Fake google chrome.exe virus


This topic is locked
9 replies to this topic

#1 Slickvik (Members, 6 posts)

Posted 15 September 2014 - 01:40 PM

Hello, this morning I noticed my computer was slow. The file was coming from a folder called LocalLow in my AppData folder. I renamed the file and deleted that folder because I thought it would do the trick, but it is recreated 5 minutes later. I suspect I have a virus. It's a work laptop.

Edited by Slickvik, 15 September 2014 - 01:43 PM.



#2 aharonov (Malware Response Team, 2,441 posts)

Posted 15 September 2014 - 01:50 PM

Hi there,

Please run a FRST scan:


Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
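FRST.txt is plain text, so the first triage pass over it can be scripted. The Python below is an added example for this thread, not code from the Farbar tool or from either poster: it parses lines in the layout FRST writes for the Processes and Registry Run/RunOnce sections and flags images running from user-writable locations, rundll32 entries that load a DLL from such a path, and Windows binary names (ctfmon.exe, svchost.exe and so on) running outside \Windows\. The sample log is constructed for the example, modelled on the log posted later in this thread; the USER_WRITABLE_MARKERS and SYSTEM_NAMES lists and the triage() function are the example's own assumptions, not FRST's logic. One caveat the example builds in: the company string FRST prints in parentheses is read from the file's own metadata, so a process in AppData that reports "Google Inc." is flagged, not trusted.

```python
import re

# Constructed sample in the layout FRST writes; the entries are modelled on the
# log posted later in this thread. It is input for this example, not a real scan.
SAMPLE_LOG = r'''
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Lync\communicator.exe
(Google Inc.) C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\fqhycnwdv.exe
() C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196}
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [Microsoft Text Services] => C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe [793088 2013-01-29] ()
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [rqwckbj] => rundll32.exe "C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll",DllRegisterServer <===== ATTENTION
'''

# "(Company) C:\path\image.exe" as FRST prints running processes.
PROCESS_RE = re.compile(r"^\(([^)]*)\)\s+(\S.*?)\s*$")
# "HKLM\...\Run: [Name] => target" and "HKU\<SID>\...\RunOnce: [Name] => target"
RUN_RE = re.compile(r"^(HK\S+?)\\\.\.\.\\(Run|RunOnce): \[([^\]]*)\] => (.*)$")
# rundll32 invocations that name a DLL path, quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,', re.I)
# A drive-rooted image path at the start of a Run target.
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\[^"\[]*?\.(?:exe|dll))', re.I)

# Windows binaries that belong under \Windows\; a same-named file elsewhere is a
# classic masquerade. Assumed list for this example; extend as needed.
SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "rundll32.exe", "explorer.exe",
                "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Path fragments a standard user can write to; assumed markers for this example.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of {section, reason, line} findings for an FRST log."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(If "):
            continue
        if line.startswith("="):
            # "==== Processes (Whitelisted) ====" -> "Processes"
            section = line.strip("= ").split(" (")[0]
            continue
        if section == "Processes":
            m = PROCESS_RE.match(line)
            if not m:
                continue
            company, path = m.group(1), m.group(2)
            if user_writable(path):
                who = f"claims '{company}'" if company else "has no company string"
                findings.append({"section": section, "line": line,
                                 "reason": f"image runs from a user-writable path and {who} "
                                           "(version info, not a signature)"})
            if basename(path) in SYSTEM_NAMES and "\\windows\\" not in path.lower():
                findings.append({"section": section, "line": line,
                                 "reason": f"'{basename(path)}' is a Windows binary name running outside \\Windows\\"})
        elif section == "Registry":
            m = RUN_RE.match(line)
            if not m:
                continue
            _hive, key, name, target = m.groups()
            dll = RUNDLL_RE.search(target)
            if dll and user_writable(dll.group(1)):
                findings.append({"section": section, "line": line,
                                 "reason": f"{key} [{name}] loads a DLL via rundll32 from a user-writable path: {dll.group(1)}"})
                continue
            img = IMAGE_RE.match(target)
            if img and user_writable(img.group(1)):
                findings.append({"section": section, "line": line,
                                 "reason": f"{key} [{name}] starts an image from a user-writable path: {img.group(1)}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

To run it against a real scan, replace SAMPLE_LOG with the contents of FRST.txt read as text. The RunOnce streamci entries and anything under Program Files are deliberately left alone, so the output is the short list a responder would look at first rather than the whole log.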


#3 Slickvik (Topic Starter, Members, 6 posts)

Posted 15 September 2014 - 09:33 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by VIKRA323 (ATTENTION: The logged in user is not administrator) on LPC-LR9GF3DM on 15-09-2014 21:31:10
Running from \\FILE-NA1-05\USERDATA2$\vikra323\Desktop
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Lync\communicator.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
() C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
() C:\Program Files\Lenovo\Basic USB Dock\IgfxTskMgr.exe
(Docking Station) C:\Program Files\Lenovo\USB3.0 Dock\igpxtskmgn32win7.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\pnamain.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(SnapComms Ltd) C:\Program Files\SnapComms\Client\417\SnapClient.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Farbar) \\FILE-NA1-05\USERDATA2$\vikra323\Desktop\FRST.exe
(Google Inc.) C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\fqhycnwdv.exe
(Google Inc.) C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\fqhycnwdv.exe
(Google Inc.) C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\fqhycnwdv.exe
(Google Inc.) C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\fqhycnwdv.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoftGridTray] => C:\Program Files\Microsoft Application Virtualization Client\SFTTray.exe [854760 2012-09-03] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [Communicator] => C:\Program Files\Microsoft Lync\communicator.exe [12117160 2013-10-28] (Microsoft Corporation)
HKLM\...\Run: [PasswordRegistration] => C:\WINDOWS\system32\MsPwdRegistration.exe [27496 2010-02-01] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2221352 2011-03-31] (Synaptics Incorporated)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49568 2010-10-26] ()
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2011-03-14] (Conexant systems, Inc.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [IntelliType Pro] => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1093272 2012-10-12] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1668248 2012-10-12] (Microsoft Corporation)
HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [702024 2012-12-13] (Cisco Systems, Inc.)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [40376 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640440 2010-09-22] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [IMSS] => C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [111488 2012-05-24] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\WINDOWS\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\WINDOWS\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [WDM_DRMKAUD] => rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\WINDOWS\inf\WDMAUDIO.inf,WDM_DRMKAUD. (the data entry has 17 more characters).
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,"C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe"
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKU\.DEFAULT\...\RunOnce: [Microsoft Security Client] => C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [Microsoft Text Services] => C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe [793088 2013-01-29] ()
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-03-09] (Microsoft Corporation)
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [rqwckbj] => rundll32.exe "C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll",DllRegisterServer <===== ATTENTION
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [Wallpaper] C:\Windows\System32\TowersWatsonWallpaper.bmp
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [SetVisualStyle] %windir%\resources\Themes\Aero\aero.msstyles
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoPropertiesRecycleBin] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSimpleStartMenu] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSMHelp] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoComputersNearMe] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoNetHood] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoUserFolderInStartMenu] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMFUprogramsList] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [DisallowCpl] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IgfxTskMgr.lnk
ShortcutTarget: IgfxTskMgr.lnk -> C:\Program Files\Lenovo\Basic USB Dock\IgfxTskMgr.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\igpxtskmgn.lnk
ShortcutTarget: igpxtskmgn.lnk -> C:\Program Files\Lenovo\USB3.0 Dock\igpxtskmgn32win7.exe (Docking Station)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Online plug-in.lnk
ShortcutTarget: Online plug-in.lnk -> C:\Windows\Installer\{E7C5763F-948D-453B-9138-4A8F552B3CE3}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vantage.internal.towerswatson.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vantage.internal.towerswatson.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} http://10.240.114.135/DBD/Admin/Calc/smsx.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} http://10.240.114.135/DBD/Admin/viewer9/activeXViewer/activexviewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://twlearning.webex.com/client/WBXclient-T28L10NSP4-14953/nbr/ieatgpc1.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_37 -> C:\WINDOWS\system32\#npdeployJava1.dll No File
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll ()

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
R2 ciscod.exe; C:\Program Files\Cisco\Cisco Hostscan\bin\ciscod.exe [47056 2011-03-30] (Cisco Systems, Inc.)
R2 CxAudMsg; C:\WINDOWS\system32\CxAudMsg32.exe [190592 2010-12-17] (Conexant Systems Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [7676720 2013-10-11] (DisplayLink Corp.)
R2 FIMPasswordReset; C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe [75608 2010-02-01] (Microsoft Corporation)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2013-04-04] (Macrovision Europe Ltd.) [File not signed]
R2 lmhosts; C:\WINDOWS\system32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 Lotus Notes Diagnostics; C:\Program Files\IBM\Lotus\Notes\nsd.exe [3417480 2010-08-11] (IBM)
R2 MBAMAgent; C:\Program Files\Microsoft\MDOP MBAM\MBAMAgent.exe [233728 2013-01-24] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
S4 NetMsmqActivator; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139680 2012-07-09] (Microsoft Corporation) [File not signed]
S4 NetPipeActivator; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139680 2012-07-09] (Microsoft Corporation) [File not signed]
S4 NetTcpActivator; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139680 2012-07-09] (Microsoft Corporation) [File not signed]
S4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139680 2012-07-09] (Microsoft Corporation) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-06-20] (Microsoft Corporation)
R2 NlaSvc; C:\WINDOWS\System32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 nsi; C:\WINDOWS\system32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 PasswordManager; C:\WINDOWS\system32\PasswordManager.exe [20480 2011-08-18] () [File not signed]
R2 SAService; C:\WINDOWS\system32\SAsrv.exe [446592 2011-03-14] (Conexant Systems, Inc.)
S3 smstsmgr; C:\WINDOWS\system32\CCM\TSManager.exe [246624 2009-09-18] () [File not signed]
R2 SnapClientService; C:\Program Files\SnapComms\Client\417\SnapClientService.exe [202928 2012-09-19] (SnapComms Ltd)
R2 Towers Watson Room Reservation Client Service; C:\Program Files\Towers Watson\Towers Watson Room Reservation Client Service 1.0\WS.TW.RoomReservationClientService.exe [21504 2013-08-23] (Towers Watson) [File not signed]
R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [544840 2012-12-13] (Cisco Systems, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 acsock; C:\WINDOWS\System32\DRIVERS\acsock.sys [92112 2012-12-13] (Cisco Systems, Inc.)
S3 BTWAMPFL; C:\WINDOWS\System32\DRIVERS\btwampfl.sys [367656 2010-12-18] (Broadcom Corporation.)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c6232.sys [238760 2010-12-20] (Intel Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41216 2011-09-22] (Intel Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 netvsc; C:\WINDOWS\system32\drivers\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R3 NETwNs32; C:\WINDOWS\System32\DRIVERS\NETwNs32.sys [7434240 2011-01-06] (Intel Corporation)
S3 nusb3hub; C:\WINDOWS\system32\drivers\nusb3hub.sys [62336 2010-12-10] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\WINDOWS\system32\drivers\nusb3xhc.sys [141440 2010-12-10] (Renesas Electronics Corporation)
R3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [20848 2009-09-18] () [File not signed]
R2 risdxc; C:\WINDOWS\System32\DRIVERS\risdxc86.sys [75264 2011-03-23] (REDC)
R3 Sftfs; C:\WINDOWS\System32\DRIVERS\Sftfswin7.sys [582376 2012-09-03] (Microsoft Corporation)
R3 Sftplay; C:\WINDOWS\System32\DRIVERS\Sftplaywin7.sys [197352 2012-09-03] (Microsoft Corporation)
R3 Sftredir; C:\WINDOWS\System32\DRIVERS\Sftredirwin7.sys [22248 2012-09-03] (Microsoft Corporation)
R3 Sftvol; C:\WINDOWS\System32\DRIVERS\Sftvolwin7.sys [19688 2012-09-03] (Microsoft Corporation)
S3 SynthVid; C:\WINDOWS\system32\drivers\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-15 21:30 - 2014-09-15 21:31 - 00000000 ____D () C:\FRST
2014-09-11 14:33 - 2011-07-20 09:55 - 00000538 ____N () C:\Users\vikra323\.java.policy
2014-09-07 10:12 - 2014-09-07 10:37 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-07 10:12 - 2014-09-07 10:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-15 21:31 - 2014-09-15 21:30 - 00000000 ____D () C:\FRST
2014-09-15 21:28 - 2012-10-19 05:32 - 01740449 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-15 21:26 - 2011-09-23 12:55 - 00000497 _____ () C:\WINDOWS\SMSCFG.INI
2014-09-15 21:25 - 2012-10-19 12:00 - 00000000 ____D () C:\Users\vikra323\Tracing
2014-09-15 21:25 - 2009-07-13 23:53 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-15 21:25 - 2009-07-13 23:39 - 00087935 _____ () C:\WINDOWS\setupact.log
2014-09-15 21:24 - 2012-10-19 11:58 - 00000000 ____D () C:\Users\vikra323\AppData\Roaming\SoftGrid Client
2014-09-15 21:21 - 2011-04-22 13:45 - 00799976 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-09-15 21:20 - 2009-07-13 23:34 - 00012592 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-15 21:20 - 2009-07-13 23:34 - 00012592 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-15 17:08 - 2012-10-19 11:49 - 00000000 ____D () C:\Users\vikra323
2014-09-15 17:08 - 2011-09-23 12:57 - 00000000 ____D () C:\Program Files\Java
2014-09-15 08:43 - 2012-10-19 11:03 - 00282690 __RSH () C:\ProgramData\ntuser.pol
2014-09-11 20:16 - 2011-09-23 13:11 - 00100458 _____ () C:\WINDOWS\PFRO.log
2014-09-07 10:37 - 2014-09-07 10:12 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-07 10:37 - 2014-09-07 10:12 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-09-05 08:42 - 2012-10-19 10:44 - 00000000 ____D () C:\Program Files\Towers Watson
2014-09-03 08:49 - 2012-10-19 11:49 - 00050214 __RSH () C:\Users\vikra323\ntuser.pol
2014-08-25 13:16 - 2012-11-02 09:28 - 00000000 ____D () C:\ProgramData\WebEx
2014-08-22 06:17 - 2009-07-13 23:53 - 00032576 _____ () C:\WINDOWS\Tasks\SCHEDLGU.TXT
2014-08-20 12:42 - 2014-03-17 09:10 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-08-20 12:42 - 2012-10-19 11:47 - 00002169 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Forefront Endpoint Protection.lnk
2014-08-20 12:42 - 2011-09-23 13:12 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-08-17 22:38 - 2009-07-13 21:37 - 00000000 ____D () C:\WINDOWS\system32\NDF

Some content of TEMP:
====================
C:\Users\vikra323\AppData\Local\Temp\install_flashplayer13x32axau_gtbd_chrd_dn_aaa_aih[1].exe
C:\Users\vikra323\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-09-2014
Ran by VIKRA323 at 2014-09-15 21:31:36
Running from \\FILE-NA1-05\USERDATA2$\vikra323\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Forefront Endpoint Protection (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Forefront Endpoint Protection (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 9 Pro (HKLM\...\{AC76BA86-1033-0000-7760-000000000004}{AC76BA86-1033-0000-7760-000000000004}) (Version: 9.4.6 - Adobe Systems)
Adobe Acrobat 9 Pro (Version: 9.4.6 - Adobe Systems) Hidden
Adobe Flash Player - Disable Auto Updates (HKLM\...\{AFE20C85-9C73-45F1-B649-E5EBB2A57174}) (Version: 1.0.0 - Towers Watson)
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06)  MUI (HKLM\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM\...\{58597FDC-CDF0-4760-A57C-250DF09F4A21}) (Version: 12.0.2.122 - Adobe Systems, Inc)
BlackBerry Desktop Software 5.0 (HKLM\...\BlackBerry_{079678D0-BBBC-4D2C-8541-6EC47FF930D0}) (Version: 5.0.0.7 - Research In Motion Ltd.)
BlackBerry Desktop Software 5.0 (Version: 5.0.0.7 - Research In Motion Ltd.) Hidden
Broadcom InConcert Maestro (HKLM\...\{57DD35E9-D9BB-4089-BB05-EF933C586CB3}) (Version: 1.0.1.1500 - Broadcom Corporation)
Cisco AnyConnect Posture Module (HKLM\...\{9E5BB719-AD76-4544-AEB4-CF7777F717BB}) (Version: 3.0.3050 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client  (HKLM\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.02026 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (Version: 3.1.02026 - Cisco Systems, Inc.) Hidden
Cisco AnyConnect TowersWatson Active X Controls (HKLM\...\{490B9E1B-B5D1-4C50-8175-50898AC069E8}) (Version: 1.00.0000 - Your Company Name)
Cisco AnyConnect TowersWatson VPN Profile (HKLM\...\{AA003535-3718-43E5-AFDB-14D4E39BBEBF}) (Version: 1.00.0000 - Towers Watson)
Cisco Hostscan (HKLM\...\{542D7DFD-D2F2-4970-8DED-7153576C959F}) (Version: 3.6.181 - Cisco)
Cisco WebEx Meetings (HKCU\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix online plug-in (DV) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (HDX) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (HKLM\...\CitrixOnlinePluginFull) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Citrix online plug-in (PNA) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (SSON) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (USB) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (Web) (Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Colligo Email Manager (HKLM\...\{039E1C69-53E6-4C8C-8281-15E0FAB77754}) (Version: 5.5.7 - Colligo Networks)
Conexant 20672 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.32.23.0 - Conexant)
Configuration Manager Client (Version: 4.00.6487.2000 - Microsoft Corporation) Hidden
DisplayLink Core Software (HKLM\...\{CE65763B-7251-4DC8-9AFB-86FDE94A1140}) (Version: 7.4.51572.0 - DisplayLink Corp.)
eDocPrinter PDF Pro 6.82 MSI (HKLM\...\{E3DF0404-F1F8-413F-BA22-EB078976299B}) (Version: 6.82.6139 - ITeksoft Corporation)
Forefront Identity Manager Add-ins and Extensions (HKLM\...\{82602802-91A2-449B-98BF-7F86BDE7F7E5}) (Version: 4.0.2592.0 - Microsoft Corporation)
Forefront Identity Manager Add-ins and Extensions LP (HKLM\...\{21BC06BD-3E55-4EFD-A5B6-EB9B241845F6}) (Version: 4.0.2592.0 - Microsoft Corporation)
fxAct (HKLM\...\{DE99B882-DBCF-474D-90F0-FACDAE5333C1}) (Version: 2.4.3 - RPSystems)
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.1.50.1172 - Intel Corporation)
Java™ 6 Update 37 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216037FF}) (Version: 6.0.370 - Oracle)
Lenovo USB Graphics (HKLM\...\{2845E89E-DD21-46C9-A179-D8185C8D4B5F}) (Version: 7.4.51587.0 - Lenovo)
Lotus Notes 8.5.2 (HKLM\...\{E11DFB27-BAF4-46D6-AD76-D5519C0E6786}) (Version: 8.52.10222 - IBM)
MDOP MBAM (HKLM\...\{CFBFD28C-654B-4E23-B61E-6160491375A6}) (Version: 2.0.5301.1 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (Version: 4.5.50709 - Microsoft Corporation) Hidden
Microsoft Access Runtime 2010 (HKLM\...\Office14.AccessRT) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Application Virtualization Desktop Client (HKLM\...\{E999B723-79AD-478C-BC6D-634A20920482}) (Version: 4.6.2.24020 - Microsoft Corporation)
Microsoft Endpoint Protection Management Components (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Forefront Endpoint Protection (Version: 4.3.215.0 - Microsoft Corporation) Hidden
Microsoft Forefront Endpoint Protection 2010 Server Management (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Lync - Welcome (HKCU\...\2840325737.localhost) (Version:  - localhost)
Microsoft Lync 2010 (HKLM\...\{81BE0B17-563B-45D4-B198-5721E6C665CD}) (Version: 4.0.7577.4415 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.0.161.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.0.161.0 - Microsoft Corporation) Hidden
Microsoft Office 2010 Deployment Kit for App-V (HKLM\...\{90140000-0073-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office 2010 Primary Interop Assemblies (HKLM\...\{90140000-1105-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1024 - Microsoft Corporation)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Runtime 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Runtime MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Live Meeting 2007 (HKLM\...\{EA710A0A-BF5D-433C-8EB5-D17DC54CC298}) (Version: 8.0.6362.201 - Microsoft Corporation)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visio Viewer 2010 (HKLM\...\{95140000-0052-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.31117 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (Version: 10.0.31121 - Microsoft Corporation) Hidden
MS_OfficeCalenderControl_1.0 (HKLM\...\{6D3FD0A3-F55B-4A63-A766-45D11316346C}) (Version: 1.00.0000 - Towers Watson)
MS_Outlook_Office2010Pre-Reqs_1.0 (HKLM\...\{F273B808-A969-4123-913A-D9001BEFC129}) (Version: 1.00.0000 - Towers Watson)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Oracle Java - SSVAgent (HKLM\...\{D2666929-E6E8-4B2D-A9EB-C3FA2518F453}) (Version: 1.0.0 - Towers Watson)
Oracle® Essbase Spreadsheet Add-in, Fusion Edition (HKLM\...\{FCF14701-7CD0-485E-A8D2-2B39B430B271}) (Version: 11.1.1.3 - Oracle Corporation)
Password Manager (HKLM\...\{3EBDB092-58EB-4809-9106-CB3C38612BF2}) (Version: 2.0.1 - Towers Watson)
Retware Prereqs (HKLM\...\{C8F8828E-206D-4054-BD16-1B3ABEFB89F2}) (Version: 1.01.00 - Towers Watson)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001C-0000-0000-0000000FF1CE}_Office14.AccessRT_{54846D1D-E5D5-4A28-AA6D-7208259007EA}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version:  - Microsoft) Hidden
SnapComms Client (HKLM\...\{ECE0B9B6-E596-11E1-AF2A-0003FF319E3E}) (Version: 3.0.417 - SnapComms Limited)
Symantec Enterprise Vault Outlook Add-In 10.0.2.1210 (HKLM\...\{817220AB-B36A-4AD2-A15F-D57779A8ACE7}) (Version: 10.0.9402 - Symantec Corporation)
ThinkPad Basic USB 3.0 Dock (HKLM\...\{8B294E72-A417-489C-B55F-9259C1EDFADB}_is1) (Version: 1.07.46 - Lenovo Group Limited)
ThinkPad Bluetooth with Enhanced Data Rate Software (HKLM\...\{C6C9D5F7-630C-4125-8C4E-94AF77C1896E}) (Version: 6.4.0.1500 - Broadcom Corporation)
ThinkPad Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.62.00.00 - )
ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.20.0 - )
ThinkPad USB 3.0 Dock (HKLM\...\{69109A9C-1D00-4A84-9ABF-AAE9CADD20DD}) (Version: 1.07.15 - Lenovo)
Towers Watson CIS Outlook Addin (HKLM\...\{3204D316-C380-4013-9220-2E78802F5761}) (Version: 1.1.8 - Towers Watson)
Towers Watson Room Reservation Client Service 1.0 (HKLM\...\{1792C183-799A-43E9-B26C-2879396228B9}) (Version: 1.0.0 - Towers Watson)
Towers Watson Room Reservation Outlook Addin 2.1.6 (US) (HKLM\...\{F6DE897F-1F03-4BC0-B3E4-79DD90957681}) (Version: 2.1.6 - Towers Watson)
TW Disable send to bluetooth within MS Office 2010 (HKLM\...\{0FE5F5EB-FBE7-418F-937D-FAD1D81BF7D4}) (Version: 1.0.0 - Towers Watson)
TW FIM Registration_1.0 (HKLM\...\{08469898-7968-4B39-9382-94D8D0C7E6BB}) (Version: 1.00.0000 - Towers Watson)
TW OfficeTools (HKLM\...\{DBEB1DD9-A543-43CA-951E-16A1251F0171}) (Version: 3.1 - Towers Watson)
TW Timesheet Tools 2.03.03 (Global) (HKLM\...\{D7D437DA-87AD-480F-8208-C4FEFBA649F1}) (Version: 2.03.03 - Towers Watson)
TW_RunPrograms_1.0 (HKLM\...\{D2AB329D-3CE5-4EE3-A0C7-EDBDFFA79173}) (Version: 1.00.0000 - Towers Watson)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240C0}) (Version: 15.0.9334 - WinZip Computing, S.L. )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2009-06-10 16:39 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (whitelisted) =============

2013-04-04 04:09 - 2013-04-04 04:09 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 16:45 - 2010-10-20 16:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-11-28 12:39 - 2011-03-31 13:31 - 00066856 _____ () C:\Program Files\Synaptics\SynTP\SynTPEnhPS.dll
2011-11-28 12:39 - 2011-04-10 12:40 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2012-10-19 10:37 - 2010-10-26 07:39 - 00049568 ____N () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
2012-12-13 08:45 - 2012-12-13 08:45 - 00063560 _____ () C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
2013-02-06 16:11 - 2013-01-29 08:31 - 00793088 _____ () C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe
2014-07-15 09:11 - 2013-02-27 14:27 - 00106496 _____ () C:\Program Files\Lenovo\Basic USB Dock\IgfxTskMgr.exe
2014-09-15 21:29 - 2014-09-15 21:29 - 00718152 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\libglesv2.dll
2014-09-15 21:29 - 2014-09-15 21:29 - 00126280 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\libegl.dll
2014-09-15 21:29 - 2014-09-15 21:29 - 08537928 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\pdf.dll
2014-09-15 21:29 - 2014-09-15 21:29 - 00353096 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2014-09-15 21:29 - 2014-09-15 21:29 - 01732936 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

==================== Faulty Device Manager Devices =============

Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (09/11/2014 11:30:58 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/11/2014 11:30:58 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/10/2014 11:09:08 PM) (Source: SmsClient) (EventID: 11800) (User: )
Description: ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d1Failed to download baseline CI Id ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d, version 1.00.

Error: (09/10/2014 08:54:27 PM) (Source: SmsClient) (EventID: 11800) (User: )
Description: ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d1Failed to download baseline CI Id ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d, version 1.00.

Error: (09/10/2014 01:07:33 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/10/2014 01:07:33 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/09/2014 07:41:21 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 10.0.9200.16866 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: e10

Start Time: 01cfcc892bf8236a

Termination Time: 140

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (09/08/2014 08:38:11 PM) (Source: Group Policy Registry) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply computer policy settings for 'PROD - Workstation - Office 2010 {313316F0-DF94-4252-B2E4-00D07AD32C8A}' because it failed with error code '0x80070035 The network path was not found.'%apply00790275

Error: (09/08/2014 00:13:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/08/2014 00:13:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (09/15/2014 09:28:10 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (09/15/2014 09:26:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}{B292921D-AF50-400C-9B75-0C57A7F29BA1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (09/15/2014 09:25:46 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: INTERNAL)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/15/2014 09:25:40 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (09/15/2014 09:25:40 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain INTERNAL due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (09/15/2014 09:15:39 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (09/15/2014 09:14:19 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}{B292921D-AF50-400C-9B75-0C57A7F29BA1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (09/15/2014 09:13:42 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: INTERNAL)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/15/2014 09:13:36 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (09/15/2014 09:13:36 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain INTERNAL due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Microsoft Office Sessions:
=========================
Error: (09/11/2014 11:30:58 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64vista.exe

Error: (09/11/2014 11:30:58 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64.exe

Error: (09/10/2014 11:09:08 PM) (Source: SmsClient) (EventID: 11800) (User: )
Description: ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d1.00

Error: (09/10/2014 08:54:27 PM) (Source: SmsClient) (EventID: 11800) (User: )
Description: ScopeId_AF06609C-B3EC-4F77-874E-25FF5F015EB8/Baseline_57f6fe08-f1bf-40e3-840b-c9b6e4e0d17d1.00

Error: (09/10/2014 01:07:33 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64vista.exe

Error: (09/10/2014 01:07:33 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64.exe

Error: (09/09/2014 07:41:21 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe10.0.9200.16866e1001cfcc892bf8236a140C:\Program Files\Internet Explorer\iexplore.exe

Error: (09/08/2014 08:38:11 PM) (Source: Group Policy Registry) (EventID: 8194) (User: NT AUTHORITY)
Description: applycomputerPROD - Workstation - Office 2010 {313316F0-DF94-4252-B2E4-00D07AD32C8A}0x80070035 The network path was not found.

Error: (09/08/2014 00:13:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64vista.exe

Error: (09/08/2014 00:13:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Lenovo\usb3.0 dock\igpxtskmgn64.exe

==================== Memory info ===========================

Processor: Intel® Core™ i5-2520M CPU @ 2.50GHz
Percentage of memory in use: 55%
Total physical RAM: 3493.23 MB
Available physical RAM: 1566.48 MB
Total Pagefile: 6984.76 MB
Available Pagefile: 4633.54 MB
Total Virtual: 2047.88 MB
Available Virtual: 1887.88 MB

==================== Drives ================================

Drive c: (v1.07 32-Bit) (Fixed) (Total:148.75 GB) (Free:108.38 GB) NTFS

==================== MBR & Partition Table ==================

==================== End Of Log ============================



#4 Slickvik

Slickvik
  • Topic Starter

  • Members
  • 6 posts

Posted 15 September 2014 - 09:38 PM

Files are attached also here




#5 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 16 September 2014 - 07:01 AM

Ok, here we go:


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Please visit VirusTotal and scan a file as follows:
  • Click on Choose File.
  • Copy and paste the following into the file name textbox:
    C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe
    and click Open.
  • Now hit the Scan it! button on the website to scan the selected file.
  • If you get the message

    File already analysed - This file was last analysed by VirusTotal on ....

    then click on Reanalyse!
  • Wait until the scan has finished.
  • Copy the URL from your browser's address bar and paste it in your next reply.


Step 3

  • Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.
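
The triage behind Step 1 and Step 2 above, as an added example that is not part of the original thread and not FRST's own code: it parses FRST-style "Loaded Modules" and "Run" log lines (sample lines constructed from the logs posted above), keeps entries that sit in a user-writable profile directory and carry a second indicator (no signer, or a Windows binary name outside C:\Windows), and drafts fixlist entries in the CloseProcesses:/EmptyTemp: layout used in this thread. The USER_WRITABLE and SYSTEM_NAMES lists and the two-indicator rule are my assumptions for a first pass, not FRST's logic.

```python
"""Triage of FRST-style log lines for entries that point into user-writable
profile directories, producing a draft fixlist in the layout used in this
thread.  Added example, not FRST's own code; the rules are a starting point
for a human analyst, not a verdict."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed: profile directories that any process running as the user can write to.
USER_WRITABLE = (
    "\\appdata\\locallow\\",
    "\\appdata\\local\\assembly\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
)
# Assumed: Windows binaries that only belong under C:\Windows; the same name
# elsewhere (ctfmon.exe under AppData\Roaming above) is a classic masquerade.
SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "explorer.exe", "rundll32.exe", "csrss.exe"}

# "Loaded Modules" line: created - modified - size attrs (signer) path
MODULE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d+ \S+ \((?P<signer>[^)]*)\) (?P<path>.+)$"
)
# Autorun line: HKLM\...\Run: [name] => command   (HKU lines carry a SID)
RUN_RE = re.compile(
    r"^HK(?:LM|U\\S-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<command>.+?)(?: <=+ ATTENTION)?$"
)
# Quoted path (rundll32 "x.dll",Entry form) or the first bare drive path in a command.
PATH_RE = re.compile(r'"([^"]+\.(?:dll|exe))"|([A-Za-z]:\\.+?\.(?:dll|exe))\b', re.IGNORECASE)

# Constructed sample, taken from the log lines posted earlier in this thread.
SAMPLE_LOG = [
    r"2012-10-19 10:37 - 2010-10-26 07:39 - 00049568 ____N () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe",
    r"2013-02-06 16:11 - 2013-01-29 08:31 - 00793088 _____ () C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe",
    r"2014-09-15 21:29 - 2014-09-15 21:29 - 00718152 _____ () C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb\Kppmxego\36.0.1985.143\libglesv2.dll",
    r"HKLM\...\Run: [SoftGridTray] => C:\Program Files\Microsoft Application Virtualization Client\SFTTray.exe [854760 2012-09-03] (Microsoft Corporation)",
    r'HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [rqwckbj] => rundll32.exe "C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll",DllRegisterServer <===== ATTENTION',
]


@dataclass
class Finding:
    kind: str            # "module" or "run"
    path: str            # file the entry loads or launches
    reasons: List[str]   # indicators that fired
    fix_lines: List[str] # draft fixlist.txt entries for this finding


def _reasons_for(path: str, signer: str) -> List[str]:
    p = path.lower()
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("user-writable profile path")
    if not signer:
        reasons.append("no signer recorded")
    if p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    return reasons


def _command_path(command: str) -> str:
    m = PATH_RE.search(command)
    return (m.group(1) or m.group(2)) if m else command


def triage(lines: Iterable[str]) -> List[Finding]:
    """Keep entries that are in a user-writable path AND carry one more indicator;
    an AppData path alone is too noisy to act on."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = MODULE_RE.match(line)
        if m:
            reasons = _reasons_for(m["path"], m["signer"])
            if "user-writable profile path" in reasons and len(reasons) > 1:
                findings.append(Finding("module", m["path"], reasons, [m["path"]]))
            continue
        m = RUN_RE.match(line)
        if m:
            path = _command_path(m["command"])
            sig = re.search(r"\(([^)]*)\)$", m["command"])   # trailing "(Publisher)" if any
            reasons = _reasons_for(path, sig.group(1) if sig else "")
            if "user-writable profile path" in reasons and len(reasons) > 1:
                # FRST accepts the log line itself to remove the value, plus the file path.
                findings.append(Finding("run", path, reasons, [line, path]))
    return findings


def draft_fixlist(findings: List[Finding]) -> str:
    """Wrap the entries in the CloseProcesses:/EmptyTemp: directives seen in this thread."""
    entries: List[str] = []
    for f in findings:
        for entry in f.fix_lines:
            if entry not in entries:
                entries.append(entry)
    return "\n".join(["CloseProcesses:", *entries, "EmptyTemp:"]) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:6} {f.path}  <- {', '.join(f.reasons)}")
    print(draft_fixlist(triage(SAMPLE_LOG)))
```

The draft still needs an analyst's review before it is used as a fixlist; in particular the file pointed at by each finding is what Step 2 submits to VirusTotal.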


#6 Slickvik

Slickvik
  • Topic Starter

  • Members
  • 6 posts

Posted 16 September 2014 - 10:16 AM

Hello, below are the three steps you asked for. Also, I've attached the requested logs and screenshots of the virustotal page as well. Thank you!

 

Step 1: FixLog.txt contents below

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-09-2014
Ran by Vikra323 at 2014-09-16 09:25:51 Run:6
Running from \\FILE-NA1-05\USERDATA2$\vikra323\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CloseProcesses:
C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Run: [rqwckbj] => rundll32.exe "C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll",DllRegisterServer <===== ATTENTION
C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll
EmptyTemp:
*****************

Processes closed successfully.
"C:\Users\vikra323\AppData\LocalLow\Microsoft\vkppvcb" => File/Directory not found.
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\Software\Microsoft\Windows\CurrentVersion\Run\\rqwckbj => Value not found.
"C:\Users\vikra323\AppData\Local\assembly\rqwckbj.dll" => File/Directory not found.

 

Step 2: Virustotal URL below

 

https://www.virustotal.com/en/file/10cc231b83816815d5676ff45969dfebb4be12f9b3b6d236b1c70a1309f2d8e7/analysis/1410879599/

 

Step 3: Frst.txt below

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by Vikra323 (ATTENTION: The logged in user is not administrator) on LPC-LR9GF3DM on 16-09-2014 10:13:51
Running from \\FILE-NA1-05\USERDATA2$\vikra323\Desktop
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Lync\communicator.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
() C:\Program Files\Lenovo\Basic USB Dock\IgfxTskMgr.exe
(Docking Station) C:\Program Files\Lenovo\USB3.0 Dock\igpxtskmgn32win7.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\pnamain.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft Lync\UcMapi.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(SnapComms Ltd) C:\Program Files\SnapComms\Client\417\SnapClient.exe
(Farbar) \\FILE-NA1-05\USERDATA2$\vikra323\Desktop\FRST.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoftGridTray] => C:\Program Files\Microsoft Application Virtualization Client\SFTTray.exe [854760 2012-09-03] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [Communicator] => C:\Program Files\Microsoft Lync\communicator.exe [12117312 2014-04-14] (Microsoft Corporation)
HKLM\...\Run: [PasswordRegistration] => C:\WINDOWS\system32\MsPwdRegistration.exe [27496 2010-02-01] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2221352 2011-03-31] (Synaptics Incorporated)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49568 2010-10-26] ()
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2011-03-14] (Conexant systems, Inc.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [IntelliType Pro] => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1093272 2012-10-12] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1668248 2012-10-12] (Microsoft Corporation)
HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [702024 2012-12-13] (Cisco Systems, Inc.)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [40376 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640440 2010-09-22] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [IMSS] => C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [111488 2012-05-24] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\RunOnce: [MSPCLOCK] => rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
HKLM\...\RunOnce: [MSPQM] => rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
HKLM\...\RunOnce: [MSKSSRV] => rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196}
HKLM\...\RunOnce: [MSTEE.CxTransform] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\WINDOWS\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [MSTEE.Splitter] => rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\WINDOWS\inf\ksfilter.inf,MSTEE.Interf (the data entry has 11 more characters).
HKLM\...\RunOnce: [WDM_DRMKAUD] => rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\WINDOWS\inf\WDMAUDIO.inf,WDM_DRMKAUD. (the data entry has 17 more characters).
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,"C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe",
HKLM\...\Policies\Explorer\Run: [BootRacer] => C:\Program Files\BootRacer\Bootrace.exe [3812624 2014-02-19] ( (Greatis Software))
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\...\Policies\Explorer: [NoAutorun] 1
HKU\.DEFAULT\...\RunOnce: [Microsoft Security Client] => C:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [Wallpaper] C:\Windows\System32\TowersWatsonWallpaper.bmp
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\system: [SetVisualStyle] %windir%\resources\Themes\Aero\aero.msstyles
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoPropertiesRecycleBin] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSimpleStartMenu] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoComputersNearMe] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoNetHood] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoUserFolderInStartMenu] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [NoStartMenuMFUprogramsList] 1
HKU\S-1-5-21-4255863253-1233835171-2685878428-327856\...\Policies\Explorer: [DisallowCpl] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IgfxTskMgr.lnk
ShortcutTarget: IgfxTskMgr.lnk -> C:\Program Files\Lenovo\Basic USB Dock\IgfxTskMgr.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\igpxtskmgn.lnk
ShortcutTarget: igpxtskmgn.lnk -> C:\Program Files\Lenovo\USB3.0 Dock\igpxtskmgn32win7.exe (Docking Station)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Online plug-in.lnk
ShortcutTarget: Online plug-in.lnk -> C:\Windows\Installer\{E7C5763F-948D-453B-9138-4A8F552B3CE3}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vantage.internal.towerswatson.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vantage.internal.towerswatson.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Lync\OCHelper.dll (Microsoft Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} http://10.240.114.135/DBD/Admin/Calc/smsx.cab
DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} http://10.240.114.135/DBD/Admin/viewer9/activeXViewer/activexviewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://twlearning.webex.com/client/WBXclient-T28L10NSP4-14953/nbr/ieatgpc1.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.240.100.21 10.244.100.16

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_37 -> C:\WINDOWS\system32\#npdeployJava1.dll No File
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll ()

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 BootRacerServ; C:\Program Files\BootRacer\BootRacerServ.exe [65296 2013-07-26] (Greatis Software, LLC)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
R2 ciscod.exe; C:\Program Files\Cisco\Cisco Hostscan\bin\ciscod.exe [47056 2011-03-30] (Cisco Systems, Inc.)
R2 CxAudMsg; C:\WINDOWS\system32\CxAudMsg32.exe [190592 2010-12-17] (Conexant Systems Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [7676720 2013-10-11] (DisplayLink Corp.)
R2 FIMPasswordReset; C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe [75608 2010-02-01] (Microsoft Corporation)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2013-04-04] (Macrovision Europe Ltd.) [File not signed]
R2 lmhosts; C:\WINDOWS\system32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 Lotus Notes Diagnostics; C:\Program Files\IBM\Lotus\Notes\nsd.exe [3417480 2010-08-11] (IBM)
R2 MBAMAgent; C:\Program Files\Microsoft\MDOP MBAM\MBAMAgent.exe [233728 2013-01-24] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 NlaSvc; C:\WINDOWS\System32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 nsi; C:\WINDOWS\system32\svchost.exe [21504 2012-10-18] (Microsoft Corporation)
R2 PasswordManager; C:\WINDOWS\system32\PasswordManager.exe [20480 2011-08-18] () [File not signed]
R2 SAService; C:\WINDOWS\system32\SAsrv.exe [446592 2011-03-14] (Conexant Systems, Inc.)
S3 smstsmgr; C:\WINDOWS\system32\CCM\TSManager.exe [246624 2009-09-18] () [File not signed]
R2 SnapClientService; C:\Program Files\SnapComms\Client\417\SnapClientService.exe [202928 2012-09-19] (SnapComms Ltd)
R2 Towers Watson Room Reservation Client Service; C:\Program Files\Towers Watson\Towers Watson Room Reservation Client Service 1.0\WS.TW.RoomReservationClientService.exe [21504 2013-08-23] (Towers Watson) [File not signed]
R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [544840 2012-12-13] (Cisco Systems, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 acsock; C:\WINDOWS\System32\DRIVERS\acsock.sys [92112 2012-12-13] (Cisco Systems, Inc.)
S3 BTWAMPFL; C:\WINDOWS\System32\DRIVERS\btwampfl.sys [367656 2010-12-18] (Broadcom Corporation.)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c6232.sys [238760 2010-12-20] (Intel Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41216 2011-09-22] (Intel Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 netvsc; C:\WINDOWS\system32\drivers\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
R3 NETwNs32; C:\WINDOWS\System32\DRIVERS\NETwNs32.sys [7434240 2011-01-06] (Intel Corporation)
S3 nusb3hub; C:\WINDOWS\system32\drivers\nusb3hub.sys [62336 2010-12-10] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\WINDOWS\system32\drivers\nusb3xhc.sys [141440 2010-12-10] (Renesas Electronics Corporation)
R3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [20848 2009-09-18] () [File not signed]
R2 risdxc; C:\WINDOWS\System32\DRIVERS\risdxc86.sys [75264 2011-03-23] (REDC)
R3 Sftfs; C:\WINDOWS\System32\DRIVERS\Sftfswin7.sys [582376 2012-09-03] (Microsoft Corporation)
R3 Sftplay; C:\WINDOWS\System32\DRIVERS\Sftplaywin7.sys [197352 2012-09-03] (Microsoft Corporation)
R3 Sftredir; C:\WINDOWS\System32\DRIVERS\Sftredirwin7.sys [22248 2012-09-03] (Microsoft Corporation)
R3 Sftvol; C:\WINDOWS\System32\DRIVERS\Sftvolwin7.sys [19688 2012-09-03] (Microsoft Corporation)
S3 SynthVid; C:\WINDOWS\system32\drivers\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 09:34 - 2014-09-16 09:34 - 00000000 ____D () C:\Users\Sie-seanm1adm
2014-09-16 09:34 - 2014-09-16 09:34 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-16 09:29 - 2014-04-03 21:14 - 00418816 _____ (Microsoft Corporation) C:\WINDOWS\system32\cscui.dll
2014-09-16 09:26 - 2014-09-16 09:26 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-09-16 09:25 - 2014-03-24 21:18 - 12877312 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2014-09-16 09:25 - 2013-06-14 22:40 - 00918528 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2014-09-16 09:25 - 2013-06-14 22:38 - 00031232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tssecsrv.sys
2014-09-16 09:24 - 2014-09-16 09:24 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-16 09:24 - 2013-05-12 22:08 - 00903168 _____ (Microsoft Corporation) C:\WINDOWS\system32\certutil.exe
2014-09-16 09:24 - 2013-05-12 22:08 - 00043008 _____ (Microsoft Corporation) C:\WINDOWS\system32\certenc.dll
2014-09-16 09:23 - 2014-04-11 21:15 - 00136640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2014-09-16 09:23 - 2014-04-11 21:15 - 00067520 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecdd.sys
2014-09-16 09:23 - 2014-04-11 21:12 - 00100352 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspicli.dll
2014-09-16 09:23 - 2014-04-11 21:12 - 00022016 _____ (Microsoft Corporation) C:\WINDOWS\system32\secur32.dll
2014-09-16 09:23 - 2014-04-11 21:12 - 00015872 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspisrv.dll
2014-09-16 09:23 - 2014-04-11 21:11 - 01059840 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2014-09-16 09:23 - 2014-04-11 21:11 - 00022528 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsass.exe
2014-09-16 09:23 - 2014-04-11 21:06 - 00097792 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidpolicyconverter.exe
2014-09-16 09:23 - 2014-04-11 21:06 - 00069632 _____ (Microsoft Corporation) C:\WINDOWS\system32\smss.exe
2014-09-16 09:23 - 2014-04-11 21:06 - 00050688 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2014-09-16 09:23 - 2014-04-11 21:06 - 00038912 _____ (Microsoft Corporation) C:\WINDOWS\system32\csrsrv.dll
2014-09-16 09:23 - 2014-04-11 21:06 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2014-09-16 09:23 - 2014-04-11 21:06 - 00016896 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidcertstorecheck.exe
2014-09-16 09:23 - 2014-04-11 21:03 - 00006656 _____ (Microsoft Corporation) C:\WINDOWS\system32\apisetschema.dll
2014-09-16 09:23 - 2014-04-11 20:17 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\appid.sys
2014-09-16 09:23 - 2014-03-04 05:42 - 03974080 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntkrnlpa.exe
2014-09-16 09:23 - 2014-03-04 05:42 - 03918784 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2014-09-16 09:23 - 2014-03-04 04:17 - 00868352 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00550912 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00538112 _____ (Microsoft Corporation) C:\WINDOWS\system32\objsel.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00304128 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2014-09-16 09:23 - 2014-03-04 04:17 - 00293376 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00259584 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00247808 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00172032 _____ (Microsoft Corporation) C:\WINDOWS\system32\wdigest.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSpkg.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00051200 _____ (Microsoft Corporation) C:\WINDOWS\system32\cngprovider.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00049664 _____ (Microsoft Corporation) C:\WINDOWS\system32\adprovider.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\system32\capiprovider.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00047616 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapiprovider.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\dimsroam.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00035328 _____ (Microsoft Corporation) C:\WINDOWS\system32\wincredprovider.dll
2014-09-16 09:23 - 2014-03-04 04:17 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\credssp.dll
2014-09-16 09:23 - 2013-10-11 20:57 - 00657920 _____ (Microsoft Corporation) C:\WINDOWS\system32\nshwfp.dll
2014-09-16 09:23 - 2013-10-11 20:56 - 00681472 _____ (Microsoft Corporation) C:\WINDOWS\system32\IKEEXT.DLL
2014-09-16 09:23 - 2013-10-11 20:56 - 00216576 _____ (Microsoft Corporation) C:\WINDOWS\system32\FWPUCLNT.DLL
2014-09-16 09:23 - 2013-10-11 20:55 - 00496128 _____ (Microsoft Corporation) C:\WINDOWS\system32\BFE.DLL
2014-09-16 09:23 - 2013-09-24 20:56 - 00220160 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncrypt.dll
2014-09-16 09:23 - 2013-08-01 20:50 - 00169984 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00005120 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-file-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-processthreads-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-synch-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-misc-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-localregistry-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-localization-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-memory-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-interlocked-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-heap-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-profile-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-io-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-handle-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-fibers-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-delayload-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-debug-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-datetime-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 20:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-console-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 19:52 - 00271360 _____ (Microsoft Corporation) C:\WINDOWS\system32\conhost.exe
2014-09-16 09:23 - 2013-08-01 19:43 - 00006144 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-security-base-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 19:43 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-threadpool-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 19:43 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-xstate-l1-1-0.dll
2014-09-16 09:23 - 2013-08-01 19:43 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-util-l1-1-0.dll
2014-09-16 09:23 - 2013-07-08 23:52 - 00175104 _____ (Microsoft Corporation) C:\WINDOWS\system32\wintrust.dll
2014-09-16 09:23 - 2013-07-04 07:16 - 00369848 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2014-09-16 09:21 - 2014-09-16 09:42 - 00000000 ____D () C:\Program Files\BootRacer
2014-09-16 09:21 - 2014-09-16 09:21 - 00001723 _____ () C:\WINDOWS\bootracer.mif
2014-09-16 09:19 - 2014-09-16 09:19 - 00002167 _____ () C:\Users\vikra323\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle R12 via GoTo.lnk
2014-09-15 21:30 - 2014-09-16 10:13 - 00000000 ____D () C:\FRST
2014-09-11 14:33 - 2011-07-20 09:55 - 00000538 ____N () C:\Users\vikra323\.java.policy
2014-09-07 10:12 - 2014-09-07 10:37 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-07 10:12 - 2014-09-07 10:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 10:13 - 2014-09-15 21:30 - 00000000 ____D () C:\FRST
2014-09-16 09:57 - 2009-07-13 23:34 - 00012592 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-16 09:57 - 2009-07-13 23:34 - 00012592 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-16 09:52 - 2012-10-22 10:27 - 00000576 _____ () C:\WINDOWS\test2.txt
2014-09-16 09:52 - 2012-10-22 10:27 - 00000041 _____ () C:\WINDOWS\test3.txt
2014-09-16 09:50 - 2011-04-22 13:45 - 00799976 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-09-16 09:48 - 2012-10-19 12:00 - 00000000 ____D () C:\Users\vikra323\Tracing
2014-09-16 09:48 - 2012-10-19 05:32 - 02030061 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-16 09:46 - 2012-10-19 11:49 - 00000000 ____D () C:\Users\vikra323
2014-09-16 09:46 - 2011-09-23 12:57 - 00000000 ____D () C:\Program Files\Java
2014-09-16 09:43 - 2011-09-23 12:55 - 00000497 _____ () C:\WINDOWS\SMSCFG.INI
2014-09-16 09:43 - 2009-07-13 21:37 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-09-16 09:42 - 2014-09-16 09:21 - 00000000 ____D () C:\Program Files\BootRacer
2014-09-16 09:42 - 2009-07-13 23:53 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-16 09:42 - 2009-07-13 23:39 - 00088081 _____ () C:\WINDOWS\setupact.log
2014-09-16 09:34 - 2014-09-16 09:34 - 00000000 ____D () C:\Users\Sie-seanm1adm
2014-09-16 09:34 - 2014-09-16 09:34 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-16 09:32 - 2012-10-19 05:32 - 00000000 ____D () C:\Intel
2014-09-16 09:26 - 2014-09-16 09:26 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-09-16 09:26 - 2011-09-23 13:02 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-16 09:24 - 2014-09-16 09:24 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-16 09:24 - 2014-03-17 09:10 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-09-16 09:24 - 2012-10-19 11:47 - 00002169 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Forefront Endpoint Protection.lnk
2014-09-16 09:24 - 2012-10-19 11:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Lync
2014-09-16 09:24 - 2012-10-19 11:47 - 00000000 ____D () C:\Program Files\Microsoft Lync
2014-09-16 09:24 - 2011-09-23 13:12 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-16 09:21 - 2014-09-16 09:21 - 00001723 _____ () C:\WINDOWS\bootracer.mif
2014-09-16 09:21 - 2012-10-19 11:58 - 00000000 ____D () C:\Users\vikra323\AppData\Roaming\SoftGrid Client
2014-09-16 09:19 - 2014-09-16 09:19 - 00002167 _____ () C:\Users\vikra323\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle R12 via GoTo.lnk
2014-09-15 08:43 - 2012-10-19 11:03 - 00282690 __RSH () C:\ProgramData\ntuser.pol
2014-09-11 20:16 - 2011-09-23 13:11 - 00100458 _____ () C:\WINDOWS\PFRO.log
2014-09-07 10:37 - 2014-09-07 10:12 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-07 10:37 - 2014-09-07 10:12 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-09-05 08:42 - 2012-10-19 10:44 - 00000000 ____D () C:\Program Files\Towers Watson
2014-09-03 08:49 - 2012-10-19 11:49 - 00050214 __RSH () C:\Users\vikra323\ntuser.pol
2014-08-25 13:16 - 2012-11-02 09:28 - 00000000 ____D () C:\ProgramData\WebEx
2014-08-22 06:17 - 2009-07-13 23:53 - 00032576 _____ () C:\WINDOWS\Tasks\SCHEDLGU.TXT
2014-08-17 22:38 - 2009-07-13 21:37 - 00000000 ____D () C:\WINDOWS\system32\NDF

Some content of TEMP:
====================
C:\Users\vikra323\AppData\Local\Temp\install_flashplayer13x32axau_gtbd_chrd_dn_aaa_aih[1].exe
C:\Users\vikra323\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================

Attached Files

  • Attached File  Fixlog.txt   971bytes   4 downloads
  • Attached File  1.png   48.38KB   0 downloads
  • Attached File  2.png   23.89KB   0 downloads
  • Attached File  3.png   26.75KB   0 downloads
  • Attached File  4.png   7.11KB   0 downloads
  • Attached File  FRST.txt   35.43KB   2 downloads


#7 Slickvik

Slickvik
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 16 September 2014 - 11:00 AM

Also, after running step 1, but before steps 2 and 3, I ran malwarebytes because my IT dept told me to. I've attached those logs here.

Attached Files



#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:01 AM

Posted 16 September 2014 - 12:13 PM

The logs look better now. How is the computer running? What problems or symptoms remain?
Let's do a final check up:


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#9 Slickvik

Slickvik
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:01 AM

Posted 16 September 2014 - 12:33 PM

Hi, I'm not able to run that program since I don't have administrator access. However, the computer seems to be smoother.

Also do I need to do anything with this file?

C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe

Edited by Slickvik, 16 September 2014 - 12:48 PM.


#10 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:01 AM

Posted 16 September 2014 - 04:30 PM

Hello,

I'd strongly recommend checking with your IT department now to see what further actions they consider necessary.
The fake Chrome malware should be gone. But when tools are run without administrator privileges I cannot be sure that all malware is removed (e.g. the FRST log is incomplete when not run as administrator). Therefore I'm not confident to declare your computer clean at this point.
(But what I can tell you for sure is that the Adobe products and Java should be updated to prevent infection in the future.)
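The thread turns on two things a responder reads straight out of an FRST log: a binary with a system or browser name sitting somewhere it does not belong (the chrome.exe under AppData\LocalLow, the ctfmon.exe under AppData\Roaming\Microsoft\Office asked about above), and the "Bamital & volsnap Check" verdicts on core Windows binaries. The script below is an added example for triaging those two sections; it is not part of this thread and not FRST's own code. The allow-list of where each binary name legitimately lives, the user-writable-directory markers and the severity tiers are this example's assumptions. The FlashPlayer, Malwarebytes and signature-check lines in the sample are copied from the log above; the ctfmon.exe, chrome.exe and MouseKeyboardCenter lines are constructed, with dates, sizes and the chrome.exe path invented for the demonstration.

```python
"""Triage an FRST (Farbar Recovery Scan Tool) log excerpt.

Added example: parses the dated "files and folders" listing and the
"Bamital & volsnap Check" section, then flags entries a malware
responder would look at first. The allow-list and heuristics are the
example's own assumptions, not FRST behaviour.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One listing line: <modified> - <created> - <size> <attrs> (<company>) <path>
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)
# One signature-check line: <path> => <verdict>
SIG_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")
SIGNED_OK = "File is digitally signed"

EXEC_EXT = (".exe", ".dll", ".scr", ".cpl", ".sys")

# Assumed allow-list (not an FRST table): directories, lower-cased, in which
# these binary names legitimately live. A match is either the exact directory
# or a directory ending in the entry (for the per-user Chrome install).
EXPECTED_HOME: Dict[str, Tuple[str, ...]] = {
    "explorer.exe": (r"c:\windows",),
    "winlogon.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "ctfmon.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "chrome.exe": (r"google\chrome\application",),
}
# Assumed markers of user-writable locations (a standard user can drop files here).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str      # e.g. "_____", "____D" (directory), "__RSH"
    company: str    # vendor name from the version resource; "" if FRST found none
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_listing(text: str) -> List[Entry]:
    """Return every dated listing line as an Entry; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["modified"], m["created"], int(m["size"]),
                                 m["attrs"], m["company"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, path, reason) for executables worth a closer look."""
    findings = []
    for e in entries:
        if e.attrs.endswith("D"):          # directory entry, nothing to check
            continue
        lowered = e.path.lower()
        if not lowered.endswith(EXEC_EXT):
            continue
        homes = EXPECTED_HOME.get(e.name)
        if homes is not None and not any(
                e.directory == h or e.directory.endswith(h) for h in homes):
            # A well-known name outside its known location is the classic masquerade.
            findings.append(("high", e.path, f"{e.name} outside its expected location"))
            continue
        if any(marker in lowered for marker in USER_WRITABLE) and not e.company:
            # Weaker signal: no vendor name in version info, in a user-writable directory.
            findings.append(("review", e.path,
                             "executable with no vendor name in a user-writable directory"))
    return findings


def parse_signature_checks(text: str) -> Dict[str, str]:
    """Map each path in the Bamital & volsnap section to FRST's verdict string."""
    checks = {}
    for line in text.splitlines():
        m = SIG_LINE.match(line.strip())
        if m:
            checks[m["path"]] = m["verdict"]
    return checks


def unsigned(checks: Dict[str, str]) -> List[str]:
    """Paths whose verdict is anything other than a clean signature."""
    return [p for p, v in checks.items() if v != SIGNED_OK]


# Constructed sample: Flash, Malwarebytes and signature lines match the log
# above; the ctfmon.exe, chrome.exe and MouseKeyboardCenter lines are invented.
SAMPLE_LOG = r"""
2014-09-07 10:37 - 2014-09-07 10:12 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-09-16 09:34 - 2014-09-16 09:34 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-15 08:12 - 2014-09-15 08:12 - 00153600 _____ () C:\Users\vikra323\AppData\Roaming\Microsoft\Office\ctfmon.exe
2014-09-15 07:55 - 2014-09-15 07:55 - 00241664 _____ () C:\Users\vikra323\AppData\LocalLow\Google\chrome.exe
2014-09-07 10:37 - 2014-09-07 10:12 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-09-10 12:00 - 2014-09-10 12:00 - 00032768 _____ () C:\Users\vikra323\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
"""

if __name__ == "__main__":
    for severity, path, reason in triage(parse_listing(SAMPLE_LOG)):
        print(f"[{severity}] {path}: {reason}")
    print("unsigned core binaries:", unsigned(parse_signature_checks(SAMPLE_LOG)))
```

On the sample this reports the ctfmon.exe and chrome.exe lines as high (a known name in a directory a standard user can write to) and the Temp installer as review-only; all three signature-check lines pass. Two caveats carry over from the thread: an empty `()` in an FRST line means no vendor name in the version resource, not that the file is unsigned, so the real verdict on a suspect file comes from an Authenticode check, and both FRST and that check give complete results only when run with administrator privileges, which is exactly why the responder above declines to call the machine clean.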



