Trend Micro blocked by group policy - Help Needed


11 replies to this topic

#1 swacked941

Posted 31 March 2015 - 06:41 PM

Hey guys, I've been using this site for a long time, but for the first time I had to create an account and ask a question. I have a domain computer that is not allowing our Trend Micro WFBS to run, and I'm getting an error that the program has been blocked by group policy, which is not true. I have run several scans and removed several infections; however, none seemed too severe. I have run the ESET online scanner, TDSSKiller, and ADWCleaner, but the problem remains. I know that we are using CryptoPrevent, but that is not causing this problem on any other computers. I have pasted the FRST logs below. Any help is much appreciated.


FRST.txt

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by hhanford (administrator) on JD-WORKSTATION1 on 31-03-2015 19:33:14
Running from C:\Users\hhanford\Desktop
Loaded Profiles: hhanford (Available profiles: Admin & J&D Heating & Administrator & encontrol & service1 & kturner & Zeno & itsagent & ZTSAdmin & jfender & hhanford)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corp.) C:\Program Files\Broadcom\BPowMon\BPowMon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX86\officeclicktorun.exe
(Kaseya International Limited) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\AgentMon.exe
() C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KasAVSrv.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
( ) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\extensions\Lua.exe
( ) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\extensions\Lua.exe
(Kaseya International Limited) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\Kaseya.AgentEndpoint.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Kaseya International Limited) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KaseyaRemoteControlHost.exe
(Kaseya International Limited) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KaseyaRemoteControlHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Kaseya International Limited) C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KaUsrTsk.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7739936 2009-09-12] (Realtek Semiconductor)
HKLM\...\Run: [KASHINFBSN73557080053837] => C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KaUsrTsk.exe [574992 2014-10-08] (Kaseya International Limited)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [3775800 2014-12-06] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [OfficeScanNT Monitor] => C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe [1316920 2015-03-06] (Trend Micro Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{765b3ca7-c34d-b2c2-1156-b76d8daf609d}] => "C:\ProgramData\Microsoft\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}.exe" No File
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3365903783-3217467649-1740745987-3631\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {6FE6B20E-3421-4795-BCE0-A162236B849E} URL = http://www.bing.com/search?q={searchTerms}&form=DLSDF8&pc=MDDS&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3365903783-3217467649-1740745987-3631 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3365903783-3217467649-1740745987-3631 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3365903783-3217467649-1740745987-3631 -> {6FE6B20E-3421-4795-BCE0-A162236B849E} URL = 
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\Client Server Security Agent\TmIEPlg.dll [2014-06-10] (Trend Micro Inc.)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2015-02-10] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-27] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2014-12-03] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2015-02-10] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-02-10] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-27] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2014-12-03] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2014-12-03] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} -  No File []
Handler: intu-help-qb8 - {CD17C364-2EC8-4929-91A9-C4839A20E909} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 15.0\HelpAsyncPluggableProtocol.dll [2014-12-06] (Intuit, Inc.)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\Client Server Security Agent\TmIEPlg.dll [2014-06-10] (Trend Micro Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.10
Tcpip\..\Interfaces\{C00451BE-8892-4C55-B4E5-BD5FF799534A}: [NameServer] 192.168.0.10,8.8.8.8
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-05] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll [2014-04-15] (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll No File
FF Plugin: @ei.CouponXplorer_5z.com/Plugin -> C:\Program Files\CouponXplorer_5zEI\Installr\1.bin\NP5zEISB.dll No File
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-27] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2014-09-10] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-09-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll [2014-03-20] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll [2014-03-20] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-08-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-08-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-08-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-08-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-08-05] (Apple Inc.)
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-07-20]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2011-09-07]
FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\Client Server Security Agent\FirefoxExtension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\Client Server Security Agent\FirefoxExtension [2015-03-31]
 
Chrome: 
=======
CHR Profile: C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Avery Toolbar) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaigmelgfmkfjicbbgbkcbagedejhj [2015-03-31]
CHR Extension: (Google Docs) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-31]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-31]
CHR Extension: (Google Wallet) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-03-31]
CHR HKLM\...\Chrome\Extension: [aaaaigmelgfmkfjicbbgbkcbagedejhj] - C:\ProgramData\AskPartnerNetwork\Toolbar\AVRV7\CRX\ToolbarCR.crx [Not Found]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe [1843896 2015-02-10] (Microsoft Corporation)
R2 KAINFBSN73557080053837; C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\AgentMon.exe [1152528 2014-10-08] (Kaseya International Limited)
R2 KaseyaAVService; C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KasAVSrv.exe [229376 2013-02-06] () [File not signed]
R2 ntrtscan; C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe [2507600 2015-03-06] (Trend Micro Inc.)
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-12-06] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2014-12-06] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2014-12-06] (Intuit Inc.) [File not signed]
R2 svcGenericHost; C:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [51760 2015-03-10] (Trend Micro Inc.)
S3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [346672 2014-01-23] (Trend Micro Inc.)
R3 TmCCSF; C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe [593920 2015-03-06] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe [2624248 2015-03-06] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe [694832 2014-01-22] (Trend Micro Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-08-18] (RealVNC Ltd)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 DM150Drv; C:\Windows\System32\DRIVERS\DM150Drv.sys [20600 2010-07-30] (Pitney Bowes)
R3 KAPFA; C:\Windows\system32\drivers\KAPFA.SYS [31248 2014-10-08] (Kaseya)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-03-12] (Malwarebytes Corporation)
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [92104 2014-07-16] (Trend Micro Inc.)
S4 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [291400 2013-12-09] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [64264 2014-07-16] (Trend Micro Inc.)
R2 TmFilter; C:\Program Files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [281400 2014-08-30] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files\Trend Micro\Client Server Security Agent\TmPreFlt.sys [38200 2014-08-30] (Trend Micro Inc.)
S2 tmrkb; C:\Windows\System32\DRIVERS\tmrkb.sys [171408 2015-02-26] (trend_company_name)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [90448 2013-09-26] (Trend Micro Inc.)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [44544 2012-09-28] (Apple, Inc.) [File not signed]
R2 VSApiNt; C:\Program Files\Trend Micro\Client Server Security Agent\VSApiNt.sys [1557912 2014-08-30] (Trend Micro Inc.)
S1 MpKsle3e40927; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8AB6C072-0EDE-452B-8D4A-B0A37349CFB5}\MpKsle3e40927.sys [X]
U3 tmpfw; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-31 19:33 - 2015-03-31 19:34 - 00033016 _____ () C:\Users\hhanford\Desktop\FRST.txt
2015-03-31 19:32 - 2015-03-31 19:33 - 00000000 ____D () C:\FRST
2015-03-31 19:32 - 2015-03-31 19:32 - 01135104 _____ (Farbar) C:\Users\hhanford\Desktop\FRST.exe
2015-03-31 19:11 - 2015-03-31 19:19 - 00000000 ____D () C:\AdwCleaner
2015-03-31 19:09 - 2015-03-31 19:09 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\jfender\Desktop\tdsskiller.exe
2015-03-31 19:08 - 2015-03-31 19:08 - 02208768 _____ () C:\Users\jfender\Desktop\adwcleaner_4.200.exe
2015-03-31 18:51 - 2013-12-09 20:00 - 00291400 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-03-31 18:49 - 2015-03-31 18:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro Security Agent
2015-03-31 18:47 - 2014-07-16 11:08 - 00092104 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmactmon.sys
2015-03-31 18:47 - 2014-07-16 11:08 - 00064264 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmevtmgr.sys
2015-03-31 18:47 - 2013-09-26 10:45 - 00090448 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmtdi.sys
2015-03-31 17:50 - 2015-03-31 17:50 - 00000000 ____D () C:\Users\hhanford\AppData\Roaming\Apple Computer
2015-03-31 17:42 - 2015-03-31 17:42 - 00000000 ____D () C:\Users\hhanford\AppData\Roaming\Macromedia
2015-03-31 17:32 - 2015-03-31 17:32 - 00000000 __SHD () C:\Users\hhanford\AppData\Local\EmieUserList
2015-03-31 17:32 - 2015-03-31 17:32 - 00000000 __SHD () C:\Users\hhanford\AppData\Local\EmieSiteList
2015-03-31 17:32 - 2015-03-31 17:32 - 00000000 __SHD () C:\Users\hhanford\AppData\Local\EmieBrowserModeList
2015-03-31 17:20 - 2015-03-31 19:25 - 00000452 __RSH () C:\Users\hhanford\ntuser.pol
2015-03-31 17:20 - 2015-03-31 19:25 - 00000000 ____D () C:\Users\hhanford
2015-03-31 17:20 - 2015-03-31 17:20 - 00166608 _____ () C:\Users\hhanford\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-31 17:20 - 2015-03-31 17:20 - 00001419 _____ () C:\Users\hhanford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-31 17:20 - 2015-03-31 17:20 - 00000020 ___SH () C:\Users\hhanford\ntuser.ini
2015-03-31 17:20 - 2015-03-31 17:20 - 00000000 ____D () C:\Users\hhanford\AppData\Roaming\Adobe
2015-03-31 17:20 - 2015-03-31 17:20 - 00000000 ____D () C:\Users\hhanford\AppData\Local\Intuit
2015-03-31 17:20 - 2015-03-31 17:20 - 00000000 ____D () C:\Users\hhanford\AppData\Local\Google
2015-03-31 17:20 - 2013-02-06 04:10 - 00000000 ____D () C:\Users\hhanford\AppData\Local\Microsoft Help
2015-03-31 17:20 - 2009-07-14 00:42 - 00000000 ___RD () C:\Users\hhanford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-31 17:20 - 2009-07-14 00:37 - 00000000 ___RD () C:\Users\hhanford\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-24 17:00 - 2015-03-24 17:00 - 00000000 ____D () C:\Users\jfender\Downloads\ver315_files
2015-03-24 14:45 - 2015-03-24 17:00 - 00009872 _____ () C:\Users\jfender\Downloads\ver315.xls
2015-03-03 12:30 - 2015-03-03 12:30 - 00000000 ____D () C:\Users\jfender\Documents\Intuit
2015-03-03 12:30 - 2015-03-03 12:30 - 00000000 ____D () C:\Users\jfender\AppData\Roaming\Nuance
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-31 19:31 - 2009-07-14 00:34 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-31 19:31 - 2009-07-14 00:34 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-31 19:28 - 2011-05-06 22:52 - 01071972 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-31 19:26 - 2009-07-14 00:55 - 01343653 _____ () C:\Windows\WindowsUpdate.log
2015-03-31 19:24 - 2013-02-04 16:37 - 00000000 ____D () C:\temp
2015-03-31 19:24 - 2012-11-19 09:16 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-31 19:24 - 2011-07-20 11:14 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2015-03-31 19:24 - 2011-05-06 22:57 - 00215392 _____ () C:\Windows\system32\TmInstall.log
2015-03-31 19:23 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-31 19:23 - 2009-07-14 00:39 - 00039448 _____ () C:\Windows\setupact.log
2015-03-31 19:19 - 2011-10-14 15:46 - 00002213 _____ () C:\Windows\TMFilter.log
2015-03-31 19:19 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Registration
2015-03-31 19:18 - 2012-04-26 08:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-31 18:59 - 2014-07-02 10:37 - 00000452 __RSH () C:\Users\jfender\ntuser.pol
2015-03-31 18:59 - 2014-07-02 10:37 - 00000000 ____D () C:\Users\jfender
2015-03-31 18:47 - 2013-04-30 17:01 - 00000000 ____D () C:\Program Files\Trend Micro
2015-03-31 18:36 - 2012-11-19 09:16 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-31 17:20 - 2009-07-14 00:46 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-03-31 17:11 - 2013-02-05 11:28 - 00220001 _____ () C:\Windows\comsetup.log
2015-03-31 14:00 - 2011-07-20 10:51 - 00000422 _____ () C:\Windows\Tasks\SystemToolsDailyTest.job
2015-03-30 08:12 - 2014-08-20 08:12 - 00000000 ____D () C:\Users\jfender\AppData\Local\Adobe
2015-03-30 08:11 - 2012-04-26 08:43 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-03-30 08:11 - 2011-07-20 11:16 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-03-27 16:57 - 2011-05-07 00:39 - 00201164 _____ () C:\Windows\PFRO.log
2015-03-21 15:37 - 2012-11-19 09:17 - 00002131 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-17 03:33 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-17 03:29 - 2014-09-10 10:26 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2015-03-12 08:57 - 2015-02-26 09:48 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-06 17:55 - 2009-07-14 00:53 - 00032638 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-05 23:00 - 2011-07-20 10:51 - 00000564 _____ () C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2015-03-03 12:30 - 2015-01-26 09:28 - 00000000 ____D () C:\ProgramData\Nuance
 
Some content of TEMP:
====================
C:\Users\aarias\AppData\Local\Temp\Abspdf.exe
C:\Users\aarias\AppData\Local\Temp\acfpdfu.dll
C:\Users\aarias\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\aarias\AppData\Local\Temp\acfpdfui.dll
C:\Users\aarias\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\aarias\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\aarias\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\aarias\AppData\Local\Temp\cdintf.dll
C:\Users\aarias\AppData\Local\Temp\install_flashplayer11x32axau_gtba_chra_dy_aih[1].exe
C:\Users\aarias\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1].exe
C:\Users\aarias\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1]_1.exe
C:\Users\aarias\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\aarias\AppData\Local\Temp\KcsSetup.exe
C:\Users\aarias\AppData\Local\Temp\MSIZAP.EXE
C:\Users\aarias\AppData\Local\Temp\PDFPRT400.exe
C:\Users\aarias\AppData\Local\Temp\xmllite.dll
C:\Users\Admin\AppData\Local\Temp\Intuit.Spc.Map.EntitlementClient.Install.dll
C:\Users\Admin\AppData\Local\Temp\MSNC016.exe
C:\Users\Admin\AppData\Local\Temp\qbinstal.dll
C:\Users\Admin\AppData\Local\Temp\stlport_r50.dll
C:\Users\jfender\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\jfender\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\jfender\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\jfender\AppData\Local\Temp\MouseKeyboardCenterx86_1033.exe
C:\Users\jfender\AppData\Local\Temp\MSIZAP.EXE
C:\Users\jfender\AppData\Local\Temp\Quarantine.exe
C:\Users\jfender\AppData\Local\Temp\sqlite3.dll
C:\Users\service1\AppData\Local\Temp\avg_remover_stf_x86_2012_1796.exe
C:\Users\service1\AppData\Local\Temp\Couponscom.exe
C:\Users\service1\AppData\Local\Temp\DefaultPack.exe
C:\Users\service1\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\service1\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\service1\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\service1\AppData\Local\Temp\mgl4zbbv.dll
C:\Users\service1\AppData\Local\Temp\WFBS-SVC_Agent_Installer.exe
C:\Users\zeno\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-25 00:37
 
==================== End Of Log ============================
 
addition.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by hhanford at 2015-03-31 19:34:36
Running from C:\Users\hhanford\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Trend Micro Security Agent (Enabled - Up to date) {F2F88E6A-3C7A-545F-268A-5D0BDD38EE06}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Trend Micro Security Agent Anti-spyware (Enabled - Up to date) {49996F8E-1A40-5BD1-1C3A-6679A6BFA4BB}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.13 - Adobe Systems)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avery Toolbar (HKLM\...\{41565256-3700-A76A-76A7-A758B70C1801}) (Version: 12.24.1.240 - APN, LLC)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{A325B368-A9EC-40EF-A95C-9DEAD3683AE3}) (Version: 12.33.02 - Broadcom Corporation)
Broadcom Management Programs (HKLM\...\{5DB87A63-9420-48CC-9F9A-B8801D38D6B5}) (Version: 12.35.01 - Broadcom Corporation)
Brother HL-5240 (HKLM\...\{14ACC314-DE22-42EC-9CAF-1205420E0DE9}) (Version: 1.00 - Brother)
CCleaner (HKLM\...\CCleaner) (Version: 3.08 - Piriform)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery Manager (HKLM\...\{4688EB75-28E2-4731-9BCB-55E624F7CD45}) (Version: 1.3 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{3138EAD3-700B-4A10-B617-B3F8096EE30D}) (Version: 1.0.0 - Dell Inc)
Dell Support Center (HKLM\...\Dell Support Center) (Version: 3.0.5621.01 - Dell Inc.)
Dell Support Center (Version: 3.0.5621.01 - PC-Doctor, Inc.) Hidden
DesignPro 5 (HKLM\...\InstallShield_{32821558-2C36-4FD0-A891-CA65360B0EC7}) (Version: 5.5.708 - Avery Dennison)
DesignPro 5 (Version: 5.5.708 - Avery Dennison) Hidden
Electronic Service Control (HKLM\...\{12E9DCE5-7E65-11D4-AED1-00403390F96E}) (Version: 9.00.0000 - dESCO)
FireLine HVACPack (HKLM\...\{787366C4-DAA8-4BF6-82F4-B3653C4AB514}) (Version: 9.6.4 - FireLine Systems)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.101 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
iCloud (HKLM\...\{8D9592B4-7E22-4D1F-B2CB-B5F0F2F619CB}) (Version: 4.0.3.56 - Apple Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.1995 - Intel Corporation)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kaseya Agent (10975.root.janddac - mgd-svcs.zts.com) (HKLM\...\KAINFBSN73557080053837) (Version: 8.0.0.4 - Kaseya)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Access Runtime 2010 (HKLM\...\Office14.AccessRT) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4701.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50701 - Microsoft Corporation)
Mozilla Firefox 6.0 (x86 en-US) (HKLM\...\Mozilla Firefox 6.0 (x86 en-US)) (Version: 6.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (Version: 15.0.4701.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4701.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (Version: 15.0.4701.1002 - Microsoft Corporation) Hidden
ProjectDox Components 7.2 (HKLM\...\{96906BDF-AC0B-4D9A-9900-D164F59EC409}) (Version: 7.2 - Avolve Software)
QuickBooks (Version: 25.0.4005.2506 - Intuit Inc.) Hidden
QuickBooks Enterprise Solutions: Contractor Edition 15.0 (HKLM\...\{A0E011AF-408B-4DEA-9136-65AA3DA5A6A9}) (Version: 25.0.4005.2506 - Intuit Inc.)
QuickBooks SDK 8.0 (HKLM\...\{17DFE70E-5FF7-4C87-BF4C-E944952B3C71}) (Version: 8.0.1.104 - Intuit Developer Network)
QuickTime 7 (HKLM\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5936 - )
Roxio Creator DE 10.3 (HKLM\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
Safari (HKLM\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001C-0000-0000-0000000FF1CE}_Office14.AccessRT_{54846D1D-E5D5-4A28-AA6D-7208259007EA}) (Version:  - Microsoft)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Trend Micro Security Agent (HKLM\...\HostedAgent) (Version: 5.7.1190 - Trend Micro Inc.)
Trend Micro Security Agent (Version: 5.7.1190 - Trend Micro Inc.) Hidden
VC12X86Redist (HKLM\...\{EA9886ED-21F8-4867-A049-CE6817291EE6}) (Version: 1.00.0000 - Intuit Inc.)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
VNC Enterprise Edition E4.6.3 (HKLM\...\RealVNC_is1) (Version: E4.6.3 - RealVNC Ltd)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
20-10-2014 11:53:41 Scheduled Checkpoint
22-10-2014 08:20:16 Installed Java 7 Update 71
30-10-2014 00:00:03 Scheduled Checkpoint
06-11-2014 01:00:04 Scheduled Checkpoint
14-11-2014 01:00:05 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:04 - 2011-09-07 16:34 - 00001306 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 activate.adobe.com 
127.0.0.1 activate.adobe.com 
127.0.0.1 practivate.adobe.com 
127.0.0.1 ereg.adobe.com 
127.0.0.1 activate.wip3.adobe.com 
127.0.0.1 wip3.adobe.com 
127.0.0.1 3dns-3.adobe.com 
127.0.0.1 3dns-2.adobe.com 
127.0.0.1 adobe-dns.adobe.com 
127.0.0.1 adobe-dns-2.adobe.com 
127.0.0.1 adobe-dns-3.adobe.com 
127.0.0.1 ereg.wip3.adobe.com 
127.0.0.1 activate-sea.adobe.com 
127.0.0.1 wwis-dubc1-vip60.adobe.com 
127.0.0.1 activate-sjc0.adobe.com
 
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {22B172D2-888E-4AB7-84F4-BD972D2077F5} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX86\OfficeC2RClient.exe [2015-02-10] (Microsoft Corporation)
Task: {2FCF5EC5-EF7D-4543-BF37-06519481D967} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-02-03] (Microsoft Corporation)
Task: {3028CE3D-FC05-4258-9990-EAD5E0013D11} - System32\Tasks\SystemToolsDailyTest => C:\Program Files\Dell Support Center\pcdrcui.exe [2010-08-05] (PC-Doctor, Inc.)
Task: {406724E7-115A-4F43-A285-0BB5B182071E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-21] (Google Inc.)
Task: {4D8073FB-59C5-405F-B3E6-A2F58AC330BF} - System32\Tasks\{0FA70BA0-9062-487B-956C-3229C1BA752C} => pcalua.exe -a "C:\Program Files\Trend Micro\Client Server Security Agent\NTRmv.exe" -d "C:\Program Files\Trend Micro\Client Server Security Agent\" -c -331 -checkblockedprograms
Task: {5BDBAB02-C65A-4D09-82C0-E71512484022} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {5EBE26B3-5EE4-43F7-AB6B-F4E062D3EC54} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {6A6693F4-A70A-40E7-9556-3125357D7135} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {6D37125A-21E0-4D8D-B3E8-0FA30D804716} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {85FAEEFB-3ADB-4D22-B327-C30477B5D2A3} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\Dell Support Center\uaclauncher.exe [2010-08-05] (PC-Doctor, Inc.)
Task: {88A860FA-C52C-4593-8ACB-34F2AF2DFDBF} - System32\Tasks\Games\UpdateCheck_S-1-5-21-3365903783-3217467649-1740745987-1606
Task: {9AEF97E4-EAFB-4BB6-AA3D-FBDB512BEF6A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-21] (Google Inc.)
Task: {A09C68D1-BC52-4D59-9A48-47073CAB7EAE} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {AFF57102-3716-44F7-BD8F-CDB298AE8B43} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX86\OfficeC2RClient.exe [2015-02-10] (Microsoft Corporation)
Task: {B3233E31-261B-444C-BCDE-1FE194F597F5} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {C37295A7-2448-4FB6-A653-BB614E7B7324} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-30] (Adobe Systems Incorporated)
Task: {D0D19533-0316-483E-BCB2-70446D3E0E8A} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-02-03] (Microsoft Corporation)
Task: {D46ECF90-B193-4D1B-B42B-467B2464567D} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {85b67893-ebc5-4ff8-bf19-6236a08fe499} JD-Workstation1.JDHAC.local => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2015-02-10] (Microsoft Corporation)
Task: {EC86980D-92E4-4DBC-81B2-EB4DE19B9A51} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2015-02-10] (Microsoft Corporation)
Task: {F1AF7501-0CCC-4F99-B89C-222DCE06E155} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\Dell Support Center\uaclauncher.exeo-backgroundmon scripts\defaultscan.xml
Task: C:\Windows\Tasks\SystemToolsDailyTest.job => C:\Program Files\Dell Support Center\pcdrcui.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2011-07-20 11:19 - 2009-11-05 08:39 - 00087552 _____ () C:\Windows\System32\cpwmon2k.dll
2014-07-03 13:20 - 2014-07-03 13:20 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-09-10 10:26 - 2014-05-20 02:11 - 00080040 _____ () C:\Program Files\Microsoft Office 15\ClientX86\ApiClient.dll
2013-02-04 16:36 - 2014-10-08 16:02 - 00925696 _____ () C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\libkacm.dll
2013-02-06 22:33 - 2013-02-06 22:33 - 00229376 _____ () C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\KasAVSrv.exe
2015-03-31 18:47 - 2011-08-31 13:55 - 00499712 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\sqlite3.dll
2014-04-13 16:42 - 2014-10-08 16:02 - 00110592 _____ () C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\extensions\scripts\socket\core.dll
2014-04-13 16:42 - 2014-10-08 16:02 - 00073728 _____ () C:\Program Files\Infinity Managed Services\Agent\INFBSN73557080053837\extensions\scripts\mime\core.dll
2013-01-16 09:50 - 2013-01-16 09:50 - 00039424 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_date_time-vc110-mt-1_49.dll
2013-04-02 12:25 - 2013-04-02 12:25 - 00543744 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\sqlite3.dll
2013-01-16 09:55 - 2013-01-16 09:55 - 00049152 _____ () C:\Program Files\Trend Micro\Client Server Security Agent\CCSF\boost_thread-vc110-mt-1_49.dll
2015-03-17 03:28 - 2015-01-27 10:13 - 08898720 _____ () C:\Program Files\Microsoft Office 15\root\Office15\1033\GrooveIntlResource.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAINFBSN73557080053837 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\KAINFBSN73557080053837 => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3365903783-3217467649-1740745987-3631\Control Panel\Desktop\\Wallpaper -> C:\Users\hhanford\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.10 - 8.8.8.8
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OSR_TinyWeb.lnk => C:\Windows\pss\OSR_TinyWeb.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\Windows\pss\QuickBooks Update Agent.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Web Connector.lnk => C:\Windows\pss\QuickBooks Web Connector.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\Windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: PCPowerSpeed => "C:\Program Files\PCPowerSpeed\PCPowerTray.exe" /startup
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: VNT => "C:\Program Files\VNT\vntldr.exe"
 
==================== Accounts: =============================
 
Admin (S-1-5-21-1574006476-587093373-2914848803-1000 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-1574006476-587093373-2914848803-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-1574006476-587093373-2914848803-501 - Limited - Disabled)
J&D Heating (S-1-5-21-1574006476-587093373-2914848803-1001 - Administrator - Enabled) => C:\Users\J&D Heating
 
==================== Faulty Device Manager Devices =============
 
Name: MpKsle3e40927
Description: MpKsle3e40927
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: MpKsle3e40927
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/31/2015 07:14:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: adwcleaner_4.200.exe, version: 4.2.0.0, time stamp: 0x551850e0
Faulting module name: adwcleaner_4.200.exe, version: 4.2.0.0, time stamp: 0x551850e0
Exception code: 0xc0000005
Fault offset: 0x0001f09e
Faulting process id: 0x834
Faulting application start time: 0xadwcleaner_4.200.exe0
Faulting application path: adwcleaner_4.200.exe1
Faulting module path: adwcleaner_4.200.exe2
Report Id: adwcleaner_4.200.exe3
 
Error: (03/31/2015 03:54:39 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 03:54:37 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 03:54:30 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 03:54:29 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 03:54:16 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 11:29:20 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 11:29:19 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 11:29:01 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 11:28:59 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "Intuit QuickBooks Enterprise Solutions: Contractor 15.0":
Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
 
System errors:
=============
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmevtmgr service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Trend Micro Unauthorized Change Prevention Service service depends on the tmactmon service which failed to start because of the following error: 
%%1068
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmactmon service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmevtmgr service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Trend Micro Unauthorized Change Prevention Service service depends on the tmactmon service which failed to start because of the following error: 
%%1068
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmactmon service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmevtmgr service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Trend Micro Unauthorized Change Prevention Service service depends on the tmactmon service which failed to start because of the following error: 
%%1068
 
Error: (03/31/2015 07:26:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The tmactmon service depends on the tmcomm service which failed to start because of the following error: 
%%1058
 
Error: (03/31/2015 07:23:33 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain JDHAC due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
 
Microsoft Office Sessions:
=========================
Error: (03/31/2015 07:14:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: adwcleaner_4.200.exe4.2.0.0551850e0adwcleaner_4.200.exe4.2.0.0551850e0c00000050001f09e83401d06c0801531e38C:\Users\jfender\Desktop\adwcleaner_4.200.exeC:\Users\jfender\Desktop\adwcleaner_4.200.exeb1d7b3a0-d7fb-11e4-8d2b-f04da2ef2d9b
 
Error: (03/31/2015 03:54:39 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 03:54:37 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 03:54:30 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 03:54:29 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 03:54:16 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksGot unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 11:29:20 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 11:29:19 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0V25.0D R5 (M=1066, L=335, C=249, V=0 (0))
 
Error: (03/31/2015 11:29:01 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
Error: (03/31/2015 11:28:59 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: Intuit QuickBooks Enterprise Solutions: Contractor 15.0Got unexpected error 5 in call to NetShareGetInfo for path \\jdserver\quickbooks\JDHAC\J&D HVAC New Company.QBW
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU E7500 @ 2.93GHz
Percentage of memory in use: 33%
Total physical RAM: 3036.8 MB
Available physical RAM: 2006.36 MB
Total Pagefile: 6071.9 MB
Available Pagefile: 4966.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1892.57 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:286.9 GB) (Free:157.21 GB) NTFS
Drive j: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
Drive p: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
Drive q: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
Drive r: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
Drive s: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
Drive x: () (Network) (Total:558.73 GB) (Free:478.26 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: FC1C46A4)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=286.9 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 



 


#2 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 31 March 2015 - 06:46 PM

sorry, double post


Edited by swacked941, 31 March 2015 - 06:48 PM.


#3 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:04:37 AM

Posted 01 April 2015 - 09:19 AM

Hello Swacked941-

 

My name is Johnny Computer and I will be helping you clean up your system. 

 

PLEASE NOTE:  Logs are often long, complicated, and time consuming to analyze

 

Please give me some time to look over your logs and I will be back with further instructions A.S.A.P.       :) 


"DO OR DO NOT. THERE IS NO TRY."


#4 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 01 April 2015 - 12:05 PM

thank you very much 



#5 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:04:37 AM

Posted 01 April 2015 - 03:49 PM

 

Hi Swacked 941-

 

Hello and     :welcome: to BLEEPING COMPUTER

My name is Johnny Computer and I will be helping you with your malware related computer issues today    

Before we move on, please read the following points carefully.

 

 

 

IMPORTANT-----> Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.

 

 

- First, I would like to inform you that most of us here at Bleeping Computer are volunteers. The logs you will be asked to submit can take time to analyze. Please try to match our commitment to you with your patience toward us. 
 
-  Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.

-  Perform everything in the correct order. Sometimes one step requires the previous one.

-  If you have any problems while following my instructions, Stop and ask any questions you may have.

-  Please stay with me until I have notified you that your system is All Clean. Absence of symptoms does not necessarily mean your machine is clean. 

-  If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

IMPORTANT NOTE:  DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 

 -----------------------------------------------------------

 

   :step1:  I see that you have already installed and run ADWCleaner.  Please run another scan, do not delete any items, and post the log in your next reply.

 

 ----------------------------------------------

 

 

   :step2:  Can you tell me if you use or if you installed either the Avery toolbar or any of the coupon related entries shown below? 

 

FF Plugin: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll No File

FF Plugin: @ei.CouponXplorer_5z.com/Plugin -> C:\Program Files\CouponXplorer_5zEI\Installr\1.bin\NP5zEISB.dll No File

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\[2014-03-20] (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll [2014-03-20] (Coupons, Inc.)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-1npCouponPrinter.dll 2-03] (Adobe Systems Inc.)

 

 ---------------------------------------------------

 

  :step3:   Your logs show a large number of group policies set.  This can be legitimate if set by the user but can also be the sign of infection.  Can you tell me if you have set any custom policies?

 

======================================================

 

IN YOUR NEXT REPLY I NEED:

 

1.)  ADWCleaner log

2.)  Answer to my questions about the Avery and Coupons entries

3.)  Answer to the group policy settings question

 

Thanks   :)

 

 


"DO OR DO NOT. THERE IS NO TRY."


#6 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 01 April 2015 - 04:50 PM

Thank you for your assistance.  Yes, the user had installed several pieces of junk such as the Avery toolbar, Ask toolbar, coupon printer, and only God knows what else.  As far as I can tell it has all been removed, but I'm sure there are some left over files and registry keys.  I also removed a bunch of bogus items from the host file that redirected several Adobe sites back to 127.0.0.1.  I think what you are seeing in the group policy, or at least a large part of it, is from the CryptoPrevent that we run on each computer.  This is run from the NETLOGON folder on the server when a user logs into a computer on the domain.   

 

Here is the log from ADW, but it's not much since I already removed a bunch of items from the first scan.  Below that one I have also pasted the log file from the first time I ran ADWCleaner. 

 

# AdwCleaner v4.200 - Logfile created 01/04/2015 at 17:43:29
# Updated 29/03/2015 by Xplode
# Database : 2015-03-29.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : hhanford - JD-WORKSTATION1
# Running from : C:\Users\jfender\Desktop\adwcleaner_4.200.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AskPartnerNetwork
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
 
-\\ Google Chrome v41.0.2272.101
 
 
*************************
 
AdwCleaner[R0].txt - [7870 bytes] - [31/03/2015 19:11:42]
AdwCleaner[R1].txt - [7572 bytes] - [31/03/2015 19:16:22]
AdwCleaner[R2].txt - [791 bytes] - [01/04/2015 17:43:29]
AdwCleaner[S0].txt - [750 bytes] - [31/03/2015 19:14:27]
AdwCleaner[S1].txt - [7634 bytes] - [31/03/2015 19:19:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [966 bytes] ##########
 
 
 
 
LOG FROM FIRST ADW SCAN
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
# AdwCleaner v4.200 - Logfile created 31/03/2015 at 19:16:22
# Updated 29/03/2015 by Xplode
# Database : 2015-03-29.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : jfender - JD-WORKSTATION1
# Running from : C:\Users\jfender\Desktop\adwcleaner_4.200.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Found : C:\Program Files\Coupons
Folder Found : C:\Program Files\Coupons
Folder Found : C:\Program Files\RebateInformer
Folder Found : C:\Program Files\VNT
Folder Found : C:\Users\aarias\AppData\Local\apn
Folder Found : C:\Users\aarias\AppData\LocalLow\alotappbar
Folder Found : C:\Users\aarias\AppData\LocalLow\alotservice
Folder Found : C:\Users\aarias\AppData\LocalLow\AppGraffiti
Folder Found : C:\Users\aarias\AppData\LocalLow\Inbox Toolbar
Folder Found : C:\Users\aarias\AppData\LocalLow\RebateInformer
Folder Found : C:\Users\jfender\AppData\Local\AskPartnerNetwork
Folder Found : C:\Users\jfender\AppData\Local\Temp\apn
Folder Found : C:\Users\jfender\AppData\Local\VNT
Folder Found : C:\Users\jfender\AppData\LocalLow\AppGraffiti
Folder Found : C:\Users\jfender\AppData\LocalLow\Toolbar4
Folder Found : C:\Users\jfender\AppData\Roaming\download Manager
Folder Found : C:\Users\service1\AppData\Local\AskPartnerNetwork
Folder Found : C:\Users\service1\AppData\Local\VNT
Folder Found : C:\Users\service1\AppData\LocalLow\AppGraffiti
Folder Found : C:\Users\service1\AppData\LocalLow\Toolbar4
Folder Found : C:\Users\service1\AppData\Roaming\download Manager
Folder Found : C:\Users\zeno\AppData\LocalLow\AppGraffiti
Folder Found : C:\Users\ZTSADmin\AppData\Local\VNT
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AskPartnerNetwork
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C4B0D422-B06E-4E27-8760-D093A2C03904}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Found : HKLM\SOFTWARE\AskPartnerNetwork
Key Found : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{44CBC005-6243-4502-8A02-3A096A282664}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{80703783-E415-4EE3-AB60-D36981C5A6F1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D8278076-BC68-4484-9233-6E7F1628B56C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F297534D-7B06-459D-BC19-2DD8EF69297B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{80703783-E415-4EE3-AB60-D36981C5A6F1}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Found : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Found : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9945959C-AAD8-4312-8B57-2DE11927E770}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{EEA63863-87BC-4DCA-A5B5-EB97E3B04806}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6978F29A-3493-40B2-8CDC-9C13A02F85A4}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D7949A66-D936-4028-9552-14F7DC50F38D}
Key Found : HKLM\SOFTWARE\microsoft\shared tools\msconfig\startupreg\ApnTBMon
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.8
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnTbMon]
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [SearchAssistant] - hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80115&lng=en
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [CustomizeSearch] - hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80115
 
-\\ Google Chrome v41.0.2272.101
 
[C:\Users\jfender\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\jfender\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\jfender\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.search.ask.com/web?tpid=AVRV7&o=APN11068&l=dis&pf=V7&p2=%5EB5N%5EYYYYYY%5EYY%5EUS&gct=&itbv=12.12.2.104&doi=2014-05-13&apn_uid=5B32A347-170F-4D08-8EEC-C984A1CFEE08&apn_ptnrs=%5EB5N&apn_dtid=%5EYYYYYY%5EYY%5EUS&apn_dbr=ie_9.0.8112.16545&psv=&pt=tb&trgb=IE&q={searchTerms}
[C:\Users\service1\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\service1\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\service1\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.search.ask.com/web?tpid=AVRV7&o=APN11068&l=dis&pf=V7&p2=%5EB5N%5EYYYYYY%5EYY%5EUS&gct=&itbv=12.12.2.104&doi=2014-05-13&apn_uid=5B32A347-170F-4D08-8EEC-C984A1CFEE08&apn_ptnrs=%5EB5N&apn_dtid=%5EYYYYYY%5EYY%5EUS&apn_dbr=ie_9.0.8112.16545&psv=&trgb=IE&tbv=&crxv=&q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [7870 bytes] - [31/03/2015 19:11:42]
AdwCleaner[R1].txt - [7376 bytes] - [31/03/2015 19:16:22]
AdwCleaner[S0].txt - [750 bytes] - [31/03/2015 19:14:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [7493 bytes] ##########
 

Edited by swacked941, 01 April 2015 - 04:53 PM.


#7 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:04:37 AM

Posted 02 April 2015 - 05:18 AM

Hi Swacked941- 

 

The following steps will address some minor issues that need to be cleaned up.  Then we will tend to the Trend Micro issue.   :)

 

I also removed a bunch of bogus items from the host file that redirected several adobe sites back to 127.0.0.1.

 

 
The host issues are still present.  The script I am giving you to run should take care of it.
 
  --------------------------------------------------------------

 

    :step1: Your logs indicate that the Avery toolbar is still installed.  Please uninstall this and we will clean up any remnants with a script

 

 ---------------------------------------------------
 

   :step2:  Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8 users right-click and select Run As Administrator

  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

  -----------------------------------------------------------------------------------------
 
   :step3:
   Please copy and paste the contents of the code box below into a notepad file, save it to your desktop as Fixlist.txt

 
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
 

CHR Extension: (Avery Toolbar) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaigmelgfmkfjicbbgbkcbagedejhj [2015-03-31]
SearchScopes: HKU\S-1-5-21-3365903783-3217467649-1740745987-3631 -> {3276BF67-8076-499B-93E8-72A227BABE4C} URL = http://www.search.ask.com/web?tpid=AVRV7&o=APN11068&pf=V7&p2=^B5N^YYYYYY^YY^US&gct=&itbv=12.12.2.104&apn_uid=5B32A347-170F-4D08-8EEC-C984A1CFEE08&apn_ptnrs=^B5N&apn_dtid=^YYYYYY^YY^US&apn_dbr=ie_9.0.8112.16545&doi=2014-05-13&trgb=IE&q={searchTerms}&psv=&pt=tb
FF Plugin: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll No File
FF Plugin: @ei.CouponXplorer_5z.com/Plugin -> C:\Program Files\CouponXplorer_5zEI\Installr\1.bin\NP5zEISB.dll No File
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [{765b3ca7-c34d-b2c2-1156-b76d8daf609d}] => "C:\ProgramData\Microsoft\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}.exe" No File
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} -  No File []
FF Plugin: @microsoft.com/GENUINE -> disabled No File
CHR HKLM\...\Chrome\Extension: [aaaaigmelgfmkfjicbbgbkcbagedejhj] - C:\ProgramData\AskPartnerNetwork\Toolbar\AVRV7\CRX\ToolbarCR.crx [Not Found]
S1 MpKsle3e40927; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8AB6C072-0EDE-452B-8D4A-B0A37349CFB5}\MpKsle3e40927.sys [X]
U3 tmpfw; No ImagePath
Hosts:
Emptytemp:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
Run FRST/FRST64 and press the Fix button just once and wait.
 
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
 
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 ======================================================
 
IN YOUR NEXT REPLY I NEED:
 
1.)  Confirmation that you have uninstalled the Avery Toolbar

2.)  ADWCleaner log
3.)  FRST fixlist log

Thanks :)
 


"DO OR DO NOT. THERE IS NO TRY."
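The hosts-file hijack discussed in this post (legitimate vendor names redirected to 127.0.0.1, which the fixlist clears with the `Hosts:` directive) is easy to check for before and after a reset. The following is an added example, not code from the thread, from FRST or from AdwCleaner; the sample hosts content and the example-vendor hostnames in it are constructed, and a stock Windows hosts file is assumed to contain only commented-out localhost lines.

```python
"""Audit a Windows hosts file for names that have been sinkholed to loopback.

Added example (not from the thread): parses a hosts file the way Windows does
(one address followed by one or more names, '#' starts a comment), ignores the
benign loopback/localhost lines, and reports every other name mapped to a sink
address (127.x.x.x, 0.0.0.0, ::1). A reset hosts file produces no findings.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Names that legitimately resolve to loopback on a stock install.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Return one HostsEntry per (address, hostname) pair, skipping comments and junk."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()  # handles tabs and runs of spaces alike
        if len(fields) < 2:
            continue  # address with no names: Windows ignores it, so do we
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def is_sink_address(address: str) -> bool:
    """True for addresses that make a name unreachable: loopback or unspecified."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_names(text: str) -> list[HostsEntry]:
    """Entries that send a non-localhost name to a sink address (the OP's symptom)."""
    return [
        e for e in parse_hosts(text)
        if is_sink_address(e.address) and e.hostname not in BENIGN_LOOPBACK_NAMES
    ]


# Constructed sample: default-looking header plus injected redirects using tabs,
# mixed case, a trailing comment, and one legitimate static mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      127.0.0.1       localhost
#      ::1             localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1\tactivate.example-vendor.com  # constructed redirect
0.0.0.0   Updates.Example-Vendor.com practivate.example-vendor.com
192.0.2.10  intranet.example  # real mapping, not a sink
"""

if __name__ == "__main__":
    for entry in find_sinkholed_names(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.hostname} -> {entry.address}")
```

On a live machine, read `C:\Windows\System32\drivers\etc\hosts` (the path FRST reset here) into `find_sinkholed_names`; an empty result matches the "just one commented localhost line" state the thread describes.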


#8 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 02 April 2015 - 09:46 AM

1) I removed avery toolbar as requested

 

The ADW scan did not find anything this time around. Here is the log file: 

 

 AdwCleaner v4.200 - Logfile created 02/04/2015 at 10:30:35
# Updated 29/03/2015 by Xplode
# Database : 2015-03-29.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : hhanford - JD-WORKSTATION1
# Running from : C:\Users\jfender\Desktop\adwcleaner_4.200.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
 
-\\ Google Chrome v41.0.2272.101
 
 
*************************
 
AdwCleaner[R0].txt - [7870 bytes] - [31/03/2015 19:11:42]
AdwCleaner[R1].txt - [7572 bytes] - [31/03/2015 19:16:22]
AdwCleaner[R2].txt - [1044 bytes] - [01/04/2015 17:43:29]
AdwCleaner[R3].txt - [1118 bytes] - [02/04/2015 10:28:23]
AdwCleaner[S0].txt - [750 bytes] - [31/03/2015 19:14:27]
AdwCleaner[S1].txt - [7634 bytes] - [31/03/2015 19:19:32]
AdwCleaner[S2].txt - [1111 bytes] - [01/04/2015 17:51:57]
AdwCleaner[S3].txt - [1044 bytes] - [02/04/2015 10:30:35]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1103  bytes] ##########
 
 
3) Here is the Log from the FRST fix:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by hhanford at 2015-04-02 10:39:04 Run:1
Running from C:\Users\hhanford\Desktop\FRST
Loaded Profiles: hhanford (Available profiles: Admin & J&D Heating & Administrator & encontrol & service1 & kturner & Zeno & itsagent & ZTSAdmin & jfender & hhanford)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CHR Extension: (Avery Toolbar) - C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaigmelgfmkfjicbbgbkcbagedejhj [2015-03-31]
FF Plugin: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll No File
FF Plugin: @ei.CouponXplorer_5z.com/Plugin -> C:\Program Files\CouponXplorer_5zEI\Installr\1.bin\NP5zEISB.dll No File
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [{765b3ca7-c34d-b2c2-1156-b76d8daf609d}] => "C:\ProgramData\Microsoft\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}\{765b3ca7-c34d-b2c2-1156-b76d8daf609d}.exe" No File
Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} -  No File []
FF Plugin: @microsoft.com/GENUINE -> disabled No File
CHR HKLM\...\Chrome\Extension: [aaaaigmelgfmkfjicbbgbkcbagedejhj] - C:\ProgramData\AskPartnerNetwork\Toolbar\AVRV7\CRX\ToolbarCR.crx [Not Found]
S1 MpKsle3e40927; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8AB6C072-0EDE-452B-8D4A-B0A37349CFB5}\MpKsle3e40927.sys [X]
U3 tmpfw; No ImagePath
Hosts:
Emptytemp:
*****************
 
C:\Users\hhanford\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaigmelgfmkfjicbbgbkcbagedejhj => Moved successfully.
HKU\S-1-5-21-3365903783-3217467649-1740745987-3631\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3276BF67-8076-499B-93E8-72A227BABE4C} => Key not found. 
HKCR\CLSID\{3276BF67-8076-499B-93E8-72A227BABE4C} => Key not found. 
"HKLM\Software\MozillaPlugins\@ei.CouponAlert_2p.com/Plugin" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@ei.CouponXplorer_5z.com/Plugin" => Key deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{765b3ca7-c34d-b2c2-1156-b76d8daf609d} => Value not found.
"HKCR\PROTOCOLS\Handler\intu-help-qb6" => Key deleted successfully.
HKCR\CLSID\{6898B29B-BF49-43cb-A0B1-D0B9496AF491} => Key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaigmelgfmkfjicbbgbkcbagedejhj => Key not found. 
MpKsle3e40927 => Service deleted successfully.
tmpfw => Service deleted successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 547.4 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 10:40:01 ====


#9 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 02 April 2015 - 09:49 AM

Also, the Host file now just says:

 

#      127.0.0.1       localhost

 

Nothing else. Completely blank except for that one line of text.

 

 

Thanks



#10 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1
  • Local time:04:37 AM

Posted 02 April 2015 - 11:21 AM

Hi Swacked941-
 

Also, the Host file now just says:
 
#      127.0.0.1       localhost
 
Nothing else. Completely blank except for that one line of text.

 
That is correct.  That is how a reset host file should look.
 
  -----------------------------------------------------
 

   Step 1:   Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
     
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
     
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button..
  • The THREAT SCAN will automatically begin..
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
     
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
     
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)

  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)

  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

 
  ----------------------------------------------------------
 
   Step 2:   Please make sure the additions.txt option is checked, re-run FRST (just the scan, not the fix), and post the 2 logs.
 
  ------------------------------------------------
 
   Step 3:   How is your system running now?  Are you still having issues with Trend Micro running?  I suspect that the issue still remains.  If so, I would suggest uninstalling Crypto Prevent and then trying to run Trend.  You had indicated on your original post that:
 

Quote

 I have a domain computer that is not allowing our Trend Micro WFBS to run and I'm getting an error that the program has been blocked by group policy which is not true.  I know that we are using cryptoprevent but that is not causing this problem on any other computers

 
 
Your FRST log clearly shows a policy that is blocking Trend:
 
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
 
I downloaded Crypto Prevent on my own machine and ran FRST to confirm that those policy settings are indeed set by Crypto Prevent, and they were.  As I do not use Trend I did not have that exact entry, but as it shows up among all the other policies set by Crypto Prevent, it is pretty clear that Crypto Prevent set it.  I strongly suspect if you uninstall Crypto Prevent your Trend issue will clear up.
 
It is odd that it is only affecting 1 computer.
 
I can tell you that your logs show only minor issues and nothing that would be blocking Trend aside from the above entry.  You may want to consult Trend and/or the Crypto Prevent developers and ask if anyone else has had similar issues.
 
 ======================================================
 
IN YOUR NEXT REPLY I NEED:
 
1.)  MBAM log
2.)  FRST logs
3.)  Is Trend able to run now?  If not were you able to run it after uninstalling Crypto Prevent?
 
 
Thanks  :)


Edited by Johnny Computer, 02 April 2015 - 11:22 AM.

"DO OR DO NOT. THERE IS NO TRY."
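The "HKLM Group Policy restriction on software" line that FRST reports comes from the Software Restriction Policy (SRP) path rules stored in the machine policy hive; whether a domain GPO or a local tool such as CryptoPrevent writes them, they land in the same registry keys. The PowerShell below is an added example (not code from the thread, from FRST, or from CryptoPrevent) that lists those rules and flags any Disallowed rule whose path covers a given program folder, so an admin can confirm what is blocking an application before uninstalling anything. The Trend Micro install path is taken from the thread and is assumed; adjust it for the program being checked.

```powershell
# Added example: enumerate SRP path rules and flag those covering a program folder.
# Assumed target path (from the thread); change for other programs.
$ProgramPath = 'C:\Program Files\Trend Micro'

# Local and GPO-deployed SRP rules both live under this policy key.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels appear as numeric subkey names under CodeIdentifiers.
$Levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpDefaultLevel {
    # DefaultLevel decides what happens to programs no rule mentions.
    $Props = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
    if ($null -eq $Props -or $null -eq $Props.DefaultLevel) { return 'not set (SRP inactive)' }
    $Name = $Levels[[string]$Props.DefaultLevel]
    if ($Name) { return $Name } else { return "unknown ($($Props.DefaultLevel))" }
}

function Get-SrpPathRule {
    # Each rule is a GUID-named subkey under <level>\Paths with an ItemData value
    # holding the (possibly wildcarded or %VAR%-containing) path.
    foreach ($Level in $Levels.Keys) {
        $PathsKey = Join-Path -Path $Base -ChildPath "$Level\Paths"
        if (-not (Test-Path -Path $PathsKey)) { continue }
        Get-ChildItem -Path $PathsKey | ForEach-Object {
            $Props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $Levels[$Level]
                RuleId      = $_.PSChildName
                Path        = $Props.ItemData
                Description = $Props.Description
            }
        }
    }
}

function Test-SrpRuleCovers {
    # A path rule covers the target if the target is that path or sits below it;
    # wildcard rules are matched with -like after environment variables are expanded.
    param([string]$RulePath, [string]$Target)
    if ([string]::IsNullOrWhiteSpace($RulePath)) { return $false }
    $Expanded = [Environment]::ExpandEnvironmentVariables($RulePath)
    if ($Expanded -match '[\*\?]') { return ($Target -like $Expanded) }
    $RuleNorm   = $Expanded.TrimEnd('\').ToLowerInvariant()
    $TargetNorm = $Target.TrimEnd('\').ToLowerInvariant()
    return ($TargetNorm -eq $RuleNorm) -or $TargetNorm.StartsWith($RuleNorm + '\')
}

# Report: default level, every rule, then the rules that would block the target.
"SRP default level: $(Get-SrpDefaultLevel)"
$Rules = @(Get-SrpPathRule)
"Path rules found: $($Rules.Count)"
$Rules | Format-Table Level, Path, Description -AutoSize

$Blocking = $Rules | Where-Object {
    $_.Level -eq 'Disallowed' -and (Test-SrpRuleCovers -RulePath $_.Path -Target $ProgramPath)
}
if ($Blocking) {
    "Disallowed rules covering $ProgramPath (remove via the tool or GPO that created them):"
    $Blocking | Format-Table RuleId, Path, Description -AutoSize
} else {
    "No Disallowed path rule covers $ProgramPath."
}
```

Run it in an elevated PowerShell on the affected machine. A rule whose Description names the tool that created it makes the source obvious; if the rule came from a domain GPO, deleting the key locally only helps until the next policy refresh, so the fix belongs in the GPO (or in the tool's own configuration, as the reply above suggests for Crypto Prevent).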


#11 swacked941

swacked941
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 02 April 2015 - 07:01 PM

I appreciate the help but I am going to go onsite and Format/Reinstall OS tomorrow.  Thanks



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:37 PM

Posted 06 April 2015 - 01:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


 

Malware analyst @ Emsisoft




