
C&C Callbacks detected with Trend even after scans


  • This topic is locked
13 replies to this topic

#1 BerkeleyFarm

  • Members
  • 7 posts

Posted 07 October 2015 - 11:37 AM

We have a test RDP 2008 server (Windows 2008 R2 SP1 with current patches). I recently configured our new Trend Micro OfficeScan 11 SP1 (with the current ransomware patch) on it and configured C&C Callbacks, as it is in the same group as our production Citrix server. I am pretty much the only one who has used it.

Even after running TDSS and GMER, uninstalling Dropbox, and updating Adobe (and killing the updater service), I'm getting C&C callback notices on it:

Callback address: http://62.210.157.90/
C&C risk level: Dangerous
C&C list source: Global Intelligence
Action: Blocked

I ran FRST and have the logs below. I'd appreciate assistance: is something wrong, or is there a false positive that I need to report to Global Intelligence/Trend? Many thanks.

========================================FRST.TXT=======================================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-10-2015
Ran by administrator (administrator) on TS1 (07-10-2015 09:11:02)
Running from S:\MiscIT\Antivirus
Loaded Profiles: administrator (Available Profiles: Administrator & jcazares & ccazares & rpelta & cblackmer & administrator)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\tssdis.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(WinZip Computing, S.L.) C:\Program Files (x86)\WinZip\WZQKPICK.EXE
(Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(WinZip Computing, S.L.) C:\Program Files (x86)\WinZip\WZQKPICK.EXE
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\Misc\xpupg.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\Misc\xpupg.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\Temp\pccntupd.exe
(Farbar) \\D4\max-data\MiscIT\Antivirus\FRST64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [73944 2013-12-14] (VMware, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-06-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-06-26] (Adobe Systems Inc.)
HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [2462336 2015-07-24] (Trend Micro Inc.)
HKLM Group Policy restriction on software: %LocalAppData%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\Rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\WZ*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\$RecycleBin\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\$RecycleBin\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
Lsa: [Notification Packages] scecli rassfm
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013-07-30]
ShortcutTarget: Dropbox.lnk -> C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk [2012-06-11]
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{B7BBF923-EFFC-48E3-AC13-7A14CFD3D699}: [NameServer] 192.168.54.46,192.168.54.97

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://atlas/default.aspx
HKU\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://atlas/default.aspx
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO: Trend Micro Osprey Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg.dll [2015-06-17] (Trend Micro Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll [2015-06-05] (Trend Micro Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO-x32: Trend Micro Osprey Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg32.dll [2015-06-17] (Trend Micro Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll [2015-06-05] (Trend Micro Inc.)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-666057229-37022820-4066960233-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll [2015-06-05] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll [2015-06-05] (Trend Micro Inc.)
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg.dll [2015-06-17] (Trend Micro Inc.)
Handler-x32: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg32.dll [2015-06-17] (Trend Micro Inc.)

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-06-07]
FF HKLM-x32\...\Firefox\Extensions: [{BBB77B49-9FF4-4d5c-8FE2-92B1D6CD696C}] - C:\Program Files (x86)\Trend Micro\OfficeScan Client\FirefoxExtensionOsprey
FF Extension: Trend Micro Osprey Firefox Extension - C:\Program Files (x86)\Trend Micro\OfficeScan Client\FirefoxExtensionOsprey [2015-09-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\System32\ias.dll [26624 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [19456 2009-07-13] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [5202160 2015-07-30] (Trend Micro Inc.)
R3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [24576 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)
S3 TMBMServer; C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [584704 2015-07-23] (Trend Micro Inc.)
S3 tmccsf; C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\tmccsf.exe [713384 2015-07-24] (Trend Micro Inc.)
S2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [5155520 2015-07-24] (Trend Micro Inc.)
S3 tpautoconnsvc; C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe [509776 2013-02-28] (Cortado AG)
S3 TPVCGateway; C:\Program Files\VMware\VMware Tools\TPVCGateway.exe [566096 2013-02-28] (Cortado AG)
R2 TScPubRPC; C:\Windows\system32\TSCPUBSvr.dll [180224 2010-11-20] (Microsoft Corporation)
R2 TSGateway; C:\Windows\system32\aaedge.dll [308736 2015-07-10] (Microsoft Corporation)
R2 Tssdis; C:\Windows\System32\tssdis.exe [605696 2010-11-20] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AAVStor; C:\Windows\System32\DRIVERS\AAVStor.sys [48904 2013-07-04] (AppAssure Software, Inc.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [119336 2015-07-28] (Trend Micro Inc.)
S1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [324824 2015-07-28] (Trend Micro Inc.)
S0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [61232 2015-06-19] (Trend Micro Inc.)
S3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [116576 2015-06-08] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [79720 2015-07-28] (Trend Micro Inc.)
S2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [368392 2015-07-02] (Trend Micro Inc.)
S3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [416608 2015-05-28] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [44808 2015-07-02] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [109080 2013-06-18] (Trend Micro Inc.)
S3 tmusa; C:\Windows\System32\DRIVERS\tmusa.sys [116536 2015-06-22] (Trend Micro Inc.)
R2 VMMEMCTL; C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [18648 2013-12-14] (VMware, Inc.)
S2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2384136 2015-07-02] (Trend Micro Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70736 2013-09-18] (VMware, Inc.)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AAVStor.sys 5AFCA125AF23A4E70DD1F032E554E6E1
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys FA886682CFC5D36718D3E436AACF10B9
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
C:\Windows\system32\drivers\appid.sys A0711D119BA4B48A1470C768D301013E
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\cdrom.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys 404B7DF9CA4D1CB675045AF220FF3285
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys 27667A788130A7F7A5858DE27572E6D7
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys CF1F6326AC44C42F4615D4BD53188AC5
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys 87CE5C8965E101CCCED1F4675557E868
C:\Windows\System32\DRIVERS\E1G6032E.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\evbda.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys F61634BEC53F73702A10DE69F6DCAF57
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\qd260x64.sys FF0FB51A0ACC2E2D0D412138A05A0B59
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 67A1743377EBB5D9A370A8C2086CFDCC
C:\Windows\System32\Drivers\ksecpkg.sys 522A1595D5701800DD41B2D472F5AAED
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\system32\drivers\mouclass.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys 67050452C0118BAF2883928E6FCCFE47
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys AE3334958D8F631FF14A0AEB3D7EFB3A
C:\Windows\System32\DRIVERS\mrxsmb.sys B2081803D510DCE174992BA880EDCA70
C:\Windows\System32\DRIVERS\mrxsmb10.sys 552FA62B0EFECD22D8D52499324BCA4F
C:\Windows\System32\DRIVERS\mrxsmb20.sys 97687971F9CB30E2633DE0F1296B9F61
C:\Windows\system32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys AA0C2BA3782E92BD85E2264BE418E67C
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ED6E75158D28D33A2E2A020AC5B2B59D
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys 71B6F78D6444CCE6F77BC42917A4E8F7
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys FE571E088C2D83619D2D48D4E961BF41
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\sacdrv.sys D65E5E5C59F70516E856F5350106CDAB
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsp.sys 3F863F5A957305E30EFCFF7742F9B5C9
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E
C:\Windows\System32\DRIVERS\tcpip.sys 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E
C:\Windows\System32\drivers\tcpipreg.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tmactmon.sys D0C3622875C5A676FF72F5D587B77856
C:\Windows\System32\DRIVERS\tmcomm.sys CD92B8287834B50F41F418D7D0F3E33A
C:\Windows\System32\DRIVERS\TMEBC64.sys A5763B0C0BF07FCFB07F843A1336F588
C:\Windows\System32\DRIVERS\tmeevw.sys F21BD7A3E2002A88AB471BE42141C783
C:\Windows\System32\DRIVERS\tmevtmgr.sys F427AE0D96982825A146F356590F2F2A
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys 44ECC43BC2E37BD4C44894A86CDD413F
C:\Windows\System32\DRIVERS\tmnciesc.sys D8037AD74BD8E5C85514C78841DF72CA
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys E873FBB6C5B8CDF58257192F5B68214F
C:\Windows\System32\DRIVERS\tmtdi.sys 8D87AEEC05A5E3DABA0F05CB0FD2F2F4
C:\Windows\System32\DRIVERS\tmusa.sys C1B391A5E25D0FDCA89F5725D7BDC19D
C:\Windows\System32\DRIVERS\tssecsrv.sys E232A3B43A894BB327FC161529BD9ED1
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbccgp.sys 6F1A3157A1C89435352CEB543CDB359C
C:\Windows\system32\drivers\usbehci.sys C025055FE7B87701EB042095DF1A2D7B
C:\Windows\system32\drivers\usbhub.sys 287C6C9410B111B68B52CA298F7B8C24
C:\Windows\system32\drivers\usbohci.sys 9840FC418B4CBD632D3D0A667A725C31
C:\Windows\system32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\system32\drivers\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
C:\Windows\system32\drivers\usbuhci.sys 62069A34518BCF9C1FD9E74B3F6DB7CD
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\system32\drivers\Vid.sys 1720D283BDB1EAA7F21976586FF52B95
C:\Windows\System32\DRIVERS\vm3dmp.sys 1E40FEC0FB5BAC86FADEFCDB290DE314
C:\Windows\System32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vmci.sys 6203C901DEFF10631AAD919B3BD1489B
C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys C1AB424A0A1DAD79F669D96A72FCD52B
C:\Windows\System32\DRIVERS\vmmouse.sys BBE7ED0ED87295C4E4F7A323D260DE19
C:\Program Files\VMware\VMware Tools\vmrawdsk.sys B6AB1E6D9DEE68E2C4416A1F7DD6B12A
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys 0364DB6320F2FC698F9EFC9C49A52C65
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vsock.sys 1253D471A3FE90A2903EE538DDA5A6FE
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys 442783E2CB0DA19873B7A63833FF4CB4
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-07 09:09 - 2015-10-07 09:11 - 00000000 ____D C:\FRST
2015-10-07 09:00 - 2015-10-07 09:11 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\2
2015-10-05 08:07 - 2015-10-05 16:04 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\1
2015-10-02 12:41 - 2015-10-02 12:41 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\3
2015-10-02 11:21 - 2015-10-05 08:10 - 00000196 _____ C:\Windows\TMFilter.log
2015-10-02 11:21 - 2015-10-02 11:21 - 00003516 _____ C:\Windows\cfgwtp.ini
2015-10-02 11:19 - 2015-10-02 11:19 - 00001007 _____ C:\Windows\cfgrt_ex.ini
2015-10-02 11:19 - 2015-10-02 11:19 - 00000000 ____D C:\ProgramData\Trend Micro
2015-09-26 12:00 - 2015-10-07 02:00 - 00660016 _____ (Trend Micro Inc.) C:\Windows\TSCCensus64.exe
2015-09-24 10:59 - 2015-10-05 08:06 - 00020570 _____ C:\Windows\SysWOW64\TmInstall.log
2015-09-24 10:59 - 2015-09-24 10:59 - 00000000 _____ C:\Windows\system32\LESDebug.log
2015-09-24 10:37 - 2015-08-05 10:56 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-24 10:37 - 2015-08-05 10:40 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2015-09-24 10:36 - 2015-09-01 19:47 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2015-09-24 10:36 - 2015-09-01 18:51 - 03209216 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-24 10:36 - 2015-09-01 18:47 - 00372736 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-24 10:36 - 2015-09-01 18:33 - 00299520 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-09-24 10:34 - 2015-08-04 11:03 - 00692672 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-09-24 10:34 - 2015-08-04 11:00 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-09-24 10:34 - 2015-08-04 10:56 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-09-24 10:34 - 2015-08-04 10:56 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-24 10:34 - 2015-08-04 10:56 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-24 10:34 - 2015-08-04 10:55 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-09-24 10:34 - 2015-08-04 10:55 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-09-24 10:34 - 2015-08-04 10:47 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-09-24 10:34 - 2015-08-04 09:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-09-24 10:29 - 2015-09-24 10:29 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\KB3074547_10.0.30319
2015-09-24 10:26 - 2015-08-22 07:40 - 14383616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 13774848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 02865664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 02056704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-09-24 10:26 - 2015-08-22 07:40 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00718848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00525312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 02239488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-09-24 10:26 - 2015-08-22 06:50 - 19291648 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 02657280 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-09-24 10:26 - 2015-08-22 06:50 - 00857600 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-09-24 10:26 - 2015-08-20 11:53 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-09-24 10:26 - 2015-08-20 11:46 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-09-24 10:26 - 2015-08-20 11:21 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-09-24 10:26 - 2015-08-20 11:19 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-09-24 10:26 - 2015-08-20 10:56 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2015-09-24 10:26 - 2015-08-20 10:55 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2015-09-24 10:25 - 2015-07-14 20:17 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-09-24 10:25 - 2015-07-14 19:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 03165696 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 02606080 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-09-24 10:23 - 2015-08-26 11:06 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-24 10:23 - 2015-08-26 11:06 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-09-24 10:23 - 2015-08-26 11:06 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-24 10:23 - 2015-08-26 11:06 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00173056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00093184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-09-24 10:23 - 2015-08-26 10:55 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-09-24 10:23 - 2015-08-11 11:10 - 00745472 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2015-09-24 10:23 - 2015-08-11 11:10 - 00107008 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2015-09-24 10:23 - 2015-08-11 10:48 - 00060928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2015-09-24 10:23 - 2015-08-05 10:56 - 01110016 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-24 09:57 - 2015-10-07 09:01 - 00010409 _____ C:\Windows\cfgall.ini
2015-09-24 09:57 - 2015-10-05 08:06 - 00015784 _____ C:\Windows\system32\TmInstall.log
2015-09-24 09:57 - 2015-09-24 09:57 - 00000000 ____D C:\Windows\system32\log
2015-09-24 09:56 - 2015-10-02 11:21 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2015-09-24 09:56 - 2015-09-24 09:57 - 00046054 _____ C:\Windows\OfcInstReg.log
2015-09-24 09:56 - 2015-09-24 09:56 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-24 09:56 - 2015-09-24 09:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro OfficeScan Agent
2015-09-24 09:52 - 2015-09-24 09:56 - 00000231 _____ C:\RemoteInstall.log
2015-09-24 09:52 - 2015-09-24 09:55 - 00000021 _____ C:\tmuninst.ini

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-07 09:00 - 2012-05-30 09:01 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2015-10-07 08:08 - 2012-05-24 06:47 - 01617713 _____ C:\Windows\WindowsUpdate.log
2015-10-07 05:49 - 2015-07-21 15:39 - 00190192 _____ C:\Users\administrator.RIX\AppData\Local\Temp\ArmUI.ini
2015-10-07 05:49 - 2015-07-21 15:39 - 00020961 _____ C:\Users\administrator.RIX\AppData\Local\Temp\AdobeARM.log
2015-10-05 15:19 - 2015-07-21 15:40 - 00000227 _____ C:\Users\administrator.RIX\AppData\Local\Temp\AdobeARM_NotLocked.log
2015-10-05 08:24 - 2012-06-07 12:54 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\Acrobat Distiller 10
2015-10-05 08:23 - 2012-06-07 12:53 - 00002465 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller X.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00002453 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat X Pro.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00002026 _____ C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe LiveCycle ES2
2015-10-05 08:23 - 2012-05-30 09:07 - 00000000 ____D C:\Users\administrator.RIX
2015-10-05 08:22 - 2012-06-07 12:53 - 00086920 _____ C:\Users\administrator.RIX\AppData\Local\Temp\PDApp.log
2015-10-05 08:12 - 2009-07-13 21:49 - 00023008 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-05 08:12 - 2009-07-13 21:49 - 00023008 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-05 08:10 - 2009-07-13 22:10 - 00846662 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-05 08:08 - 2012-10-16 10:16 - 00000000 ____D C:\Users\administrator.RIX\AppData\Roaming\Dropbox
2015-10-05 08:08 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\inetsrv
2015-10-05 08:06 - 2013-08-15 14:42 - 00000000 ____D C:\Windows\system32\tssesdir
2015-10-05 08:06 - 2012-08-10 13:40 - 00000000 ____D C:\Windows\system32\lserver
2015-10-05 08:06 - 2009-07-13 22:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-02 19:44 - 2012-05-30 09:07 - 00003754 __RSH C:\Users\administrator.RIX\ntuser.pol
2015-10-02 14:50 - 2012-06-07 16:00 - 00000000 ____D C:\Tools
2015-09-24 11:36 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2015-09-24 10:59 - 2009-07-13 21:49 - 00410992 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-24 10:58 - 2012-06-04 15:31 - 00245174 _____ C:\Windows\PFRO.log
2015-09-24 10:58 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-09-24 10:38 - 2012-05-30 17:22 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-09-24 10:29 - 2013-08-14 15:11 - 00105343 _____ C:\Users\administrator.RIX\AppData\Local\Temp\dd_clwireg.txt

==================== Files in the root of some directories =======

2015-04-03 10:08 - 2015-04-03 10:15 - 0597622 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vcredistMSI09AA.txt
2015-04-03 10:08 - 2015-04-03 10:15 - 0445340 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vcredistUI09AA.txt
2015-04-03 10:03 - 2015-04-03 10:03 - 1036990 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vstor40_x64MSI0574.txt
2015-04-03 10:03 - 2015-04-03 10:03 - 0427034 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vstor40_x64UI0574.txt
2012-06-07 16:19 - 2012-06-07 16:19 - 0003167 _____ () C:\ProgramData\XSCM.CONFIG

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {a8b67d50-a5ae-11e1-b84d-84748743b1be}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {a8b67d52-a5ae-11e1-b84d-84748743b1be}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {a8b67d50-a5ae-11e1-b84d-84748743b1be}
nx                      OptOut

Windows Boot Loader
-------------------
identifier              {a8b67d52-a5ae-11e1-b84d-84748743b1be}
device                  ramdisk=[C:]\Recovery\a8b67d52-a5ae-11e1-b84d-84748743b1be\Winre.wim,{a8b67d53-a5ae-11e1-b84d-84748743b1be}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\a8b67d52-a5ae-11e1-b84d-84748743b1be\Winre.wim,{a8b67d53-a5ae-11e1-b84d-84748743b1be}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {a8b67d50-a5ae-11e1-b84d-84748743b1be}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {a8b67d53-a5ae-11e1-b84d-84748743b1be}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\a8b67d52-a5ae-11e1-b84d-84748743b1be\boot.sdi

LastRegBack: 2015-10-01 00:58

==================== End of FRST.txt ============================

====================ADDITION.TXT============================================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:07-10-2015
Ran by administrator (2015-10-07 09:11:42)
Running from S:\MiscIT\Antivirus
Windows Server 2008 R2 Standard Service Pack 1 (X64) (2012-05-24 13:45:32)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2165833833-4000530551-3899876304-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-2165833833-4000530551-3899876304-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat X Pro (HKLM-x32\...\{AC76BA86-1033-0000-7760-000000000005}) (Version: 10.1.15 - Adobe Systems)
ApplicationXtender Desktop 6.5 (HKLM-x32\...\{CB51DA63-756B-44F7-8CAE-FFA6043985C6}) (Version: 6.50.124 - EMC Corporation)
EMC IRM Common (x32 Version: 4.6.1.1993 - EMC Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Visio 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{CE144BF4-4950-4CDB-A5F7-CCE1888F49CB}) (Version:  - Microsoft)
Microsoft Office Visio Professional 2007 (HKLM-x32\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Project Standard 2010 (HKLM-x32\...\Office14.PRJSTD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (x64) (HKLM\...\{E016AA48-A21B-4728-9BD0-E3AAE23BEE5F}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{C9F697B9-FAC8-4B76-9D3D-40FA3BFA4F9E}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
SBClient (HKLM-x32\...\{25947B60-DD2E-4D19-BD01-DAB56A9F3877}) (Version: 5.5.3.5302 - Rocket Software)
SBClient (x32 Version: 5.5.3.5302 - Rocket Software) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003A-0000-0000-0000000FF1CE}_Office14.PRJSTD_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Trend Micro OfficeScan Agent (HKLM-x32\...\OfficeScanNT) (Version: 11.0.4172 - Trend Micro Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VMware Tools (HKLM\...\{0C27605D-3577-4DED-ACB7-D17FEA543B07}) (Version: 9.0.10.29005 - VMware, Inc.)
WinZip 12.0 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-666057229-37022820-4066960233-500_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {8AF69501-825C-44B2-B0F7-4653E0827939} - System32\Tasks\Microsoft\Windows\termsrv\licensing\TlsWarning => C:\Windows\system32\tlsbln.exe [2010-11-20] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {F4A2A7E4-208A-4B9B-A71B-A793063B9BEC} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (Whitelisted) ==============

2013-04-04 01:09 - 2013-04-04 01:09 - 04300432 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-666057229-37022820-4066960233-500\...\rixindustries.com -> hxxps://portal.rixindustries.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-666057229-37022820-4066960233-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.54.46 - 192.168.54.97
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [{5743D9A7-C8DC-4A3F-A837-1150CDD3A32D}] => (Allow) C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{EA85C7A2-EC4B-4D93-8DB4-8CE9972D1CC0}] => (Allow) C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [NPS-NPSSvc-In-UDP-1645] => (Allow) LPort=1645
FirewallRules: [NPS-NPSSvc-In-UDP-1646] => (Allow) LPort=1646
FirewallRules: [NPS-NPSSvc-In-UDP-1812] => (Allow) LPort=1812
FirewallRules: [NPS-NPSSvc-In-UDP-1813] => (Allow) LPort=1813
FirewallRules: [NPS-NPSSvc-In-RPC] => (Allow) %systemroot%\system32\iashost.exe
FirewallRules: [SessionDirectoryService-In-TCP] => (Allow) %systemroot%\system32\tssdis.exe
FirewallRules: [SessionDirectoryService-RPCSS-In-TCP] => (Allow) %systemroot%\system32\tssdis.exe
FirewallRules: [SessionDirectoryService-WMI-DCOM-In-TCP] => (Allow) %systemroot%\system32\wbem\wmiprvse.exe
FirewallRules: [SessionDirectoryService-WMI-In-TCP] => (Allow) %systemroot%\system32\wbem\wmiprvse.exe
FirewallRules: [SessionDirectoryService-WMI-Out-TCP] => (Allow) %systemroot%\system32\tssdis.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/07/2015 09:00:38 AM) (Source: ESENT) (EventID: 489) (User: )
Description: taskhost (3212) An attempt to open the file "C:\Users\administrator.RIX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (10/06/2015 03:12:19 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (10/05/2015 08:18:07 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 90080108

Error: (10/05/2015 07:17:23 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 90080108

Error: (10/05/2015 08:20:08 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (10/02/2015 04:05:00 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (10/02/2015 03:51:56 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (10/01/2015 09:11:57 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (10/01/2015 02:45:48 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (09/30/2015 07:42:06 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 90080108

System errors:
=============
Error: (10/07/2015 08:19:30 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 07:19:30 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 06:19:30 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 05:19:29 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 04:19:29 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 03:19:29 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 02:19:29 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 01:19:28 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/07/2015 12:19:28 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Error: (10/06/2015 11:19:28 PM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

==================== Memory info ===========================

Processor: Intel® Xeon® CPU E5-2650 v2 @ 2.60GHz
Percentage of memory in use: 27%
Total physical RAM: 4095.55 MB
Available physical RAM: 2961.52 MB
Total Virtual: 8189.31 MB
Available Virtual: 7120.61 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:69.9 GB) (Free:29.27 GB) NTFS
Drive i: (114) (Network) (Total:196.95 GB) (Free:183.86 GB) NTFS
Drive m: (124) (Network) (Total:98.47 GB) (Free:76.72 GB) NTFS
Drive p: (New Volume) (Network) (Total:260 GB) (Free:39.27 GB) NTFS
Drive r: (Data_1) (Network) (Total:200 GB) (Free:21.47 GB) NTFS
Drive s: (New Volume) (Network) (Total:260 GB) (Free:39.27 GB) NTFS
Drive u: (New Volume) (Network) (Total:295 GB) (Free:32.8 GB) NTFS
Drive v: (Data_2) (Network) (Total:290 GB) (Free:28.76 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 70 GB) (Disk ID: A456F1DB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=69.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • Gender:Male
  • Local time:01:23 AM

Posted 12 October 2015 - 11:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/592796 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts
  • Local time:10:23 PM

Posted 12 October 2015 - 02:03 PM

FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-10-2015
Ran by administrator (administrator) on TS1 (12-10-2015 12:00:50)
Running from C:\Users\administrator.RIX\Desktop
Loaded Profiles: administrator (Available Profiles: Administrator & jcazares & ccazares & rpelta & cblackmer & administrator)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\tssdis.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(WinZip Computing, S.L.) C:\Program Files (x86)\WinZip\WZQKPICK.EXE
(Microsoft Corporation) C:\Windows\System32\iashost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrobat_sl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRTScan.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\TmCCSF.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [73944 2013-12-14] (VMware, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41360 2015-06-26] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840592 2015-06-26] (Adobe Systems Inc.)
HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [2462336 2015-07-24] (Trend Micro Inc.)
HKLM Group Policy restriction on software: %LocalAppData%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\Rar*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\WZ*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\7z*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\Rar*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\7z*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %temp%\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %tmp%\wz*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %Appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\*.zip\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\$RecycleBin\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\$RecycleBin\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\Temp\*.zip\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
Lsa: [Notification Packages] scecli rassfm
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2013-07-30]
ShortcutTarget: Dropbox.lnk -> C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\..\Interfaces\{B7BBF923-EFFC-48E3-AC13-7A14CFD3D699}: [NameServer] 192.168.54.46,192.168.54.97
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://atlas/default.aspx
HKU\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://atlas/default.aspx
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO: Trend Micro Osprey Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg.dll [2015-06-17] (Trend Micro Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll [2015-06-05] (Trend Micro Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-03-09] (Microsoft Corporation)
BHO-x32: Trend Micro Osprey Plugin -> {959A5673-7971-48e6-AF54-58F745AC4ABC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg32.dll [2015-06-17] (Trend Micro Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Trend Micro IE Protection -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll [2015-06-05] (Trend Micro Inc.)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2015-06-26] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-666057229-37022820-4066960233-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\TmBpIe64.dll [2015-06-05] (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\module\BES\IE32\TmBpIe32.dll [2015-06-05] (Trend Micro Inc.)
Handler: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg.dll [2015-06-17] (Trend Micro Inc.)
Handler-x32: tmop - {69FD7CE3-4604-4fe6-967C-49B9735CEE70} - C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmopIEPlg32.dll [2015-06-17] (Trend Micro Inc.)
 
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2015-06-26] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-06-07]
FF HKLM-x32\...\Firefox\Extensions: [{BBB77B49-9FF4-4d5c-8FE2-92B1D6CD696C}] - C:\Program Files (x86)\Trend Micro\OfficeScan Client\FirefoxExtensionOsprey
FF Extension: Trend Micro Osprey Firefox Extension - C:\Program Files (x86)\Trend Micro\OfficeScan Client\FirefoxExtensionOsprey [2015-09-24]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\System32\ias.dll [26624 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [19456 2009-07-13] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [5202160 2015-07-30] (Trend Micro Inc.)
R3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [24576 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)
S3 TMBMServer; C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [584704 2015-07-23] (Trend Micro Inc.)
R3 tmccsf; C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\tmccsf.exe [713384 2015-07-24] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [5155520 2015-07-24] (Trend Micro Inc.)
S3 tpautoconnsvc; C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe [509776 2013-02-28] (Cortado AG)
S3 TPVCGateway; C:\Program Files\VMware\VMware Tools\TPVCGateway.exe [566096 2013-02-28] (Cortado AG)
R2 TScPubRPC; C:\Windows\system32\TSCPUBSvr.dll [180224 2010-11-20] (Microsoft Corporation)
R2 TSGateway; C:\Windows\system32\aaedge.dll [308736 2015-07-10] (Microsoft Corporation)
R2 Tssdis; C:\Windows\System32\tssdis.exe [605696 2010-11-20] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AAVStor; C:\Windows\System32\DRIVERS\AAVStor.sys [48904 2013-07-04] (AppAssure Software, Inc.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
S2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [119336 2015-07-28] (Trend Micro Inc.)
S1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [324824 2015-07-28] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [61232 2015-06-19] (Trend Micro Inc.)
R3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [116576 2015-06-08] (Trend Micro Inc.)
S2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [79720 2015-07-28] (Trend Micro Inc.)
R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [368392 2015-07-02] (Trend Micro Inc.)
R3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [416608 2015-05-28] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [44808 2015-07-02] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [109080 2013-06-18] (Trend Micro Inc.)
R3 tmusa; C:\Windows\System32\DRIVERS\tmusa.sys [116536 2015-06-22] (Trend Micro Inc.)
R2 VMMEMCTL; C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys [18648 2013-12-14] (VMware, Inc.)
R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2384136 2015-07-02] (Trend Micro Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [70736 2013-09-18] (VMware, Inc.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-12 12:00 - 2015-10-12 12:01 - 00014378 _____ C:\Users\administrator.RIX\Desktop\FRST.txt
2015-10-12 12:00 - 2015-10-12 12:01 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\2
2015-10-12 12:00 - 2015-10-12 12:00 - 00000000 ____D C:\Users\administrator.RIX\Desktop\old fsrt
2015-10-12 12:00 - 2015-10-12 12:00 - 00000000 ____D C:\Users\administrator.RIX\Desktop\FRST-OlderVersion
2015-10-07 09:15 - 2015-10-12 12:00 - 02196480 _____ (Farbar) C:\Users\administrator.RIX\Desktop\FRST64.exe
2015-10-07 09:09 - 2015-10-12 12:00 - 00000000 ____D C:\FRST
2015-10-05 08:07 - 2015-10-05 16:04 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\1
2015-10-02 12:41 - 2015-10-02 12:41 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\3
2015-10-02 11:21 - 2015-10-05 08:10 - 00000196 _____ C:\Windows\TMFilter.log
2015-10-02 11:21 - 2015-10-02 11:21 - 00003516 _____ C:\Windows\cfgwtp.ini
2015-10-02 11:19 - 2015-10-02 11:19 - 00001007 _____ C:\Windows\cfgrt_ex.ini
2015-10-02 11:19 - 2015-10-02 11:19 - 00000000 ____D C:\ProgramData\Trend Micro
2015-09-26 12:00 - 2015-10-07 02:00 - 00660016 _____ (Trend Micro Inc.) C:\Windows\TSCCensus64.exe
2015-09-24 10:59 - 2015-10-12 12:00 - 00024684 _____ C:\Windows\SysWOW64\TmInstall.log
2015-09-24 10:59 - 2015-09-24 10:59 - 00000000 _____ C:\Windows\system32\LESDebug.log
2015-09-24 10:37 - 2015-08-05 10:56 - 00275456 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-24 10:37 - 2015-08-05 10:40 - 00216064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InkEd.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-09-24 10:36 - 2015-09-01 20:04 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-09-24 10:36 - 2015-09-01 19:48 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2015-09-24 10:36 - 2015-09-01 19:47 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2015-09-24 10:36 - 2015-09-01 18:51 - 03209216 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-24 10:36 - 2015-09-01 18:47 - 00372736 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-24 10:36 - 2015-09-01 18:33 - 00299520 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-09-24 10:34 - 2015-08-04 11:03 - 00692672 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-09-24 10:34 - 2015-08-04 11:00 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-09-24 10:34 - 2015-08-04 10:56 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-09-24 10:34 - 2015-08-04 10:56 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-24 10:34 - 2015-08-04 10:56 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-24 10:34 - 2015-08-04 10:55 - 00147456 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-09-24 10:34 - 2015-08-04 10:55 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-09-24 10:34 - 2015-08-04 10:47 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-09-24 10:34 - 2015-08-04 09:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-09-24 10:29 - 2015-09-24 10:29 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\KB3074547_10.0.30319
2015-09-24 10:26 - 2015-08-22 07:40 - 14383616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 13774848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 02865664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 02056704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-09-24 10:26 - 2015-08-22 07:40 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00718848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00525312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-09-24 10:26 - 2015-08-22 07:40 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 02239488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-09-24 10:26 - 2015-08-22 06:51 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-09-24 10:26 - 2015-08-22 06:50 - 19291648 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 02657280 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-09-24 10:26 - 2015-08-22 06:50 - 00857600 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-09-24 10:26 - 2015-08-22 06:50 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-09-24 10:26 - 2015-08-20 11:53 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-09-24 10:26 - 2015-08-20 11:46 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-09-24 10:26 - 2015-08-20 11:21 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-09-24 10:26 - 2015-08-20 11:19 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-09-24 10:26 - 2015-08-20 10:56 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2015-09-24 10:26 - 2015-08-20 10:55 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2015-09-24 10:25 - 2015-07-14 20:17 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-09-24 10:25 - 2015-07-14 19:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 03165696 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 02606080 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-09-24 10:23 - 2015-08-26 11:07 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-09-24 10:23 - 2015-08-26 11:06 - 00139776 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-24 10:23 - 2015-08-26 11:06 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-09-24 10:23 - 2015-08-26 11:06 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-24 10:23 - 2015-08-26 11:06 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00173056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00093184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-09-24 10:23 - 2015-08-26 10:56 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-09-24 10:23 - 2015-08-26 10:55 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-09-24 10:23 - 2015-08-11 11:10 - 00745472 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2015-09-24 10:23 - 2015-08-11 11:10 - 00107008 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2015-09-24 10:23 - 2015-08-11 10:48 - 00060928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2015-09-24 10:23 - 2015-08-05 10:56 - 01110016 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-24 09:57 - 2015-10-12 12:00 - 00017988 _____ C:\Windows\system32\TmInstall.log
2015-09-24 09:57 - 2015-10-07 09:01 - 00010409 _____ C:\Windows\cfgall.ini
2015-09-24 09:57 - 2015-09-24 09:57 - 00000000 ____D C:\Windows\system32\log
2015-09-24 09:56 - 2015-10-02 11:21 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2015-09-24 09:56 - 2015-09-24 09:57 - 00046054 _____ C:\Windows\OfcInstReg.log
2015-09-24 09:56 - 2015-09-24 09:56 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-24 09:56 - 2015-09-24 09:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trend Micro OfficeScan Agent
2015-09-24 09:52 - 2015-09-24 09:56 - 00000231 _____ C:\RemoteInstall.log
2015-09-24 09:52 - 2015-09-24 09:55 - 00000021 _____ C:\tmuninst.ini
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-10-12 12:00 - 2012-05-30 09:01 - 00000112 _____ C:\Windows\system32\config\netlogon.ftl
2015-10-12 11:49 - 2015-07-21 15:39 - 00190192 _____ C:\Users\administrator.RIX\AppData\Local\Temp\ArmUI.ini
2015-10-12 11:49 - 2015-07-21 15:39 - 00055268 _____ C:\Users\administrator.RIX\AppData\Local\Temp\AdobeARM.log
2015-10-12 08:08 - 2012-05-24 06:47 - 01647808 _____ C:\Windows\WindowsUpdate.log
2015-10-10 06:51 - 2012-08-10 13:40 - 00000000 ____D C:\Windows\system32\lserver
2015-10-10 06:50 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\inetsrv
2015-10-07 09:11 - 2009-07-13 21:49 - 00023008 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-07 09:11 - 2009-07-13 21:49 - 00023008 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-05 15:19 - 2015-07-21 15:40 - 00000227 _____ C:\Users\administrator.RIX\AppData\Local\Temp\AdobeARM_NotLocked.log
2015-10-05 08:24 - 2012-06-07 12:54 - 00000000 ____D C:\Users\administrator.RIX\AppData\Local\Temp\Acrobat Distiller 10
2015-10-05 08:23 - 2012-06-07 12:53 - 00002465 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller X.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00002453 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat X Pro.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00002026 _____ C:\Users\Public\Desktop\Adobe Acrobat X Pro.lnk
2015-10-05 08:23 - 2012-06-07 12:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe LiveCycle ES2
2015-10-05 08:23 - 2012-05-30 09:07 - 00000000 ____D C:\Users\administrator.RIX
2015-10-05 08:22 - 2012-06-07 12:53 - 00086920 _____ C:\Users\administrator.RIX\AppData\Local\Temp\PDApp.log
2015-10-05 08:10 - 2009-07-13 22:10 - 00846662 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-05 08:08 - 2012-10-16 10:16 - 00000000 ____D C:\Users\administrator.RIX\AppData\Roaming\Dropbox
2015-10-05 08:06 - 2013-08-15 14:42 - 00000000 ____D C:\Windows\system32\tssesdir
2015-10-05 08:06 - 2009-07-13 22:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-02 19:44 - 2012-05-30 09:07 - 00003754 __RSH C:\Users\administrator.RIX\ntuser.pol
2015-10-02 14:50 - 2012-06-07 16:00 - 00000000 ____D C:\Tools
2015-09-24 11:36 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2015-09-24 10:59 - 2009-07-13 21:49 - 00410992 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-24 10:58 - 2012-06-04 15:31 - 00245174 _____ C:\Windows\PFRO.log
2015-09-24 10:58 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-09-24 10:38 - 2012-05-30 17:22 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-09-24 10:29 - 2013-08-14 15:11 - 00105343 _____ C:\Users\administrator.RIX\AppData\Local\Temp\dd_clwireg.txt
 
==================== Files in the root of some directories =======
 
2015-04-03 10:08 - 2015-04-03 10:15 - 0597622 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vcredistMSI09AA.txt
2015-04-03 10:08 - 2015-04-03 10:15 - 0445340 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vcredistUI09AA.txt
2015-04-03 10:03 - 2015-04-03 10:03 - 1036990 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vstor40_x64MSI0574.txt
2015-04-03 10:03 - 2015-04-03 10:03 - 0427034 _____ () C:\Users\administrator.RIX\AppData\Local\dd_vstor40_x64UI0574.txt
2012-06-07 16:19 - 2012-06-07 16:19 - 0003167 _____ () C:\ProgramData\XSCM.CONFIG
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-10-11 00:51
 
==================== End of FRST.txt ============================
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:12-10-2015
Ran by administrator (2015-10-12 12:01:42)
Running from C:\Users\administrator.RIX\Desktop
Windows Server 2008 R2 Standard Service Pack 1 (X64) (2012-05-24 13:45:32)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2165833833-4000530551-3899876304-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-2165833833-4000530551-3899876304-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat X Pro (HKLM-x32\...\{AC76BA86-1033-0000-7760-000000000005}) (Version: 10.1.15 - Adobe Systems)
ApplicationXtender Desktop 6.5 (HKLM-x32\...\{CB51DA63-756B-44F7-8CAE-FFA6043985C6}) (Version: 6.50.124 - EMC Corporation)
EMC IRM Common (x32 Version: 4.6.1.1993 - EMC Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Visio 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{CE144BF4-4950-4CDB-A5F7-CCE1888F49CB}) (Version:  - Microsoft)
Microsoft Office Visio Professional 2007 (HKLM-x32\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Project Standard 2010 (HKLM-x32\...\Office14.PRJSTD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (x64) (HKLM\...\{E016AA48-A21B-4728-9BD0-E3AAE23BEE5F}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{C9F697B9-FAC8-4B76-9D3D-40FA3BFA4F9E}) (Version: 10.51.2500.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
SBClient (HKLM-x32\...\{25947B60-DD2E-4D19-BD01-DAB56A9F3877}) (Version: 5.5.3.5302 - Rocket Software)
SBClient (x32 Version: 5.5.3.5302 - Rocket Software) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003A-0000-0000-0000000FF1CE}_Office14.PRJSTD_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Trend Micro OfficeScan Agent (HKLM-x32\...\OfficeScanNT) (Version: 11.0.4172 - Trend Micro Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VMware Tools (HKLM\...\{0C27605D-3577-4DED-ACB7-D17FEA543B07}) (Version: 9.0.10.29005 - VMware, Inc.)
WinZip 12.0 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-666057229-37022820-4066960233-500_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {8AF69501-825C-44B2-B0F7-4653E0827939} - System32\Tasks\Microsoft\Windows\termsrv\licensing\TlsWarning => C:\Windows\system32\tlsbln.exe [2010-11-20] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {F4A2A7E4-208A-4B9B-A71B-A793063B9BEC} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-04-04 01:09 - 2013-04-04 01:09 - 04300432 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-12-26 16:22 - 2014-12-26 16:22 - 00801792 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\sqlite3.dll
2007-05-16 11:42 - 2007-05-16 11:42 - 00089088 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\zlibwapi.dll
2012-12-19 04:06 - 2012-12-19 04:06 - 01300480 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\libprotobuf.dll
2013-01-16 10:19 - 2013-01-16 10:19 - 00048128 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\boost_date_time-vc110-mt-1_49.dll
2013-04-02 12:25 - 2013-04-02 12:25 - 00675840 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\sqlite3.dll
2012-12-19 04:06 - 2012-12-19 04:06 - 01300480 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\libprotobuf.dll
2013-01-16 10:23 - 2013-01-16 10:23 - 00058368 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\CCSF\boost_thread-vc110-mt-1_49.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-666057229-37022820-4066960233-500\...\rixindustries.com -> hxxps://portal.rixindustries.com
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-666057229-37022820-4066960233-500\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 192.168.54.46 - 192.168.54.97
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [SCW-Allow-Inbound-Access-To-ScsHost-TCP-RPC-EndPointMapper] => (Allow) %systemroot%\system32\scshost.exe
FirewallRules: [ComPlusRemoteAdministration-DCOM-In] => (Allow) %systemroot%\system32\dllhost.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [DfsMgmt-In-TCP] => (Allow) %systemroot%\system32\dfsfrsHost.exe
FirewallRules: [{5743D9A7-C8DC-4A3F-A837-1150CDD3A32D}] => (Allow) C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [{EA85C7A2-EC4B-4D93-8DB4-8CE9972D1CC0}] => (Allow) C:\Users\administrator.RIX\AppData\Roaming\Dropbox\bin\Dropbox.exe
FirewallRules: [NPS-NPSSvc-In-UDP-1645] => (Allow) LPort=1645
FirewallRules: [NPS-NPSSvc-In-UDP-1646] => (Allow) LPort=1646
FirewallRules: [NPS-NPSSvc-In-UDP-1812] => (Allow) LPort=1812
FirewallRules: [NPS-NPSSvc-In-UDP-1813] => (Allow) LPort=1813
FirewallRules: [NPS-NPSSvc-In-RPC] => (Allow) %systemroot%\system32\iashost.exe
FirewallRules: [SessionDirectoryService-In-TCP] => (Allow) %systemroot%\system32\tssdis.exe
FirewallRules: [SessionDirectoryService-RPCSS-In-TCP] => (Allow) %systemroot%\system32\tssdis.exe
FirewallRules: [SessionDirectoryService-WMI-DCOM-In-TCP] => (Allow) %systemroot%\system32\wbem\wmiprvse.exe
FirewallRules: [SessionDirectoryService-WMI-In-TCP] => (Allow) %systemroot%\system32\wbem\wmiprvse.exe
FirewallRules: [SessionDirectoryService-WMI-Out-TCP] => (Allow) %systemroot%\system32\tssdis.exe
FirewallRules: [{053F4758-6541-4113-AB50-A7ED05A3859B}] => (Allow) LPort=24590
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/12/2015 12:00:12 PM) (Source: ESENT) (EventID: 489) (User: )
Description: taskhost (4008) An attempt to open the file "C:\Users\administrator.RIX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (10/12/2015 04:17:35 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/11/2015 09:41:04 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/10/2015 02:22:37 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/09/2015 12:44:44 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/08/2015 05:22:21 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/07/2015 10:28:42 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/07/2015 09:00:38 AM) (Source: ESENT) (EventID: 489) (User: )
Description: taskhost (3212) An attempt to open the file "C:\Users\administrator.RIX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).
 
Error: (10/06/2015 03:12:19 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005
 
Error: (10/05/2015 08:18:07 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 90080108
 
 
System errors:
=============
Error: (10/12/2015 11:19:53 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 10:19:53 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 09:19:53 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 08:19:53 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 07:19:52 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 06:19:52 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 05:19:52 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 04:19:52 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 03:19:52 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
Error: (10/12/2015 02:19:51 AM) (Source: Kerberos) (EventID: 4) (User: )
Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server av$. The target name used was cifs/vis.rix.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (RIX.LOCAL) is different from the client domain (RIX.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU E5-2650 v2 @ 2.60GHz
Percentage of memory in use: 32%
Total physical RAM: 4095.55 MB
Available physical RAM: 2773.53 MB
Total Virtual: 8189.31 MB
Available Virtual: 6944.77 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:69.9 GB) (Free:29.3 GB) NTFS
Drive i: (114) (Network) (Total:196.95 GB) (Free:183.86 GB) NTFS
Drive m: (124) (Network) (Total:98.47 GB) (Free:76.72 GB) NTFS
Drive p: (New Volume) (Network) (Total:260 GB) (Free:37.47 GB) NTFS
Drive r: (Data_1) (Network) (Total:200 GB) (Free:16.82 GB) NTFS
Drive s: (New Volume) (Network) (Total:260 GB) (Free:37.47 GB) NTFS
Drive u: (New Volume) (Network) (Total:295 GB) (Free:32.26 GB) NTFS
Drive v: (Data_2) (Network) (Total:290 GB) (Free:28.56 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 70 GB) (Disk ID: A456F1DB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=69.9 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 17 October 2015 - 01:40 PM

Greetings BerkeleyFarm and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Part of the delay is because we don't typically work with Servers so we are not intimately familiar with the software or the manipulation of the Operating System. As a result I am hesitant to be as proactive as I normally would be with more mainstream systems. We can poke around a little bit but I may be referring you to another Forum here for more specialized help.

Please do this.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • RogueKiller log
  • Result log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts

Posted 18 October 2015 - 12:57 PM

Greetings!  You got to me on a day I wasn't in the office.  I will get you this information as soon as possible.  



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 18 October 2015 - 02:00 PM

No problem, thanks for touching base.


Gary
 

#7 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts

Posted 19 October 2015 - 12:58 PM

OK here we go  (my name is Charlotte, btw):

 

RogueKiller:

 

RogueKiller V10.11.1.0 [Oct 19 2015] by Adlice Software
 
Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : administrator [Administrator]
Started from : C:\Users\administrator.RIX\Desktop\RogueKiller.exe
Mode : Scan -- Date : 10/19/2015 08:59:13
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 14 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://atlas/default.aspx  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://atlas/default.aspx  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://atlas/default.aspx  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://atlas/default.aspx  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-666057229-37022820-4066960233-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: VMware Virtual disk SCSI Disk Device +++++
--- User ---
[MBR] 0cbc6e67138ebbc53f90552bce116531
[BSP] 4b16f903bc3c3119378d7120054a9d08 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 71578 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
 
Result log:
 
MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by administrator (administrator) on 19-10-2015 at 10:21:16
Running from "C:\Users\administrator.RIX\Desktop"
Microsoft Windows Server 2008 R2 Standard  Service Pack 1 (X64)
Model: VMware Virtual Platform Manufacturer: VMware, Inc.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
 
 
 
========================= IP Configuration: ================================
 
Intel® PRO/1000 MT Network Connection = Local Area Connection (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection" nexthop=192.168.54.20 publish=Yes
add address name="Local Area Connection" address=192.168.54.107 mask=255.255.255.0
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : TS1
   Primary Dns Suffix  . . . . . . . : rix.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : rix.local
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-B9-66-6F
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.54.107(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.54.20
   DNS Servers . . . . . . . . . . . : 192.168.54.46
                                       192.168.54.97
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.{B7BBF923-EFFC-48E3-AC13-7A14CFD3D699}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dc0.rix.local
Address:  192.168.54.46
 
Name:    google.com
Addresses:  2607:f8b0:4005:803::200e
 216.58.192.46
 
 
Pinging google.com [216.58.192.46] with 32 bytes of data:
Reply from 216.58.192.46: bytes=32 time=9ms TTL=56
Reply from 216.58.192.46: bytes=32 time=8ms TTL=56
 
Ping statistics for 216.58.192.46:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 8ms, Maximum = 9ms, Average = 8ms
Server:  dc0.rix.local
Address:  192.168.54.46
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
 2001:4998:c:a06::2:4008
 2001:4998:58:c02::a9
 98.138.253.109
 98.139.183.24
 206.190.36.45
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=202ms TTL=48
Reply from 98.139.183.24: bytes=32 time=202ms TTL=48
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 202ms, Maximum = 202ms, Average = 202ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10...00 50 56 b9 66 6f ......Intel® PRO/1000 MT Network Connection
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.54.20   192.168.54.107    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.54.0    255.255.255.0         On-link    192.168.54.107    266
   192.168.54.107  255.255.255.255         On-link    192.168.54.107    266
   192.168.54.255  255.255.255.255         On-link    192.168.54.107    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.54.107    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.54.107    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.54.20  Default 
===========================================================================
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\vsocklib.dll [63568] (VMware, Inc.)
Catalog9 12 C:\Windows\SysWOW64\vsocklib.dll [63568] (VMware, Inc.)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\vsocklib.dll [67664] (VMware, Inc.)
x64-Catalog9 12 C:\Windows\System32\vsocklib.dll [67664] (VMware, Inc.)
 
**** End of log ****
 


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 19 October 2015 - 02:14 PM

I do not have this software so I am going on what I read. Do you have the following information screen for the Callback?

Callback Event Investigation


Gary
 

#9 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts

Posted 19 October 2015 - 03:08 PM

I'm not sure we are licensed for that software either!   I'll pull the basic info on the callbacks we got recently.  



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 19 October 2015 - 03:23 PM

Thanks,

And is there any specific computer activity associated with the warnings?
Gary
 

#11 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts

Posted 19 October 2015 - 04:55 PM

The computer was not being used.  It is not a production server and nobody (including me) was on it at the time.   It was not being backed up or anything, either. 

 

I found the CVE number for the suspicious connection in another log on the computer and ran a google search on it.  My results came up with a Trend Micro tool (amazingly).  I am running that tool against the system so let me see if I still have a problem tomorrow ;).  



#12 BerkeleyFarm

BerkeleyFarm
  • Topic Starter

  • Members
  • 7 posts

Posted 22 October 2015 - 04:05 PM

Thanks for your assistance and you can close this topic.  I ran the Trend Micro Anti-Threat Toolkit http://esupport.trendmicro.com/solution/en-us/1059565.aspx and it found some items.  No C&C warnings since, although it has happened once every few days or so.  If I get another one I will open up a support case with Trend. 



#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 22 October 2015 - 04:58 PM

Thanks, if you don't mind sharing the information, what did Trend Micro find? If so, please send me a Personal Message.


Gary
 

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • Gender:Male
  • Location:California

Posted 22 October 2015 - 05:25 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



