb.sys [2011-04-29 135680]
R3 mrxsmb10;SMB 1.x MiniRedirector; C:\Windows\system32\DRIVERS\mrxsmb10.sys [2011-07-06 275456]
R3 mrxsmb20;SMB 2.0 MiniRedirector; C:\Windows\system32\DRIVERS\mrxsmb20.sys [2011-04-29 107008]
R3 msnfsflt;@%windir%\system32\nfsrc.dll,-5005; C:\Windows\system32\drivers\msnfsflt.sys [2009-04-11 30208]
R3 mssmbios;Microsoft System Management BIOS Driver; C:\Windows\system32\DRIVERS\mssmbios.sys [2008-01-19 34872]
R3 NdisTapi;@%systemroot%\system32\rascfg.dll,-32001; C:\Windows\system32\DRIVERS\ndistapi.sys [2008-01-19 24064]
R3 NdisWan;@%systemroot%\system32\rascfg.dll,-32002; C:\Windows\system32\DRIVERS\ndiswan.sys [2009-04-11 169472]
R3 NDProxy;NDIS Proxy; C:\Windows\system32\drivers\NDProxy.sys [2008-01-19 59904]
R3 NfsRdr;@%windir%\system32\nfsrc.dll,-5003; C:\Windows\system32\drivers\nfsrdr.sys [2009-04-11 252416]
R3 NfsServer;@%windir%\system32\nfsrc.dll,-5009; C:\Windows\system32\drivers\nfssvr.sys [2009-04-11 646144]
R3 Ntfs;Ntfs; C:\Windows\system32\drivers\Ntfs.sys [2013-03-03 1513320]
R3 Portmap;@%windir%\system32\nfsrc.dll,-5013; C:\Windows\system32\drivers\portmap.sys [2009-04-14 56832]
R3 PptpMiniport;@%systemroot%\system32\rascfg.dll,-32006; C:\Windows\system32\DRIVERS\raspptp.sys [2009-04-11 98816]
R3 Rasl2tp;@%systemroot%\system32\rascfg.dll,-32005; C:\Windows\system32\DRIVERS\rasl2tp.sys [2009-04-11 124928]
R3 RasPppoe;@%systemroot%\system32\rascfg.dll,-32007; C:\Windows\system32\DRIVERS\raspppoe.sys [2009-04-11 50176]
R3 RasSstp;@%systemroot%\system32\sstpsvc.dll,-202; C:\Windows\system32\DRIVERS\rassstp.sys [2009-04-11 78336]
R3 rdpdr;Terminal Server Device Redirector Driver; C:\Windows\system32\DRIVERS\rdpdr.sys [2009-04-11 313856]
R3 RDPWD;RDP Winstation Driver; C:\Windows\system32\drivers\RDPWD.sys [2012-05-01 209920]
R3 RpcXdr;@%windir%\system32\nfsrc.dll,-5011; C:\Windows\system32\drivers\rpcxdr.sys [2009-04-11 89600]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh64.sys [2009-01-20 195584]
R3 Serenum;Serenum Filter Driver; C:\Windows\system32\DRIVERS\serenum.sys [2008-01-19 23552]
R3 srv;srv; C:\Windows\System32\DRIVERS\srv.sys [2011-02-18 450560]
R3 srv2;srv2; C:\Windows\System32\DRIVERS\srv2.sys [2011-04-29 176128]
R3 srvnet;srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [2011-04-29 145920]
R3 swenum;Software Bus Driver; C:\Windows\system32\DRIVERS\swenum.sys [2006-11-02 13032]
R3 TDTCP;TDTCP; C:\Windows\system32\drivers\tdtcp.sys [2008-01-19 29696]
R3 tssecsrv;Terminal Services Security Filter Driver; C:\Windows\System32\DRIVERS\tssecsrv.sys [2013-06-15 29184]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\Windows\system32\DRIVERS\tunmp.sys [2008-01-19 18432]
R3 tunnel;Microsoft IPv6 Tunnel Miniport Adapter Driver; C:\Windows\system32\DRIVERS\tunnel.sys [2010-02-18 29696]
R3 umbus;UMBus Enumerator Driver; C:\Windows\system32\DRIVERS\umbus.sys [2008-01-19 41984]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\Windows\system32\DRIVERS\usbehci.sys [2011-05-05 49664]
R3 usbhub;USB2 Enabled Hub; C:\Windows\system32\DRIVERS\usbhub.sys [2013-06-28 274944]
R3 USBSTOR;USB Mass Storage Driver; C:\Windows\system32\DRIVERS\USBSTOR.SYS [2009-04-11 77824]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\Windows\system32\DRIVERS\usbuhci.sys [2011-05-05 29184]
R4 cdfs;CD/DVD File System Reader; C:\Windows\system32\DRIVERS\cdfs.sys [2008-01-19 90624]
S0 sacdrv;sacdrv; C:\Windows\system32\DRIVERS\sacdrv.sys [2009-04-14 103992]
S0 storflt;Disk VMBUS Acceleration Filter Driver; C:\Windows\system32\drivers\storflt.sys []
S3 agp440;Intel AGP Bus Filter; C:\Windows\system32\drivers\agp440.sys [2008-01-19 64568]
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60a.sys [2008-01-05 214016]
S3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver; C:\Windows\system32\drivers\brfiltlo.sys [2006-09-18 18432]
S3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver; C:\Windows\system32\drivers\brfiltup.sys [2006-09-18 8704]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\Windows\system32\drivers\brusbser.sys [2006-09-19 14720]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 6144]
S3 DXGKrnl;LDDM Graphics Subsystem; C:\Windows\System32\drivers\dxgkrnl.sys [2013-08-01 901568]
S3 exfat;exFAT File System Driver; C:\Windows\system32\drivers\exfat.sys [2009-04-11 187904]
S3 fastfat;FAT12/16/32 File System Driver; C:\Windows\system32\drivers\fastfat.sys [2009-04-11 198144]
S3 FileInfo;File Information FS MiniFilter; C:\Windows\system32\drivers\fileinfo.sys [2008-01-19 70200]
S3 Filetrace;FileTrace; C:\Windows\system32\drivers\filetrace.sys [2008-01-19 33280]
S3 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms; C:\Windows\system32\drivers\gagp30kx.sys [2008-01-19 68152]
S3 IpFilterDriver;@%systemroot%\system32\rascfg.dll,-32013; C:\Windows\system32\DRIVERS\ipfltdrv.sys [2009-04-11 67584]
S3 IPNAT;IP Network Address Translator; C:\Windows\System32\drivers\ipnat.sys [2008-01-19 115712]
S3 IRENUM;IR Bus Enumerator; C:\Windows\system32\drivers\irenum.sys [2008-01-19 17408]
S3 m4cxvst64;NDIS6.0 Miniport Driver for D-Link DGE-5xx Gigabit Ethernet Adapter; C:\Windows\system32\DRIVERS\m4cxvst64.sys [2009-02-19 392704]
S3 Modem;Modem; C:\Windows\system32\drivers\modem.sys [2008-01-19 40448]
S3 monitor;Microsoft Monitor Class Function Driver Service; C:\Windows\system32\DRIVERS\monitor.sys [2008-01-19 49152]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 11008]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 7040]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 6656]
S3 MsRPC;MsRPC; C:\Windows\system32\drivers\MsRPC.sys [2009-04-11 310760]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 7936]
S3 Ndisuio;NDIS Usermode I/O Protocol; C:\Windows\system32\DRIVERS\ndisuio.sys [2008-01-19 22016]
S3 nv_agp;NVIDIA nForce AGP Bus Filter; C:\Windows\system32\drivers\nv_agp.sys [2008-01-19 126520]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm60x64.sys [2006-10-09 742696]
S3 sffp_mmc;SFF Storage Protocol Driver for MMC; C:\Windows\system32\drivers\sffp_mmc.sys [2008-01-19 14336]
S3 sffp_sd;SFF Storage Protocol Driver for SDBus; C:\Windows\system32\drivers\sffp_sd.sys [2008-01-19 13824]
S3 Tcpip6;Microsoft IPv6 Protocol Driver; C:\Windows\system32\DRIVERS\tcpip.sys [2013-07-05 1423808]
S3 TDPIPE;TDPIPE; C:\Windows\system32\drivers\tdpipe.sys [2008-01-19 16384]
S3 uagp35;Microsoft AGPv3.5 Filter; C:\Windows\system32\drivers\uagp35.sys [2008-01-19 67128]
S3 uliagpkx;Uli AGP Bus Filter; C:\Windows\system32\drivers\uliagpkx.sys [2008-01-19 68152]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\Windows\system32\DRIVERS\usbccgp.sys [2013-06-28 95744]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 41984]
S3 vga;vga; C:\Windows\system32\DRIVERS\vgapnp.sys [2008-01-19 29184]
S3 Wanarp;@%systemroot%\system32\rascfg.dll,-32011; C:\Windows\system32\DRIVERS\wanarp.sys [2009-04-11 86528]
S3 WudfPf;@%SystemRoot%\system32\drivers\Wudfpf.sys,-1000; C:\Windows\system32\drivers\WudfPf.sys [2012-07-25 87040]
S4 adp94xx;adp94xx; C:\Windows\system32\drivers\adp94xx.sys [2008-01-19 486456]
S4 adpahci;adpahci; C:\Windows\system32\drivers\adpahci.sys [2008-01-19 342584]
S4 adpu160m;adpu160m; C:\Windows\system32\drivers\adpu160m.sys [2008-01-19 126520]
S4 adpu320;adpu320; C:\Windows\system32\drivers\adpu320.sys [2008-01-19 185912]
S4 aic78xx;aic78xx; C:\Windows\system32\drivers\djsvs.sys [2006-11-02 88168]
S4 aliide;aliide; C:\Windows\system32\drivers\aliide.sys [2006-11-02 15976]
S4 amdide;amdide; C:\Windows\system32\drivers\amdide.sys [2006-11-02 15976]
S4 AmdK8;AMD K8 Processor Driver; C:\Windows\system32\DRIVERS\amdk8.sys [2008-01-19 50688]
S4 arc;arc; C:\Windows\system32\drivers\arc.sys [2008-01-19 90680]
S4 arcsas;arcsas; C:\Windows\system32\drivers\arcsas.sys [2008-01-19 91192]
S4 b06bdrv;Broadcom NetXtreme II VBD; C:\Windows\system32\drivers\bxvbda.sys [2009-04-14 429568]
S4 Brserid;Brother MFC Serial Port Interface Driver (WDM); C:\Windows\system32\drivers\brserid.sys [2006-11-02 86528]
S4 BrSerWdm;Brother WDM Serial driver; C:\Windows\system32\drivers\brserwdm.sys [2006-09-18 47104]
S4 BrUsbMdm;Brother MFC USB Fax Only Modem; C:\Windows\system32\drivers\brusbmdm.sys [2006-09-18 14976]
S4 BTHMODEM;Bluetooth Serial Communications Driver; C:\Windows\system32\drivers\bthmodem.sys []
S4 circlass;Consumer IR Devices; C:\Windows\system32\drivers\circlass.sys [2008-01-19 41984]
S4 cmdide;cmdide; C:\Windows\system32\drivers\cmdide.sys [2006-11-02 18024]
S4 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2009-04-11 460800]
S4 elxstor;elxstor; C:\Windows\system32\drivers\elxstor.sys [2008-01-19 397368]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-19 8704]
S4 fdc;Floppy Disk Controller Driver; C:\Windows\system32\drivers\fdc.sys [2008-01-19 29696]
S4 flpydisk;Floppy Disk Driver; C:\Windows\system32\drivers\flpydisk.sys [2008-01-19 24576]
S4 HidBth;Microsoft Bluetooth HID Miniport; C:\Windows\system32\drivers\hidbth.sys [2008-01-19 34304]
S4 HidIr;Microsoft Infrared HID Driver; C:\Windows\system32\drivers\hidir.sys [2008-01-19 25600]
S4 HpCISSs;HpCISSs; C:\Windows\system32\drivers\hpcisss.sys [2008-01-19 47672]
S4 i2omp;i2omp; C:\Windows\system32\drivers\i2omp.sys [2008-01-19 35896]
S4 i8042prt;i8042 Keyboard and PS/2 Mouse Port Driver; C:\Windows\system32\DRIVERS\i8042prt.sys [2008-01-19 64000]
S4 iirsp;iirsp; C:\Windows\system32\drivers\iirsp.sys [2006-11-02 44648]
S4 intelide;intelide; C:\Windows\system32\drivers\intelide.sys [2008-01-19 19512]
S4 ioatdma;Intel(R) QuickData Technology Device; C:\Windows\system32\drivers\qd260x64.sys [2009-04-14 35328]
S4 IPMIDRV;IPMIDRV; C:\Windows\system32\drivers\ipmidrv.sys [2008-01-19 76288]
S4 isapnp;PnP ISA/EISA Bus Driver; C:\Windows\system32\drivers\isapnp.sys [2008-01-19 23608]
S4 iteatapi;ITEATAPI_Service_Install; C:\Windows\system32\drivers\iteatapi.sys [2006-11-02 37480]
S4 iteraid;ITERAID_Service_Install; C:\Windows\system32\drivers\iteraid.sys [2006-11-02 37480]
S4 LSI_FC;LSI_FC; C:\Windows\system32\drivers\lsi_fc.sys [2008-01-19 113720]
S4 LSI_SAS;LSI_SAS; C:\Windows\system32\drivers\lsi_sas.sys [2008-01-19 105016]
S4 LSI_SCSI;LSI_SCSI; C:\Windows\system32\drivers\lsi_scsi.sys [2008-01-19 113720]
S4 megasas;megasas; C:\Windows\system32\drivers\megasas.sys [2008-01-19 35896]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-19 438328]
S4 mpio;Microsoft Multi-Path Bus Driver; C:\Windows\system32\drivers\mpio.sys [2008-01-19 128056]
S4 Mraid35x;Mraid35x; C:\Windows\system32\drivers\mraid35x.sys [2006-11-02 39016]
S4 msdsm;Microsoft Multi-Path Device Specific Module; C:\Windows\system32\drivers\msdsm.sys [2008-01-19 113720]
S4 nfrd960;nfrd960; C:\Windows\system32\drivers\nfrd960.sys [2006-11-02 51816]
S4 nvraid;NVIDIA nForce RAID Driver   ; C:\Windows\system32\drivers\nvraid.sys [2008-01-19 128056]
S4 nvstor;nvstor; C:\Windows\system32\drivers\nvstor.sys [2008-01-19 54328]
S4 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\Windows\system32\DRIVERS\ohci1394.sys [2008-01-19 72192]
S4 Parport;Parallel port driver; C:\Windows\system32\drivers\parport.sys [2008-01-19 96768]
S4 pcmcia;pcmcia; C:\Windows\system32\drivers\pcmcia.sys [2008-01-19 217144]
S4 Processor;Processor Driver; C:\Windows\system32\drivers\processr.sys [2008-01-19 47104]
S4 ql2300;QLogic Fibre Channel Miniport Driver; C:\Windows\system32\drivers\ql2300.sys [2008-01-19 1221176]
S4 ql40xx;QLogic iSCSI Miniport Driver; C:\Windows\system32\drivers\ql40xx.sys [2006-11-02 124008]
S4 RsFx0103;RsFx0103 Driver; C:\Windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]
S4 s3cap;Microsoft Emulated S3 Device Cap Driver; C:\Windows\system32\drivers\s3cap.sys []
S4 sbp2port;SBP-2 Transport/Protocol Bus Driver; C:\Windows\system32\drivers\sbp2port.sys [2008-01-19 96312]
S4 sermouse;Serial Mouse Driver; C:\Windows\system32\drivers\sermouse.sys [2008-01-19 26624]
S4 sffdisk;SFF Storage Class Driver; C:\Windows\system32\drivers\sffdisk.sys [2008-01-19 14848]
S4 sfloppy;High-Capacity Floppy Disk Drive; C:\Windows\system32\drivers\sfloppy.sys [2008-01-19 16384]
S4 SiSRaid2;SiSRaid2; C:\Windows\system32\drivers\sisraid2.sys [2008-01-19 45624]
S4 SiSRaid4;SiSRaid4; C:\Windows\system32\drivers\sisraid4.sys [2008-01-19 78392]
S4 storvsc;storvsc; C:\Windows\system32\drivers\storvsc.sys [2009-04-14 35784]
S4 Sym_hi;Sym_hi; C:\Windows\system32\drivers\sym_hi.sys [2006-11-02 44648]
S4 Sym_u3;Sym_u3; C:\Windows\system32\drivers\sym_u3.sys [2006-11-02 48232]
S4 Symc8xx;Symc8xx; C:\Windows\system32\drivers\symc8xx.sys [2006-11-02 49256]
S4 udfs;udfs; C:\Windows\system32\DRIVERS\udfs.sys [2009-04-11 299008]
S4 uliahci;uliahci; C:\Windows\system32\drivers\uliahci.sys [2008-01-19 284728]
S4 UlSata;UlSata; C:\Windows\system32\drivers\ulsata.sys [2006-11-02 148072]
S4 ulsata2;ulsata2; C:\Windows\system32\drivers\ulsata2.sys [2006-11-02 174696]
S4 UMPass;Microsoft UMPass Driver; C:\Windows\system32\drivers\umpass.sys [2008-01-19 9728]
S4 usbcir;eHome Infrared Receiver (USBCIR); C:\Windows\system32\drivers\usbcir.sys [2008-01-19 79360]
S4 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\Windows\system32\DRIVERS\usbohci.sys [2008-01-19 24064]
S4 usbprint;Microsoft USB PRINTER Class; C:\Windows\system32\drivers\usbprint.sys [2008-01-19 24064]
S4 viaide;viaide; C:\Windows\system32\drivers\viaide.sys [2006-11-02 18024]
S4 vmbus;VMBus; C:\Windows\system32\drivers\vmbus.sys [2009-04-14 201672]
S4 vsmraid;vsmraid; C:\Windows\system32\drivers\vsmraid.sys [2008-01-19 149048]
S4 WacomPen;Wacom Serial Pen HID Driver; C:\Windows\system32\drivers\wacompen.sys [2008-01-19 26624]
S4 Wd;Microsoft Watchdog Timer Driver; C:\Windows\system32\drivers\wd.sys [2008-01-19 24120]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-19 14336]
S4 ws2ifsl;Winsock IFS driver; C:\Windows\system32\drivers\ws2ifsl.sys [2008-01-19 20992]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AeLookupSvc;@%SystemRoot%\system32\aelupsvc.dll,-1; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 AppHostSvc;@%windir%\system32\inetsrv\iisres.dll,-30011; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 BFE;@%SystemRoot%\system32\bfe.dll,-1001; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 BITS;@%SystemRoot%\system32\qmgr.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 CryptSvc;@%SystemRoot%\system32\cryptsvc.dll,-1001; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 DcomLaunch;@oleres.dll,-5012; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 Dfs;@%systemroot%\system32\dfssvc.exe,-101; C:\Windows\system32\dfssvc.exe [2009-04-11 326656]
R2 DFSR;@dfsrress.dll,-101; C:\Windows\system32\DFSRs.exe [2009-04-11 3672576]
R2 Dhcp;@%SystemRoot%\system32\dhcpcsvc.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 Dnscache;@%SystemRoot%\System32\dnsapi.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 DPS;@%systemroot%\system32\dps.dll,-500; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 ekrn;ESET Service; C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2011-01-12 810144]
R2 EventLog;@%SystemRoot%\system32\wevtsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 EventSystem;@comres.dll,-2450; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 FDResPub;@%systemroot%\system32\fdrespub.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 ftpsvc;@%windir%\system32\inetsrv\ftpres.dll,-30001; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 gpsvc;@gpapi.dll,-112; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 Groveler;@%systemroot%\system32\grovmsg.dll,-101; C:\Windows\system32\grovel.exe [2009-04-14 455248]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine; C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2014-02-26 2224976]
R2 hidserv;@%SystemRoot%\System32\hidserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 IISADMIN;@%windir%\system32\inetsrv\iisres.dll,-30007; C:\Windows\system32\inetsrv\inetinfo.exe [2009-04-14 15872]
R2 IKEEXT;@%SystemRoot%\system32\ikeext.dll,-501; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 iphlpsvc;@%SystemRoot%\system32\iphlpsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 KtmRm;@comres.dll,-2946; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 LanmanServer;@%systemroot%\system32\srvsvc.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 LanmanWorkstation;@%systemroot%\system32\wkssvc.dll,-100; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 lmhosts;@%SystemRoot%\system32\lmhsvc.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 LMIGuardianSvc;LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [2014-02-26 377616]
R2 MpsSvc;@%SystemRoot%\system32\FirewallAPI.dll,-23090; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 MSDTC;@comres.dll,-2797; C:\Windows\System32\msdtc.exe [2008-01-19 106496]
R2 MSFTPSVC;FTP Publishing Service; C:\Windows\system32\inetsrv\inetinfo.exe [2009-04-14 15872]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [2009-03-30 57617752]
R2 netprofm;@%SystemRoot%\system32\netprof.dll,-246; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 NfsClnt;@%windir%\system32\nfsrc.dll,-5001; C:\Windows\system32\nfsclnt.exe [2009-04-11 62976]
R2 NlaSvc;@%SystemRoot%\System32\nlasvc.dll,-1; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 nsi;@%SystemRoot%\system32\nsisvc.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 PlugPlay;@%SystemRoot%\system32\umpnpmgr.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 PolicyAgent;@%SystemRoot%\System32\polstore.dll,-5010; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 ProfSvc;@%systemroot%\system32\profsvc.dll,-300; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2013-12-02 45056]
R2 QuickBooksDB23;QuickBooksDB23; C:\PROGRA~2\Intuit\QuickBooks 2013\QBDBMgrN.exe [2013-03-11 679936]
R2 RemoteRegistry;@regsvc.dll,-1; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 RpcSs;@oleres.dll,-5010; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 SamSs;@%SystemRoot%\system32\samsrv.dll,-1; C:\Windows\system32\lsass.exe [2011-11-16 11264]
R2 Schedule;@%SystemRoot%\system32\schedsvc.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 seclogon;@%SystemRoot%\system32\seclogon.dll,-7001; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 SENS;@%SystemRoot%\system32\Sens.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 ShellHWDetection;@%SystemRoot%\System32\shsvcs.dll,-12288; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 slsvc;@%SystemRoot%\system32\SLsvc.exe,-101; C:\Windows\system32\SLsvc.exe [2009-04-11 2582016]
R2 Spooler;@%systemroot%\system32\spoolsv.exe,-1; C:\Windows\System32\spoolsv.exe [2010-08-17 273920]
R2 SQLBrowser;SQL Server Browser; c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2009-03-30 254808]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-07-10 157720]
R2 SrmSvc;@%windir%\system32\srm.dll,-3020; C:\Windows\system32\svchost -k srmsvcs []
R2 TermService;@%SystemRoot%\System32\termsrv.dll,-268; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 TrkWks;@%SystemRoot%\system32\trkwks.dll,-1; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 UxSms;@%SystemRoot%\system32\dwm.exe,-2000; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 W32Time;@%SystemRoot%\system32\w32time.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 WerSvc;@%SystemRoot%\System32\wersvc.dll,-100; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 Winmgmt;@%Systemroot%\system32\wbem\wmisvc.dll,-205; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R2 WinRM;@%Systemroot%\system32\wsmsvc.dll,-101; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R2 WSearch;@%systemroot%\system32\SearchIndexer.exe,-103; C:\Windows\system32\SearchIndexer.exe [2009-04-11 597504]
R2 wuauserv;Windows Update; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R3 CertPropSvc;@%SystemRoot%\System32\certprop.dll,-11; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R3 HDDSvc;HDD Information Service; C:\Program Files (x86)\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe [2012-11-26 484304]
R3 Netman;@%SystemRoot%\system32\netman.dll,-109; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R3 QuickBooksDB22;QuickBooksDB22; C:\PROGRA~2\Intuit\QuickBooks 2012\QBDBMgrN.exe [2011-08-19 679936]
R3 QuickBooksDB24;QuickBooksDB24; C:\PROGRA~2\Intuit\QuickBooks 2014\QBDBMgrN.exe [2013-12-02 679936]
R3 RasMan;@%Systemroot%\system32\rasmans.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R3 SessionEnv;@%SystemRoot%\System32\SessEnv.dll,-1026; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R3 SstpSvc;@%SystemRoot%\system32\sstpsvc.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R3 TapiSrv;@%SystemRoot%\system32\tapisrv.dll,-10100; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 27648]
R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2008-01-19 27648]
R3 WdiSystemHost;@%systemroot%\system32\wdi.dll,-500; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-09-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-09-11 124088]
S2 NfsService;@%windir%\system32\nfsrc.dll,-5007; C:\Windows\system32\nfssvc.exe [2009-04-11 31744]
S2 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S2 TBS;@%SystemRoot%\system32\tbssvc.dll,-100; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-06 250056]
S3 ALG;@%SystemRoot%\system32\Alg.exe,-112; C:\Windows\System32\alg.exe [2008-01-19 80896]
S3 Appinfo;@%systemroot%\system32\appinfo.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe [2013-09-11 51808]
S3 AudioEndpointBuilder;@%SystemRoot%\system32\audiosrv.dll,-204; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 AudioSrv;@%SystemRoot%\system32\audiosrv.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 clr_optimization_v2.0.50727_32;Microsoft .NET Framework NGEN v2.0.50727_X86; C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2009-03-30 66368]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-03-30 89920]
S3 COMSysApp;@comres.dll,-947; C:\Windows\system32\dllhost.exe [2006-11-02 8704]
S3 dot3svc;@%systemroot%\system32\dot3svc.dll,-1102; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 EapHost;@%systemroot%\system32\eapsvc.dll,-1; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [2011-01-12 42360]
S3 FCRegSvc;@%SystemRoot%\system32\FCRegSvc.dll,-5000; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 fdPHost;@%systemroot%\system32\fdPHost.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 FontCache3.0.0.0;@%SystemRoot%\system32\PresentationHost.exe,-3309; C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [2009-02-18 42840]
S3 hkmsvc;@%SystemRoot%\system32\kmsvc.dll,-6; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 idsvc;@%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8193; C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe [2009-02-18 857432]
S3 KeyIso;@keyiso.dll,-100; C:\Windows\system32\lsass.exe [2011-11-16 11264]
S3 lltdsvc;@%SystemRoot%\system32\lltdres.dll,-1; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 MMCSS;@%systemroot%\system32\mmcss.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 MSiSCSI;@%SystemRoot%\system32\iscsidsc.dll,-5000; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 msiserver;@%SystemRoot%\system32\msimsg.dll,-27; C:\Windows\system32\msiexec /V []
S3 napagent;@%SystemRoot%\system32\qagentrt.dll,-6; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 Netlogon;@%SystemRoot%\System32\netlogon.dll,-102; C:\Windows\system32\lsass.exe [2011-11-16 11264]
S3 NtFrs;@ntfrsres.dll,-130; C:\Windows\system32\ntfrs.exe [2009-04-11 1019392]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968]
S3 pla;@%systemroot%\system32\pla.dll,-500; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 ProtectedStorage;@%systemroot%\system32\psbase.dll,-300; C:\Windows\system32\lsass.exe [2011-11-16 11264]
S3 RasAuto;@%Systemroot%\system32\rasauto.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 RpcLocator;@%systemroot%\system32\Locator.exe,-2; C:\Windows\system32\locator.exe [2006-11-02 8704]
S3 RSoPProv;@gpapi.dll,-114; C:\Windows\system32\RSoPProv.exe [2009-04-11 91648]
S3 sacsvr;@%systemroot%\system32\sacsvr.dll,-500; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 SCardSvr;@%SystemRoot%\System32\SCardSvr.dll,-1; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 SCPolicySvc;@%SystemRoot%\System32\certprop.dll,-13; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 SLUINotify;@%SystemRoot%\system32\SLUINotify.dll,-103; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 SNMPTRAP;@%SystemRoot%\system32\snmptrap.exe,-3; C:\Windows\System32\snmptrap.exe [2006-11-02 14336]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S3 SrmReports;@%windir%\system32\srm.dll,-3022; C:\Windows\system32\srmhost.exe [2009-04-11 64512]
S3 swprv;@%SystemRoot%\System32\swprv.dll,-103; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 THREADORDER;@%systemroot%\system32\mmcss.dll,-102; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 TrustedInstaller;@%SystemRoot%\servicing\TrustedInstaller.exe,-100; C:\Windows\servicing\TrustedInstaller.exe [2009-04-11 42496]
S3 UI0Detect;@%SystemRoot%\system32\ui0detect.exe,-101; C:\Windows\system32\UI0Detect.exe [2008-01-19 40960]
S3 vds;@%SystemRoot%\system32\vds.exe,-100; C:\Windows\System32\vds.exe [2009-04-11 454656]
S3 VSS;@%systemroot%\system32\vssvc.exe,-102; C:\Windows\system32\vssvc.exe [2009-04-11 1433600]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2009-04-11 1149440]
S3 WcsPlugInService;@%SystemRoot%\system32\WcsPlugInService.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 WdiServiceHost;@%systemroot%\system32\wdi.dll,-502; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 Wecsvc;@%SystemRoot%\system32\wecsvc.dll,-200; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 wercplsupport;@%SystemRoot%\System32\wercplsupport.dll,-101; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S3 WinHttpAutoProxySvc;@%SystemRoot%\system32\winhttp.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 wmiApSrv;@%Systemroot%\system32\wbem\wmiapsrv.exe,-110; C:\Windows\system32\wbem\WmiApSrv.exe [2009-04-11 209920]
S3 WPDBusEnum;@%SystemRoot%\system32\wpdbusenum.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2013-09-11 1012344]
S3 wudfsvc;@%SystemRoot%\system32\wudfsvc.dll,-1000; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S4 Browser;@%systemroot%\system32\browser.dll,-100; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S4 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S4 IPBusEnum;@%systemroot%\system32\IPBusEnum.dll,-102; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S4 IsmServ;@%SystemRoot%\System32\ismserv.exe,-1; C:\Windows\System32\ismserv.exe [2009-04-14 59392]
S4 kdc;@%SystemRoot%\System32\kdcsvc.dll,-1; C:\Windows\System32\lsass.exe [2011-11-16 11264]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service; c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 61976]
S4 NetMsmqActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8195; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2013-09-11 139856]
S4 NetPipeActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8197; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2013-09-11 139856]
S4 NetTcpActivator;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8199; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2013-09-11 139856]
S4 NetTcpPortSharing;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\\ServiceModelInstallRC.dll,-8201; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe [2013-09-11 139856]
S4 NTDS;@%SystemRoot%\System32\ntdsmsg.dll,-1; C:\Windows\System32\lsass.exe [2011-11-16 11264]
S4 RemoteAccess;@%Systemroot%\system32\mprdim.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S4 SharedAccess;@%SystemRoot%\system32\ipnathlp.dll,-106; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S4 SSDPSRV;@%systemroot%\system32\ssdpsrv.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S4 SysMain;@%SystemRoot%\system32\sysmain.dll,-1000; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S4 Themes;@%SystemRoot%\System32\shsvcs.dll,-8192; C:\Windows\System32\svchost.exe [2008-01-19 27648]
S4 upnphost;@%systemroot%\system32\upnphost.dll,-213; C:\Windows\system32\svchost.exe [2008-01-19 27648]

-----------------EOF-----------------

 




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,603 posts
  • Gender:Male

Posted 24 March 2014 - 02:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/528037 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 aznspy256

aznspy256
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:NYC

Posted 24 March 2014 - 03:07 PM

Hi, I'm still having trouble with the computer. There is a malicious program on the computer that port scans my workstations on the network. I have ESET antivirus on and used multiple virus and malware scanners. I also can't use DDS because the OS is Windows Server 2008. I am still awaiting your response on this urgent matter. Thank you.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,419 posts
  • Gender:Male
  • Location:California

Posted 25 March 2014 - 11:42 AM

Greetings aznspy256 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Part of the extended delay in our response is because of the Operating System you are using. Generally speaking we do not have much experience with Server issues and not all of the tools we typically employ are compatible with Server 2008. I have canvassed our Malware Team to see if anyone is well versed in your system but unfortunately that is not the case. My first recommendation would be to try to find someone more knowledgeable with your operating system, even if it is from a paid source. I am willing to try to assist you but I will let you know up front I will be very conservative in my approach. We can try our best but I can't guarantee a resolution to your situation.

If you desire to continue please try to run this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 aznspy256

aznspy256
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:NYC

Posted 26 March 2014 - 11:29 AM

Hi Gary! My name is Nolan. Thanks for your help. I followed all your instructions and the logs are on the post in the respective order as you asked. 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Administrator (administrator) on SERVER300 on 26-03-2014 12:18:14
Running from C:\Users\Administrator\Downloads
Windows ® Storage Server 2008 Standard Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Microsoft Corporation) C:\Windows\system32\DFSRs.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
(Microsoft Corporation) C:\Windows\system32\inetsrv\inetinfo.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2013\QBDBMgrN.exe
(Microsoft Corporation) c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Windows\system32\grovel.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
(Microsoft Corporation) C:\Windows\system32\nfsclnt.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
(Microsoft Corporation) C:\Windows\system32\dfssvc.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Altrixsoft) C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe
(AltrixSoft (http://www.altrixsoft.com/)) C:\Program Files (x86)\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2012\QBDBMgrN.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgrN.exe
(Microsoft Corporation) C:\Windows\system32\srmhost.exe
(iAnywhere Solutions, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2014\dbextclr11.exe
(Google Inc.) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET Smart Security\egui.exe [2918656 2011-01-12] (ESET)
HKLM-x32\...\Run: [HDInspector.exe] - C:\Program Files (x86)\Hard Drive Inspector\HDInspector.exe [3167184 2012-12-05] (Altrixsoft)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [3814736 2014-02-26] (LogMeIn Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-2851493328-670454209-4171175932-1005\...\MountPoints2: {b2b80c22-4d4c-11de-b1b3-806e6f6e6963} - E:\setup.exe
HKU\S-1-5-21-2851493328-670454209-4171175932-500\...\MountPoints2: {b0e499bd-4d4f-11de-b581-ca67e005784d} - G:\LaunchU3.exe -a
HKU\S-1-5-21-2851493328-670454209-4171175932-500\...\MountPoints2: {b2b80c22-4d4c-11de-b1b3-806e6f6e6963} - E:\start.exe
HKU\S-1-5-21-2851493328-670454209-4171175932-500\...\MountPoints2: {c8a0851e-d30a-11df-9dbb-00219b230470} - G:\DriveNavi.exe
Lsa: [Notification Packages] scecli RASSFM
SecurityProviders: credssp.dll, pwdssp.dll
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/HardAdmin.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = 
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO-x32: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO-x32: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} -  No File
Handler-x32: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} -  No File
Tcpip\..\Interfaces\{0772F191-86F0-4D59-818C-3F19D74B4D2F}: [NameServer]192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dbhc3qwq.default
FF DefaultSearchEngine: Google
FF SelectedSearchEngine: Google
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_37 - C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.4 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Administrator\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Administrator\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npLegitCheckPlugin.dll (Microsoft Corporation)
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\dbhc3qwq.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2009-09-25]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-06-11]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010-10-20]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2011-03-11]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2012-06-04]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2012-06-04]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Users\Administrator\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Wallet) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-03]
 
==================== Services (Whitelisted) =================
 
R2 Dfs; C:\Windows\system32\dfssvc.exe [326656 2009-04-11] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [3672576 2009-04-11] (Microsoft Corporation)
S3 EhttpSrv; C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe [42360 2011-01-12] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [810144 2011-01-12] (ESET)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [26112 2009-04-14] (Microsoft Corporation)
R2 ftpsvc; C:\Windows\system32\inetsrv\ftpsvc.dll [418664 2009-03-04] (Microsoft Corporation)
R2 Groveler; C:\Windows\system32\grovel.exe [455248 2009-04-14] (Microsoft Corporation)
R3 HDDSvc; C:\Program Files (x86)\Common Files\AltrixSoft\HDDInfoService\HDDSvc.exe [484304 2012-11-26] (AltrixSoft (http://www.altrixsoft.com/))
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2009-04-14] (Microsoft Corporation)
S4 IsmServ; C:\Windows\System32\ismserv.exe [59392 2009-04-14] (Microsoft Corporation)
S4 kdc; C:\Windows\System32\lsass.exe [11264 2011-11-16] (Microsoft Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [377616 2014-02-26] (LogMeIn, Inc.)
R2 MSFTPSVC; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2009-04-14] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
R2 NfsClnt; C:\Windows\system32\nfsclnt.exe [62976 2009-04-11] (Microsoft Corporation)
S2 NfsService; C:\Windows\system32\nfssvc.exe [31744 2009-04-11] (Microsoft Corporation)
S4 NTDS; C:\Windows\System32\lsass.exe [11264 2011-11-16] (Microsoft Corporation)
S3 NtFrs; C:\Windows\system32\ntfrs.exe [1019392 2009-04-11] (Microsoft Corporation)
R3 QuickBooksDB22; C:\Program Files (x86)\Intuit\QuickBooks 2012\QBDBMgrN.exe [679936 2011-08-19] (Intuit, Inc.)
R2 QuickBooksDB23; C:\Program Files (x86)\Intuit\QuickBooks 2013\QBDBMgrN.exe [679936 2013-03-11] (Intuit, Inc.)
R3 QuickBooksDB24; C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-04-11] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-04-14] (Microsoft Corporation)
S3 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
R3 SrmReports; C:\Windows\system32\srmhost.exe [64512 2009-04-11] (Microsoft Corporation)
R2 SrmSvc; C:\Windows\system32\srmsvc.dll [3171328 2009-04-11] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [427008 2010-04-21] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
R0 Datascrn; C:\Windows\System32\drivers\datascrn.sys [80856 2009-04-11] (Microsoft Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [45112 2009-04-14] (Microsoft Corporation)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [170640 2010-12-21] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [141264 2010-12-21] (ESET)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [170640 2010-12-21] (ESET)
R3 Epfwndis; C:\Windows\System32\DRIVERS\Epfwndis.sys [34144 2010-12-21] (ESET)
R2 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [50624 2010-12-21] (ESET)
S4 ioatdma; C:\Windows\system32\drivers\qd260x64.sys [35328 2009-04-14] (Intel Corporation)
S3 m4cxvst64; C:\Windows\System32\DRIVERS\m4cxvst64.sys [392704 2009-02-19] (Marvell)
R0 MiniSIS; C:\Windows\System32\drivers\sisss.sys [143936 2009-04-14] (Microsoft Corporation)
R3 msnfsflt; C:\Windows\System32\drivers\msnfsflt.sys [30208 2009-04-11] (Microsoft Corporation)
R3 NfsRdr; C:\Windows\System32\drivers\nfsrdr.sys [252416 2009-04-11] (Microsoft Corporation)
R3 NfsServer; C:\Windows\System32\drivers\nfssvr.sys [646144 2009-04-11] (Microsoft Corporation)
S3 NVENETFD; C:\Windows\System32\DRIVERS\nvm60x64.sys [742696 2006-10-09] (NVIDIA Corporation)
R3 Portmap; C:\Windows\System32\drivers\portmap.sys [56832 2009-04-14] (Microsoft Corporation)
R0 Quota; C:\Windows\System32\drivers\quota.sys [162280 2009-04-11] (Microsoft Corporation)
R3 RpcXdr; C:\Windows\System32\drivers\rpcxdr.sys [89600 2009-04-11] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [103992 2009-04-14] (Microsoft Corporation)
S4 BTHMODEM; \SystemRoot\system32\drivers\bthmodem.sys [X]
S4 s3cap; \SystemRoot\system32\drivers\s3cap.sys [X]
S0 storflt; system32\drivers\storflt.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created Files and Folders ========
 
2014-03-26 12:18 - 2014-03-26 12:18 - 00013039 _____ () C:\Users\Administrator\Downloads\FRST.txt
2014-03-26 12:17 - 2014-03-26 12:18 - 00000000 ____D () C:\FRST
2014-03-26 12:17 - 2014-03-26 12:17 - 02157056 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2014-03-24 15:27 - 2014-03-24 15:27 - 02925760 _____ (Sysinternals - www.sysinternals.com) C:\Users\Administrator\Downloads\procexp.exe
2014-03-19 15:23 - 2014-03-24 15:58 - 00000000 ____D () C:\Program Files\trend micro
2014-03-19 15:23 - 2014-03-19 15:23 - 00000000 ____D () C:\rsit
2014-03-19 15:22 - 2014-03-19 15:22 - 00935175 _____ () C:\Users\Administrator\Downloads\RSITx64.exe
2014-03-19 15:01 - 2014-03-19 15:01 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds (2).com
2014-03-19 14:53 - 2014-03-19 14:53 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds.com
2014-03-19 14:53 - 2014-03-19 14:53 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds (1).com
2014-03-19 11:50 - 2014-03-19 11:50 - 00550371 _____ () C:\Users\Administrator\Downloads\Autoruns (1).zip
2014-03-19 11:50 - 2014-03-19 11:50 - 00000000 ____D () C:\Users\Administrator\Desktop\autorun
2014-03-16 22:06 - 2014-03-16 22:06 - 00550371 _____ () C:\Users\Administrator\Downloads\Autoruns.zip
2014-03-16 20:10 - 2014-03-16 20:10 - 00291606 _____ () C:\Users\Administrator\Downloads\TCPView.zip
2014-03-14 22:11 - 2014-03-14 22:11 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Brother
2014-03-14 21:52 - 2014-03-14 21:52 - 08404992 _____ () C:\Windows\system32\ntds.dit
2014-03-14 21:50 - 2012-07-11 12:05 - 00221184 _____ (Brother Industries, Ltd.) C:\Windows\system32\BRCOMB1A.DLL
2014-03-14 21:50 - 2010-11-17 04:28 - 00107888 _____ (Brother Industries Ltd) C:\Windows\SysWOW64\BRRBTOOL.EXE
2014-03-14 21:50 - 2010-02-04 22:42 - 00180224 _____ (Brother Industries, Ltd.) C:\Windows\SysWOW64\BROSNMP.DLL
2014-03-14 21:50 - 1999-10-26 12:00 - 00000050 _____ () C:\Windows\system32\BRADM11A.DAT
2014-03-14 21:48 - 2014-03-14 21:48 - 15647979 _____ (A.I.SOFT,INC.) C:\Users\Administrator\Downloads\Y11E_C1-hostm-64-D1.EXE
2014-03-14 21:17 - 2014-03-14 22:15 - 00000426 _____ () C:\Windows\BRWMARK.INI
2014-03-14 21:17 - 2014-03-14 21:17 - 00000000 ____D () C:\ProgramData\Brother
2014-03-14 21:16 - 2012-06-05 02:59 - 00025299 _____ (Brother Industries, Ltd) C:\Windows\SysWOW64\BRLM03A.DLL
2014-03-14 21:16 - 2005-01-17 03:10 - 00045056 _____ () C:\Windows\SysWOW64\BRTCPCON.DLL
2014-03-14 21:16 - 2004-08-09 03:00 - 00000114 _____ () C:\Windows\SysWOW64\BRLMW03A.INI
2014-03-14 21:16 - 2004-08-09 02:42 - 00077824 _____ (Brother Industries, Ltd.) C:\Windows\SysWOW64\BRLMW03A.DLL
2014-03-14 21:16 - 1999-10-26 12:00 - 00000050 _____ () C:\Windows\system32\BRADM08A.DAT
2014-03-14 20:39 - 2014-03-14 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\TightVNC
2014-03-14 20:32 - 2014-03-14 20:32 - 02367488 _____ () C:\Users\Administrator\Downloads\tightvnc-2.7.10-setup-64bit.msi
2014-03-14 20:30 - 2014-03-14 20:30 - 26437344 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\Windows-KB890830-x64-V5.10.exe
2014-03-14 20:02 - 2014-03-14 20:02 - 00370943 _____ () C:\Users\Administrator\Downloads\gmer.zip
2014-03-14 20:00 - 2014-03-14 20:02 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool (2).exe
2014-03-14 20:00 - 2014-03-14 20:02 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool (1).exe
2014-03-14 19:58 - 2014-03-14 19:59 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool.exe
2014-03-14 19:57 - 2014-03-14 19:58 - 14839344 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\RootkitBusterV5.0-1171x64.exe
2014-03-14 19:54 - 2014-03-14 19:54 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-14 19:32 - 2014-03-14 19:32 - 00066913 _____ () C:\Users\Administrator\Desktop\bluescreenview.zip
2014-03-14 19:28 - 2014-03-14 19:28 - 00509264 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\winsdk_web (1).exe
2014-03-14 19:20 - 2014-03-14 19:20 - 00509264 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\winsdk_web.exe
2014-03-14 19:13 - 2014-03-14 19:13 - 00270584 _____ () C:\Windows\Minidump\Mini031414-08.dmp
2014-03-14 19:09 - 2014-03-14 19:09 - 00270584 _____ () C:\Windows\Minidump\Mini031414-07.dmp
2014-03-14 18:57 - 2014-03-14 18:57 - 00301778 _____ () C:\Users\Administrator\Documents\cc_20140314_185732.reg
2014-03-14 18:56 - 2014-03-14 18:56 - 04765152 _____ (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup411.exe
2014-03-14 18:56 - 2014-03-14 18:56 - 04765152 _____ (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup411 (1).exe
2014-03-14 18:56 - 2014-03-14 18:56 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-14 18:44 - 2014-03-14 18:44 - 02683840 _____ (www.PerfectUninstaller.com ) C:\Users\Administrator\Downloads\PerfectUninstaller_Setup.exe
2014-03-14 18:40 - 2014-03-14 18:40 - 00270584 _____ () C:\Windows\Minidump\Mini031414-06.dmp
2014-03-14 18:35 - 2014-03-14 18:35 - 00270584 _____ () C:\Windows\Minidump\Mini031414-05.dmp
2014-03-14 18:30 - 2014-03-14 18:30 - 00270584 _____ () C:\Windows\Minidump\Mini031414-04.dmp
2014-03-14 18:13 - 2014-03-14 18:13 - 00274712 _____ () C:\Windows\Minidump\Mini031414-03.dmp
2014-03-14 18:07 - 2014-03-14 19:23 - 00000000 ____D () C:\Windows\pss
2014-03-14 18:02 - 2014-03-14 20:18 - 00000000 ____D () C:\Users\Administrator\Desktop\mbar
2014-03-14 18:02 - 2014-03-14 20:18 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-14 18:02 - 2014-03-14 19:55 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-03-14 18:00 - 2014-03-14 18:00 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Administrator\Desktop\mbar-1.07.0.1009.exe
2014-03-14 18:00 - 2014-03-14 18:00 - 11424328 _____ (Bitdefender LLC) C:\Users\Administrator\Desktop\BootkitRemoval_x64.exe
2014-03-14 17:57 - 2014-03-14 17:58 - 00278808 _____ () C:\Windows\Minidump\Mini031414-02.dmp
2014-03-14 17:51 - 2014-03-14 19:54 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-14 17:46 - 2014-03-14 17:47 - 00270584 _____ () C:\Windows\Minidump\Mini031414-01.dmp
2014-03-14 17:27 - 2014-03-14 17:27 - 00001995 _____ () C:\Users\Public\Desktop\Sharpdesk.lnk
2014-03-14 17:26 - 2014-03-14 17:29 - 00000000 ____D () C:\ProgramData\Sharp
2014-03-12 19:31 - 2014-03-12 19:31 - 01000741 _____ () C:\Users\Administrator\Downloads\NST3.3-Update-100303 (1).zip
2014-03-12 19:30 - 2014-03-12 19:30 - 01000741 _____ () C:\Users\Administrator\Downloads\NST3.3-Update-100303.zip
2014-03-12 17:23 - 2014-03-12 17:23 - 00000000 ____D () C:\Users\Administrator\Desktop\Sharpdesk32
2014-03-12 11:32 - 2014-03-12 11:32 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Administrator\Desktop\tdsskiller.exe
2014-03-12 11:24 - 2014-03-12 11:24 - 00000079 _____ () C:\Users\Administrator\Desktop\Pid.txt
2014-03-10 14:27 - 2014-03-10 14:28 - 00270584 _____ () C:\Windows\Minidump\Mini031014-03.dmp
2014-03-10 13:17 - 2014-03-10 13:17 - 00270584 _____ () C:\Windows\Minidump\Mini031014-02.dmp
2014-03-10 13:13 - 2014-03-10 13:13 - 00270584 _____ () C:\Windows\Minidump\Mini031014-01.dmp
2014-03-07 19:48 - 2014-03-07 19:48 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes
2014-03-07 19:46 - 2014-03-07 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-07 19:46 - 2014-03-07 19:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-07 18:52 - 2014-03-07 18:53 - 00000000 ____D () C:\Users\Administrator\Desktop\al
2014-03-07 13:50 - 2014-03-08 01:06 - 130119149 _____ () C:\Users\Administrator\Desktop\Sharpdesk32.zip
2014-03-07 13:18 - 2014-03-07 13:18 - 00391462 _____ () C:\Users\Administrator\AppData\Roaming\fontlst2.opf
2014-03-07 13:18 - 2014-03-07 13:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Sharpdesk
2014-03-07 13:13 - 2014-03-14 17:27 - 00000000 ____D () C:\ProgramData\Sharpdesk
2014-03-05 10:18 - 2014-03-05 10:18 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-02-28 12:35 - 1998-10-29 16:45 - 00306688 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2014-02-26 13:50 - 2014-02-26 13:53 - 119081568 _____ (Sanford, L.P.) C:\Users\Administrator\Downloads\DLS8Setup.8.5.1.exe
 
==================== One Month Modified Files and Folders =======
 
2014-03-26 12:18 - 2014-03-26 12:18 - 00013039 _____ () C:\Users\Administrator\Downloads\FRST.txt
2014-03-26 12:18 - 2014-03-26 12:17 - 00000000 ____D () C:\FRST
2014-03-26 12:17 - 2014-03-26 12:17 - 02157056 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2014-03-26 12:17 - 2011-03-11 17:48 - 00000940 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500UA.job
2014-03-26 12:15 - 2013-05-06 11:45 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-26 10:41 - 2009-04-14 08:54 - 00005264 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-26 10:41 - 2009-04-14 08:54 - 00005264 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-26 05:17 - 2011-03-11 17:48 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500Core.job
2014-03-26 03:00 - 2008-01-19 06:11 - 00000000 ____D () C:\Windows\system32\inetsrv
2014-03-25 22:48 - 2009-04-14 08:59 - 01430494 _____ () C:\Windows\WindowsUpdate.log
2014-03-25 06:02 - 2009-11-19 13:55 - 00000000 ____D () C:\Users\Administrator\AppData\Local\LogMeIn Hamachi
2014-03-24 15:58 - 2014-03-19 15:23 - 00000000 ____D () C:\Program Files\trend micro
2014-03-24 15:27 - 2014-03-24 15:27 - 02925760 _____ (Sysinternals - www.sysinternals.com) C:\Users\Administrator\Downloads\procexp.exe
2014-03-19 15:23 - 2014-03-19 15:23 - 00000000 ____D () C:\rsit
2014-03-19 15:22 - 2014-03-19 15:22 - 00935175 _____ () C:\Users\Administrator\Downloads\RSITx64.exe
2014-03-19 15:01 - 2014-03-19 15:01 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds (2).com
2014-03-19 14:53 - 2014-03-19 14:53 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds.com
2014-03-19 14:53 - 2014-03-19 14:53 - 00688992 _____ (Swearware) C:\Users\Administrator\Downloads\dds (1).com
2014-03-19 11:50 - 2014-03-19 11:50 - 00550371 _____ () C:\Users\Administrator\Downloads\Autoruns (1).zip
2014-03-19 11:50 - 2014-03-19 11:50 - 00000000 ____D () C:\Users\Administrator\Desktop\autorun
2014-03-19 11:09 - 2009-05-30 13:08 - 00024505 _____ () C:\Users\Administrator\volshext.log
2014-03-16 22:41 - 2009-05-30 15:23 - 00000732 _____ () C:\Users\Administrator\AppData\Local\d3d9caps64.dat
2014-03-16 22:40 - 2009-04-14 09:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-16 22:37 - 2009-04-14 09:08 - 00032540 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-16 22:31 - 2008-01-19 06:11 - 00000000 ____D () C:\Windows\rescache
2014-03-16 22:20 - 2009-05-30 15:23 - 00000000 ____D () C:\Windows\system32\ServerManager
2014-03-16 22:06 - 2014-03-16 22:06 - 00550371 _____ () C:\Users\Administrator\Downloads\Autoruns.zip
2014-03-16 20:10 - 2014-03-16 20:10 - 00291606 _____ () C:\Users\Administrator\Downloads\TCPView.zip
2014-03-16 20:07 - 2008-01-19 05:41 - 01052430 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-15 17:21 - 2011-03-11 17:51 - 00001962 _____ () C:\Users\Administrator\Desktop\Google Chrome.lnk
2014-03-14 22:15 - 2014-03-14 21:17 - 00000426 _____ () C:\Windows\BRWMARK.INI
2014-03-14 22:11 - 2014-03-14 22:11 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Brother
2014-03-14 21:52 - 2014-03-14 21:52 - 08404992 _____ () C:\Windows\system32\ntds.dit
2014-03-14 21:51 - 2009-05-30 15:23 - 00000000 ____D () C:\Users\Administrator
2014-03-14 21:48 - 2014-03-14 21:48 - 15647979 _____ (A.I.SOFT,INC.) C:\Users\Administrator\Downloads\Y11E_C1-hostm-64-D1.EXE
2014-03-14 21:28 - 2009-04-14 08:54 - 00252216 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-14 21:17 - 2014-03-14 21:17 - 00000000 ____D () C:\ProgramData\Brother
2014-03-14 20:39 - 2014-03-14 20:39 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\TightVNC
2014-03-14 20:32 - 2014-03-14 20:32 - 02367488 _____ () C:\Users\Administrator\Downloads\tightvnc-2.7.10-setup-64bit.msi
2014-03-14 20:30 - 2014-03-14 20:30 - 26437344 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\Windows-KB890830-x64-V5.10.exe
2014-03-14 20:18 - 2014-03-14 18:02 - 00000000 ____D () C:\Users\Administrator\Desktop\mbar
2014-03-14 20:18 - 2014-03-14 18:02 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-03-14 20:02 - 2014-03-14 20:02 - 00370943 _____ () C:\Users\Administrator\Downloads\gmer.zip
2014-03-14 20:02 - 2014-03-14 20:00 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool (2).exe
2014-03-14 20:02 - 2014-03-14 20:00 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool (1).exe
2014-03-14 19:59 - 2014-03-14 19:58 - 86089088 _____ (Sophos Limited) C:\Users\Administrator\Downloads\Sophos Virus Removal Tool.exe
2014-03-14 19:58 - 2014-03-14 19:57 - 14839344 _____ (Trend Micro Inc.) C:\Users\Administrator\Downloads\RootkitBusterV5.0-1171x64.exe
2014-03-14 19:55 - 2014-03-14 18:02 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-03-14 19:54 - 2014-03-14 19:54 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-14 19:54 - 2014-03-14 17:51 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-03-14 19:32 - 2014-03-14 19:32 - 00066913 _____ () C:\Users\Administrator\Desktop\bluescreenview.zip
2014-03-14 19:28 - 2014-03-14 19:28 - 00509264 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\winsdk_web (1).exe
2014-03-14 19:23 - 2014-03-14 18:07 - 00000000 ____D () C:\Windows\pss
2014-03-14 19:20 - 2014-03-14 19:20 - 00509264 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\winsdk_web.exe
2014-03-14 19:13 - 2014-03-14 19:13 - 00270584 _____ () C:\Windows\Minidump\Mini031414-08.dmp
2014-03-14 19:13 - 2009-05-30 04:29 - 362742006 _____ () C:\Windows\MEMORY.DMP
2014-03-14 19:13 - 2009-05-30 04:29 - 00000000 ____D () C:\Windows\Minidump
2014-03-14 19:09 - 2014-03-14 19:09 - 00270584 _____ () C:\Windows\Minidump\Mini031414-07.dmp
2014-03-14 18:57 - 2014-03-14 18:57 - 00301778 _____ () C:\Users\Administrator\Documents\cc_20140314_185732.reg
2014-03-14 18:56 - 2014-03-14 18:56 - 04765152 _____ (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup411.exe
2014-03-14 18:56 - 2014-03-14 18:56 - 04765152 _____ (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup411 (1).exe
2014-03-14 18:56 - 2014-03-14 18:56 - 00000000 ____D () C:\Program Files\CCleaner
2014-03-14 18:44 - 2014-03-14 18:44 - 02683840 _____ (www.PerfectUninstaller.com ) C:\Users\Administrator\Downloads\PerfectUninstaller_Setup.exe
2014-03-14 18:40 - 2014-03-14 18:40 - 00270584 _____ () C:\Windows\Minidump\Mini031414-06.dmp
2014-03-14 18:35 - 2014-03-14 18:35 - 00270584 _____ () C:\Windows\Minidump\Mini031414-05.dmp
2014-03-14 18:30 - 2014-03-14 18:30 - 00270584 _____ () C:\Windows\Minidump\Mini031414-04.dmp
2014-03-14 18:13 - 2014-03-14 18:13 - 00274712 _____ () C:\Windows\Minidump\Mini031414-03.dmp
2014-03-14 18:07 - 2009-05-30 15:27 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-14 18:00 - 2014-03-14 18:00 - 12589848 _____ (Malwarebytes Corp.) C:\Users\Administrator\Desktop\mbar-1.07.0.1009.exe
2014-03-14 18:00 - 2014-03-14 18:00 - 11424328 _____ (Bitdefender LLC) C:\Users\Administrator\Desktop\BootkitRemoval_x64.exe
2014-03-14 17:58 - 2014-03-14 17:57 - 00278808 _____ () C:\Windows\Minidump\Mini031414-02.dmp
2014-03-14 17:47 - 2014-03-14 17:46 - 00270584 _____ () C:\Windows\Minidump\Mini031414-01.dmp
2014-03-14 17:29 - 2014-03-14 17:26 - 00000000 ____D () C:\ProgramData\Sharp
2014-03-14 17:29 - 2009-05-30 15:49 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-03-14 17:27 - 2014-03-14 17:27 - 00001995 _____ () C:\Users\Public\Desktop\Sharpdesk.lnk
2014-03-14 17:27 - 2014-03-07 13:13 - 00000000 ____D () C:\ProgramData\Sharpdesk
2014-03-14 17:26 - 2008-01-19 06:11 - 00000000 ____D () C:\Windows\Resources
2014-03-14 17:26 - 2008-01-19 06:11 - 00000000 ____D () C:\Windows\Help
2014-03-12 19:31 - 2014-03-12 19:31 - 01000741 _____ () C:\Users\Administrator\Downloads\NST3.3-Update-100303 (1).zip
2014-03-12 19:30 - 2014-03-12 19:30 - 01000741 _____ () C:\Users\Administrator\Downloads\NST3.3-Update-100303.zip
2014-03-12 17:23 - 2014-03-12 17:23 - 00000000 ____D () C:\Users\Administrator\Desktop\Sharpdesk32
2014-03-12 11:32 - 2014-03-12 11:32 - 04130656 _____ (Kaspersky Lab ZAO) C:\Users\Administrator\Desktop\tdsskiller.exe
2014-03-12 11:24 - 2014-03-12 11:24 - 00000079 _____ () C:\Users\Administrator\Desktop\Pid.txt
2014-03-10 14:28 - 2014-03-10 14:27 - 00270584 _____ () C:\Windows\Minidump\Mini031014-03.dmp
2014-03-10 13:17 - 2014-03-10 13:17 - 00270584 _____ () C:\Windows\Minidump\Mini031014-02.dmp
2014-03-10 13:16 - 2009-06-11 12:23 - 00212690 _____ () C:\Windows\PFRO.log
2014-03-10 13:13 - 2014-03-10 13:13 - 00270584 _____ () C:\Windows\Minidump\Mini031014-01.dmp
2014-03-08 01:06 - 2014-03-07 13:50 - 130119149 _____ () C:\Users\Administrator\Desktop\Sharpdesk32.zip
2014-03-07 19:48 - 2014-03-07 19:48 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Malwarebytes
2014-03-07 19:46 - 2014-03-07 19:46 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Administrator\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-07 19:46 - 2014-03-07 19:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-07 18:53 - 2014-03-07 18:52 - 00000000 ____D () C:\Users\Administrator\Desktop\al
2014-03-07 13:18 - 2014-03-07 13:18 - 00391462 _____ () C:\Users\Administrator\AppData\Roaming\fontlst2.opf
2014-03-07 13:18 - 2014-03-07 13:18 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Sharpdesk
2014-03-07 13:13 - 2014-01-24 13:58 - 00000000 ____D () C:\Users\QBDataServiceUser24
2014-03-07 13:13 - 2012-03-26 11:10 - 00000000 ____D () C:\Users\QBDataServiceUser22
2014-03-05 10:18 - 2014-03-05 10:18 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-03-02 14:05 - 2008-01-19 05:33 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-02-28 12:40 - 2009-06-01 22:41 - 00000000 ____D () C:\ProgramData\InstallShield
2014-02-26 13:53 - 2014-02-26 13:50 - 119081568 _____ (Sanford, L.P.) C:\Users\Administrator\Downloads\DLS8Setup.8.5.1.exe
 
Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\Administrator\AppData\Local\Temp\Inputps.exe
C:\Users\Administrator\AppData\Local\Temp\InstallAX.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0029.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0032.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0051.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0059.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.18.0011.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0023.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0027.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0032.exe
C:\Users\Administrator\AppData\Local\Temp\{91DF8231-050A-4B9D-8778-2D9468AAE4BD}.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-26 12:01
 
==================== End Of Log ============================
 
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Administrator at 2014-03-26 12:19:17
Running from C:\Users\Administrator\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
 
==================== Installed Programs ======================
 
Adobe Flash Player 10 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 10.1.102.64 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\{98616875-CF30-4BE5-AAED-36EF4AC6EE27}) (Version: 11.3.300.268 - Adobe Systems Incorporated)
Brother BRAdmin Light 1.08 (HKLM-x32\...\{DB75941E-30C4-4D97-B000-D17C764B998C}) (Version: 1.08 - Brother)
CamStudio (HKLM-x32\...\CamStudio) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.11 - Piriform)
Dell Resource CD (HKLM-x32\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.00.0000 - Dell Inc.)
ESET Smart Security (HKLM\...\{C0D93E4E-0866-43C8-A104-BF41A803EA84}) (Version: 4.2.71.2 - ESET, spol. s r.o.)
FTP Service 7.5 for IIS 7.0 (HKLM\...\{36599245-6895-4CB9-8108-516E25EC5DC0}) (Version: 7.5.7055.14307 - Microsoft Corporation)
Gigabit USB Adapter (HKLM-x32\...\{3A092261-FD2E-41D2-8684-882E52E96B93}) (Version:  - )
GlobeDB (HKLM-x32\...\{AB8BECAE-E212-4BB5-96DF-0A9023D110C5}) (Version: 1.1.3 - RJB)
GlobeDB (HKLM-x32\...\{BC4CBB42-5A3D-4C24-8039-D5F5A7EF4B04}) (Version: 1.1.1 - RJB)
Google Chrome (HKCU\...\Google Chrome) (Version: 33.0.1750.154 - Google Inc.)
Hard Drive Inspector Professional 4.1 build # 145 (HKLM-x32\...\Hard Drive Inspector) (Version: 4.1.145 - AltrixSoft)
LogMeIn Hamachi (HKLM-x32\...\LogMeIn Hamachi) (Version: 2.2.0.173 - LogMeIn, Inc.)
LogMeIn Hamachi (x32 Version: 2.2.0.173 - LogMeIn, Inc.) Hidden
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.6506.0 - Microsoft Corporation)
Microsoft SQL Server 2008 (64-bit) (HKLM\...\Microsoft SQL Server 10 Release) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 (64-bit) (Version:  - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Browser (HKLM-x32\...\{C688457E-03FD-4941-923B-A27F4D42A7DD}) (Version: 10.1.2531.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Common Files (Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Common Files (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Database Engine Services (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Database Engine Shared (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Management Studio (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Native Client (HKLM\...\{BBDE8A3D-64A2-43A6-95F3-C27B87DF7AC1}) (Version: 10.1.2531.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Policies (HKLM-x32\...\{01C5A10F-AD9B-405B-853A-6659841A1242}) (Version: 10.1.2531.0 - Microsoft Corporation)
Microsoft SQL Server 2008 RsFx Driver (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{59D3F691-179D-4E52-832C-D22B81541AC5}) (Version: 10.1.2531.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 English (HKLM-x32\...\{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 Query Tools English (HKLM-x32\...\{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{0826F9E4-787E-481D-83E0-BC6A57B056D5}) (Version: 10.1.2531.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM-x32\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
OpenOffice.org 3.2 (HKLM-x32\...\{6ADD0603-16EF-400D-9F9E-486432835002}) (Version: 3.2.9483 - OpenOffice.org)
Orb Runtime libraries (x32 Version: 1.0.0 - Orb Networks, Inc.) Hidden
QuickBooks (x32 Version: 22.0.4001.2206 - Intuit Inc.) Hidden
QuickBooks (x32 Version: 23.0.4006.2305 - Intuit Inc.) Hidden
QuickBooks (x32 Version: 24.0.4004.2403 - Intuit Inc.) Hidden
QuickBooks Runtime Redistributable (HKLM\...\{F2A4F809-2DE6-4D27-888B-4D2BB8DAF20E}) (Version: 1.00.0000 - Intuit Inc.)
QuickBooks Server 2012 (HKLM-x32\...\{230EF993-9932-4650-B7BF-E9455695BEAB}) (Version: 22.0.4001.2206 - Intuit Inc.)
QuickBooks Server 2013 (HKLM-x32\...\{354A9F6D-8652-466A-9B2E-C0F9EC2F43A0}) (Version: 23.0.4006.2305 - Intuit Inc.)
QuickBooks Server 2014 (HKLM-x32\...\{4644FF98-5DE5-4F4B-8F4D-B2C7A5528F6C}) (Version: 24.0.4004.2403 - Intuit Inc.)
Realtek 8169 8168 8101E 8102E Ethernet Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0001 - Realtek)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit) (HKLM\...\KB968369) (Version: 10.1.2531.0 - Microsoft Corporation)
Sharpdesk (HKLM-x32\...\InstallShield_{0AEF384B-610F-4309-8DA3-91834FE4E80E}) (Version: 3.2 - SHARP CORPORATION)
Sharpdesk (x32 Version: 3.2 - SHARP CORPORATION) Hidden
Sql Server Customer Experience Improvement Program (Version: 10.1.2531.0 - Microsoft Corporation) Hidden
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM-x32\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
VLC media player 2.0.4 (HKLM-x32\...\VLC media player) (Version: 2.0.4 - VideoLAN)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
WinZip 12.1 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}) (Version: 12.1.8497 - WinZip Computing, S.L. )
 
==================== Restore Points  =========================
 
Could not list Restore Points. Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ==========================
 
2008-01-19 05:33 - 2006-09-18 17:37 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {0484581A-FBB9-4616-8204-5306059B8096} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2009-04-11] (Microsoft Corporation)
Task: {11084FFF-6F0B-429E-B47F-604CC976420A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500UA => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-11] (Google Inc.)
Task: {47576398-8469-4C39-8AEC-3DFAAE4B5CD4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500Core => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-11] (Google Inc.)
Task: {5A4BBED4-94FB-45AC-B1C6-1C12D81DB9C8} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {62AA1A7B-F5E1-44BE-B2BB-E3972313603A} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {72BCD934-1B46-492B-8FD3-CBD0628A3C01} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-06] (Adobe Systems Incorporated)
Task: {98545392-4EA4-40D1-9BCD-4A0D406F7876} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {9FC916D0-35A5-4A23-B130-BA9E53D8E2ED} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2009-04-11] (Microsoft Corporation)
Task: {A2B466AB-BAB3-4056-85EE-2678F45B5D99} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => Rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries
Task: {B012C1D9-B871-424E-A19C-9C55890B6AA4} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-04-14] (Microsoft Corporation)
Task: {C773487D-B02D-4681-AF3C-12F50467490B} - System32\Tasks\Microsoft\Windows\Backup\Microsoft-Windows-WindowsBackup => C:\Windows\System32\wbadmin.exe [2009-04-14] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500Core.job => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2851493328-670454209-4171175932-500UA.job => C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2009-08-12 10:13 - 2009-08-11 22:55 - 00166400 _____ () C:\Program Files\WinRAR\rarext.dll
2014-03-15 17:21 - 2014-03-14 20:50 - 00051016 _____ () C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\chrome_elf.dll
2014-03-15 17:21 - 2014-03-14 20:50 - 04061000 _____ () C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\pdf.dll
2014-03-15 17:21 - 2014-03-14 20:50 - 00394568 _____ () C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll
2014-03-15 17:21 - 2014-03-14 20:50 - 01647432 _____ () C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\ffmpegsumo.dll
2014-03-15 17:21 - 2014-03-14 20:50 - 13637448 _____ () C:\Users\Administrator\AppData\Local\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\62755242.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\62755242.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Hamachi2Svc => ""="Service"
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\startupreg: Google Update => "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
 
==================== Faulty Device Manager Devices =============
 
Name: Standard VGA Graphics Adapter
Description: Standard VGA Graphics Adapter
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard display types)
Service: vga
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Video Controller
Description: Video Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: D-Link DGE-530T Gigabit Ethernet Adapter (rev.B)
Description: D-Link DGE-530T Gigabit Ethernet Adapter (rev.B)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: D-Link Corporation
Service: m4cxvst64
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/25/2014 00:38:03 PM) (Source: Windows Search Service) (User: )
Description: The entry <D:\FILES\EVALUATION\UKRAINE\DIPLOMA\2011 - 2015 - UKRAINE\ILYAYEVA.AYA.WPD> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (03/18/2014 05:00:59 PM) (Source: Windows Search Service) (User: )
Description: The entry <D:\FILES\TRANSLATIONS\EGYPT\7554FOUAD.CER.DOCX> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (03/18/2014 05:00:59 PM) (Source: Windows Search Service) (User: )
Description: The entry <D:\FILES\TRANSLATIONS\EGYPT\7554FOUAD.CER.DOCX> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (03/16/2014 10:52:18 PM) (Source: NfsService) (User: )
Description: The Server for NFS received a failure from the NFS driver during phase 2 initialization: (0xc0000184). Please try restarting the server after a few minutes. If the problem persists, you may need to restart the system.
 
Error: (03/16/2014 10:26:15 PM) (Source: NfsService) (User: )
Description: The Server for NFS received a failure from the NFS driver during phase 2 initialization: (0xc0000184). Please try restarting the server after a few minutes. If the problem persists, you may need to restart the system.
 
Error: (03/16/2014 10:10:19 PM) (Source: Application Hang) (User: )
Description: The program chrome.exe version 33.0.1750.154 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: da4
Start Time: 01cf418445d2be25
Termination Time: 16
 
Error: (03/16/2014 08:12:09 PM) (Source: NfsService) (User: )
Description: The Server for NFS received a failure from the NFS driver during phase 2 initialization: (0xc0000184). Please try restarting the server after a few minutes. If the problem persists, you may need to restart the system.
 
Error: (03/16/2014 08:07:40 PM) (Source: Microsoft-Windows-RestartManager) (User: SERVER300)
Description: 0tvnserver.exeTightVNC Server03026217823360
 
Error: (03/16/2014 08:04:13 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.GroupPolicy.Targeting.Interop, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=x86".  The error returned was Error: The specified assembly is not installed.
.
 
Error: (03/16/2014 08:04:10 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to execute command from the offline queue: uninstall "Microsoft.GroupPolicy.Targeting.Interop, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=amd64".  The error returned was Error: The specified assembly is not installed.
.
 
 
System errors:
=============
Error: (03/17/2014 11:19:25 AM) (Source: VDS Dynamic Provider) (User: )
Description: The provider failed while storing notifications from the driver. The Virtual Disk Service should be restarted. hr=80042505
 
Error: (03/16/2014 10:52:18 PM) (Source: Service Control Manager) (User: )
Description: Server for NFS%%3221225860
 
Error: (03/16/2014 10:48:50 PM) (Source: NfsServer) (User: )
Description: Server for NFS could not register with RPC Port Mapper.  Server for NFS did not start.
 
 
Network File System (NFS) clients discover NFS servers by querying the port mapper for a remote server (also known as Portmap and Rpcbind).  NFS clients will not be able to discover and communicate with Server for NFS on this computer.
 
Error: (03/16/2014 10:44:13 PM) (Source: Service Control Manager) (User: )
Description: storflt
 
Error: (03/16/2014 10:44:13 PM) (Source: Service Control Manager) (User: )
Description: Server for NFS
 
Error: (03/16/2014 10:41:45 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer FrontMFC with shared resource name FrontMFC. Error 2114. The printer cannot be used by others on the network.
 
Error: (03/16/2014 10:41:45 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer FrontPrinter with shared resource name FrontPrinter. Error 2114. The printer cannot be used by others on the network.
 
Error: (03/16/2014 10:41:45 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Josh&Vino with shared resource name Josh&Vino. Error 2114. The printer cannot be used by others on the network.
 
Error: (03/16/2014 10:41:45 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer SharpCopyMachine with shared resource name SharpCopyMachine. Error 2114. The printer cannot be used by others on the network.
 
Error: (03/16/2014 10:41:45 PM) (Source: Print) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Steve&Alex with shared resource name Steve&Alex. Error 2114. The printer cannot be used by others on the network.
 
 
Microsoft Office Sessions:
=========================
Error: (03/25/2014 00:38:03 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
D:\FILES\EVALUATION\UKRAINE\DIPLOMA\2011 - 2015 - UKRAINE\ILYAYEVA.AYA.WPD
 
Error: (03/18/2014 05:00:59 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
D:\FILES\TRANSLATIONS\EGYPT\7554FOUAD.CER.DOCX
 
Error: (03/18/2014 05:00:59 PM) (Source: Windows Search Service)(User: )
Description: Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
D:\FILES\TRANSLATIONS\EGYPT\7554FOUAD.CER.DOCX
 
Error: (03/16/2014 10:52:18 PM) (Source: NfsService)(User: )
Description: 0xc0000184
 
Error: (03/16/2014 10:26:15 PM) (Source: NfsService)(User: )
Description: 0xc0000184
 
Error: (03/16/2014 10:10:19 PM) (Source: Application Hang)(User: )
Description: chrome.exe33.0.1750.154da401cf418445d2be2516
 
Error: (03/16/2014 08:12:09 PM) (Source: NfsService)(User: )
Description: 0xc0000184
 
Error: (03/16/2014 08:07:40 PM) (Source: Microsoft-Windows-RestartManager)(User: SERVER300)
Description: 0tvnserver.exeTightVNC Server03026217823360
 
Error: (03/16/2014 08:04:13 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.GroupPolicy.Targeting.Interop, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=x86".  The error returned was Error: The specified assembly is not installed.
.
 
Error: (03/16/2014 08:04:10 PM) (Source: .NET Runtime Optimization Service)(User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - Failed to execute command from the offline queue: uninstall "Microsoft.GroupPolicy.Targeting.Interop, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=amd64".  The error returned was Error: The specified assembly is not installed.
.
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-03-26 12:19:03.566
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:03.446
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:03.323
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:03.193
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:03.044
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:02.925
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:02.805
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 12:19:02.613
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-24 17:16:11.995
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-24 17:16:11.751
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_0fbe86f737e6a8d6\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 78%
Total physical RAM: 3036.2 MB
Available physical RAM: 648.13 MB
Total Pagefile: 7193.36 MB
Available Pagefile: 3944.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:465.7 GB) (Free:410.04 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Server) (Fixed) (Total:298.08 GB) (Free:121.85 GB) NTFS
Drive g: (Utility_HD-CXTU2) (CDROM) (Total:0.45 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 2 (MBR Code: Windows 7 or Vista) (Size: 931 GB) (Disk ID: 887BCE28)
Partition 1: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

 



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,419 posts
  • Gender:Male
  • Location:California
  • Local time:08:53 AM

Posted 26 March 2014 - 12:00 PM

Hi Nolan,

Before we do anything I would like to check the validity of a file. Please do this.

===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Users\Administrator\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe

  • Once completed, highlight the information in the address bar, copy it, then paste the link in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Virustotal link

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 aznspy256

aznspy256
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:NYC
  • Local time:11:53 AM

Posted 26 March 2014 - 12:12 PM

Hi Gary, thanks for the quick response. Here is the URL for virustotal.

 

https://www.virustotal.com/en/file/9a44baa323bbd4c84ba8a549755a9e111afb46c29cc35be85d1af26ff421c651/analysis/1395853849/


Edited by aznspy256, 26 March 2014 - 12:12 PM.


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,419 posts
  • Gender:Male
  • Location:California
  • Local time:08:53 AM

Posted 26 March 2014 - 12:30 PM

Hi Nolan,

That file can be malicious but yours is clean. We are going to delete some temporary files but I don't think that is going to resolve any issues.

Keep in mind some of the programs I ask you to run may or may not work because of your OS.

Please do these things.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
BHO-x32: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -  No File
BHO-x32: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} -  No File
Handler-x32: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} -  No File
C:\Users\Administrator\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\Administrator\AppData\Local\Temp\Inputps.exe
C:\Users\Administrator\AppData\Local\Temp\InstallAX.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0029.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0032.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0051.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0059.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.18.0011.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0023.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0027.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0032.exe
C:\Users\Administrator\AppData\Local\Temp\{91DF8231-050A-4B9D-8778-2D9468AAE4BD}.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • A report should open and a copy of the report will be placed on your desktop
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • RogueKiller log

Gary

#9 aznspy256

aznspy256
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:NYC
  • Local time:11:53 AM

Posted 26 March 2014 - 12:45 PM

Hi Gary,
 
Here are the two logs respectively. 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Administrator at 2014-03-26 13:37:57 Run:1
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
BHO-x32: No Name - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-x32: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - No File
Handler-x32: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - No File
C:\Users\Administrator\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\Administrator\AppData\Local\Temp\Inputps.exe
C:\Users\Administrator\AppData\Local\Temp\InstallAX.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0029.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0032.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0051.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0059.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.18.0011.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0023.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0027.exe
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0032.exe
C:\Users\Administrator\AppData\Local\Temp\{91DF8231-050A-4B9D-8778-2D9468AAE4BD}.exe
*****************

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKCR\PROTOCOLS\Handler\sds => Key deleted successfully.
HKCR\CLSID\{79E0F14C-9C52-4218-89A7-7C4B0563D121} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\sds => Key not found.
HKCR\Wow6432Node\CLSID\{79E0F14C-9C52-4218-89A7-7C4B0563D121} => Key not found.
C:\Users\Administrator\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\Inputps.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\InstallAX.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0029.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.05.0032.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0051.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.06.0059.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.18.0011.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0023.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0027.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\setup_3.20.0032.exe => Moved successfully.
C:\Users\Administrator\AppData\Local\Temp\{91DF8231-050A-4B9D-8778-2D9468AAE4BD}.exe => Moved successfully.

==== End of Fixlog ====
RogueKiller V8.8.14 [Mar 26 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Server 2008 (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 03/26/2014 13:41:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] 2677ed5fc55cba5e180a9d2328849380
[BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 MB
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 128520 | Size: 476876 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD3200AAKS-75L9A0 ATA Device +++++
--- User ---
[MBR] 5f62cb9f71d819f034fad2a6569a61ac
[BSP] 9a5cc8c7cb065ae6c298e631ad59e156 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 16065 | Size: 305235 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) BUFFALO HD-CXTU2 USB Device +++++
--- User ---
[MBR] 1886cf4eae24d71c7d1128bb9a88d6f4
[BSP] bb6ace8510a6272852d26edcefd87af7 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953229 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_03262014_134119.txt >>

Edited by Oh My, 26 March 2014 - 01:43 PM.


#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,419 posts
  • Gender:Male
  • Location:California
  • Local time:08:53 AM

Posted 26 March 2014 - 02:37 PM

That all looks fine. No need to post in a code box, copy and paste is a little easier for me to review.

Please do this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Copy/paste the following in the Search Field
taskeng.exe
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Search log

Gary

#11 aznspy256

aznspy256
  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Location:NYC
  • Local time:11:53 AM

Posted 26 March 2014 - 02:51 PM

Hey Gary,

 

Sorry about the code box thing. Was hoping it would help. Anyways, here are the results. Also, thanks for being so persistent in helping me :D

 

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Administrator at 2014-03-26 15:43:56
Running from C:\Users\Administrator\Desktop
Boot Mode: Normal
 
================== Search: "taskeng.exe" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.22519_none_e81a9bd9d51e4e56\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 18:15] - 0171520 ____A (Microsoft Corporation) 9AF3E523E39FD8C10EDFA3ABA702DC9B
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.18342_none_e7698b5ebc1f53d7\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 12:34] - 0171520 ____A (Microsoft Corporation) 3D50C4B10352367D5CB20ED1F50F8DA2
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.18005_none_e797c63abbfc38a3\taskeng.exe
[2009-06-09 15:59] - [2009-04-11 02:28] - 0169984 ____A (Microsoft Corporation) E5BBFC283D6F5D69B41E464676361020
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.22791_none_e5d5a65bd84010db\taskeng.exe
[2010-12-15 02:22] - [2010-11-05 09:43] - 0171520 ____A (Microsoft Corporation) 110B5E5AFA79DD8A45A2F6ED738469B9
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18551_none_e577475abf020426\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 20:53] - 0171520 ____A (Microsoft Corporation) EAFB5897AC9CD84890171AC38862320F
 
C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_e5ac4d2ebeda6d57\taskeng.exe
[2008-01-19 05:50] - [2008-01-19 05:50] - 0169472 ____A (Microsoft Corporation) 5F109032CE46B7184ED9E50F9FE8489E
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.22519_none_4439375d8d7bbf8c\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 13:44] - 0267776 ____A (Microsoft Corporation) A7BB4FA098A6365D92A07D702926F957
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.18342_none_438826e2747cc50d\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 19:58] - 0267776 ____A (Microsoft Corporation) EA85B96A8BFB435749C9004BC7340347
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.18005_none_43b661be7459a9d9\taskeng.exe
[2009-06-09 15:59] - [2009-04-11 03:10] - 0265216 ____A (Microsoft Corporation) 2009F2E44758BECD3195B40D0B3650B3
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.22791_none_41f441df909d8211\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 12:54] - 0267776 ____A (Microsoft Corporation) 05CF042843679117363EA98AF20A49E6
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18551_none_4195e2de775f755c\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 17:16] - 0267776 ____A (Microsoft Corporation) DE4217BAE504F982A9C8A88CC3D4A9E8
 
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_41cae8b27737de8d\taskeng.exe
[2008-01-19 05:49] - [2008-01-19 05:49] - 0265216 ____A (Microsoft Corporation) 436E26D2E64EC4AABDC82EFBD3B92692
 
C:\Windows\SysWOW64\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 12:34] - 0171520 ____A (Microsoft Corporation) 3D50C4B10352367D5CB20ED1F50F8DA2
 
C:\Windows\System32\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 19:58] - 0267776 ____A (Microsoft Corporation) EA85B96A8BFB435749C9004BC7340347
 
C:\build\filerepository\Microsoft-Windows-TaskScheduler-Engine_ed8c9007\taskeng.exe
[2008-01-19 02:13] - [2008-01-19 04:00] - 0265216 ____A (Microsoft Corporation) 436E26D2E64EC4AABDC82EFBD3B92692
 
C:\build\filerepository\Microsoft-Windows-TaskScheduler-Engine_bb82aa27\taskeng.exe
[2008-01-19 01:38] - [2008-01-19 03:33] - 0169472 ____A (Microsoft Corporation) 5F109032CE46B7184ED9E50F9FE8489E
 
====== End Of Search ======
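
The search listing above ends with a dozen copies of taskeng.exe and their MD5 hashes. The check worth doing with such a listing is whether the copy that actually runs (C:\Windows\System32\taskeng.exe) carries a hash that also appears in a WinSxS component of a known version; here it does, since EA85B96A8BFB435749C9004BC7340347 is also the hash of the 6.0.6002.18342 component. The Python below is an added example, not code from the thread or from the tool that produced the listing: it parses the two-line record format (path, then dates, size, attributes, company and MD5), collects the hashes staged under WinSxS by component version, and reports which non-WinSxS copy matches which version. The sample input reuses four records from the listing plus one hypothetical C:\Windows\Temp entry with a made-up hash, added only to show how a mismatch is reported.

```python
import re

# Constructed sample in the format of the search output above. The WinSxS,
# System32 and C:\build records are copied from that output; the
# C:\Windows\Temp record is hypothetical and its hash is made up.
SAMPLE_LOG = r"""
C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6002.18342_none_438826e2747cc50d\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 19:58] - 0267776 ____A (Microsoft Corporation) EA85B96A8BFB435749C9004BC7340347

C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.0.6001.18000_none_41cae8b27737de8d\taskeng.exe
[2008-01-19 05:49] - [2008-01-19 05:49] - 0265216 ____A (Microsoft Corporation) 436E26D2E64EC4AABDC82EFBD3B92692

C:\Windows\System32\taskeng.exe
[2010-12-15 02:22] - [2010-11-04 19:58] - 0267776 ____A (Microsoft Corporation) EA85B96A8BFB435749C9004BC7340347

C:\build\filerepository\Microsoft-Windows-TaskScheduler-Engine_ed8c9007\taskeng.exe
[2008-01-19 02:13] - [2008-01-19 04:00] - 0265216 ____A (Microsoft Corporation) 436E26D2E64EC4AABDC82EFBD3B92692

C:\Windows\Temp\taskeng.exe
[2014-03-01 09:12] - [2014-03-01 09:12] - 0267776 ____A (Microsoft Corporation) DEADBEEFDEADBEEFDEADBEEFDEADBEEF
"""

# Second line of each record: [created] - [modified] - size attrs (company) MD5
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component version embedded in a WinSxS directory name, e.g. _6.0.6002.18342_
WINSXS_VER_RE = re.compile(r"\\winsxs\\[^\\]*_(\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)


def parse_search_log(text):
    """Turn the path/details record pairs into a list of dicts."""
    entries = []
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m or i == 0:
            continue
        path = lines[i - 1].strip()
        if not path:
            continue
        entries.append({
            "path": path,
            "size": int(m.group("size")),
            "company": m.group("company"),
            "md5": m.group("md5").upper(),
        })
    return entries


def check_live_copies(entries):
    """Map every copy outside WinSxS to the staged component version whose
    hash it matches, or to None when no WinSxS record in the log matches."""
    staged = {}
    for e in entries:
        m = WINSXS_VER_RE.search(e["path"])
        if m:
            staged[e["md5"]] = m.group(1)
    report = {}
    for e in entries:
        if WINSXS_VER_RE.search(e["path"]):
            continue
        report[e["path"]] = staged.get(e["md5"])
    return report


if __name__ == "__main__":
    for path, version in check_live_copies(parse_search_log(SAMPLE_LOG)).items():
        status = f"matches WinSxS {version}" if version else "NO WinSxS match"
        print(f"{status:28} {path}")
```

A match only shows that the file on disk is a genuine Microsoft build; it says nothing about what is loaded inside the running svchost.exe, and a kernel-mode rootkit that filters file reads can hand any scanner a clean copy. The Emsisoft report posted later in this thread ran with "Direct disk access: Off", so it read the files through the same path as this check.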


#12 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,419 posts
  • Location:California

Posted 26 March 2014 - 02:56 PM

You are very welcome.

Thanks, those files look good. I am going to have you run another program to see if we pick up any malware. Thus far I do not see any but instead see non-malware related error information.

Please do this.

===================================================

Emsisoft Emergency Kit - Portable

----------
  • From a Clean Computer download Emsisoft Emergency Kit and save it to a USB device
  • Click Start, Computer, then double click on your USB device
  • Double click EmsisoftEmergencyKit.exe
  • Click Browse and select the drive letter for your USB device
  • Click Accept and Extract
  • Once extracted locate and double click EmergencyKitScanner.bat on your USB device
  • Click Yes to update the program definitions
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Close out all Emsisoft windows as well as the Windows Explorer window showing the contents of your USB device
  • Remove the USB device and insert it into the infected computer
  • Click Start, Computer, then double click on your USB device
  • Double click EmergencyKitScanner.bat on your USB device
  • Click Scan now
  • Select Deep Scan (default setting) then click Scan - Note: this process may take an extended period of time to complete
  • Close out any High Risk notification screen that might appear
  • Click the Quarantine tab
  • Click View Report
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Emsisoft report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 aznspy256

  • Topic Starter
  • Members
  • 25 posts
  • Location:NYC

Posted 26 March 2014 - 05:36 PM

Hi Gary,

I'm sorry but I cannot do a scan until Friday since my work schedule is MWF. I will post the results asap though. Thank you.

#14 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,419 posts
  • Location:California

Posted 26 March 2014 - 05:51 PM

No problem, thanks for letting me know.
Gary
 

#15 aznspy256

  • Topic Starter
  • Members
  • 25 posts
  • Location:NYC

Posted 28 March 2014 - 02:10 PM

Hi Gary,

Sorry for the super late reply. Came in today and the scan took for-EVER. Well, here are the results.

PS: I just wanted to add some info in case this might help the situation. Basically the server is port scanning some machines on the network and I can tell from the ESET firewall logs. The logs began in the middle of December. I ran MalwareBytes and it had detected like 2 or 3 files with keyword "keygen" on the D drive. I allowed it to quarantine them. I'm pretty sure some employee downloaded this from a torrent and placed it on the server drive. The next couple of days the port scan was continuing and it was frustrating. The server BSODed a couple of times when I had it installed with TDSKiller, so I uninstalled MalwareBytes. To this day, I'm still receiving these port scans. This infection is so annoying because the infection adds itself to the firewall so it can port scan. I think I have narrowed it down to svchost.exe but can't seem to go any further from there.

Emsisoft Emergency Kit - Version 4.0
Last update: 3/28/2014 11:42:43 AM
User account: SERVER300\Administrator
 
Scan settings:
 
Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 3/28/2014 11:43:34 AM
Key: HKEY_USERS\S-1-5-21-2851493328-670454209-4171175932-500\SOFTWARE\YAHOOPARTNERTOOLBAR  detected: Application.Win32.YTool (A)
 
Scanned 558108
Found 1
 
Scan end: 3/28/2014 3:02:46 PM
Scan time: 3:19:12
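
The poster has traced the scans to svchost.exe but cannot get further, and svchost.exe alone is a dead end: each svchost.exe process hosts several services, so the next step is to tie the PID that is opening the connections to the services that PID hosts. The Python below is an added example, not code from the thread or from any tool named in it. It parses the output of `netstat -ano` and `tasklist /svc` (both present on Windows Server 2008), counts the distinct remote hosts and ports each PID is talking to, flags the fan-out pattern a port scan leaves behind, and names the services inside the flagged process. The sample output is constructed for the example; every address, PID and service name in it is hypothetical.

```python
import re
import sys
from collections import defaultdict

# Constructed sample output of `netstat -ano` and `tasklist /svc` in the
# layout Windows Server 2008 prints; addresses, PIDs and service names are
# hypothetical values chosen for the example, not data from the thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49152     192.168.1.25:135       SYN_SENT        1044
  TCP    192.168.1.10:49153     192.168.1.25:139       SYN_SENT        1044
  TCP    192.168.1.10:49154     192.168.1.25:445       SYN_SENT        1044
  TCP    192.168.1.10:49155     192.168.1.25:3389      SYN_SENT        1044
  TCP    192.168.1.10:49156     192.168.1.26:135       SYN_SENT        1044
  TCP    192.168.1.10:49157     192.168.1.26:445       SYN_SENT        1044
  TCP    192.168.1.10:1433      192.168.1.40:52011     ESTABLISHED     2216
  TCP    192.168.1.10:1433      192.168.1.41:50120     ESTABLISHED     2216
  UDP    0.0.0.0:123            *:*                                    820
"""

TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    820 W32Time
svchost.exe                   1044 Schedule, SENS, ShellHWDetection
sqlservr.exe                  2216 MSSQLSERVER
"""

# proto, local, remote, optional state (absent for UDP), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# image name, pid, comma-separated service list (or N/A)
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def split_endpoint(endpoint):
    """'192.168.1.25:135' -> ('192.168.1.25', '135'); also handles '[::1]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def outbound_by_pid(netstat_text):
    """Distinct remote (host, port) pairs per PID for TCP sockets that are not
    merely listening; the scan shows up as one PID with many such pairs."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, remote, state, pid = m.groups()
        if proto != "TCP" or state in (None, "LISTENING"):
            continue
        targets[int(pid)].add(split_endpoint(remote))
    return targets


def services_by_pid(tasklist_text):
    """PID -> (image name, [service names]) from `tasklist /svc` output."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, svcs = m.groups()
        names = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(pid)] = (image.strip(), names)
    return procs


def find_scanners(netstat_text, tasklist_text, min_hosts=2, min_ports=3):
    """Flag PIDs whose remote targets fan out over several hosts and several
    ports, and attach the image and hosted services for each flagged PID."""
    procs = services_by_pid(tasklist_text)
    flagged = {}
    for pid, targets in outbound_by_pid(netstat_text).items():
        hosts = {h for h, _ in targets}
        ports = {p for _, p in targets}
        if len(hosts) >= min_hosts and len(ports) >= min_ports:
            image, svcs = procs.get(pid, ("<unknown>", []))
            flagged[pid] = {"image": image, "services": svcs,
                            "hosts": sorted(hosts), "ports": sorted(ports, key=int)}
    return flagged


if __name__ == "__main__":
    # Usage: python scanpid.py netstat.txt tasklist.txt  (falls back to the samples)
    if len(sys.argv) == 3:
        netstat_text = open(sys.argv[1], errors="replace").read()
        tasklist_text = open(sys.argv[2], errors="replace").read()
    else:
        netstat_text, tasklist_text = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for pid, info in find_scanners(netstat_text, tasklist_text).items():
        print(f"PID {pid} ({info['image']}) hosting {', '.join(info['services']) or 'no services'}")
        print(f"  -> {len(info['hosts'])} hosts, ports {', '.join(info['ports'])}")
```

On the server, capture the real output while a scan is in progress with `netstat -ano > netstat.txt` and `tasklist /svc > tasklist.txt` and pass both files to the script; SYN_SENT rows come and go quickly, so run it more than once. When the flagged PID hosts several services, `sc config <ServiceName> type= own` (the space after `type=` is required) moves that one service into its own process at its next start, and the next run of this check then points at a single service rather than at svchost.exe as a whole. That isolates what to inspect without taking the server offline during working hours.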
 
