Infected with Gozi/Neverquest Trojan
This topic is locked. 18 replies to this topic.

#1 Stilgard

Posted 06 February 2015 - 12:25 PM

My network access has been blocked since this was detected. I am using a laptop with a connection to download the necessary files and transferring them to this machine to do any cleaning attempts. I am now ready for your instructions.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by RBERLIN (administrator) on ITS120339 on 06-02-2015 11:42:14
Running from C:\Users\rberlin\Desktop
Loaded Profiles: RBERLIN (Available profiles: RBERLIN & itslocal & Administrator)
Platform: Windows 7 Enterprise Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [NWTRAY] => C:\Program Files\Novell\Client\nwtray.exe [39992 2013-01-15] ()
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [290688 2012-10-25] (Intel Corporation)
HKLM-x32\...\Run: [ShStatEXE] => C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [243560 2014-01-15] (McAfee, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2014-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2014-12-03] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1688008 2012-09-06] (Western Digital)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5562736 2014-07-22] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-10-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [333856 2013-09-27] (McAfee, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [LogitechCommunicationsManager] => C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [488984 2007-02-08] (Logitech Inc.)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files (x86)\Logitech\QuickCam10\QuickCam10.exe [774168 2007-02-08] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [Novell Messenger] => C:\Novell\Messenger\NMCL32.exe [1417293 2007-09-05] (Novell, Inc.)
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [SkyDrive] => C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [277672 2014-09-25] (Microsoft Corporation)
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [CityWatch] => C:\Program Files (x86)\CityWatch\CityWatch.exe [3365306 2013-10-19] ()
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [GoogleChromeAutoLaunch_91097F094A70A00A40D693F1E43823BC] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [856904 2014-12-05] (Google Inc.)
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [PTIM.exe] => C:\Program Files (x86)\WebEx\Productivity Tools\PTIM.exe [665384 2015-02-05] (Cisco WebEx LLC)
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [FedikLiklo] => regsvr32.exe "C:\ProgramData\FedikLiklo\VelzuYralh.lnl"
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\RunOnce: [Uninstall C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64"
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\RunOnce: [Uninstall C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64"
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\RunOnce: [Uninstall C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\RunOnce: [Uninstall C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\rberlin\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Policies\Explorer: [NoLogOff] 0
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\MountPoints2: {04d936e8-f22e-11e3-86b3-90b11c84d0a5} - "E:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\MountPoints2: {19a819bb-c081-11e3-bc24-90b11c84d0a5} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-18\...\Run: [Bomgar_Cleanup_ZD241337152] => cmd.exe /C rd /S /Q "C:\ProgramData\bomgar-scc-0x5231d850" & reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bomgar_Cleanup_ZD241337152 /f
Lsa: [Authentication Packages] msv1_0 ncv1_0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SafeConnect.lnk
ShortcutTarget: SafeConnect.lnk -> C:\Program Files (x86)\SafeConnect\SCClient.exe (Impulse Point, LLC)
Startup: C:\Users\rberlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Verizon Wireless Software Utility Application for Android – Samsung.lnk
ShortcutTarget: Verizon Wireless Software Utility Application for Android – Samsung.lnk -> C:\Users\rberlin\AppData\Roaming\VERIZON\UA_ar\UA.exe (SAMSUNG Electornics Co., Ltd.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140410171927.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: WebEx Productivity Tools -> {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} -> C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll (Cisco WebEx LLC)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140410171929.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: WebEx Productivity Tools -> {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} -> C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll (Cisco WebEx LLC)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli64.dll (Cisco WebEx LLC)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - WebEx Productivity Tools - {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll (Cisco WebEx LLC)
Toolbar: HKU\S-1-5-21-168584002-1222538047-2102726425-1461 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} https://dip.aug.edu:7778/forms/jinitiator/jinit.exe
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: nim - {3D206AE2-3039-413B-B748-3ACC562EC22A} - C:\Novell\Messenger\nmcg32.dll (Novell, Inc.)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\rberlin\AppData\Roaming\Mozilla\Firefox\Profiles\0p6otidk.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-168584002-1222538047-2102726425-1461: @citrixonline.com/appdetectorplugin -> C:\Users\rberlin\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF user.js: detected! => C:\Users\rberlin\AppData\Roaming\Mozilla\Firefox\Profiles\0p6otidk.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPJinit13128.dll (Oracle Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\rberlin\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2014-07-14]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-05-08]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: IDS_SS_NAME - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013-05-08]
FF HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Firefox\Extensions: [ocplugin@webex.com] - C:\Program Files (x86)\WebEx\Productivity Tools
FF Extension: WebEx Productivity Tools - C:\Program Files (x86)\WebEx\Productivity Tools [2014-08-07]

Chrome:
=======
CHR Profile: C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-08]
CHR Extension: (Google Drive) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-05-08]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (YouTube) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-05-08]
CHR Extension: (Google Search) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-08]
CHR Extension: (Hangouts) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2015-02-04]
CHR Extension: (Hangouts) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-06-09]
CHR Extension: (Google Wallet) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-21]
CHR Extension: (Gmail) - C:\Users\rberlin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-05-08]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S2 Cisco Media Services Interface; C:\Program Files (x86)\Cisco Systems\Media Services Interface\msid.exe [1622760 2012-11-05] ()
S2 LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [173344 2007-02-06] (Logitech Inc.)
S2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [133152 2013-09-27] (McAfee, Inc.)
S2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2014-04-10] (McAfee, Inc.)
S2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [208416 2014-01-15] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [185280 2014-04-10] (McAfee, Inc.)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2014-11-17] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2014-11-17] (Hewlett-Packard) [File not signed]
S2 SCManager; C:\Program Files (x86)\SafeConnect\scManager.sys [176520 2012-11-19] (Impulse Point, LLC)
S2 SoftshieldService; C:\Program Files (x86)\Examsoft\Softest 11.0\Examsoft.ShieldRunner.exe [67848 2015-01-23] (Hewlett-Packard)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2014-12-02] (Western Digital Technologies, Inc.)
S2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [296312 2014-06-02] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 XTSvcMgr; C:\Program Files\Novell\Client\XTier\Services\XTSvcMgr.exe [20536 2013-01-15] (Novell, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AndNetDiag; C:\Windows\System32\DRIVERS\lgandnetdiag64.sys [29184 2013-04-18] (LG Electronics Inc.)
S3 AndNetGps; C:\Windows\System32\DRIVERS\lgandnetgps64.sys [28672 2013-04-18] (LG Electronics Inc.)
S3 ANDNetModem; C:\Windows\System32\DRIVERS\lgandnetmodem64.sys [36352 2013-06-28] (LG Electronics Inc.)
S3 andnetndis; C:\Windows\System32\DRIVERS\lgandnetndis64.sys [93696 2013-04-23] (LG Electronics Inc.)
S3 bgdspdrv; C:\Windows\System32\DRIVERS\bgdspdrv.sys [37200 2012-05-21] (Bomgar Corporation)
S3 LVcKap64; C:\Windows\System32\DRIVERS\LVcKap64.sys [1013024 2007-02-06] (Logitech Inc.)
S3 LVMVDrv; C:\Windows\System32\DRIVERS\LVMVDrv.sys [2346016 2007-02-06] (Logitech Inc.)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [31520 2007-02-06] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-06] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-04-10] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-04-10] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-04-10] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-04-10] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-04-10] (McAfee, Inc.)
S3 Msidriver; C:\Windows\System32\DRIVERS\msidriver.sys [61856 2012-11-05] (Cisco Systems)
R0 NCFilter; C:\Windows\System32\DRIVERS\NCFilter.sys [112696 2013-01-15] ()
S2 NCFSD; C:\Program Files\Novell\Client\XTier\Drivers\ncfsd.sys [115256 2013-01-15] ()
S2 NCIOCTL; C:\Program Files\Novell\Client\XTier\Drivers\ncioctl.sys [90680 2013-01-15] ()
R0 NCRecognizer; C:\Windows\System32\DRIVERS\NCRecognizer.sys [120376 2013-01-15] ()
R0 NCUncFilter; C:\Windows\System32\DRIVERS\NCUncFilter.sys [26680 2013-01-15] ()
S1 NICM; C:\Program Files\Novell\Client\XTier\Drivers\nicm.sys [31800 2013-01-15] (Novell, Inc.)
S2 SPCD; C:\Windows\SysWOW64\drivers\spcd.sys [33168 2011-03-29] (Calabrio)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-06 11:42 - 2015-02-06 11:42 - 00025355 _____ () C:\Users\rberlin\Desktop\FRST.txt
2015-02-06 11:41 - 2015-02-06 11:42 - 00000000 ____D () C:\FRST
2015-02-06 11:41 - 2015-02-06 09:56 - 02131968 _____ (Farbar) C:\Users\rberlin\Desktop\FRST64.exe
2015-02-06 09:31 - 2015-02-06 09:31 - 00001067 _____ () C:\Users\Public\Desktop\DriveImage XML.lnk
2015-02-06 09:31 - 2015-02-06 09:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2015-02-06 09:31 - 2015-02-06 09:31 - 00000000 ____D () C:\Program Files (x86)\Runtime Software
2015-02-05 11:51 - 2015-02-05 11:51 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
2015-02-05 08:41 - 2015-02-05 08:41 - 01046528 _____ () C:\Users\rberlin\Downloads\MicrosoftFixit50848.msi
2015-01-29 11:41 - 2015-01-29 11:41 - 00002945 _____ () C:\Users\rberlin\Desktop\HiJackThis.lnk
2015-01-29 11:41 - 2015-01-29 11:41 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
2015-01-29 11:41 - 2015-01-29 11:41 - 00000000 ____D () C:\Program Files (x86)\Trend Micro
2015-01-29 11:09 - 2013-02-06 17:17 - 00544568 _____ (Intel Corporation) C:\Windows\system32\PROUnstl.exe
2015-01-29 11:09 - 2006-01-12 15:52 - 00001904 ____N () C:\Windows\system32\SetupBD.din
2015-01-29 11:08 - 2015-01-29 11:08 - 00000000 ____D () C:\ProgramData\Dell
2015-01-29 11:08 - 2013-02-20 22:14 - 00495888 _____ (Intel Corporation) C:\Windows\system32\Drivers\e1c62x64.sys
2015-01-29 11:08 - 2012-12-06 03:21 - 00073032 _____ (Intel Corporation) C:\Windows\system32\e1cmsg.dll
2015-01-29 11:08 - 2012-11-14 04:07 - 00101224 _____ (Intel Corporation) C:\Windows\system32\NicInstC.dll
2015-01-29 11:05 - 2015-02-06 08:27 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-29 11:05 - 2015-01-29 11:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-29 11:05 - 2015-01-29 11:05 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-29 11:05 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-29 11:05 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-28 10:28 - 2015-02-05 12:02 - 00004958 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for AC.EDU-RBERLIN ITS120339.aug.edu
2015-01-26 08:26 - 2015-02-05 10:56 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\.purple
2015-01-26 08:26 - 2015-01-26 08:26 - 00000000 ____D () C:\Users\rberlin\AppData\Local\enchant
2015-01-26 08:24 - 2015-01-26 08:24 - 00000951 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pidgin.lnk
2015-01-26 08:24 - 2015-01-26 08:24 - 00000000 ____D () C:\Program Files (x86)\Pidgin
2015-01-26 08:22 - 2015-01-26 08:22 - 09670472 _____ () C:\Users\rberlin\Downloads\pidgin-2.10.11.exe
2015-01-23 15:08 - 2015-01-23 15:08 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\GoldWave
2015-01-23 15:07 - 2015-01-23 15:07 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GoldWave
2015-01-23 15:07 - 2015-01-23 15:07 - 00000000 ____D () C:\Program Files\GoldWave
2015-01-23 13:21 - 2015-01-28 10:11 - 00000099 _____ () C:\Users\rberlin\Desktop\reopen.txt
2015-01-23 11:02 - 2015-01-23 11:02 - 00000000 ____D () C:\Users\rberlin\Downloads\GoldWave
2015-01-23 11:01 - 2015-01-23 11:01 - 12229000 _____ (GoldWave Inc.) C:\Users\rberlin\Downloads\InstallGoldWave610.exe
2015-01-22 09:02 - 2015-02-04 17:40 - 00000000 ____D () C:\ProgramData\boost_interprocess
2015-01-22 09:01 - 2015-01-22 09:01 - 32688488 _____ (Fitbit Inc.) C:\Users\rberlin\Downloads\FitbitConnect_Win_20141107_2.0.0.6512.exe
2015-01-21 15:56 - 2015-01-29 11:18 - 00000000 ____D () C:\Quarantine
2015-01-21 11:57 - 2015-01-21 11:57 - 00000000 ____D () C:\Users\Public\Documents\CrashDump
2015-01-21 11:21 - 2015-02-05 08:48 - 00008027 _____ () C:\Windows\system32\lvcoinst.log
2015-01-21 11:21 - 2007-02-03 10:32 - 00041504 _____ (Logitech Inc.) C:\Windows\SysWOW64\Drivers\LVUSBSta.sys
2015-01-21 11:19 - 2007-02-03 10:32 - 00527136 _____ (Logitech Inc.) C:\Windows\SysWOW64\LVUI2RC.dll
2015-01-21 11:19 - 2007-02-03 10:32 - 00215840 _____ (Logitech Inc.) C:\Windows\SysWOW64\LVUI2.dll
2015-01-21 11:19 - 2007-02-03 10:30 - 00366368 _____ (Logitech Inc.) C:\Windows\system32\LVUIRC64.dll
2015-01-21 11:19 - 2007-02-03 10:30 - 00139552 _____ (Logitech Inc.) C:\Windows\system32\LVUI64.dll
2015-01-21 11:19 - 2007-02-03 10:30 - 00058528 _____ (Logitech Inc.) C:\Windows\system32\Drivers\LVUSBS64.sys
2015-01-21 11:19 - 2007-02-03 10:29 - 00264992 _____ (Logitech Inc.) C:\Windows\SysWOW64\lvcodec2.dll
2015-01-21 11:19 - 2007-02-03 10:28 - 00098592 _____ (Logitech Inc.) C:\Windows\system32\lvco1051.dll
2015-01-21 11:19 - 2007-02-03 10:27 - 00280864 _____ (Logitech Inc.) C:\Windows\system32\lvcod64.dll
2015-01-21 11:19 - 2007-02-03 10:26 - 00154400 _____ (Logitech Inc.) C:\Windows\SysWOW64\CamExL20.dll
2015-01-21 11:19 - 2007-02-03 10:25 - 00955680 _____ (Logitech Inc.) C:\Windows\system32\Drivers\CamDrL64.sys
2015-01-21 11:19 - 2007-02-03 10:25 - 00117536 _____ (Logitech Inc.) C:\Windows\SysWOW64\CamExL20.ax
2015-01-21 11:19 - 2007-02-03 10:25 - 00085280 _____ (Logitech Inc.) C:\Windows\system32\CamExL64.ax
2015-01-21 11:19 - 2007-02-03 09:01 - 00013398 _____ () C:\Windows\system32\Repository.reg
2015-01-21 11:19 - 2007-02-03 08:59 - 00050127 _____ () C:\Windows\system32\lvcoin64.ini
2015-01-21 11:19 - 2003-02-21 04:42 - 00348160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2015-01-21 11:18 - 2015-01-21 11:21 - 00000000 ____D () C:\Program Files\Common Files\LogiShrd
2015-01-21 11:18 - 2015-01-21 11:18 - 00002024 _____ () C:\Users\Public\Desktop\Logitech QuickCam.lnk
2015-01-21 11:18 - 2015-01-21 11:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2015-01-21 11:18 - 2015-01-21 11:18 - 00000000 ____D () C:\ProgramData\Logitech
2015-01-21 11:18 - 2015-01-21 11:18 - 00000000 ____D () C:\ProgramData\Logishrd
2015-01-21 10:33 - 2015-01-21 11:18 - 00000000 ____D () C:\Program Files (x86)\Logitech
2015-01-21 10:33 - 2015-01-21 10:33 - 00000000 ____D () C:\Users\rberlin\Downloads\Logitech
2015-01-20 14:04 - 2015-01-20 14:04 - 00000000 ____D () C:\ProgramData\FedikLiklo
2015-01-20 13:30 - 2015-01-21 15:56 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\Windows
2015-01-12 08:22 - 2015-01-12 08:22 - 00880784 _____ (Google Inc.) C:\Users\rberlin\Downloads\ChromeSetup.exe
2015-01-07 15:15 - 2014-11-20 08:14 - 00162032 _____ (Hewlett-Packard) C:\Windows\system32\hpmtp175.dll
2015-01-07 15:15 - 2014-11-20 08:13 - 00217328 _____ (Hewlett-Packard) C:\Windows\system32\hpmml175.dll
2015-01-07 15:15 - 2014-11-20 08:13 - 00200432 _____ (Hewlett-Packard) C:\Windows\system32\hpmja175.dll
2015-01-07 15:15 - 2014-11-20 08:13 - 00189680 _____ (Hewlett-Packard) C:\Windows\system32\hpmpm081.dll
2015-01-07 15:15 - 2014-11-20 08:13 - 00073968 _____ (Hewlett-Packard) C:\Windows\system32\hpmpw081.dll
2015-01-07 15:15 - 2014-11-20 08:11 - 00457456 _____ (Hewlett-Packard Corporation) C:\Windows\system32\hpcpn175.dll
2015-01-07 15:15 - 2014-11-20 08:11 - 00140016 _____ (Hewlett-Packard) C:\Windows\system32\hpcjpm.dll
2015-01-07 15:15 - 2014-11-20 08:07 - 00452336 _____ (Hewlett Packard Corporation) C:\Windows\SysWOW64\hpcc3175.dll
2015-01-07 15:14 - 2015-01-07 15:14 - 19282160 _____ () C:\Users\rberlin\Downloads\upd-pcl6-x64-6.0.0.18849.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-06 09:31 - 2009-07-14 00:13 - 00803566 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-06 08:42 - 2010-11-20 22:47 - 00204860 _____ () C:\Windows\PFRO.log
2015-02-06 08:42 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-06 08:42 - 2009-07-13 23:51 - 00090299 _____ () C:\Windows\setupact.log
2015-02-05 12:59 - 2013-05-08 11:10 - 01840728 _____ () C:\Windows\WindowsUpdate.log
2015-02-05 12:34 - 2013-05-08 17:37 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-05 12:32 - 2013-05-08 12:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-05 12:31 - 2014-06-05 13:03 - 00000542 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-168584002-1222538047-2102726425-1461.job
2015-02-05 11:51 - 2014-08-07 15:53 - 00001957 _____ () C:\Users\Public\Desktop\WebEx One-Click.lnk
2015-02-05 11:51 - 2013-05-15 07:38 - 00008192 _____ () C:\Windows\SysWOW64\WDPABKP.dat
2015-02-05 11:51 - 2013-05-08 17:37 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-05 11:06 - 2009-07-13 23:45 - 00022208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-05 11:06 - 2009-07-13 23:45 - 00022208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-05 10:57 - 2013-11-13 10:34 - 00000000 ____D () C:\Users\rberlin\Documents\E-mail
2015-02-05 10:57 - 2013-06-11 07:34 - 00000000 ___RD () C:\Users\rberlin\SkyDrive
2015-02-05 09:54 - 2013-05-08 17:35 - 00000000 ____D () C:\Program Files (x86)\SafeConnect
2015-02-05 09:00 - 2013-05-09 06:50 - 00004958 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for {90614ff0-7f2b-4afa-b0c0-4b36cd41b4d0} ITS120339.aug.edu
2015-02-05 08:48 - 2013-05-08 11:48 - 00000232 _____ () C:\Windows\system32\config\netlogon.ftl
2015-02-05 05:32 - 2013-05-08 12:13 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 05:32 - 2013-05-08 12:13 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-05 05:32 - 2013-05-08 12:13 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-05 05:28 - 2013-05-08 17:37 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-05 05:28 - 2013-05-08 17:37 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-05 02:00 - 2013-05-08 16:03 - 00000000 ____D () C:\Users\rberlin\AppData\Local\Adobe
2015-02-04 12:47 - 2013-05-10 13:06 - 00000000 ____D () C:\Users\rberlin\AppData\Local\JabberWerxCPP
2015-02-04 12:09 - 2014-10-16 07:07 - 10286474 _____ () C:\Windows\SysWOW64\debug.log
2015-02-04 12:08 - 2013-05-08 11:34 - 00000000 ____D () C:\ProgramData\Sonic
2015-01-29 11:44 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-29 11:05 - 2013-05-08 12:50 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-28 07:54 - 2014-06-05 13:03 - 00003572 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-168584002-1222538047-2102726425-1461
2015-01-27 17:09 - 2014-04-07 08:48 - 00000044 _____ () C:\Windows\hpmnwun.ini
2015-01-27 16:33 - 2013-05-08 16:03 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\Apple Computer
2015-01-27 16:08 - 2014-05-30 15:31 - 00000000 ____D () C:\Users\rberlin\Documents\TurningPoint 5
2015-01-23 23:39 - 2014-06-16 07:23 - 00000000 ____D () C:\ProgramData\SofTest
2015-01-23 23:39 - 2014-06-16 07:22 - 00000000 ____D () C:\Program Files (x86)\Examsoft
2015-01-23 15:32 - 2013-05-14 10:25 - 00000000 ____D () C:\Users\rberlin\Documents\RanMan
2015-01-21 13:31 - 2014-04-04 08:53 - 00000000 ____D () C:\Users\rberlin\Documents\CAHS
2015-01-21 11:58 - 2014-05-13 14:41 - 00000000 ____D () C:\Users\rberlin\AppData\Roaming\VERIZON
2015-01-12 09:03 - 2014-04-08 15:16 - 00000000 ____D () C:\Users\rberlin\Documents\Desire2Learn
2015-01-12 08:23 - 2013-05-08 17:37 - 00002215 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-07 15:15 - 2014-04-07 08:44 - 00000000 ____D () C:\HP Universal Print Driver
2015-01-07 14:50 - 2014-12-19 16:01 - 00000679 _____ () C:\ProgramData\hpzinstall.log
2015-01-07 14:48 - 2014-12-19 16:03 - 00000420 _____ () C:\Windows\hpntwksetup.ini

==================== Files in the root of some directories =======

2013-06-13 15:08 - 2014-08-15 16:12 - 0000132 _____ () C:\Users\rberlin\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-05-15 08:54 - 2013-05-15 08:54 - 0000092 _____ () C:\Users\rberlin\AppData\Roaming\mbam.context.scan
2014-04-04 16:46 - 2014-06-27 15:24 - 0003584 _____ () C:\Users\rberlin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-01-06 12:53 - 2013-10-09 00:12 - 0010240 _____ () C:\Users\rberlin\AppData\Local\Z@!-7d6be9c3-b30c-49a2-aaf3-13b2a42b1932.tmp
2014-01-06 12:53 - 2013-10-09 00:12 - 0009216 _____ () C:\Users\rberlin\AppData\Local\Z@S!-5f0529bb-bbbf-4820-9b6e-e9e3ff14ac2f.tmp
2013-05-08 12:00 - 2010-06-10 14:39 - 0000047 _____ () C:\ProgramData\Alertus v2.6.40.111.txt
2014-12-19 16:01 - 2015-01-07 14:50 - 0000679 _____ () C:\ProgramData\hpzinstall.log
2013-05-13 12:15 - 2013-05-13 12:17 - 0000837 _____ () C:\ProgramData\NCIDebug.log

Some content of TEMP:
====================
C:\Users\csvtst13\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\rberlin\AppData\Local\Temp\atgpcdec.dll
C:\Users\rberlin\AppData\Local\Temp\jna2612576382759323030.dll
C:\Users\rberlin\AppData\Local\Temp\jna6397987711545583293.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-03 00:58

==================== End Of Log ============================


Edited by nasdaq, 10 February 2015 - 10:40 AM.
FRST log posted



#2 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 10 February 2015 - 10:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-168584002-1222538047-2102726425-1461\...\Run: [FedikLiklo] => regsvr32.exe "C:\ProgramData\FedikLiklo\VelzuYralh.lnl"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-168584002-1222538047-2102726425-1461 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF user.js: detected! => C:\Users\rberlin\AppData\Roaming\Mozilla\Firefox\Profiles\0p6otidk.default\user.js
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
AlternateDataStreams: C:\ProgramData\Microsoft:HDxkM6NGfviyr9Qm8Z5E84jU
AlternateDataStreams: C:\ProgramData\Microsoft:IrLSzFotWMbkSTM3Mprn
AlternateDataStreams: C:\ProgramData\Microsoft:sHTOWTHsvgK3Fyg4
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\ProgramData\Temp:F0D7EE30
AlternateDataStreams: C:\Users\rberlin\Cookies:PjoZZEgbmopvxzDovkJQ4a9
AlternateDataStreams: C:\Users\rberlin\AppData\Local\uF79Y3UW7T:do7lJkY9vTN40Op6oS1SWRPgjMVi
C:\Users\csvtst13\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\rberlin\AppData\Local\Temp\atgpcdec.dll
C:\Users\rberlin\AppData\Local\Temp\jna2612576382759323030.dll
C:\Users\rberlin\AppData\Local\Temp\jna6397987711545583293.dll

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is the computer running now?
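For anyone reading this later: the fixlist above removes three kinds of persistence that are worth knowing how to check for by hand, a Run-key value that makes regsvr32.exe load a file with a made-up extension (.lnl) out of C:\ProgramData, alternate data streams hidden on folders under C:\ProgramData and the user profile, and a Chrome policy key. The PowerShell below is an added example, not part of this thread and not FRST's own code; it reports those three things read-only and flags the patterns seen in this fix. The directory list, the loader names and the regexes are my own heuristics, and the script needs PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example (not from this thread or from FRST): a read-only audit of the persistence
# the fixlist above removes. Reports only; it never deletes anything.
# Requires PowerShell 3.0+ in an elevated prompt. Heuristics below are my own.

# Run keys as FRST lists them: 64-bit and 32-bit machine keys, plus every loaded user hive.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # FRST's "HKLM-x32"
    )
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $keys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

# Patterns taken from the entries above: an empty value (FRST prints "[] => [X]"), or a
# loader such as regsvr32/rundll32 pointed at a user-writable directory or at a file whose
# extension is not .exe/.dll/.cpl (the ".lnl" under C:\ProgramData\FedikLiklo is the model).
function Test-SuspiciousRunEntry {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $true }
    $loader       = $Command -match '(?i)\b(regsvr32|rundll32|mshta|wscript|cscript|powershell)\b'
    $userWritable = $Command -match '(?i)\\(ProgramData|AppData|Users\\Public|Temp)\\'
    $oddExtension = $Command -match '(?i)[^"\s]+\.(?!exe|dll|cpl)[a-z0-9]{2,4}"?\s*$'
    return ($loader -and ($userWritable -or $oddExtension))
}

# Alternate data streams. "dir /r" lists named streams on directories as well as files
# (the ones in the fixlist sit on folders), as "name:stream:$DATA" with the size in front.
# Only the immediate children of each root are listed; widen $Roots for a full sweep.
function Get-AlternateStreams {
    param([string[]]$Roots = @($env:ProgramData, $env:USERPROFILE, $env:LOCALAPPDATA))
    foreach ($root in $Roots) {
        $listing = & cmd.exe /c dir /r /a $root
        foreach ($line in $listing) {
            if ($line -match '^\s+([\d,]+)\s+(.+):([^:\\]+):\$DATA\s*$' -and $Matches[3] -ne 'Zone.Identifier') {
                [pscustomobject]@{
                    Path   = Join-Path $root $Matches[2]
                    Stream = $Matches[3]
                    Length = [int64]($Matches[1] -replace ',', '')
                }
            }
        }
    }
}

# FRST flagged "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction". List what is set there;
# on a domain-joined machine compare it with what Group Policy is supposed to deliver.
function Get-ChromePolicyValues {
    $root = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $root)) { return }
    foreach ($k in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
        foreach ($n in $k.GetValueNames()) {
            [pscustomobject]@{ Key = $k.Name; Name = $n; Value = [string]$k.GetValue($n) }
        }
    }
}

'== Run key entries =='
foreach ($e in Get-RunKeyEntries) {
    $flag = if (Test-SuspiciousRunEntry $e.Command) { 'SUSPECT' } else { 'ok' }
    '{0,-7} {1}\{2} => {3}' -f $flag, $e.Key, $e.Name, $e.Command
}
'== Alternate data streams (Zone.Identifier excluded) =='
Get-AlternateStreams | Format-Table -AutoSize
'== HKLM\SOFTWARE\Policies\Google =='
Get-ChromePolicyValues | Format-Table -AutoSize
```

SUSPECT is a hint, not a verdict: a legitimate installer can also use rundll32 from ProgramData, and a Zone.Identifier stream is what Windows writes on every download. Running the script once before and once after a fix gives a before/after list that is easier to trust than a single scan.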

#3 Stilgard

  • Topic Starter

Posted 10 February 2015 - 11:25 AM

First, thanks for the response and your time. The computer took a while to log in, much longer than usual. Still no network access; I will need to call my ISP once it is clean to allow them to turn it back on so they can scan it.


#4 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 10 February 2015 - 01:52 PM

Try this; it may restore your Internet connection.

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor, type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

#5 Stilgard

  • Topic Starter

Posted 10 February 2015 - 02:52 PM

I have done this: "an error occurred trying to renew...". I think I am blocked until I contact them. Did running the fixlist in the previous step get rid of the virus, or are they getting a false positive?



#6 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 11 February 2015 - 08:22 AM

The error message is important.
What do you get?

Everything in my fix was removed.
After you have solved your IP issue we can check further if there are still some bad entries left.

#7 Stilgard

  • Topic Starter

Posted 12 February 2015 - 10:25 AM

My original scan was in safe mode. Was I supposed to do that? If not, here is another scan booted regularly.



#8 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 12 February 2015 - 01:42 PM

Nothing has changed.

Try this.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Click Next at the Welcome Screen, Click Next on Step 1 Screen
  • Click Next on Step 2 Screen, Click Do it on Step 3 Screen, After it has completed click Next
  • On Step 4 Under System Restore Click Create, Then under registry back-up Click Backup. When you have completed this click Next
  • Click on Repairs
  • Click Open repairs - Icon in the bottom right corner
  • Click the Unselect All button then select just the item(s) below
      13 - Repair Winsock & DNS Cache
      14 - Remove Temp Files
      15 - Repair Proxy Settings
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.
===



#9 Stilgard

  • Topic Starter

Posted 12 February 2015 - 04:56 PM

The only error I get is when trying to log in: "The tree or server cannot be found. Choose a different tree or server. Would you still like to try to log in to windows?" I think this is because my MAC address is blocked. Other than this, I do get to log into the machine but not the network.



#10 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 13 February 2015 - 08:35 AM

Please confirm that you have run the Windows repair fix.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste the contents of FSS.txt into your reply.

#11 Stilgard

  • Topic Starter

Posted 13 February 2015 - 03:19 PM

Yes I ran the Windows Repair fix.

Attached Files:
  • FSS.txt (2.69KB)


#12 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 14 February 2015 - 08:44 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
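Three of the options above (the proxy reports, the hosts content and the Winsock entries) are the checks that matter most for a banking trojan, because a hijacked proxy, a hosts-file redirection or a foreign Winsock provider each lets malware sit between the browser and the bank. The PowerShell below is an added example, not part of this thread and not MiniToolBox's own code; it performs the same three checks with built-in cmdlets so the output can be read and verified by hand. It is read-only, needs PowerShell 3.0 or later in an elevated prompt, and the "Suspicious" rules are my own heuristics.

```powershell
# Added example (not from this thread or from MiniToolBox): the proxy, hosts-file and Winsock
# checks behind the options above, done with built-in cmdlets. Read-only.
# Requires PowerShell 3.0+ in an elevated prompt. The Suspicious heuristics are my own.

# WinINet proxy for the current user (what IE and Chrome use). A proxy or PAC URL that nobody
# configured routes browser traffic through a host the attacker chooses. Expected: 0, '', ''.
function Get-UserProxySettings {
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $enabled = [int]$p.ProxyEnable
    $pac     = [string]$p.AutoConfigURL
    [pscustomobject]@{
        ProxyEnable   = $enabled
        ProxyServer   = [string]$p.ProxyServer
        AutoConfigURL = $pac
        Suspicious    = ($enabled -eq 1) -or ($pac -ne '')
    }
}

# hosts file with comments stripped. Anything other than a loopback mapping deserves an
# explanation; a malicious entry can send a bank's hostname to an address the attacker owns.
function Get-HostsEntries {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue)) {
        $text = ($line -split '#')[0].Trim()
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }
        [pscustomobject]@{
            Address    = $parts[0]
            Hostnames  = ($parts[1..($parts.Count - 1)] -join ' ')
            Suspicious = ($parts[0] -notin @('127.0.0.1', '::1'))
        }
    }
}

# Winsock catalog (the Catalog5/Catalog9 providers in the MiniToolBox report). Each provider
# DLL gets an Authenticode check. Windows' own DLLs are catalog-signed and show NotSigned on
# Windows 7, so files under %SystemRoot% are trusted by location; anything else must be signed.
function Get-WinsockProviders {
    $paths = foreach ($line in (& netsh.exe winsock show catalog)) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    }
    foreach ($path in ($paths | Sort-Object -Unique)) {
        $inWindows = $path -like "$env:SystemRoot\*"
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $path
            Signature  = $status
            Signer     = $signer
            Suspicious = (-not $inWindows) -and ($status -ne 'Valid')
        }
    }
}

'== Proxy =='
Get-UserProxySettings | Format-List
'== hosts =='
Get-HostsEntries | Format-Table -AutoSize
'== Winsock providers =='
Get-WinsockProviders | Format-Table Suspicious, Signature, Path, Signer -AutoSize
```

Read against the MiniToolBox output in the next post: no proxy, an empty hosts file, and the only non-Microsoft providers being Apple's Bonjour (mdnsNSP.dll) and Windows Live (WLIDNSP.DLL), both of which carry valid signatures, is exactly the clean picture this script would print. On a domain-joined machine like this one a PAC URL may be pushed by Group Policy, so check with the administrator before treating it as hostile.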


#13 Stilgard

  • Topic Starter

Posted 16 February 2015 - 08:49 AM

Called the ISP and got the computer unblocked. Ran the above application.

MiniToolBox by Farbar Version: 30-11-2014
Ran by RBERLIN (administrator) on 16-02-2015 at 08:46:51
Running from "C:\Users\rberlin\Desktop"
Microsoft Windows 7 Enterprise Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® 82579LM Gigabit Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : ITS120339
Primary Dns Suffix . . . . . . . : aug.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aug.edu
mcghi.mcg.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gru.edu
Description . . . . . . . . . . . : Intel® 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 90-B1-1C-70-13-B6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::584c:5453:3208:1bd5%16(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.69.56(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Lease Obtained. . . . . . . . . . : Friday, February 13, 2015 3:54:29 PM
Lease Expires . . . . . . . . . . : Monday, February 16, 2015 9:24:42 AM
Default Gateway . . . . . . . . . : 10.16.68.1
DHCP Server . . . . . . . . . . . : 10.6.12.65
DHCPv6 IAID . . . . . . . . . . . : 328249628
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-64-C1-65-90-B1-1C-70-13-B6
DNS Servers . . . . . . . . . . . : 10.6.12.65
Primary WINS Server . . . . . . . : 10.6.10.134
Secondary WINS Server . . . . . . : 10.6.10.23
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.gru.edu:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gru.edu
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: mainstreet1.mcg.edu
Address: 10.6.12.65

Name: google.com
Addresses: 2607:f8b0:4002:c07::8a
143.215.193.238
143.215.193.210
143.215.193.237
143.215.193.217
143.215.193.231
143.215.193.223
143.215.193.244
143.215.193.230
143.215.193.224
143.215.193.216
143.215.193.251
143.215.193.245


Pinging google.com [143.215.193.245] with 32 bytes of data:
Reply from 143.215.193.245: bytes=32 time=7ms TTL=54
Reply from 143.215.193.245: bytes=32 time=7ms TTL=54

Ping statistics for 143.215.193.245:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 7ms, Maximum = 7ms, Average = 7ms
Server: mainstreet1.mcg.edu
Address: 10.6.12.65

Name: yahoo.com
Addresses: 206.190.36.45
98.138.253.109
98.139.183.24


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=51ms TTL=46
Reply from 98.139.183.24: bytes=32 time=54ms TTL=46

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 54ms, Average = 52ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
16...90 b1 1c 70 13 b6 ......Intel® 82579LM Gigabit Network Connection
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.68.1 10.16.69.56 20
10.16.68.0 255.255.254.0 On-link 10.16.69.56 276
10.16.69.56 255.255.255.255 On-link 10.16.69.56 276
10.16.69.255 255.255.255.255 On-link 10.16.69.56 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.16.69.56 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.16.69.56 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
16 276 fe80::/64 On-link
16 276 fe80::584c:5453:3208:1bd5/128
On-link
1 306 ff00::/8 On-link
16 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145648] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/13/2015 05:14:25 PM) (Source: McLogEvent) (User: AC.EDU)
Description: The scan found detections. Scan engine version 5700.7163 DAT version 7711.

Error: (02/12/2015 04:08:12 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/12/2015 02:44:13 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2015 11:19:40 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2015 09:28:33 AM) (Source: Application Error) (User: )
Description: Faulting application name: TeamViewer.exe, version: 9.0.32494.0, time stamp: 0x541337c3
Faulting module name: TeamViewer.exe, version: 9.0.32494.0, time stamp: 0x541337c3
Exception code: 0x40000015
Fault offset: 0x0081796c
Faulting process id: 0x504
Faulting application start time: 0xTeamViewer.exe0
Faulting application path: TeamViewer.exe1
Faulting module path: TeamViewer.exe2
Report Id: TeamViewer.exe3

Error: (02/10/2015 09:28:19 AM) (Source: Application Error) (User: )
Description: Faulting application name: TeamViewer.exe, version: 9.0.32494.0, time stamp: 0x541337c3
Faulting module name: TeamViewer.exe, version: 9.0.32494.0, time stamp: 0x541337c3
Exception code: 0x40000015
Fault offset: 0x0081796c
Faulting process id: 0x1d8
Faulting application start time: 0xTeamViewer.exe0
Faulting application path: TeamViewer.exe1
Faulting module path: TeamViewer.exe2
Report Id: TeamViewer.exe3

Error: (02/06/2015 08:46:03 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 01:18:14 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 10:59:41 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 08:48:21 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (02/13/2015 00:08:48 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/13/2015 08:08:21 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/13/2015 04:08:01 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/13/2015 00:07:29 AM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/12/2015 08:06:58 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/12/2015 05:55:34 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (02/12/2015 04:54:17 PM) (Source: Microsoft-Windows-GroupPolicy) (User: AC.EDU)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (02/12/2015 04:08:06 PM) (Source: Service Control Manager) (User: )
Description: The Cisco Media Services Interface service hung on starting.

Error: (02/12/2015 04:06:30 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (02/12/2015 04:06:28 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain AC.EDU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.


Microsoft Office Sessions:
=========================
Error: (02/13/2015 05:14:25 PM) (Source: McLogEvent)(User: AC.EDU)
Description: The scan found detections. Scan engine version 5700.7163 DAT version 7711.

Error: (02/12/2015 04:08:12 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/12/2015 02:44:13 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2015 11:19:40 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2015 09:28:33 AM) (Source: Application Error)(User: )
Description: TeamViewer.exe9.0.32494.0541337c3TeamViewer.exe9.0.32494.0541337c3400000150081796c50401d0453dcff6627cC:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeC:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe16c474a9-b131-11e4-8221-e6ec47b2f5f6

Error: (02/10/2015 09:28:19 AM) (Source: Application Error)(User: )
Description: TeamViewer.exe9.0.32494.0541337c3TeamViewer.exe9.0.32494.0541337c3400000150081796c1d801d0453dc6949608C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeC:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe0e720514-b131-11e4-8221-e6ec47b2f5f6

Error: (02/06/2015 08:46:03 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 01:18:14 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 10:59:41 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/05/2015 08:48:21 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


**** End of log ****

Edited by nasdaq, 16 February 2015 - 08:52 AM.


#14 nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 February 2015 - 08:53 AM

How is the computer running now?

#15 Stilgard

  • Topic Starter

  • Members
  • 9 posts

Posted 16 February 2015 - 08:57 AM

So far so good.  I have had a stable connection during the whole weekend.  Either Gozi is gone or it hasn't detected anything yet.