Server 2003 Compromised


  • This topic is locked
3 replies to this topic

#1 txbigden1

Posted 20 September 2015 - 02:24 PM

My Server 2003 was compromised. It created several users and was creating tons of traffic. I was able to remove the users and stop the programs (removed them), but a couple of weeks later I see a couple of new users have been added in my Active Directory users and odd programs are running in my processes. I've run ESET and AdwCleaner in the past, but this is all of a sudden recurring. Any help would be appreciated.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-09-2015
Ran by administrator (administrator) on SHELDON (20-09-2015 13:57:44)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Loaded Profiles: QBDataServiceUser24 & administrator (Available Profiles: QBDataServiceUser24 & ETB User & mysql & MssqlUool & IUSR_SSQL & mike & iusr_qa & administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> dfssvc.exe
Failed to access process -> dns.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> inetinfo.exe
Failed to access process -> ismserv.exe
Failed to access process -> svchost.exe
Failed to access process -> ntfrs.exe
Failed to access process -> svchost.exe
Failed to access process -> QBCFMonitorService.exe
Failed to access process -> QBIDPService.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> svchost.exe
Failed to access process -> wdfmgr.exe
Failed to access process -> dfsr.exe
Failed to access process -> tcpsvcs.exe
Failed to access process -> exmgmt.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> mssearch.exe
Failed to access process -> svchost.exe
Failed to access process -> store.exe
Failed to access process -> svchost.exe
Failed to access process -> QBDBMgrN.exe
Failed to access process -> svchost.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> ctfmon.exe
Failed to access process -> qbupdate.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> logon.scr
Failed to access process -> w3wp.exe
Failed to access process -> firefox.exe
Failed to access process -> w3wp.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> FRST.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2829624 2013-12-02] (Intuit Inc. All rights reserved.)
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-21-273214551-2702688601-832094456-1144\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
IFEO\sethc.exe: [Debugger] cmd.exe
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-01-04]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-01-04]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-01-04]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{CAD52BD2-E364-4B17-8496-D3D6284E7A48}: [NameServer] 192.168.9.254

Internet Explorer:
==================
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1420147654453
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2013-12-02] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2010-03-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.BIGBANG\Application Data\Mozilla\Firefox\Profiles\6xpobqh0.default
FF DefaultSearchEngine.US: Google
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-03]

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-19]
CHR Extension: (Google Docs) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-19]
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-19]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-19]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-19]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-08-19]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-19]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"eapihdrv" => service could not be unlocked. <===== ATTENTION

S2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2006-03-22] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2006-12-11] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S4 IMAP4Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2006-03-22] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S3 MSExchangeES; C:\Program Files\Exchsrvr\bin\events.exe [94720 2003-06-24] (Microsoft Corporation) [File not signed]
R2 MSExchangeIS; C:\Program Files\Exchsrvr\bin\store.exe [5227520 2005-10-04] (Microsoft Corporation) [File not signed]
R2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3217408 2005-08-25] (Microsoft Corporation) [File not signed]
S2 MSExchangeMTA; C:\Program Files\Exchsrvr\bin\emsmta.exe [3592704 2005-08-25] (Microsoft Corporation) [File not signed]
S2 MSExchangeSA; C:\Program Files\Exchsrvr\bin\mad.exe [8920064 2005-08-25] (Microsoft Corporation) [File not signed]
S4 MSExchangeSRS; C:\Program Files\Exchsrvr\bin\srsmain.exe [339456 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSFtpsvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [69632 2005-08-17] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [45568 2014-04-28] (Hewlett-Packard) [File not signed]
S4 NntpSvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [55808 2014-04-28] (Hewlett-Packard) [File not signed]
S4 POP3Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-12-02] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-12-02] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.) [File not signed]
R3 QuickBooksDB24; C:\Program Files\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.) [File not signed]
R2 RESvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2006-03-22] (Microsoft Corporation)
R2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 SrmReports; C:\WINDOWS\system32\srmhost.exe [10752 2005-11-23] (Microsoft Corporation) [File not signed]
R2 SrmSvc; C:\WINDOWS\system32\srmsvc.dll [1593344 2007-02-17] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2006-03-22] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
S3 WinHttpAutoProxySvc; winhttp.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R0 Datascrn; C:\WINDOWS\System32\DRIVERS\datascrn.sys [48640 2007-02-17] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R2 EXIFS; C:\WINDOWS\system32\drivers\exifs.sys [196192 2005-08-25] (Microsoft Corporation) [File not signed]
R3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
R3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
R3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
R3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52x.sys [50176 2007-10-18] (Broadcom Corporation)
R0 percsas; C:\WINDOWS\System32\drivers\percsas.sys [20992 2007-10-18] (LSI Corporation)
R0 Quota; C:\WINDOWS\System32\DRIVERS\quota.sys [88064 2007-02-17] (Microsoft Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
S4 afcnt; no ImagePath
S4 cpqarry2; no ImagePath
S4 cpqcissm; no ImagePath
S4 cpqfcalm; no ImagePath
S4 dellcerc; no ImagePath
S5 eapihdrv;  <===== ATTENTION: Locked Service
S4 hpt3xx; no ImagePath
S4 iirsp; no ImagePath
S4 IntelIde; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; no ImagePath
U3 LicenseInfo; no ImagePath
S4 lp6nds35; no ImagePath
S4 nfrd960; no ImagePath
S4 ql2100; no ImagePath
S4 ql2200; no ImagePath
S4 ql2300; no ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
S4 symmpi; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-20 13:57 - 2015-09-20 13:57 - 00015611 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.txt
2015-09-20 13:57 - 2015-09-20 13:57 - 00000000 ____D C:\FRST
2015-09-20 13:56 - 2015-09-20 13:56 - 01695232 _____ (Farbar) C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.exe
2015-09-20 12:37 - 2015-09-20 12:37 - 00000000 ____D C:\Program Files\ESET
2015-09-20 12:29 - 2015-09-20 12:29 - 00000000 ____D C:\AdwCleaner
2015-09-20 10:20 - 2015-09-20 10:20 - 00000000 _____ C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\~DF7F.tmp
2015-09-16 21:07 - 2015-09-16 21:17 - 00000178 ___SH C:\Documents and Settings\oprrs\ntuser.ini
2015-09-16 21:07 - 2015-09-16 21:07 - 00000803 _____ C:\Documents and Settings\oprrs\Start Menu\Programs\Internet Explorer.lnk
2015-09-16 21:07 - 2015-09-16 21:07 - 00000738 _____ C:\Documents and Settings\oprrs\Start Menu\Programs\Outlook Express.lnk
2015-09-16 21:07 - 2015-09-16 21:07 - 00000000 __SHD C:\Documents and Settings\oprrs\IETldCache
2015-09-16 21:07 - 2015-09-16 21:07 - 00000000 ___RD C:\Documents and Settings\oprrs\Start Menu\Programs\Accessories
2015-09-16 21:07 - 2015-09-16 21:07 - 00000000 ____D C:\Documents and Settings\oprrs
2015-09-16 21:07 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\oprrs\Application Data\Foxit Software
2015-09-16 21:07 - 2015-01-01 11:56 - 00001503 _____ C:\Documents and Settings\oprrs\Start Menu\Programs\Remote Assistance.lnk
2015-09-16 21:07 - 2015-01-01 05:54 - 00000000 _____ C:\Documents and Settings\oprrs\Sti_Trace.log
2015-09-16 20:49 - 2015-09-16 20:49 - 00025214 _____ C:\Documents and Settings\ETB User\Local Settings\Temp\dat69E.tmp
2015-09-13 18:18 - 2015-09-13 18:18 - 00000889 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\Recover My Files v5.lnk
2015-09-13 18:18 - 2015-09-13 18:18 - 00000000 ____D C:\Program Files\GetData
2015-09-13 18:18 - 2015-09-13 18:18 - 00000000 ____D C:\Program Files\CodeMeter
2015-09-13 18:18 - 2015-09-13 18:18 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Start Menu\Programs\Recover My Files v5
2015-09-13 18:18 - 2012-07-19 16:18 - 00666024 _____ (WIBU-SYSTEMS AG) C:\WINDOWS\system32\WibuCm32.dll
2015-09-13 18:14 - 2015-09-20 13:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\1
2015-09-11 05:47 - 2015-09-11 05:47 - 00000000 _____ C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\~DF1F.tmp
2015-09-08 11:38 - 2015-09-08 11:44 - 00000000 ____D C:\Documents and Settings\iusr_qa\Desktop\DuB
2015-09-08 11:37 - 2015-09-08 11:37 - 04974489 _____ C:\Documents and Settings\iusr_qa\Desktop\bad33new.exe
2015-09-08 11:37 - 2015-09-08 11:37 - 03578493 _____ C:\Documents and Settings\iusr_qa\Desktop\dub.exe
2015-09-08 11:34 - 2015-09-09 16:55 - 00000178 ___SH C:\Documents and Settings\iusr_qa\ntuser.ini
2015-09-08 11:34 - 2015-09-08 11:34 - 00000803 _____ C:\Documents and Settings\iusr_qa\Start Menu\Programs\Internet Explorer.lnk
2015-09-08 11:34 - 2015-09-08 11:34 - 00000738 _____ C:\Documents and Settings\iusr_qa\Start Menu\Programs\Outlook Express.lnk
2015-09-08 11:34 - 2015-09-08 11:34 - 00000000 __SHD C:\Documents and Settings\iusr_qa\IETldCache
2015-09-08 11:34 - 2015-09-08 11:34 - 00000000 ___RD C:\Documents and Settings\iusr_qa\Start Menu\Programs\Accessories
2015-09-08 11:34 - 2015-09-08 11:34 - 00000000 ____D C:\Documents and Settings\iusr_qa
2015-09-08 11:34 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\iusr_qa\Application Data\Foxit Software
2015-09-08 11:34 - 2015-01-01 11:56 - 00001503 _____ C:\Documents and Settings\iusr_qa\Start Menu\Programs\Remote Assistance.lnk
2015-09-08 11:34 - 2015-01-01 05:54 - 00000000 _____ C:\Documents and Settings\iusr_qa\Sti_Trace.log
2015-08-30 03:02 - 2015-08-30 03:04 - 00000000 ____D C:\Documents and Settings\mike\Local Settings\Temp\1
2015-08-30 03:02 - 2015-08-30 03:02 - 00000803 _____ C:\Documents and Settings\mike\Start Menu\Programs\Internet Explorer.lnk
2015-08-30 03:02 - 2015-08-30 03:02 - 00000738 _____ C:\Documents and Settings\mike\Start Menu\Programs\Outlook Express.lnk
2015-08-30 03:02 - 2015-08-30 03:02 - 00000020 ___SH C:\Documents and Settings\mike\ntuser.ini
2015-08-30 03:02 - 2015-08-30 03:02 - 00000000 __SHD C:\Documents and Settings\mike\IETldCache
2015-08-30 03:02 - 2015-08-30 03:02 - 00000000 ___RD C:\Documents and Settings\mike\Start Menu\Programs\Accessories
2015-08-30 03:02 - 2015-08-30 03:02 - 00000000 ____D C:\Documents and Settings\mike
2015-08-30 03:02 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\mike\Application Data\Foxit Software
2015-08-30 03:02 - 2015-01-01 11:56 - 00001503 _____ C:\Documents and Settings\mike\Start Menu\Programs\Remote Assistance.lnk
2015-08-30 03:02 - 2015-01-01 05:54 - 00000000 _____ C:\Documents and Settings\mike\Sti_Trace.log
2015-08-22 04:13 - 2015-08-22 04:13 - 00000000 ____D C:\Documents and Settings\IUSR_SSQL\Application Data\Mozilla
2015-08-21 08:56 - 2015-09-03 08:24 - 00000178 ___SH C:\Documents and Settings\IUSR_SSQL\ntuser.ini
2015-08-21 08:56 - 2015-08-21 08:56 - 00000803 _____ C:\Documents and Settings\IUSR_SSQL\Start Menu\Programs\Internet Explorer.lnk
2015-08-21 08:56 - 2015-08-21 08:56 - 00000738 _____ C:\Documents and Settings\IUSR_SSQL\Start Menu\Programs\Outlook Express.lnk
2015-08-21 08:56 - 2015-08-21 08:56 - 00000000 __SHD C:\Documents and Settings\IUSR_SSQL\IETldCache
2015-08-21 08:56 - 2015-08-21 08:56 - 00000000 ___RD C:\Documents and Settings\IUSR_SSQL\Start Menu\Programs\Accessories
2015-08-21 08:56 - 2015-08-21 08:56 - 00000000 ____D C:\Documents and Settings\IUSR_SSQL
2015-08-21 08:56 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\IUSR_SSQL\Application Data\Foxit Software
2015-08-21 08:56 - 2015-01-01 11:56 - 00001503 _____ C:\Documents and Settings\IUSR_SSQL\Start Menu\Programs\Remote Assistance.lnk
2015-08-21 08:56 - 2015-01-01 05:54 - 00000000 _____ C:\Documents and Settings\IUSR_SSQL\Sti_Trace.log
2015-08-21 06:02 - 2015-08-21 06:02 - 00000000 ____D C:\Documents and Settings\tot\Application Data\Adobe
2015-08-21 06:01 - 2015-08-21 06:05 - 00000000 ____D C:\Documents and Settings\tot\Application Data\Stamps.com Internet Postage
2015-08-21 06:00 - 2015-08-21 06:00 - 00000812 _____ C:\Documents and Settings\tot\Desktop\Shortcut to dciinst.exe.lnk
2015-08-21 05:59 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\tot\Application Data\Foxit Software
2015-08-21 05:59 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\Foxit Software
2015-08-21 05:59 - 2015-08-21 05:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Foxit PDF Creator
2015-08-21 05:52 - 2015-08-21 05:52 - 00000000 ____D C:\Documents and Settings\tot\Application Data\Mozilla
2015-08-21 05:51 - 2015-08-21 06:05 - 00000178 ___SH C:\Documents and Settings\tot\ntuser.ini
2015-08-21 05:51 - 2015-08-21 05:51 - 00000803 _____ C:\Documents and Settings\tot\Start Menu\Programs\Internet Explorer.lnk
2015-08-21 05:51 - 2015-08-21 05:51 - 00000738 _____ C:\Documents and Settings\tot\Start Menu\Programs\Outlook Express.lnk
2015-08-21 05:51 - 2015-08-21 05:51 - 00000000 __SHD C:\Documents and Settings\tot\IETldCache
2015-08-21 05:51 - 2015-08-21 05:51 - 00000000 ___RD C:\Documents and Settings\tot\Start Menu\Programs\Accessories
2015-08-21 05:51 - 2015-08-21 05:51 - 00000000 ____D C:\Documents and Settings\tot
2015-08-21 05:51 - 2015-01-01 11:56 - 00001503 _____ C:\Documents and Settings\tot\Start Menu\Programs\Remote Assistance.lnk
2015-08-21 05:51 - 2015-01-01 05:54 - 00000000 _____ C:\Documents and Settings\tot\Sti_Trace.log
2015-08-21 01:35 - 2015-08-21 01:35 - 00000803 _____ C:\Documents and Settings\ETB User\Start Menu\Programs\Internet Explorer.lnk
2015-08-21 01:35 - 2015-08-21 01:35 - 00000738 _____ C:\Documents and Settings\ETB User\Start Menu\Programs\Outlook Express.lnk
2015-08-21 01:35 - 2015-08-21 01:35 - 00000000 __SHD C:\Documents and Settings\ETB User\IETldCache

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-20 13:50 - 2015-01-03 11:39 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job
2015-09-20 13:50 - 2015-01-01 11:55 - 02002571 _____ C:\WINDOWS\WindowsUpdate.log
2015-09-20 13:31 - 2015-08-01 02:52 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-20 13:28 - 2015-01-04 08:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Desktop\6400
2015-09-20 13:23 - 2015-01-04 08:33 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-09-20 13:11 - 2015-01-01 05:46 - 00000000 ____D C:\WINDOWS\system32\dhcp
2015-09-20 13:06 - 2015-07-02 13:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-20 12:54 - 2015-01-01 05:46 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2015-09-20 12:26 - 2015-01-01 13:07 - 00065536 _____ C:\WINDOWS\NETLOGON.CHG
2015-09-20 09:06 - 2015-07-02 13:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-20 05:20 - 2015-01-01 11:59 - 00032526 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2015-09-20 05:09 - 2015-08-19 10:02 - 00000178 ___SH C:\Documents and Settings\ETB User\ntuser.ini
2015-09-19 22:00 - 2015-01-01 05:46 - 00000000 ____D C:\WINDOWS\security
2015-09-18 20:01 - 2015-01-07 10:01 - 00000000 ____D C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2015-09-18 09:01 - 2015-01-21 08:01 - 00022657 _____ C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\QBSearchIndexerError.txt
2015-09-16 21:07 - 2015-01-01 11:55 - 00011227 _____ C:\WINDOWS\wmsetup.log
2015-09-15 21:45 - 2015-01-01 05:51 - 00206472 _____ C:\WINDOWS\setupapi.log
2015-09-13 16:52 - 2015-01-01 12:16 - 00000178 ___SH C:\Documents and Settings\Administrator.BIGBANG\ntuser.ini
2015-09-13 16:52 - 2015-01-01 12:16 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG
2015-09-10 03:02 - 2015-01-03 11:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-09-09 17:10 - 2015-01-01 05:51 - 01491898 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-09-09 17:07 - 2015-01-01 13:07 - 00002368 _____ C:\WINDOWS\system32\config\netlogon.dnb
2015-09-09 17:07 - 2015-01-01 13:07 - 00002235 _____ C:\WINDOWS\system32\config\netlogon.dns
2015-09-09 17:06 - 2015-01-01 05:40 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-09-09 17:04 - 2015-01-01 13:03 - 00000000 ____D C:\WINDOWS\NTDS
2015-09-09 17:04 - 2015-01-01 11:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-09-09 16:56 - 2015-01-01 13:08 - 00065536 _____ C:\WINDOWS\system32\config\DnsEvent.Evt
2015-09-09 16:56 - 2015-01-01 13:04 - 00393216 _____ C:\WINDOWS\system32\config\NTDS.Evt
2015-09-09 16:56 - 2015-01-01 13:04 - 00065536 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2015-09-09 16:56 - 2015-01-01 12:44 - 00065536 _____ C:\WINDOWS\system32\config\dfsr.evt
2015-09-09 16:47 - 2015-01-01 11:55 - 00000000 ____D C:\Program Files\NetMeeting
2015-09-09 16:41 - 2015-08-18 17:43 - 00000000 __SHD C:\Documents and Settings\All Users\Application Data\MPK
2015-08-26 18:36 - 2015-01-03 11:08 - 132039072 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-08-26 13:46 - 2015-01-01 11:59 - 00484916 _____ C:\WINDOWS\PFRO.log
2015-08-21 06:02 - 2015-07-31 22:27 - 00000036 ____H C:\WINDOWS\system32\f9t.dat
2015-08-21 01:35 - 2015-08-19 10:02 - 00000000 ___RD C:\Documents and Settings\ETB User\Start Menu\Programs\Accessories

==================== Files in the root of some directories =======

2015-01-01 15:36 - 2015-01-01 15:36 - 0000144 _____ () C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\fusioncache.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION


ATTENTION: ==> Could not access BCD.

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by administrator (2015-09-20 13:58:12)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) (2015-01-01 16:57:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
Guest (0 - Administrator - Disabled) => %systemroot%\system32\config\systemprofile
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
SUPPORT_388945a0 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
dennis (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
jenny (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
wyatt (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
lynn (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
QBDataServiceUser20 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
QBDataServiceUser22 (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
dw (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dalton (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
QBDataServiceUser24 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
ETB User (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
IUSR_SHELDON (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IWAM_SHELDON (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
42D5F5AF-862A-4EE6-A (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
baskets (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
mysql (0 - Administrator - Disabled) => %systemroot%\system32\config\systemprofile
MssqlUool (0 - Administrator - Disabled) => %systemroot%\system32\config\systemprofile
IUSR_SSQL (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
mike (0 - Administrator - Disabled) => %systemroot%\system32\config\systemprofile
iusr_qa (0 - Administrator - Disabled) => %systemroot%\system32\config\systemprofile
PENNY$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
J630$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DENNIS-PC$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
D630$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUE-W8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEW8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
D7YTKCG1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEW8-2$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
JENNYW8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DENNISP8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
JENNYP8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEG-W81$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SHELDON$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUE$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 17.1.1 - Hewlett-Packard) Hidden
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.24.3-060405a-041210C-Dell - )
BPD_Scan (Version: 3.00.0000 - Hewlett-Packard) Hidden
BPDSoftware (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Enterprise (Version: 50.0.165.000 - Hewlett-Packard) Hidden
Foxit Creator (HKLM\...\Foxit Creator) (Version: 3,1,0,1210 - Foxit Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.93 - Google Inc.)
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HP Officejet J5700 AiO Series Corporate Edition 8.0 (HKLM\...\{8AFE6E90-060E-4774-861B-2408299A357C}) (Version: 1.0 - HP)
Microsoft .NET Framework 1.1 -- Device Update 4.0 (HKLM\...\{A34AC564-B4A3-4D45-B969-403BC39F0E6A}) (Version: 1.1.4322 - Microsoft Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Exchange (HKLM\...\9161A261-6ABE-4668-BBFA-AD06B3F642CF) (Version: - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB2957482) (HKLM\...\{87741E76-9D88-49FD-9C7C-14E2B37EB065}) (Version: 6.20.2017.0 - Microsoft Corporation)
No-IP DUC (HKLM\...\NoIPDUC) (Version: 4.1.0 - Vitalwerks Internet Solutions LLC)
QuickBooks (Version: 24.0.4004.2403 - Intuit Inc.) Hidden
QuickBooks Pro 2014 (HKLM\...\{4A21D17E-2FE8-42CD-88B7-ACF8E8860834}) (Version: 24.0.4004.2403 - Intuit Inc.)
Recover My Files (HKLM\...\Recover My Files v5_is1) (Version: 5.2.1.1903 - GetData Pty Ltd)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Server 2003 Service Pack 2 (HKLM\...\Windows Server 2003 Service Pack) (Version: 20070217.021455 - Microsoft Corporation)
Windows Support Tools (HKLM\...\{F07F0BCD-5C6D-4499-9F05-6ED747078A72}) (Version: 5.2.3790.1830 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CBEF1FB5-78FF-4B14-9B0F-275493FB589C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DA654E0C-E75D-4507-8AC2-71698C5B5C93}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB359C2A-6927-4AD7-8F1B-B6472CA7CDE7}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-01-01 05:37 - 2006-03-22 02:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-273214551-2702688601-832094456-1144\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-21-273214551-2702688601-832094456-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.9.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
mpsdrv Firewall Service is not running.
MpsSvc Firewall Service is not running.
bfe Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Faulty Device Manager Devices =============

Name: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Description: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom Corporation
Service: l2nd
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/20/2015 01:06:01 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 12:06:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 11:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 10:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 09:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 08:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 07:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 06:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 05:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (09/20/2015 04:06:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)


System errors:
=============
Error: (09/20/2015 12:27:41 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Microsoft Exchange MTA Stacks service terminated unexpectedly. It has done this 1 time(s).

Error: (09/20/2015 12:27:34 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Microsoft Exchange System Attendant service terminated unexpectedly. It has done this 1 time(s).

Error: (09/20/2015 12:27:25 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The CodeMeter Runtime Server service terminated unexpectedly. It has done this 1 time(s).

Error: (09/20/2015 12:25:37 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/20/2015 12:25:37 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/20/2015 12:25:37 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Shared Fax Driver required for printer Fax is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/20/2015 12:25:30 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Officejet J5700 Series fax required for printer HP Officejet J5700 Series fax is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/20/2015 12:25:30 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Universal Printing PCL 6 required for printer HP8100DN is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/16/2015 11:57:15 PM) (Source: Schannel) (EventID: 4106) (User: )
Description: An SSL connection request was received from a remote client application, but none
of the cipher suites supported by the client application are supported by the
server. The SSL connection request has failed.

Error: (09/16/2015 09:07:32 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Shared Fax Driver required for printer Fax (重新導向 5) (redirected 6) is unknown. Contact the administrator to install the driver before you log in again.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU 5160 @ 3.00GHz
Percentage of memory in use: 35%
Total physical RAM: 4094.98 MB
Available physical RAM: 2641.33 MB
Total Virtual: 5973.68 MB
Available Virtual: 4504.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:278.82 GB) (Free:257.24 GB) NTFS
Drive d: (DATA) (Fixed) (Total:836.62 GB) (Free:546.76 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 278.9 GB) (Disk ID: 54A39D80)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=278.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 836.6 GB) (Disk ID: 7934D7D9)
Partition 1: (Not Active) - (Size=836.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Edited by Oh My!, 25 September 2015 - 01:25 PM.

#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,967 posts
  • Gender:Male
  • Location:California
  • Local time:10:21 AM

Posted 25 September 2015 - 02:01 PM

Greetings txbigden1 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. We do not routinely work on Servers but I will do the best I can.

Can you tell me if you have access to another Server 2003 computer?

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
IFEO\sethc.exe: [Debugger] cmd.exe
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
S3 WinHttpAutoProxySvc; winhttp.dll [X]
2015-09-16 20:49 - 2015-09-16 20:49 - 00025214 _____ C:\Documents and Settings\ETB User\Local Settings\Temp\dat69E.tmp
C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\~DF7F.tmp
2015-09-13 18:14 - 2015-09-20 13:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\1
2015-09-11 05:47 - 2015-09-11 05:47 - 00000000 _____ C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\~DF1F.tmp
2015-09-08 11:37 - 2015-09-08 11:37 - 04974489 _____ C:\Documents and Settings\iusr_qa\Desktop\bad33new.exe
2015-09-08 11:37 - 2015-09-08 11:37 - 03578493 _____ C:\Documents and Settings\iusr_qa\Desktop\dub.exe
2015-08-30 03:02 - 2015-08-30 03:04 - 00000000 ____D C:\Documents and Settings\mike\Local Settings\Temp\1
2015-09-18 20:01 - 2015-01-07 10:01 - 00000000 ____D C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2015-08-21 06:02 - 2015-07-31 22:27 - 00000036 ____H C:\WINDOWS\system32\f9t.dat
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eapihdrv
Reg: reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eapihdrv

  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Another Server 2003 computer?
  • Fixlog
  • System Summary Information
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
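A defender-side triage of the entry types that appear in the fixlist above, added here as an example and not code from the thread or from FRST: it classifies each FRST line by the persistence pattern it matches (an IFEO Debugger on an accessibility binary such as sethc.exe, a Command Processor AutoRun value, a Winsock catalog entry with an unexpected library, an executable dropped in a user Temp or Desktop folder, orphaned entries). The severities and the set of accessibility binaries are my own assumptions; the sample lines are constructed in the shape of the post's fixlist, with a placeholder CLSID.

```python
import re
from typing import List, Optional, Tuple

# Accessibility helpers that Winlogon can launch before anyone logs on; an IFEO
# "Debugger" value on one of them makes Windows run that program in its place.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}  # assumption
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+)$", re.I)
# FRST file line: "<created> - <modified> - <size> <attrs> <path>"
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ (?P<path>.+)$")
Finding = Tuple[str, str, str]  # (severity, reason, raw line)

# Constructed sample in the shape of the post's fixlist (placeholder CLSID).
SAMPLE = r"""
IFEO\sethc.exe: [Debugger] cmd.exe
HKLM\...\Command Processor:  <======= ATTENTION
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
S3 WinHttpAutoProxySvc; winhttp.dll [X]
2015-09-08 11:37 - 2015-09-08 11:37 - 04974489 _____ C:\Documents and Settings\iusr_qa\Desktop\bad33new.exe
2015-09-13 18:14 - 2015-09-20 13:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\1
CustomCLSID: HKU\S-1-5-21-0-0-0-500_Classes\CLSID\{PLACEHOLDER-CLSID}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
"""

def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST line; None means it is not an indicator we recognise."""
    line = line.strip()
    m = IFEO_RE.match(line)
    if m:
        image = m.group("image").lower()
        if image in ACCESSIBILITY_BINARIES:
            return ("high", f"IFEO Debugger on {image} -> {m.group('debugger')}: "
                            "program reachable from the logon screen", line)
        return ("medium", f"IFEO Debugger set on {image}", line)
    if "Command Processor" in line and "ATTENTION" in line:
        return ("high", "cmd.exe AutoRun value present: runs on every cmd.exe start", line)
    if line.startswith("Winsock:") and "ATTENTION" in line:
        return ("medium", "Winsock catalog entry points at an unexpected library", line)
    m = FILE_RE.match(line)
    if m and m.group("path").lower().endswith(".exe") and re.search(r"\\(Temp|Desktop)\\", m.group("path"), re.I):
        return ("medium", "executable dropped in a user Temp/Desktop folder", line)
    if "ATTENTION" in line:
        return ("low", "entry flagged by FRST; compare against the expected default", line)
    if line.endswith("[X]") or line.endswith("No File"):
        return ("low", "entry references a file that no longer exists (orphan)", line)
    return None

def triage(text: str) -> List[Finding]:
    """Run triage_line over a whole fixlist/log and keep the hits, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]
```

Running `triage(SAMPLE)` flags the sethc.exe IFEO entry and the Command Processor AutoRun as high; the orphaned service and CLSID entries come back as low-severity cleanup items.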

#3 Oh My!
  • Malware Response Instructor
Posted 30 September 2015 - 09:33 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary

#4 Oh My!
  • Malware Response Instructor
Posted 02 October 2015 - 09:18 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary