Unknown infection on AD DNS Server 2008 R2


6 replies to this topic

#1 debaugh

Members, 6 posts

Posted 10 January 2015 - 09:05 PM

I originally posted this in the Server forum, which I assume was the wrong place. Please see below for details:

I was looking through my MB logs the other day and found that Malwarebytes has been blocking a couple of IP addresses at various times throughout the day. I ran our virus scan, Malwarebytes, Rootkit Buster, RogueKiller, TDSSKiller, Sophos online, ESET online, MBAR, and AdwCleaner. None of them have found anything. I have run Show Hidden to see if anything pops up and I have not seen anything out of the ordinary thus far... but I am still looking. I am at a loss as I know this should not be happening. The only problem I had running any of the tools was that RogueKiller would hang up on the MBAM service, which I uninstalled then reinstalled once the scan was completed. Below are some of the logs... Any assistance would be greatly appreciated as I am at a loss.

 

Show-hidden -f

Show Hidden by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
Show Hidden will display all hidden folders on your computer.
You can use the -f argument to display hidden files as well.

Program started at: 01/08/2015 06:09:52 PM
Windows Version: Windows Server 2008 R2

Please be patient while your hard drives are scanned.

Scanning the A:\ drive


Finished scanning the A:\ drive. 0 hidden items found.

Scanning the C:\ drive

 * C:\$Recycle.Bin
 * C:\$Recycle.Bin\S-1-5-21-2569257102-2185423520-2273032915-1107
 * C:\$Recycle.Bin\S-1-5-21-2569257102-2185423520-2273032915-1248
 * C:\$Recycle.Bin\S-1-5-21-2569257102-2185423520-2273032915-1290
 * C:\$Recycle.Bin\S-1-5-21-2569257102-2185423520-2273032915-500
 * C:\$Recycle.Bin\S-1-5-21-2890613172-815135678-715974545-500
 * C:\Program Files\Uninstall Information
 * C:\Program Files (x86)\Belarc\BelMonitor\System\Brands\monitor\BelNotify\control.bcf [File]
 * C:\Program Files (x86)\Uninstall Information
 * C:\ProgramData
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck [File]
 * C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q [File]
 * C:\ProgramData\Microsoft\DRM\Server
 * C:\ProgramData\Microsoft\Group Policy\History
 * C:\ProgramData\ntuser.pol [File]
 * C:\Recovery
 * C:\Recovery\6fde102f-f28c-11e1-9b9a-c8c0bf91c0b5
 * C:\Recovery\6fde102f-f28c-11e1-9b9a-c8c0bf91c0b5\Winre.wim [File]
 * C:\System Volume Information
 * C:\Users\Administrator\AppData
 * C:\Users\Administrator\AppData\Local\IconCache.db [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\0GA3R1U3
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\6V8STHIT
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\F0ATPSKB
 * C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\P22CUHBY
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn1
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\History
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2RAUFS3Z
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F76T3MYD
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXS6NE6I
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBRIEL30
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{bbdb655b-f284-11e1-b20c-000c29a5156f}.TM.blf [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{bbdb655b-f284-11e1-b20c-000c29a5156f}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat{bbdb655b-f284-11e1-b20c-000c29a5156f}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST [File]
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SYNCHIST [File]
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
 * C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
 * C:\Users\Administrator\NTUSER.DAT [File]
 * C:\Users\Administrator\ntuser.dat.LOG1 [File]
 * C:\Users\Administrator\ntuser.dat.LOG2 [File]
 * C:\Users\Administrator\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\Administrator\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\Administrator\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\Administrator\ntuser.ini [File]
 * C:\Users\Administrator\Searches\Everywhere.search-ms [File]
 * C:\Users\Administrator\Searches\Indexed Locations.search-ms [File]
 * C:\Users\administrator.SCI\AppData
 * C:\Users\administrator.SCI\AppData\Local\EmieBrowserModeList
 * C:\Users\administrator.SCI\AppData\Local\EmieBrowserModeList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\EmieSiteList
 * C:\Users\administrator.SCI\AppData\Local\EmieSiteList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\EmieUserList
 * C:\Users\administrator.SCI\AppData\Local\EmieUserList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\2S6VMPO6
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\43XE6XM8
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\GQGZM898
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\TGHIN0XK
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\U1C2O0TW
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\U3D2FPLG
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\XMWUNMK8
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Feeds Cache\ZVERJU0W
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\AppCache
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\AppCache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\AppCache\U8G228U2
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\AppCache\U8G228U2\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Burn\Burn
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Burn\Burn1
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\History
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\History\Low\History.IE5
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\History\Low\History.IE5\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{0f89dc1e-634e-11e2-8192-000c29a5156f}.TM.blf [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{0f89dc1e-634e-11e2-8192-000c29a5156f}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{0f89dc1e-634e-11e2-8192-000c29a5156f}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{bf5eaa83-7975-11e4-9a34-000c294c233a}.TM.blf [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{bf5eaa83-7975-11e4-9a34-000c294c233a}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\UsrClass.dat{bf5eaa83-7975-11e4-9a34-000c294c233a}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\WebCache
 * C:\Users\administrator.SCI\AppData\Local\Microsoft\Windows\WebCacheLock.dat [File]
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieBrowserModeList
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieBrowserModeList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieSiteList
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieSiteList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieUserList
 * C:\Users\administrator.SCI\AppData\LocalLow\EmieUserList\container.dat [File]
 * C:\Users\administrator.SCI\AppData\LocalLow\Microsoft\Windows\AppCache
 * C:\Users\administrator.SCI\AppData\LocalLow\Microsoft\Windows\AppCache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\LocalLow\Microsoft\Windows\AppCache\H113WHSL
 * C:\Users\administrator.SCI\AppData\LocalLow\Microsoft\Windows\AppCache\H113WHSL\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\CREDHIST [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\3116bbaa-0554-4155-9c12-7dee1f330914 [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\42d564ab-1431-4a2d-9d89-56e7905add8b [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\52617677-9aaf-40ba-bd8d-065cbdba45c3 [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\97e2c7d9-31dd-4364-ad40-d937c566acb4 [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\BK-SCI [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\S-1-5-21-2569257102-2185423520-2273032915-500\Preferred [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Protect\SYNCHIST [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\Cookies\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\Cookies\Low
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\Cookies\Low\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\DNTException
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\DNTException\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\DNTException\Low
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatCache
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatCache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatUACache
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatUACache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IEDownloadHistory
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IETldCache
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IETldCache\container.dat [File]
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\IETldCache\Low
 * C:\Users\administrator.SCI\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
 * C:\Users\administrator.SCI\NTUSER.DAT [File]
 * C:\Users\administrator.SCI\ntuser.dat.LOG1 [File]
 * C:\Users\administrator.SCI\ntuser.dat.LOG2 [File]
 * C:\Users\administrator.SCI\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\administrator.SCI\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\administrator.SCI\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\administrator.SCI\ntuser.ini [File]
 * C:\Users\administrator.SCI\ntuser.pol [File]
 * C:\Users\administrator.SCI\Searches\Everywhere.search-ms [File]
 * C:\Users\administrator.SCI\Searches\Indexed Locations.search-ms [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck [File]
 * C:\Users\All Users\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q [File]
 * C:\Users\All Users\Microsoft\DRM\Server
 * C:\Users\All Users\Microsoft\Group Policy\History
 * C:\Users\All Users\ntuser.pol [File]
 * C:\Users\debaugh\AppData
 * C:\Users\debaugh\AppData\Local\IconCache.db [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds Cache
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds Cache\HBNTJJY3
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds Cache\IKUPZTTV
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds Cache\P48C27MP
 * C:\Users\debaugh\AppData\Local\Microsoft\Feeds Cache\WT9OQ4HL
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\History
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRO5CUYA
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DX2L9PGP
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FEX4UGNX
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCLMPV9U
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat{0d7ab8f3-77b8-11e2-afd4-000c29a5156f}.TM.blf [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat{0d7ab8f3-77b8-11e2-afd4-000c29a5156f}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\debaugh\AppData\Local\Microsoft\Windows\UsrClass.dat{0d7ab8f3-77b8-11e2-afd4-000c29a5156f}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\debaugh\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 * C:\Users\debaugh\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Users\debaugh\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
 * C:\Users\debaugh\AppData\Roaming\Microsoft\Windows\IETldCache\Low
 * C:\Users\debaugh\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
 * C:\Users\debaugh\NTUSER.DAT [File]
 * C:\Users\debaugh\ntuser.dat.LOG1 [File]
 * C:\Users\debaugh\ntuser.dat.LOG2 [File]
 * C:\Users\debaugh\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\debaugh\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\debaugh\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\debaugh\ntuser.ini [File]
 * C:\Users\debaugh\Searches\Everywhere.search-ms [File]
 * C:\Users\debaugh\Searches\Indexed Locations.search-ms [File]
 * C:\Users\Default
 * C:\Users\Default\AppData
 * C:\Users\Default\NTUSER.DAT [File]
 * C:\Users\Default\NTUSER.DAT.LOG [File]
 * C:\Users\Default\NTUSER.DAT.LOG1 [File]
 * C:\Users\Default\NTUSER.DAT.LOG2 [File]
 * C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\Public\Desktop
 * C:\Users\Public\Favorites
 * C:\Users\Public\Libraries
 * C:\Users\services-admin\AppData
 * C:\Users\services-admin\AppData\Local\IconCache.db [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache\container.dat [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache\H5ZDKP7R
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache\O2VRFEL4
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache\TJYWM8GN
 * C:\Users\services-admin\AppData\Local\Microsoft\Feeds Cache\ZDGF6NDD
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat{cb3aa040-fd86-11e2-9d84-000c29a5156f}.TM.blf [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat{cb3aa040-fd86-11e2-9d84-000c29a5156f}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\UsrClass.dat{cb3aa040-fd86-11e2-9d84-000c29a5156f}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\services-admin\AppData\Local\Microsoft\Windows\WebCache
 * C:\Users\services-admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 * C:\Users\services-admin\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Users\services-admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
 * C:\Users\services-admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
 * C:\Users\services-admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
 * C:\Users\services-admin\NTUSER.DAT [File]
 * C:\Users\services-admin\ntuser.dat.LOG1 [File]
 * C:\Users\services-admin\ntuser.dat.LOG2 [File]
 * C:\Users\services-admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\services-admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\services-admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\services-admin\ntuser.ini [File]
 * C:\Users\services-admin\Searches\Everywhere.search-ms [File]
 * C:\Users\services-admin\Searches\Indexed Locations.search-ms [File]
 * C:\Users\tguilbault\AppData
 * C:\Users\tguilbault\AppData\Local\IconCache.db [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache\8JN10E1Q
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache\container.dat [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache\WKHMGGAS
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache\YGCHPJX5
 * C:\Users\tguilbault\AppData\Local\Microsoft\Feeds Cache\YK423PXZ
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat{e5971d7b-84f5-11e3-8aeb-000c29a5156f}.TM.blf [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat{e5971d7b-84f5-11e3-8aeb-000c29a5156f}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\UsrClass.dat{e5971d7b-84f5-11e3-8aeb-000c29a5156f}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\WebCache
 * C:\Users\tguilbault\AppData\Local\Microsoft\Windows\WebCacheLock.dat [File]
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\DNTException\Low
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
 * C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
 * C:\Users\tguilbault\NTUSER.DAT [File]
 * C:\Users\tguilbault\ntuser.dat.LOG1 [File]
 * C:\Users\tguilbault\ntuser.dat.LOG2 [File]
 * C:\Users\tguilbault\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Users\tguilbault\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Users\tguilbault\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Users\tguilbault\ntuser.ini [File]
 * C:\Users\tguilbault\Searches\Everywhere.search-ms [File]
 * C:\Users\tguilbault\Searches\Indexed Locations.search-ms [File]
 * C:\Windows\assembly\NativeImages_v2.0.50727_32\index588.dat [File]
 * C:\Windows\assembly\NativeImages_v2.0.50727_32\index589.dat [File]
 * C:\Windows\assembly\NativeImages_v2.0.50727_64\index50f.dat [File]
 * C:\Windows\assembly\NativeImages_v2.0.50727_64\index5c0.dat [File]
 * C:\Windows\assembly\NativeImages_v2.0.50727_64\index5c1.dat [File]
 * C:\Windows\assembly\PublisherPolicy.tme [File]
 * C:\Windows\assembly\pubpol1.dat [File]
 * C:\Windows\Fonts\fms_metadata.xml [File]
 * C:\Windows\Fonts\StaticCache.dat [File]
 * C:\Windows\Installer
 * C:\Windows\Installer\$PatchCache$
 * C:\Windows\Installer\$PatchCache$\Managed
 * C:\Windows\Installer\$PatchCache$\Managed\4C628BB85BC40B241A42AAB9968FBC14
 * C:\Windows\Installer\$PatchCache$\Managed\4C628BB85BC40B241A42AAB9968FBC14\4.3.129
 * C:\Windows\Installer\$PatchCache$\Managed\BE4EBED704B66673BB53C5BB3C58AD73
 * C:\Windows\Installer\$PatchCache$\Managed\BE4EBED704B66673BB53C5BB3C58AD73\4.5.50938
 * C:\Windows\security\templates\policies
 * C:\Windows\ServiceProfiles\LocalService\AppData
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{bf5eaa79-7975-11e4-9a34-000c294c233a}.TM.blf [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{bf5eaa79-7975-11e4-9a34-000c294c233a}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{bf5eaa79-7975-11e4-9a34-000c294c233a}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\NetworkService\AppData
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{bf5eaa75-7975-11e4-9a34-806e6f6e6963}.TM.blf [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{bf5eaa75-7975-11e4-9a34-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms [File]
 * C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{bf5eaa75-7975-11e4-9a34-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms [File]
 * C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-shlwapi-l2-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-security-lsalookup-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-security-sddl-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-service-core-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-service-management-l1-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-service-management-l2-1-0.dll [File]
 * C:\Windows\System32\api-ms-win-service-winsvc-l1-1-0.dll [File]
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FA4OC0L
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A5OS7C95
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM4M8754
 * C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUVHNTW8
 * C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-normaliz-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-ole32-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-user32-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-downlevel-version-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-security-lsalookup-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-security-sddl-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-service-core-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-service-management-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-service-management-l2-1-0.dll [File]
 * C:\Windows\SysWOW64\api-ms-win-service-winsvc-l1-1-0.dll [File]
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FA4OC0L
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A5OS7C95
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JM4M8754
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUVHNTW8
 * C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies
 * C:\Windows\Tasks\SA.DAT [File]
 * C:\Windows\WindowsShell.Manifest [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-baseapinamespace_31bf3856ad364e35_6.1.7601.17514_none_a4272f399040a523\api-ms-win-core-ums-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-d..evelapisets-windows_31bf3856ad364e35_7.1.7601.16492_none_e249fd3fed68cb81\api-ms-win-downlevel-user32-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_1ed670cbaddb31b7\api-ms-win-downlevel-advapi32-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_1ed670cbaddb31b7\api-ms-win-downlevel-advapi32-l2-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_1ed670cbaddb31b7\api-ms-win-downlevel-normaliz-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-com_31bf3856ad364e35_7.1.7601.16492_none_5b1161f912e23f6d\api-ms-win-downlevel-ole32-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_2b20f882c1c0eaca\api-ms-win-downlevel-shell32-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_2b20f882c1c0eaca\api-ms-win-downlevel-shlwapi-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_2b20f882c1c0eaca\api-ms-win-downlevel-shlwapi-l2-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_2b20f882c1c0eaca\api-ms-win-downlevel-version-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-security-lsalookup-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-security-sddl-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-service-core-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-service-management-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-service-management-l2-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_c8b8ba7bcb4e2c66\api-ms-win-service-winsvc-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_66a6e19d9580f9e3\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_68d8d569926ebeb2\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_68d20a7192733a4d\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-serverceipassistant_31bf3856ad364e35_6.1.7601.17514_none_dee2dcc10287db8b\ceipdata.xml [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-serverceipassistant_31bf3856ad364e35_6.1.7601.17514_none_dee2dcc10287db8b\ceiproleusage.xml [File]
 * C:\Windows\winsxs\amd64_microsoft-windows-serverrolecollector_31bf3856ad364e35_6.1.7601.17514_none_d014c0101f66419f\ceiprole.xml [File]
 * C:\Windows\winsxs\Temp\PendingDeletes
 * C:\Windows\winsxs\x86_microsoft-windows-d..evelapisets-windows_31bf3856ad364e35_7.1.7601.16492_none_862b61bc350b5a4b\api-ms-win-downlevel-user32-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_c2b7d547f57dc081\api-ms-win-downlevel-advapi32-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_c2b7d547f57dc081\api-ms-win-downlevel-advapi32-l2-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-base_31bf3856ad364e35_7.1.7601.16492_none_c2b7d547f57dc081\api-ms-win-downlevel-normaliz-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-com_31bf3856ad364e35_7.1.7601.16492_none_fef2c6755a84ce37\api-ms-win-downlevel-ole32-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_cf025cff09637994\api-ms-win-downlevel-shell32-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_cf025cff09637994\api-ms-win-downlevel-shlwapi-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_cf025cff09637994\api-ms-win-downlevel-shlwapi-l2-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-downlevelapisets-shell_31bf3856ad364e35_7.1.7601.16492_none_cf025cff09637994\api-ms-win-downlevel-version-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-security-lsalookup-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-security-sddl-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-service-core-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-service-management-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-service-management-l2-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minioapinamespace_31bf3856ad364e35_6.1.7600.16385_none_6c9a1ef812f0bb30\api-ms-win-service-winsvc-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7600.16385_none_0a884619dd2388ad\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18015_none_0cba39e5da114d7c\api-ms-win-security-base-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-console-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-datetime-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-debug-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-delayload-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-errorhandling-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-fibers-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-file-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-handle-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-heap-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-interlocked-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-io-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-libraryloader-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-localization-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-localregistry-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-memory-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-misc-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-namedpipe-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-processenvironment-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-processthreads-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-profile-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-rtlsupport-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-string-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-synch-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-sysinfo-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-threadpool-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-util-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-core-xstate-l1-1-0.dll [File]
 * C:\Windows\winsxs\x86_microsoft-windows-minkernelapinamespace_31bf3856ad364e35_6.1.7601.18229_none_0cb36eedda15c917\api-ms-win-security-base-l1-1-0.dll [File]

Finished scanning the C:\ drive. 645 hidden items found.

Program finished at: 01/08/2015 06:11:08 PM
Execution time: 0 hours(s), 1 minute(s), and 15 seconds(s)

RootkitBuster

2015/01/05 18:19:28 GMT-05:00    2044:1476    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:19:28 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:19:28 GMT-05:00    2044:1476    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:19:28 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:19:28 GMT-05:00    2044:1476    00    E    [getModuleFolder]: Module path: C:\Users\administrator.SCI\Desktop\Tools
    [  (0)]
2015/01/05 18:19:39 GMT-05:00    2044:1476    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: Can't start tmcomm service(0)    [  (0)]
2015/01/05 18:19:39 GMT-05:00    2044:1476    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: TMTAPI_InitializeTAPI() fail(0)    [  (0)]
2015/01/05 18:19:39 GMT-05:00    2044:1476    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: Initialization of TmCommEng library success.    [  (0)]
2015/01/05 18:19:39 GMT-05:00    2044:1476    00    E    [GetVersionFromInstalledModule()]: No version information at registry    [  (0)]
2015/01/05 18:19:44 GMT-05:00    1868:1416    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:19:44 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:19:44 GMT-05:00    1868:1416    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:19:44 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:19:44 GMT-05:00    1868:1416    00    E    [getModuleFolder]: Module path: C:\Users\administrator.SCI\Desktop\Tools
    [  (0)]
2015/01/05 18:21:16 GMT-05:00    2044:1864    00    E    [CConsoleDialog::ScanHiddenMBR]: Scan Hidden MBR
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1864    00    E    [CConsoleDialog::ScanHiddenFile]: Scan Hidden File
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1864    00    E    [CConsoleDialog::ScanKernelCodePatch()]: Scan KernelCodePatch
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1864    00    E    [CConsoleDialog::ScanHiddenService()]: Scan Hidden Service
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1476    00    E    [CConsoleDialog::updateLogHistoryList()]: # of items: 0
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1476    00    E    [CConsoleDialog::updateLogHistoryList()]: requestLogHistoryList: {"LOG_HISTORY_LIST": [{"ID": 1, "SCAN_DATE": 1420500076}]}
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1476    00    E    [CConsoleDialog::requestLogHistory]: 1420500076
    [  (0)]
2015/01/05 18:21:17 GMT-05:00    2044:1476    00    E    [CConsoleDialog::requestLogHistory]: # of items: 0x0
    [  (0)]
2015/01/05 18:21:25 GMT-05:00    2044:1476    00    E    [CSICReportLogger::_CloseLogFile]: CloseLogFile    [  (0)]
2015/01/05 18:21:25 GMT-05:00    2044:1476    00    E    [WinAppDestructor()]: (Needn't waiting)bStopped=1    [  (0)]
2015/01/05 18:21:25 GMT-05:00    2044:1476    00    E    [WinAppDestructor()]: After uninstall driver=1    [  (0)]
2015/01/05 18:21:25 GMT-05:00    2044:1476    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:21:25 Turn OFF logging -+-+-+     [  (0)]
2015/01/05 18:21:32 GMT-05:00    1768:1784    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:21:32 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:21:32 GMT-05:00    1768:1784    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:21:32 Turn ON logging -+-+-+     [  (0)]
2015/01/05 18:21:32 GMT-05:00    1768:1784    00    E    [getModuleFolder]: Module path: C:\Users\administrator.SCI\Desktop\Tools
    [  (0)]
2015/01/05 18:21:43 GMT-05:00    1768:1784    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: Can't start tmcomm service(0)    [  (0)]
2015/01/05 18:21:43 GMT-05:00    1768:1784    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: TMTAPI_InitializeTAPI() fail(0)    [  (0)]
2015/01/05 18:21:43 GMT-05:00    1768:1784    00    E    [CTMRKScanWinApp::InitDriverAndLibrariesX64]: Initialization of TmCommEng library success.    [  (0)]
2015/01/05 18:21:43 GMT-05:00    1768:1784    00    E    [GetVersionFromInstalledModule()]: No version information at registry    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1228    00    E    [CConsoleDialog::ScanHiddenMBR]: Scan Hidden MBR
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1228    00    E    [CConsoleDialog::ScanHiddenFile]: Scan Hidden File
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1228    00    E    [CConsoleDialog::ScanKernelCodePatch()]: Scan KernelCodePatch
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1228    00    E    [CConsoleDialog::ScanHiddenService()]: Scan Hidden Service
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1784    00    E    [CConsoleDialog::updateLogHistoryList()]: # of items: 0
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1784    00    E    [CConsoleDialog::updateLogHistoryList()]: requestLogHistoryList: {"LOG_HISTORY_LIST": [{"ID": 1, "SCAN_DATE": 1420500109}]}
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1784    00    E    [CConsoleDialog::requestLogHistory]: 1420500109
    [  (0)]
2015/01/05 18:21:49 GMT-05:00    1768:1784    00    E    [CConsoleDialog::requestLogHistory]: # of items: 0x0
    [  (0)]
2015/01/05 18:21:59 GMT-05:00    1768:1784    00    E    [CSICReportLogger::_CloseLogFile]: CloseLogFile    [  (0)]
2015/01/05 18:21:59 GMT-05:00    1768:1784    00    E    [WinAppDestructor()]: (Needn't waiting)bStopped=1    [  (0)]
2015/01/05 18:22:00 GMT-05:00    1768:1784    00    E    [WinAppDestructor()]: After uninstall driver=1    [  (0)]
2015/01/05 18:22:00 GMT-05:00    1768:1784    00    F    [LogWritter_setEnable()]:  -+-+-+  RootkitBuster-5.00.01180,2015/01/05 18:22:00 Turn OFF logging -+-+-+     [  (0)]

Trend Micro RootkitBuster

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version:
| Computer Name: SCI-MI-DC2
| OS version: 6.1-7601
| User Name: administrator
+----------------------------------------------------


--== Dump malicious MBR ==--
No hidden MBR found.

--== Dump Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.

Also, looking at TCPView and other types of similar programs, I do not see any connections that I cannot explain or do not expect.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:27 PM

Posted 12 January 2015 - 08:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Keep in mind that MBAM may be doing what it is intended for.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 debaugh

debaugh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 12 January 2015 - 10:03 AM

From AdwCleaner

# AdwCleaner v4.107 - Report created 12/01/2015 at 09:57:49
# Updated 07/01/2015 by Xplode
# Database : 2015-01-11.2 [Live]
# Operating System : Windows Server 2008 R2 Enterprise Service Pack 1 (64 bits)
# Username : Administrator - SCI-MI-DC2
# Running from : C:\Users\administrator.SCI\Desktop\Tools\adwcleaner_4.107.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v35.0 (x86 en-US)


*************************

AdwCleaner[R0].txt - [789 octets] - [05/01/2015 19:25:06]
AdwCleaner[R1].txt - [716 octets] - [12/01/2015 09:57:49]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [775 octets] ##########



#4 debaugh

debaugh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 12 January 2015 - 10:09 AM

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-01-2015
Ran by Administrator at 2015-01-12 10:05:39
Running from C:\Users\administrator.SCI\Desktop\Tools
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Barracuda Backup Agent (HKLM\...\Barracuda Backup Agent) (Version: 5.4.05-rel - Barracuda Networks, Inc.)
BelMonitor Client (HKLM-x32\...\{104E10E5-E052-11D6-8057-00105A2087AE}) (Version: 8.2.13.0 - Belarc, Inc.)
Fortinet SSO Collector Agent v4.3.0129 (HKLM-x32\...\{8BB826C4-4CB5-42B0-A124-AA9B69F8CB41}) (Version: 4.3.0129 - Fortinet)
Malwarebytes Anti-Malware MSI (HKLM-x32\...\{FBC350D5-10D0-4B9B-A9AC-5F2EA07770D5}) (Version: 1.60.2 - Malwarebytes Corporation)
Meraki Systems Manager Agent (HKLM-x32\...\{107230DA-EBE4-4473-9A3B-FFB8DAB4951C}) (Version: 1.0.87 - Meraki)
Meraki Systems Manager Agent (HKLM-x32\...\{709F1D7D-7F65-4014-AC66-848B1202B5AC}) (Version: 1.0.86 - Meraki)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 en-US)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
Sophos Anti-Virus (HKLM-x32\...\{72E30858-FC95-4C87-A697-670081EBF065}) (Version: 10.4.1 - Sophos Limited)
Sophos AutoUpdate (HKLM-x32\...\{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16}) (Version: 4.0.5.39 - Sophos Limited)
Sophos Management Communications System (HKLM-x32\...\{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B}) (Version: 1.5.7 - Sophos Limited)
VMware Tools (HKLM\...\{5DB26083-3561-4205-9D14-BFE56F2F091E}) (Version: 9.4.10.2068191 - VMware, Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2013-11-22 01:46 - 2013-11-22 01:46 - 03103317 _____ () C:\Program Files (x86)\Meraki\PCC Agent 1.0.87\m_agent_service.exe
2014-10-27 12:02 - 2014-10-27 12:02 - 00306472 _____ () C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\log4cplus.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4195109208-910180384-3527119682-500 - Administrator - Enabled)
John T. Spraggins (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
debaugh (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
aflores (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
astefos (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
bcatterall (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
bauerbach (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
bheaven (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
bciolfi (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
croy (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
csmith (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
contractor1 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
contractor2 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
contractor3 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dshuffett (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dgruenwald (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dbutler (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dgirard (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dsimmons (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dbrown (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
efriday (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
eandrews (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
FloatingMech (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gslater (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gpetersen (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gcameron (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ggiles (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gwood (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
htaleb (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
iparker (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jlake (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jsipka (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jfedukovich (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
jgroomes (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jcameron (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jmilligan (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
jroderick (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jharris (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jburnand (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jmather (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jradke (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jbeach (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jgreene (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jjohnson1 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
jdeboer (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jsanders (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jhiggins (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jkrisko (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jmckernan (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kkalosky (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kpoublon (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
kbutler (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kfells (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kwheeler (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ljones (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
lsobkow (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mmanage (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mbehrens (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mdowd (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mmuoio (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
msobkow (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mtysinger (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mcosenza (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mdouglass (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
melliott (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mblenman (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mcruz (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
mnolaga (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
mparis (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mchelenyak (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mcowles (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mglynn (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
meagle (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
mstallsmith (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
oezidi (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
pbrault (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rflamini (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rbrodzik (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rlangdon (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rpellock (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rpalanacki (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
rmanuel (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
resume (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rzahor (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rschiller (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
rkotrych (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
remery (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rtemplin (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rdennis (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rdavis (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rherman (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
rkilbride (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
sabbawi (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
sciqc (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
stay (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
sseidel (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
senberg (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
shipping (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
shaldar (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
sbroser (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
sweingrot (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tikram (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
trodler (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tsisk (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
tamrine (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tguilbault (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
tloftis (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
toor (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
tpeters (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tcantrell (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
tgreen (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
trumpf (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
vdomin (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
vkoncsol (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
wwood (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
Zrichmond (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
zdavidson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mingram (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jsee (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jpoirier (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
pbugg (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
Services-Admin (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
jmessick (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
qcreator (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
belliott (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
aisuser (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
belmanage (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cgaylord (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
easylobby (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SM_fd49468ca621474d8 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SM_f9acbc95eddf4f9db (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SM_c0883926659f48df9 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SM_e3e1f32ccb17411f9 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
kgibson (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
sspade (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
payments (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
arhelp (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
poinvoice (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
npoinvoice (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
aphelp (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
mnice (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
slemon (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jrogers (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cblackmore (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
smiller (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
droane (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jhill (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mthompson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kpresley (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
vbaumgartner (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
narmstrong (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
apapazian (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
nperrone (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cjohnson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cmsuser (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
helpdesk (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
hbajwa (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
MainConfRm (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
PBX (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jpierson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
engineering1 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
voicemail (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gbailey (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
chall (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
wtucker (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
quotes (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
confrm1 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
cthomas (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
aspradlin (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dcoffield (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jmatthews (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DTavernit (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
KZaiser (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCIBoardRoom (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
NHarris (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cwang (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tvollman (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
clittle (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ftersigni (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
erobinson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
frush (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
eliskiewicz (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jyoung (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-G2M-1 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ghusted (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tadair (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
GOB (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gsteiner (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ExchangeBackup (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
fvaldes (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
shoffman (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cvaccaro (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
orders1 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
bcavinder (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dolson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
icoomer (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jmccartney (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
kchristian (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
juwayo (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
msturtevant (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dkulik (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mharden (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
agreene (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ngoebel (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dslaughter (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
kharris (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
support (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
descurel (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
HR (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
eSupport (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
lvargo (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
clake (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jstefanski (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
Dgonyea (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
besmith (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DMcdonald (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
cciatti (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
jmsmith (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
tsimpson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
gmcgahey (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
seaport (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCICONFRMA (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
manderson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
sbrodzik (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
confirmb (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-G2M-3 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCI-G2M-4 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCI-G2M-2 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
zshutes (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
warroom (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
postmaster (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
cfulk (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
webbackup (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SophosSAUSCI-MI-DC20 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
msiedlik (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
smallbuild (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
tkovacs (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
akowalski (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jpruett (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dbaldrica (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
skssupport (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jbrodzik (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
awasson (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dhett (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ACullen (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mweber (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jdallas (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
KVostal (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dcampbell (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
jkurtz (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-DC1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-DC2$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-FP$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-VEEAM$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D049$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D059$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L071$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L103$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L092$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L011$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D043$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L3$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
CMTH-78DA3521DF$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L064$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L100$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L128$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D071$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-98464$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-65321$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L039$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L104$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L112$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
M2M-RMT-ACCESS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-WS-PURCHASE$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L102$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L095$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-95421$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
sci-tandberg$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L111$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BELARC$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D2000$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D060$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D067$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L105$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D200$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L008$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L138$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L088$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ROCKWELL$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-OFFCLIP$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L142$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BOEINGTEST1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L144$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L145$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L146$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L147$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L148$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-FS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L149$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
RVMI-0001$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L081$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-0090$ (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-54269$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D036$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L150$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L086$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L084$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L151$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L153$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D074$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D075$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D076$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D078$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L156$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L055$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L157$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D077$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D051$ (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCI-L048$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L132$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-MGMT$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-EX$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
APACHESERVER$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-ICE$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-ADMT1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-M2M$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D057$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D039$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D044$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D054$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D058$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D040$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D042$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D056$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L113$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L077$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L035$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L129$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L013$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L006$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L106$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L108$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L047$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L127$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L126$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-53643$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-90112$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D070$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L036$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L107$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-FPS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L072$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L002$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-ORION$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-SFTP$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L133$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D045$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-TREND$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-VM-KEPWARE$ (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCI-MI-TEST$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L099$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L085$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L078$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L110$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L134$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L135$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L136$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-PDM-ARCH$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L137$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L080$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D072$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L139$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L019$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L140$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L056$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L143$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-WEBSVR$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D073$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-MI-POS$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SUSESERVER$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BOEINGTEST2$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
BOEINGTEST3$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L097$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L152$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D063$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L155$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L101$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L160$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L158$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D046$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L070$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L161$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L163$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D080$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-51215$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L141$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L165$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D006$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L166$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L168$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-LEITZ-CMM$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L131$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D010$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D066$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D079$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
RVMI-0058$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
VIRTUALXP-23790$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D037$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D048$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L028$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L162$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L167$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L079$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L089$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
NSA$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L087$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L164$ (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SCI-L170$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L003$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L154$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D041$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L074$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-D038$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SCI-L130$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
RVMI-0090$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
REDVIKING$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/08/2015 00:56:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: collectoragent.exe, version: 4.3.129.0, time stamp: 0x508b277e
Faulting module name: collectoragent.exe, version: 4.3.129.0, time stamp: 0x508b277e
Exception code: 0xc0000005
Fault offset: 0x0001e9f5
Faulting process id: 0x658
Faulting application start time: 0xcollectoragent.exe0
Faulting application path: collectoragent.exe1
Faulting module path: collectoragent.exe2
Report Id: collectoragent.exe3

Error: (01/06/2015 06:45:59 PM) (Source: SceSrv) (EventID: 1003) (User: )
Description: Notification of policy change from LSA/SAM has been retried and failed.
Error 4312 to save policy change for account S-1-5-21-2569257102-2185423520-2273032915-1745 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Error: (01/06/2015 06:40:39 PM) (Source: SceSrv) (EventID: 1003) (User: )
Description: Notification of policy change from LSA/SAM has been retried and failed.
Error 4312 to save policy change for account S-1-5-21-2569257102-2185423520-2273032915-1745 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Error: (01/05/2015 06:56:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {35e81631-13e1-48db-97fc-d5bc721bb18a}
   Writer Name: NPS VSS Writer
   Writer Instance ID: {de477aa0-d940-49e7-a558-353e097f6b00}

Error: (01/05/2015 02:50:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2015 06:54:24 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {82fde835-2a08-47fc-a7c2-113139f48b91}

Error: (01/05/2015 06:27:02 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {35e81631-13e1-48db-97fc-d5bc721bb18a}
   Writer Name: NPS VSS Writer
   Writer Instance ID: {126cf63f-e64d-4b2a-82db-dba35a97cbff}

Error: (01/05/2015 02:21:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2015 06:23:41 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...).  hr = 0x80070005, Access is denied.
.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c756f4a2-c139-48da-8875-25ba43f77512}

Error: (01/05/2015 06:05:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (01/12/2015 10:03:14 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Error: (01/12/2015 09:58:13 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Error: (01/12/2015 09:56:16 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sci-mi-dc2$. The target name used was cifs/SCI-MI-DC2.sci.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SCI.LOCAL) is different from the client domain (SCI.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (01/12/2015 09:54:55 AM) (Source: DfsSvc) (EventID: 14550) (User: )
Description:

Error: (01/12/2015 09:54:55 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sci-mi-dc1$. The target name used was cifs/sci-mi-dc1.sci.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SCI.LOCAL) is different from the client domain (SCI.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (01/12/2015 09:53:12 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Error: (01/12/2015 09:49:35 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sci-mi-dc1$. The target name used was cifs/SCI-MI-DC1.sci.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SCI.LOCAL) is different from the client domain (SCI.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (01/12/2015 09:48:11 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Error: (01/12/2015 09:43:10 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Error: (01/12/2015 09:42:49 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sci-mi-dc2$. The target name used was LDAP/SCI-MI-DC2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SCI.LOCAL) is different from the client domain (SCI.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.


Microsoft Office Sessions:
=========================
Error: (01/08/2015 00:56:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: collectoragent.exe4.3.129.0508b277ecollectoragent.exe4.3.129.0508b277ec00000050001e9f565801d02942ef68e121C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exeC:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe9fe97c6b-975f-11e4-a988-000c294c233a

Error: (01/06/2015 06:45:59 PM) (Source: SceSrv) (EventID: 1003) (User: )
Description: Error 4312 to save policy change for account S-1-5-21-2569257102-2185423520-2273032915-1745 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Error: (01/06/2015 06:40:39 PM) (Source: SceSrv) (EventID: 1003) (User: )
Description: Error 4312 to save policy change for account S-1-5-21-2569257102-2185423520-2273032915-1745 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.

Error: (01/05/2015 06:56:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {35e81631-13e1-48db-97fc-d5bc721bb18a}
   Writer Name: NPS VSS Writer
   Writer Instance ID: {de477aa0-d940-49e7-a558-353e097f6b00}

Error: (01/05/2015 02:50:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2015 06:54:24 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {82fde835-2a08-47fc-a7c2-113139f48b91}

Error: (01/05/2015 06:27:02 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {35e81631-13e1-48db-97fc-d5bc721bb18a}
   Writer Name: NPS VSS Writer
   Writer Instance ID: {126cf63f-e64d-4b2a-82db-dba35a97cbff}

Error: (01/05/2015 02:21:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/05/2015 06:23:41 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...)0x80070005, Access is denied.


Operation:
   Initializing Writer

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c756f4a2-c139-48da-8875-25ba43f77512}

Error: (01/05/2015 06:05:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: AMD Opteron™ Processor 6234
Percentage of memory in use: 43%
Total physical RAM: 4095.55 MB
Available physical RAM: 2320.82 MB
Total Pagefile: 8189.29 MB
Available Pagefile: 6505.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:59.9 GB) (Free:35.18 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 60 GB) (Disk ID: 5750F7E4)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=59.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================


FRST Txt:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015
Ran by Administrator (administrator) on SCI-MI-DC2 on 12-01-2015 10:04:07
Running from C:\Users\administrator.SCI\Desktop\Tools
Loaded Profile: Administrator (Available profiles: debaugh & tguilbault & Services-Admin & Administrator)
Platform: Windows Server 2008 R2 Enterprise Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Barracuda Networks, Inc.) C:\Program Files\Barracuda\Barracuda Backup Agent\win\x86_64\bbwinsdr.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
() C:\Program Files (x86)\Meraki\PCC Agent 1.0.87\m_agent_service.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\vdsldr.exe
(Microsoft Corporation) C:\Windows\System32\iashost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsClient.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [74456 2014-08-22] (VMware, Inc.)
HKLM-x32\...\Run: [BelNotify] => C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\Belarc\BelMonitor\System\NPBelv32.dll",RunDll32_BelNotify
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [1593640 2015-01-06] (Sophos Limited)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [217672 2014-11-13] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [275352 2014-11-13] (Sophos Limited)
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2569257102-2185423520-2273032915-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9 21 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [126760] (Sophos Limited)
Winsock: Catalog9-x64 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Winsock: Catalog9-x64 21 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [173864] (Sophos Limited)
Tcpip\..\Interfaces\{F99DF06B-261A-48C4-8DB1-58C81D6CDA3B}: [NameServer] 127.0.0.1,10.2.100.10

FireFox:
========
FF ProfilePath: C:\Users\administrator.SCI\AppData\Roaming\Mozilla\Firefox\Profiles\ui7det1n.default
FF NetworkProxy: "no_proxies_on", "localhost,127.0.0.1"
FF NetworkProxy: "type", 0
FF Extension: Test Pilot - C:\Users\administrator.SCI\AppData\Roaming\Mozilla\Firefox\Profiles\ui7det1n.default\Extensions\testpilot@labs.mozilla.com.xpi [2013-08-03]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Corporation)
R2 bbagent; C:\Program Files\Barracuda\Barracuda Backup Agent\win\x86_64\bbwinsdr.exe [53760 2014-06-20] (Barracuda Networks, Inc.) [File not signed]
S4 BelMonitorService; C:\Program Files (x86)\Belarc\BelMonitor\BANTMonitorSvc.exe [202800 2013-03-26] (Belarc, Inc.)
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Corporation)
R2 DHCPServer; C:\Windows\System32\dhcpssvc.dll [729088 2010-11-20] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [696832 2011-12-26] (Microsoft Corporation)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 Fortinet_FSAE; C:\Program Files (x86)\Fortinet\FSAE\collectoragent.exe [281976 2012-10-26] (Fortinet Inc.)
R2 IAS; C:\Windows\System32\ias.dll [26624 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [19456 2009-07-13] (Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [31232 2014-04-11] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MerakiPCCAgent; C:\Program Files (x86)\Meraki\PCC Agent 1.0.87\m_agent_service.exe [3103317 2013-11-22] () [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [31232 2014-04-11] (Microsoft Corporation)
S4 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Corporation)
S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [294696 2014-11-13] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [208168 2014-11-13] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [340776 2015-01-06] (Sophos Limited)
R2 Sophos MCS Agent; C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe [331048 2014-10-27] (Sophos Limited)
R2 Sophos MCS Client; C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsClient.exe [901416 2014-10-27] (Sophos Limited)
R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [341800 2014-11-13] (Sophos Limited)
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3274536 2014-11-13] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2065704 2014-11-13] (Sophos Limited)
R3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 vmvss; C:\Windows\system32\dllhost.exe /Processid:{A95C1BCE-B0BF-4CE1-AE6A-10F3DD8141E3}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-13] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
R1 SAVOnAccess; C:\Windows\System32\DRIVERS\savonaccess.sys [167168 2014-11-13] (Sophos Limited)
S3 sdcfilter; C:\Windows\System32\DRIVERS\sdcfilter.sys [38144 2014-11-13] (Sophos Limited)
S4 SophosBootDriver; C:\Windows\System32\DRIVERS\SophosBootDriver.sys [27904 2014-11-13] (Sophos Limited)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-05] ()
R2 VMMEMCTL; C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [22744 2014-08-22] (VMware, Inc.)
R1 vnetflt; C:\Windows\system32\Drivers\vnetflt.sys [65240 2014-08-22] (VMware, Inc.)
R0 vsepflt; C:\Windows\System32\Drivers\vsepflt.sys [301272 2014-08-22] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [73944 2014-02-10] (VMware, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 10:03 - 2015-01-12 10:04 - 00000000 ____D () C:\FRST
2015-01-08 10:58 - 2015-01-08 18:11 - 00138938 _____ () C:\Users\administrator.SCI\Desktop\Show-Hidden.txt
2015-01-06 17:57 - 2015-01-06 17:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2015-01-06 17:57 - 2014-11-13 15:36 - 00035624 _____ (Sophos Limited) C:\Windows\system32\SophosBootTasks.exe
2015-01-06 17:56 - 2014-11-13 15:36 - 00176120 _____ (Sophos Limited) C:\Windows\system32\sdccoinstaller.dll
2015-01-06 17:56 - 2014-11-13 15:36 - 00167168 _____ (Sophos Limited) C:\Windows\system32\Drivers\savonaccess.sys
2015-01-06 17:56 - 2014-11-13 15:36 - 00038144 _____ (Sophos Limited) C:\Windows\system32\Drivers\sdcfilter.sys
2015-01-06 17:56 - 2014-11-13 15:36 - 00027904 _____ (Sophos Limited) C:\Windows\system32\Drivers\SophosBootDriver.sys
2015-01-06 17:47 - 2015-01-06 17:57 - 00000000 ____D () C:\ProgramData\Sophos
2015-01-06 17:47 - 2015-01-06 17:56 - 00000000 ____D () C:\Program Files (x86)\Sophos
2015-01-06 17:46 - 2015-01-06 17:46 - 17220952 _____ (Sophos Limited) C:\Users\administrator.SCI\Desktop\SophosInstall.exe
2015-01-05 19:48 - 2015-01-05 19:48 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-05 19:36 - 2015-01-08 19:11 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-05 19:35 - 2015-01-08 19:11 - 00000000 ____D () C:\Users\administrator.SCI\Desktop\mbar
2015-01-05 19:35 - 2015-01-08 18:48 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-05 19:24 - 2015-01-12 09:59 - 00000000 ____D () C:\AdwCleaner
2015-01-05 19:05 - 2015-01-05 19:05 - 00001109 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-05 19:05 - 2015-01-05 19:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
2015-01-05 19:05 - 2015-01-05 19:05 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-01-05 19:05 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-05 18:58 - 2014-11-10 12:23 - 00712264 ____N () C:\Users\administrator.SCI\AppData\Local\Temp\_iu14D2N.tmp
2015-01-05 18:50 - 2015-01-05 18:50 - 00016373 _____ () C:\Users\administrator.SCI\Desktop\csrss.dmp
2015-01-05 18:19 - 2015-01-05 18:21 - 00000000 ____D () C:\Users\administrator.SCI\AppData\Local\Temp\RootkitBuster
2015-01-05 18:05 - 2014-06-20 14:22 - 01292192 _____ (Microsoft Corporation) C:\Users\administrator.SCI\AppData\Local\Temp\dllnt_dump.dll
2015-01-05 17:43 - 2015-01-05 17:43 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-05 14:21 - 2015-01-12 08:21 - 00115603 _____ () C:\Windows\WindowsUpdate.log
2015-01-05 13:03 - 2015-01-05 18:00 - 00000000 ____D () C:\Users\administrator.SCI\AppData\Local\Temp\1
2015-01-05 12:53 - 2015-01-12 10:04 - 00000000 ____D () C:\Users\administrator.SCI\AppData\Local\Temp\2
2014-12-22 07:39 - 2015-01-05 18:58 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-12-22 07:39 - 2014-12-22 07:39 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-12-22 06:55 - 2015-01-12 10:04 - 00000000 ____D () C:\Users\administrator.SCI\Desktop\Tools
2014-12-19 14:41 - 2014-12-19 18:42 - 262705095 _____ (Macrovision Corporation) C:\Users\administrator.SCI\Desktop\SPNT58.exe
2014-12-18 03:49 - 2014-12-13 00:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-18 03:49 - 2014-12-12 22:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-16 11:13 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-12-16 11:13 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-12-16 11:13 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-12-16 11:13 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-12-16 11:13 - 2014-07-08 21:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-12-16 11:13 - 2014-07-08 20:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDYAK.DLL
2014-12-16 11:13 - 2014-07-08 20:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDTAT.DLL
2014-12-16 11:13 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU1.DLL
2014-12-16 11:13 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU.DLL
2014-12-16 11:13 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDBASH.DLL
2014-12-16 11:13 - 2014-07-08 17:38 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-12-16 11:13 - 2014-07-08 17:30 - 00419992 _____ () C:\Windows\SysWOW64\locale.nls
2014-12-15 22:21 - 2014-12-15 22:21 - 05198336 _____ (AVAST Software) C:\Users\administrator.SCI\Downloads\aswMBR.exe
2014-12-15 22:02 - 2014-12-15 22:02 - 02347384 _____ (ESET) C:\Users\administrator.SCI\Downloads\esetsmartinstaller_enu.exe
2014-12-15 21:15 - 2014-06-26 21:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-12-15 21:15 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-12-15 21:13 - 2014-06-30 17:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-12-15 21:13 - 2014-06-30 17:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2014-12-15 21:13 - 2014-06-06 01:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2014-12-15 21:13 - 2014-06-06 01:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-12-15 21:13 - 2014-03-09 16:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-12-15 21:13 - 2014-03-09 16:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-12-15 21:13 - 2014-03-09 16:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2014-12-15 21:13 - 2014-03-09 16:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 09:44 - 2009-07-13 23:49 - 00025664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-12 09:44 - 2009-07-13 23:49 - 00025664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-12 09:42 - 2013-01-20 17:33 - 00000000 ____D () C:\Windows\system32\dhcp
2015-01-10 00:54 - 2012-08-29 21:51 - 00000000 ____D () C:\Windows\NTDS
2015-01-09 15:30 - 2009-07-14 00:07 - 00000000 ____D () C:\Windows\system32\ServerManager
2015-01-05 19:02 - 2009-07-14 00:10 - 00839154 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-05 18:58 - 2013-03-23 20:47 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-01-05 18:56 - 2013-01-20 22:11 - 00005968 _____ () C:\Windows\system32\config\netlogon.dnb
2015-01-05 18:56 - 2013-01-20 22:11 - 00002024 _____ () C:\Windows\system32\config\netlogon.dns
2015-01-05 18:54 - 2012-08-29 21:51 - 00000000 ____D () C:\Windows\system32\dns
2015-01-05 18:54 - 2009-07-14 00:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-05 18:13 - 2012-08-30 05:21 - 00000000 ____D () C:\Windows\Panther
2015-01-05 18:03 - 2013-08-03 08:17 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-05 17:06 - 2009-07-13 23:49 - 00267672 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-05 14:49 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Registration
2014-12-30 04:39 - 2014-01-31 15:20 - 00001417 _____ () C:\Users\tguilbault\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-12-16 07:26 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-12-16 06:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2014-12-16 06:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\Dism
2014-12-16 06:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-15 21:34 - 2013-08-10 17:54 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-15 21:25 - 2013-06-29 11:33 - 00838104 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\administrator.SCI\AppData\Local\Temp\2\dllnt_dump.dll
C:\Users\administrator.SCI\AppData\Local\Temp\2\procexp64.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-04 00:28

==================== End Of Log ============================



#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:27 PM

Posted 12 January 2015 - 02:26 PM

Nothing suspicious was found on your FRST log.

#6 debaugh

debaugh
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:27 PM

Posted 12 January 2015 - 03:48 PM

I have run a lot of different tools and have come up with nothing... but I see the following from MalwareBytes:


2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 59057, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58385, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 58385, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 60690, Process: dns.exe)
2015/01/12 02:39:08 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 60690, Process: dns.exe)
2015/01/12 02:39:08 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 59403, Process: dns.exe)
2015/01/12 02:39:16 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 59403, Process: dns.exe)
2015/01/12 02:39:16 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 60625, Process: dns.exe)
2015/01/12 02:39:16 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 60625, Process: dns.exe)
2015/01/12 02:39:25 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 58861, Process: dns.exe)
2015/01/12 02:39:25 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58861, Process: dns.exe)
2015/01/12 02:39:33 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 59018, Process: dns.exe)
2015/01/12 02:39:33 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 59018, Process: dns.exe)
2015/01/12 02:39:33 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 58463, Process: dns.exe)
2015/01/12 02:39:41 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58463, Process: dns.exe)
2015/01/12 04:00:36 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 59439, Process: dns.exe)
2015/01/12 04:00:36 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 58559, Process: dns.exe)
2015/01/12 04:00:36 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58559, Process: dns.exe)
2015/01/12 04:00:44 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58519, Process: dns.exe)


As far as I can tell these are Chinese addresses and that bothers me.
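Added example, not part of the thread: a small Python triage helper for Malwarebytes "IP-BLOCK" log lines in the layout posted above. It groups the blocks by process and remote address, checks whether the logged ports fall in the Windows dynamic port range, and finds the same port sent to a second server; the embedded lines are copied from the post above, and the "DNS Server recursion" note the assessment prints is a hypothesis to confirm, not a verdict.

```python
"""Triage helper for Malwarebytes Anti-Malware 'IP-BLOCK' protection-log lines.

Example code written for this thread; it is not Malwarebytes' own parser.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Windows Vista / Server 2008 and later allocate dynamic (ephemeral) ports here.
DYNAMIC_PORT_RANGE = (49152, 65535)

# One log line: timestamp, host, user, IP-BLOCK, remote IP, then the details in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\(Type:\s*(?P<direction>\w+),\s*Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)\s*$"
)

# Lines copied from the post above (a subset, kept short for the example).
SAMPLE_LOG = """\
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 59057, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 58385, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 58385, Process: dns.exe)
2015/01/12 02:39:00 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 60690, Process: dns.exe)
2015/01/12 02:39:08 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 60690, Process: dns.exe)
2015/01/12 02:39:08 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.68 (Type: outgoing, Port: 59403, Process: dns.exe)
2015/01/12 02:39:16 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 59403, Process: dns.exe)
2015/01/12 04:00:36 -0500    SCI-MI-DC2    Administrator    IP-BLOCK    202.103.0.117 (Type: outgoing, Port: 59439, Process: dns.exe)
"""


class Block(NamedTuple):
    when: datetime
    host: str
    user: str
    ip: str
    direction: str
    port: int
    process: str


def parse_line(line: str) -> Optional[Block]:
    """Parse one IP-BLOCK line; return None for lines in any other layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m.group("ts"))  # collapse tab/space runs inside the timestamp
    return Block(
        when=datetime.strptime(ts, "%Y/%m/%d %H:%M:%S %z"),
        host=m.group("host"), user=m.group("user"), ip=m.group("ip"),
        direction=m.group("direction"), port=int(m.group("port")),
        process=m.group("process").strip(),
    )


def parse_log(text: str) -> List[Block]:
    return [b for b in (parse_line(ln) for ln in text.splitlines()) if b is not None]


def summarize(blocks: List[Block]) -> Dict[Tuple[str, str], dict]:
    """Aggregate blocks per (process, remote IP): count, ports, time window, port range."""
    groups: Dict[Tuple[str, str], List[Block]] = defaultdict(list)
    for b in blocks:
        groups[(b.process, b.ip)].append(b)
    out = {}
    for key, evs in groups.items():
        ports = sorted({e.port for e in evs})
        out[key] = {
            "count": len(evs),
            "ports": ports,
            "first": min(e.when for e in evs),
            "last": max(e.when for e in evs),
            "directions": sorted({e.direction for e in evs}),
            "all_ports_dynamic": all(DYNAMIC_PORT_RANGE[0] <= p <= DYNAMIC_PORT_RANGE[1] for p in ports),
        }
    return out


def retried_ports(blocks: List[Block]) -> Dict[Tuple[str, int], List[str]]:
    """Ports the same process used towards more than one remote IP.

    In the posted log the same port shows up against both addresses within seconds,
    which is what a resolver retrying one query against a second server looks like.
    """
    by_port: Dict[Tuple[str, int], set] = defaultdict(set)
    for b in blocks:
        by_port[(b.process, b.port)].add(b.ip)
    return {k: sorted(v) for k, v in by_port.items() if len(v) > 1}


def assess(blocks: List[Block]) -> List[str]:
    """Human-readable triage lines; the DNS note is a hypothesis to verify, not a verdict."""
    notes = []
    for (proc, ip), s in summarize(blocks).items():
        line = f"{proc} -> {ip}: {s['count']} block(s), {len(s['ports'])} port(s), {s['first']:%H:%M:%S}..{s['last']:%H:%M:%S}"
        if proc.lower() == "dns.exe" and s["directions"] == ["outgoing"] and s["all_ports_dynamic"]:
            # dns.exe is the Windows DNS Server service; a recursive server sends its own
            # queries outbound from dynamic ports. Confirm with DNS debug logging (which
            # client asked for the name) and by verifying the binary as advised in the thread.
            line += " | hypothesis: DNS Server recursion/forwarding; confirm via debug logging"
        else:
            line += " | review: unexpected process or port pattern"
        notes.append(line)
    return notes


if __name__ == "__main__":
    for n in assess(parse_log(SAMPLE_LOG)):
        print(n)
```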



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:27 PM

Posted 13 January 2015 - 09:43 AM


Check the status of the dns.exe file
http://www.file.net/process/dns.exe.html

If not sure if it's been compromised check it out at Jotti.

Submit the file and check it out.
http://virusscan.jotti.org/en

p.s.
Is MBAM generating an information page every time it blocks a request?



