Possible worm activity? Help please.


This topic is locked
31 replies to this topic

#1 JHBPJF

  • Members
  • 17 posts

Posted 23 October 2015 - 10:36 AM

I'm getting alerts that this computer as well as others are trying to access 50.63.202.43 over port 135. It's very suspicious, but normal scans with AV/Malwarebytes don't come up with anything and 50.63.202.43 is a very common GoDaddy IP address.

Below is FRST.txt, and Addition.txt is attached.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:21-10-2015 01
Ran by JasonF (administrator) on ANZL2CE35119Z0 (24-10-2015 02:27:00)
Running from C:\Users\christianh\Downloads
Loaded Profiles: ChristianH & JasonF (Available Profiles: exchadmin & johnra & KevinM & ChristianH & abhis & anuser & Administrator & JasonF & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpCardEngine.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Validity Sensors, Inc.) C:\Windows\System32\vcsFPService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CryptoMill Technologies Ltd.) C:\Program Files (x86)\Hewlett-Packard\HP Trust Circles\CreoSvc.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Theft Recovery\CtService.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Proxy Networks, Inc.) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\PhSvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Hewlett-Packard Development Company) C:\Program Files (x86)\Hewlett-Packard\HP Device Access Manager\HP.ProtectTools.DeviceAccessManager.ServiceHost.exe
(Proxy Networks, Inc.) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\PhSession.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(DigitalPersona, Inc.) C:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
(Proxy Networks, Inc.) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\PhTray.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
(DigitalPersona, Inc.) C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpAgent.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTsysTray8.exe
(WinZip Computing, Inc.) C:\Program Files (x86)\WinZip\WZQKPICK.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\communicator.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPConnectionManager.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-31] (Intel Corporation)
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [184112 2012-09-17] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [] => [X]
HKLM\...\Run: [CryptoMill Refresh] => C:\Program Files\Hewlett-Packard\HP Trust Circles\ceflauncher -m refresh
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2804976 2013-10-26] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2013-08-16] (IDT, Inc.)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [683656 2013-07-19] (PDF Complete Inc)
HKLM-x32\...\Run: [HPConnectionManager] => c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe [185144 2013-09-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QLBController] => C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe [337184 2013-08-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-08-16] (Intel Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-09-17] (Intel Corporation)
HKLM-x32\...\Run: [YouCam Mirage] => "c:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe"
HKLM-x32\...\Run: [YouCam Tray] => c:\Program Files (x86)\CyberLink\YouCam\YouCamTray.exe [167488 2013-06-25] (CyberLink Corp.)
HKLM-x32\...\Run: [Communicator] => C:\Program Files (x86)\Microsoft Lync\communicator.exe [12119360 2015-07-01] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [304568 2010-10-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3499920 2014-09-12] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2688920 2014-05-26] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-02-25] (Hewlett-Packard)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SEP-x32: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]
HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8418584 2015-07-18] (Piriform Ltd)
HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\Run: [GoogleChromeAutoLaunch_AA83E82A8B3E83E3035D6BDE05BAC811] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [811848 2015-10-09] (Google Inc.)
HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AdobeCollabSync.exe [759712 2014-09-12] (Adobe Systems Incorporated)
Lsa: [Notification Packages] DPPassFilter scecli
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-05-23] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-05-23] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll [2014-05-23] ()
ShellIconOverlayIdentifiers: [+1TBIcon] -> {B9C55E85-DED6-4911-82F3-83CF1CAB2898} => C:\Program Files\Hewlett-Packard\HP Trust Circles\tbicon.dll [2013-10-03] (CryptoMill Technologies Ltd.)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2013-02-08] (Autodesk, Inc.)
ShellIconOverlayIdentifiers-x32: [+1TBIcon] -> {B9C55E85-DED6-4911-82F3-83CF1CAB2898} => C:\Program Files (x86)\Hewlett-Packard\HP Trust Circles\tbicon.dll [2013-10-03] (CryptoMill Technologies Ltd.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.38 172.16.2.82
Tcpip\..\Interfaces\{808797AF-45F7-4020-A4D3-C2835FFF98BF}: [DhcpNameServer] 172.16.48.38 172.16.2.82
Tcpip\..\Interfaces\{C93BB6A1-C6CC-46D3-AA41-4EEA275FFC7E}: [DhcpNameServer] 172.16.48.38 172.16.2.82

Internet Explorer:
==================
HKU\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://
HKU\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.
HKU\S-1-5-21-2111445166-661200050-125055969-53841\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.jp.msn.com/HPALL14/54
HKU\S-1-5-21-2111445166-661200050-125055969-53841\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.jp.msn.com/HPALL14/54
HKU\S-1-5-21-2111445166-661200050-125055969-53841\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.jp.msn.com/HPALL14/54
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Lync\OCHelper.dll [2010-10-22] (Microsoft Corporation)
BHO-x32: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\bin\IPS\IPSBHO.DLL [2014-10-11] (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-08-21] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-08-21] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1644499423-1784174346-914644375-32503 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-09-12] (Adobe Systems Incorporated)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2013-11-22] (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2013-11-22] (SAP, Walldorf)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2013-02-27] (Skype Technologies)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: xxxapplication/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-30] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2014-05-26] (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-12-03] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-30] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll [2013-04-04] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-17] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-17] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-08-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-08-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-21] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-09-23] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-12-21] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2014-05-26] (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-12-03] (Adobe Systems)
FF Plugin-x32: digitalpersona.com/ChromeDPAgent -> c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\BrowserExt\components\npChromeDPAgent.dll [2013-10-04] (DigitalPersona, Inc.)
FF Plugin HKU\S-1-5-21-1644499423-1784174346-914644375-32503: @citrixonline.com/appdetectorplugin -> C:\Users\christianh\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-08-26] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-07-01] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [dpmaxz_ng@jetpack] - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\BrowserExt\dpchrome
FF Extension: HP Client Security Manager - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\BrowserExt\dpchrome [2013-12-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\IPSFF => not found
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-10-13] [not signed]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2014-09-12]
CHR HKLM-x32\...\Chrome\Extension: [ncffjdbbodifgldkcbhmiiljfcnbgjab] - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\BrowserExt\dpchrome.crx [2013-10-04]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1773240 2015-04-14] (Microsoft Corporation)
S4 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [671928 2015-04-14] (Microsoft Corporation)
R2 CreoService; C:\Program Files (x86)\Hewlett-Packard\HP Trust Circles\CreoSvc.exe [1390552 2013-10-03] (CryptoMill Technologies Ltd.)
R2 CtAgentService; C:\Program Files (x86)\Hewlett-Packard\HP Theft Recovery\CtService.exe [7168 2013-08-15] () [File not signed]
R2 DpHost; c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe [500048 2013-10-04] (DigitalPersona, Inc.)
S3 FLCDLOCK; c:\Windows\SysWOW64\flcdlock.exe [567608 2013-09-18] (Hewlett-Packard Company)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-08-30] (Hewlett-Packard Company) [File not signed]
R2 HpDamServiceHost; c:\Program Files (x86)\Hewlett-Packard\HP Device Access Manager\HP.ProtectTools.DeviceAccessManager.ServiceHost.exe [18232 2013-09-18] (Hewlett-Packard Development Company)
R2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [681760 2013-08-01] (Hewlett-Packard Company)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-31] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-28] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-28] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-17] (Intel Corporation)
R2 ISCTAgent; c:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [198120 2013-09-07] ()
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-17] (Intel Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-29] ()
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1143432 2013-07-19] (PDF Complete Inc)
R2 ProxyHostService; C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\phsvc.exe [821224 2015-01-30] (Proxy Networks, Inc.)
R2 SepMasterService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe [144496 2014-10-11] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [316600 2015-04-14] (Microsoft Corporation)
S3 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin64\snac64.exe [394592 2014-10-11] (Symantec Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [339456 2013-08-16] (IDT, Inc.) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-21] (Microsoft Corporation)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-11-03] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-29] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\BASHDefs\20151015.011\BHDrvx64.sys [1665608 2015-10-23] (Symantec Corporation)
R3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [132920 2013-04-24] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1385272 2013-08-09] (Motorola Solutions, Inc.)
S3 btmlehid; C:\Windows\system32\drivers\btmlehid.sys [76088 2013-01-22] (Motorola Solutions, Inc.)
R1 ccSettings_{5A2B9522-769B-49C3-9B8E-C708A1FEF279}; C:\Windows\System32\Drivers\SEP\0C0114D9\1388.105\x64\ccSetx64.sys [162392 2014-10-11] (Symantec Corporation)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
S3 DAMDrv; C:\Windows\System32\DRIVERS\DAMDrv64.sys [65752 2013-09-17] (Hewlett-Packard Company)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [495376 2013-07-13] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-08-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153936 2015-07-29] (Symantec Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2013-08-31] (Intel Corporation)
R3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [118216 2013-09-10] (Intel Corporation)
R3 IceKore; C:\Windows\System32\DRIVERS\IceKore.sys [401368 2013-09-30] (CryptoMill Technologies Inc.)
R1 IDSVia64; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20151022.011\IDSvia64.sys [671448 2015-07-29] (Symantec Corporation)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [21408 2013-08-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [21920 2013-08-09] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-08] ()
R3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [46568 2013-08-08] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-10-23] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\drivers\TeeDriverx64.sys [99288 2013-09-17] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20151022.025\ENG64.SYS [138488 2015-09-22] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20151022.025\EX64.SYS [2146040 2015-09-22] (Symantec Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw02.sys [3586016 2013-08-30] (Intel Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R0 PinFile; C:\Windows\System32\DRIVERS\PinFile.sys [49856 2013-08-23] (WinMagic Inc.)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [26984 2013-09-11] (Microsoft Corporation)
R1 ProxyHostDriver; C:\Windows\System32\Drivers\ph64asys.sys [41752 2015-01-30] ()
R3 ProxyHostInputFilter; C:\Windows\System32\Drivers\ph64afil.sys [32024 2015-01-30] (Proxy Networks, Inc.)
R1 ProxyHostMirrorDisplay; C:\Windows\System32\Drivers\ph64amin.sys [17176 2015-01-30] (Proxy Networks, Inc.)
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [429272 2013-08-21] (Realsil Semiconductor Corporation)
R0 SDDisk2K; C:\Windows\System32\DRIVERS\SDDisk2K.sys [228544 2013-08-23] (WinMagic Inc.)
R0 SDDToki; C:\Windows\System32\DRIVERS\SDDToki.sys [131264 2013-08-23] (WinMagic Inc.)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver_AMDASF.sys [30448 2013-10-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\drivers\Smb_driver_Intel.sys [34544 2013-10-26] (Synaptics Incorporated)
S3 SPUVCbv; C:\Windows\System32\Drivers\SPUVCbv_x64.sys [1512952 2013-08-20] (Sunplus)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C0114D9\1388.105\x64\SRTSP64.SYS [880856 2014-10-11] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C0114D9\1388.105\x64\SRTSPX64.SYS [37592 2014-10-11] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin64\SyDvCtrl64.sys [36952 2014-10-11] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\symefasi\0500010.01F\symefasi.sys [1611992 2015-03-26] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2015-03-26] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C0114D9\1388.105\x64\Ironx64.SYS [266968 2014-10-11] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C0114D9\1388.105\x64\SYMNETS.SYS [593112 2014-10-11] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [159552 2015-03-26] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [107504 2014-10-11] (Symantec Corporation)
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [206744 2013-06-21] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-24 02:27 - 2015-10-24 02:27 - 00036433 _____ C:\Users\christianh\Downloads\FRST.txt
2015-10-24 02:26 - 2015-10-24 02:27 - 00000000 ____D C:\FRST
2015-10-24 02:25 - 2015-10-24 02:25 - 02196480 _____ (Farbar) C:\Users\christianh\Downloads\FRST64.exe
2015-10-24 02:15 - 2015-10-24 02:15 - 00000020 ___SH C:\Users\jasonf\ntuser.ini
2015-10-24 02:15 - 2015-10-24 02:15 - 00000000 ____D C:\Users\jasonf
2015-10-24 02:15 - 2014-05-23 17:42 - 00000000 ____D C:\Users\jasonf\AppData\Local\Microsoft Help
2015-10-24 02:15 - 2014-02-04 13:06 - 00000000 ____D C:\Users\jasonf\AppData\Roaming\Macromedia
2015-10-24 02:15 - 2013-12-22 04:15 - 00000000 ___HD C:\Users\jasonf\Documents\hp.system.package.metadata
2015-10-24 02:15 - 2009-07-14 15:54 - 00000000 ___RD C:\Users\jasonf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-10-24 02:15 - 2009-07-14 15:49 - 00000000 ___RD C:\Users\jasonf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-10-23 16:24 - 2015-10-23 16:31 - 00001078 _____ C:\Windows\system32dbgraw.bmp
2015-10-23 16:16 - 2015-10-23 16:16 - 00000000 _____ C:\SOA936F.tmp
2015-10-23 16:14 - 2015-10-23 16:14 - 00000000 _____ C:\SOA9235.tmp
2015-10-23 15:51 - 2015-10-23 15:51 - 00002644 _____ C:\Users\christianh\Desktop\mbam-log-2015-10-23 (15-38-27).xml
2015-10-23 12:25 - 2015-10-23 12:25 - 44686492 _____ C:\Users\christianh\Downloads\Archive.zip
2015-10-23 12:23 - 2015-10-23 12:23 - 29804366 _____ C:\Users\christianh\Downloads\Tools_animation_PT1_V1.mov
2015-10-21 21:33 - 2015-10-21 21:57 - 957080679 _____ C:\Users\christianh\Downloads\Rushes from Hastings Photo Shoot.zip
2015-10-19 14:41 - 2015-10-19 15:12 - 131054720 _____ C:\Users\christianh\Downloads\James Hardie Lamart St Strathmore_20151017_C100mkII_B Roll Axon, Stria and Matrix.mp4
2015-10-19 12:17 - 2015-10-19 12:26 - 00000000 ____D C:\Users\christianh\Desktop\Develop and Deliver
2015-10-19 11:14 - 2015-10-23 09:46 - 00000000 ____D C:\Users\christianh\Documents\HardieDeck HD
2015-10-14 09:15 - 2015-10-14 09:15 - 00002498 _____ C:\Users\christianh\Desktop\mbam-log-2015-10-14 (09-05-43).xml
2015-10-12 08:15 - 2015-10-12 08:15 - 00003320 _____ C:\aclientuninstall.txt
2015-10-08 16:17 - 2015-10-08 16:22 - 91008009 _____ C:\Users\christianh\Downloads\james hardie penrith.zip
2015-10-06 12:31 - 2015-10-20 11:31 - 00000000 ____D C:\Users\christianh\Desktop\Temporary items to delete
2015-09-25 16:46 - 2015-09-25 16:51 - 70621185 _____ C:\Users\christianh\Downloads\James Hardie DL GOLF COMP Folder.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-24 02:27 - 2014-10-21 07:24 - 00082125 _____ C:\Windows\pfirewall.log
2015-10-24 02:24 - 2014-02-04 12:33 - 01556655 _____ C:\Windows\WindowsUpdate.log
2015-10-24 02:10 - 2014-03-10 15:22 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-24 02:01 - 2014-03-04 07:42 - 00000000 ____D C:\Users\christianh\AppData\Local\Adobe
2015-10-24 01:52 - 2014-08-26 15:03 - 00000592 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1644499423-1784174346-914644375-32503.job
2015-10-24 01:39 - 2014-10-21 07:24 - 02097165 _____ C:\Windows\pfirewall.log.old
2015-10-24 01:31 - 2014-03-03 09:01 - 00003938 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{329D2A80-7EA2-4D13-92D4-C8FC86203A24}
2015-10-24 01:08 - 2014-03-02 21:29 - 00000968 _____ C:\Windows\system32\config\netlogon.ftl
2015-10-24 00:34 - 2015-06-05 13:48 - 00000688 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-1644499423-1784174346-914644375-32503.job
2015-10-23 16:32 - 2009-07-14 15:45 - 00026832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-23 16:32 - 2009-07-14 15:45 - 00026832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-23 16:30 - 2014-03-03 09:01 - 00000000 ____D C:\Users\christianh\Tracing
2015-10-23 16:29 - 2014-03-10 15:22 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-23 16:29 - 2009-07-14 16:13 - 00865136 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-23 16:27 - 2014-08-21 09:35 - 00000581 _____ C:\Windows\SMSCFG.ini
2015-10-23 16:25 - 2013-11-03 15:24 - 00000000 ____D C:\ProgramData\PDFC
2015-10-23 16:24 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.log
2015-10-23 16:24 - 2009-07-14 16:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-23 16:24 - 2009-07-14 15:51 - 00571239 _____ C:\Windows\setupact.log
2015-10-23 15:37 - 2015-08-28 17:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-10-23 15:37 - 2015-08-28 17:30 - 00001139 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-23 15:37 - 2015-08-28 17:30 - 00001139 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-23 15:37 - 2015-08-28 17:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-23 15:37 - 2015-08-28 17:30 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-23 11:46 - 2014-04-24 09:09 - 00000000 ____D C:\Users\christianh\Documents\Scyon Walls and Floors
2015-10-23 10:48 - 2014-08-11 12:17 - 00000132 _____ C:\Users\christianh\AppData\Roaming\Adobe PNG Format CC Prefs
2015-10-23 10:28 - 2015-08-08 08:45 - 00000000 ____D C:\Users\christianh\Documents\Marketing
2015-10-23 08:05 - 2014-03-03 09:01 - 00071357 __RSH C:\ProgramData\ntuser.pol
2015-10-23 08:02 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.001
2015-10-22 21:47 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.002
2015-10-22 18:08 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.003
2015-10-22 16:21 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.004
2015-10-21 22:21 - 2014-03-03 09:01 - 00000000 ____D C:\Users\christianh\AppData\Local\PDFC
2015-10-21 21:36 - 2015-08-08 08:44 - 00000000 ____D C:\Users\christianh\Documents\Administration
2015-10-21 21:29 - 2013-12-22 04:35 - 00000225 _____ C:\Windows\CryptoMill_CreoService.005
2015-10-21 08:32 - 2015-08-11 08:45 - 00000000 ____D C:\Users\christianh\Documents\Adobe
2015-10-21 08:32 - 2014-03-03 09:04 - 00000000 ____D C:\Users\christianh\AppData\Roaming\Adobe
2015-10-20 08:27 - 2014-03-03 09:01 - 00007136 __RSH C:\Users\christianh\ntuser.pol
2015-10-20 08:27 - 2014-03-03 09:01 - 00000000 ____D C:\Users\christianh
2015-10-15 10:19 - 2014-03-25 08:52 - 00000000 ____D C:\Users\christianh\Documents\Christian's Files
2015-10-14 18:12 - 2014-03-10 15:22 - 00002202 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-10-14 18:12 - 2014-03-10 15:22 - 00002202 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2015-10-14 08:59 - 2014-08-22 16:14 - 00000000 ____D C:\Users\christianh\AppData\Local\CrashDumps
2015-10-14 08:59 - 2014-04-22 08:47 - 00000000 ____D C:\Users\christianh\AppData\Roaming\Media Player Classic
2015-10-14 08:38 - 2014-03-07 13:10 - 00000000 ____D C:\Users\christianh\Documents\Reading Material
2015-10-13 17:09 - 2015-07-29 13:35 - 00000000 ____D C:\Users\christianh\Desktop\Work Plan & Time Sheets
2015-10-13 12:15 - 2014-03-07 15:43 - 00000000 ____D C:\Users\christianh\Documents\Presentations
2015-10-12 11:31 - 2014-03-31 16:15 - 00000000 ____D C:\Users\christianh\Documents\Projects
2015-10-12 08:15 - 2014-02-04 12:55 - 00000000 ____D C:\Temp
2015-10-12 08:14 - 2014-08-21 09:35 - 00000000 ____D C:\Windows\ccmcache
2015-10-09 08:38 - 2014-04-04 10:24 - 00003722 _____ C:\Windows\System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473
2015-10-09 08:38 - 2014-04-04 10:24 - 00003476 _____ C:\Windows\System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon
2015-10-07 09:15 - 2014-03-03 09:01 - 00000000 ____D C:\Users\christianh\AppData\Local\VirtualStore
2015-10-06 15:14 - 2014-05-16 17:40 - 00000000 ____D C:\Users\christianh\Documents\Products
2015-10-05 09:50 - 2015-08-28 17:30 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-10-05 09:50 - 2015-08-28 17:30 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-10-05 09:50 - 2015-08-28 17:30 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-10-01 08:35 - 2014-03-03 08:32 - 00000000 ____D C:\Users\abhis\Tracing
2015-09-30 09:20 - 2014-03-03 08:32 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{546EE09D-1AAB-46FC-A805-2D9ABF63F61C}
2015-09-30 08:27 - 2014-03-03 08:32 - 00142560 _____ C:\Users\abhis\AppData\Local\GDIPFONTCACHEV1.DAT
2015-09-30 08:27 - 2014-03-03 08:31 - 00007136 __RSH C:\Users\abhis\ntuser.pol
2015-09-30 08:27 - 2014-03-03 08:31 - 00000000 ____D C:\Users\abhis
2015-09-28 08:54 - 2014-08-21 09:34 - 00000000 ____D C:\Windows\ccmsetup
2015-09-25 13:18 - 2015-06-05 13:48 - 00003720 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-1644499423-1784174346-914644375-32503
2015-09-25 13:18 - 2014-08-26 15:03 - 00003624 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-1644499423-1784174346-914644375-32503

Some files in TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\AcDeltree.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-21 14:08

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version:21-10-2015 01
Ran by JasonF (2015-10-24 02:27:22)
Running from C:\Users\christianh\Downloads
Windows 7 Professional Service Pack 1 (X64) (2014-02-04 01:30:56)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-186700421-3115097087-3575442130-500 - Administrator - Enabled) => C:\Users\Administrator
anuser (S-1-5-21-186700421-3115097087-3575442130-1001 - Limited - Enabled) => C:\Users\anuser
Guest (S-1-5-21-186700421-3115097087-3575442130-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
AS: Symantec Endpoint Protection (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Symantec Endpoint Protection (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.09 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.7.0.2090 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.6.0.393 - Adobe Systems Incorporated)
Adobe Creative Suite 6 Design Standard (HKLM-x32\...\{0327A4BF-62BF-48BB-8928-B971B749E9E1}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\{B3DADA45-F0ED-48FD-946E-7E82C2229D59}) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\{448D7DEC-36F1-4091-B419-C5487BDEB867}) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Illustrator CC (HKLM-x32\...\{F2321021-08A2-44D6-B1DF-BDB415F23EC3}) (Version: 17.0 - Adobe Systems Incorporated)
Adobe Photoshop CC (HKLM-x32\...\{2D99B50E-431D-4AA8-85C1-172A6F8BCF09}) (Version: 14.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.2.122 - Adobe Systems, Inc.)
Adobe® Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 3.4.3 - Adobe Systems, Incorporated)
Alcor Micro Smart Card Reader Driver (HKLM-x32\...\SZCCID) (Version: 1.7.37.0 - Alcor Micro Corp.)
Alcor Micro Smart Card Reader Driver (x32 Version: 1.7.37.0 - Alcor Micro Corp.) Hidden
Autodesk DWG TrueView 2014 (HKLM\...\DWG TrueView 2014) (Version: 19.1.18.0 - Autodesk)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.08 - Piriform)
Cisco Systems VPN Client 5.0.07.0440 (HKLM\...\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}) (Version: 5.0.7 - Cisco Systems, Inc.)
Cisco WebEx Meeting Center for Internet Explorer (HKLM-x32\...\{FFCF4B8C-D24E-4EDE-9C51-61500B73D4CC}) (Version: 8.17.2100 - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{3D5F07C3-1B93-47F8-9F8A-DE8E47BF1669}) (Version: 1.0.209 - Citrix)
Citrix online plug-in - web (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 12.1.0.30 - Citrix Systems, Inc.)
Configuration Manager Client (Version: 5.00.8239.1000 - Microsoft Corporation) Hidden
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version: - )
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.2.3318 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.2.1.4225 - CyberLink Corp.)
DWG TrueView 2014 (Version: 19.1.18.0 - Autodesk) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.71 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
GoToMeeting 7.3.0.3499 (HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\GoToMeeting) (Version: 7.3.0.3499 - CitrixOnline)
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Client Security Manager (HKLM\...\HPProtectTools) (Version: 8.3.1.1714 - Hewlett-Packard Company)
HP Connection Manager (HKLM-x32\...\{04C23662-CE15-48BE-AF77-7BD9028934E7}) (Version: 4.6.14.1 - Hewlett-Packard Company)
HP Device Access Manager (HKLM\...\{0062BF7E-6EA8-44C6-8E8F-2E8BFA917637}) (Version: 8.3.0.0 - Hewlett-Packard Company)
HP Documentation (HKLM-x32\...\{21B02029-1373-4F77-8C32-20635DB8C9EE}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Drive Encryption (HKLM\...\HPDriveEncryption) (Version: 8.6.2.59 - Hewlett-Packard Company)
HP ESU for Microsoft Windows 7 (HKLM-x32\...\{240B2BF7-E7E6-425C-A2A4-A3149189BF7F}) (Version: 2.3.1 - Hewlett-Packard Company)
HP HD Webcam Driver (HKLM-x32\...\Sunplus SPUVCb) (Version: 3.4.8.32 - SunplusIT)
HP Hotkey Support (HKLM-x32\...\{C807BEFB-0F17-41AC-B307-D7B5E1553040}) (Version: 5.0.20.1 - Hewlett-Packard Company)
HP PageLift (HKLM-x32\...\{708ABF62-5D7A-4550-823A-1F9EFA63645A}) (Version: 1.0.11.1 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{438363A8-F486-4C37-834C-4955773CB3D3}) (Version: 9.1.15453.4066 - Hewlett-Packard Company)
HP SoftPaq Download Manager (HKLM-x32\...\{49524B48-4FE9-4A62-A9FD-1F2258DF5489}) (Version: 3.4.12.0 - Hewlett-Packard Company)
HP Software Setup (HKLM-x32\...\{B1AFAD6F-9192-421F-9DFF-60A59571366B}) (Version: 8.7.3 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{3AF15EEA-8EDF-4393-BB6C-CF8A9986486A}) (Version: 7.3.35.20 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 13.00.0000 - Hewlett-Packard)
HP System Default Settings (HKLM-x32\...\{3A61A282-4F08-4D43-920C-DC30ECE528E8}) (Version: 2.6.1 - Hewlett-Packard Company)
HP Theft Recovery (HKLM-x32\...\InstallShield_{BAC712C6-4061-4C9F-AB58-A5C53E76704A}) (Version: 8.3.0.5 - Hewlett-Packard Company)
HP Trust Circles (HKLM-x32\...\HP Trust Circles) (Version: 8.3.6.16976 - Hewlett-Packard Company)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6491.0 - IDT)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.5 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3324 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology(patch version 3.0.1337.1) (HKLM\...\{302600C1-6BDF-4FD1-1307-148929CC1385}) (Version: 3.1.1307.0366 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.2.1000 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 3.0.0.66956 - Intel Corporation)
Intel® Smart Connect Technology (HKLM\...\{978B5476-EAF9-4EB0-AD34-92689249A016}) (Version: 4.2.41.2499 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.1.28 - Intel Corporation)
Intel® WiDi (HKLM\...\{201B03D6-FDDA-4C70-8A15-887F5B3CE365}) (Version: 4.2.19.0 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{aaf3655f-6961-4be2-aa4e-6de4dc1dc8f4}) (Version: 16.1.5 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
K-Lite Codec Pack 10.0.5 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.0.5 - )
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
MetaFrame Presentation Server Web Client for Win32 (HKLM-x32\...\MetaFrame Presentation Server Web Client for Win32) (Version: - )
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Lync 2010 (HKLM\...\{81BE0B17-563B-45D4-B198-5721E6C665CD}) (Version: 4.0.7577.4476 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32\...\{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.40303 - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM-x32\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
PDF Complete Corporate Edition (HKLM-x32\...\PDF Complete) (Version: 4.1.50 - PDF Complete, Inc)
PDF Settings CC (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
PROXY Pro Host (HKLM\...\{60A349C7-5091-43D0-AB93-DB74A6CC49C3}) (Version: 8.10.2559 - Proxy Networks, Inc.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 1.1.9200.23 - Realtek Semiconductor Corp.)
SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.30 - SAP AG)
SAP GUI for Windows 7.30 (HKLM-x32\...\SAPGUI710) (Version: 7.30 Compilation 3 - SAP AG)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
Snagit 11 (HKLM-x32\...\{7CA5C4DF-8327-4035-AE2B-CA76336A04FD}) (Version: 11.0.0 - TechSmith Corporation)
Snapshot Viewer (HKLM-x32\...\Snapshot Viewer) (Version: - )
SolarWinds Client Components - x64 (2.1.0.1087) (HKLM-x32\...\SolarWinds Client Components - x64 (2.1.0.1087)) (Version: 2.1.0.1087 - SolarWinds, Inc.)
SolarWinds Client Components (Version: 2.1.0.1087 - SolarWinds, Inc.) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{A5DCF955-5D4A-471D-8CB3-DCFDF5C5DEE7}) (Version: 12.1.5337.5000 - Symantec Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.18.8 - Synaptics Incorporated)
Validity Fingerprint Sensor Driver (HKLM\...\{ADAA7361-54B8-4FC8-804E-94EC6C11ED68}) (Version: 4.5.133.0 - Validity Sensors, Inc.)
VLC media player 2.1.0 (HKLM-x32\...\VLC media player) (Version: 2.1.0 - VideoLAN)
Windows Movie Maker (HKLM\...\Windows Movie Maker) (Version: 6.0.6002.18005 - Microsoft Corporation)
WinZip (HKLM-x32\...\WinZip) (Version: 9.0 SR-1 (6224) - WinZip Computing, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1644499423-1784174346-914644375-32503_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\christianh\AppData\Local\Citrix\GoToMeeting\1468\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points =========================

22-10-2015 16:33:06 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 13:34 - 2009-06-11 08:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0C0037E3-7C2A-42C1-8096-909C06C64C2E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-07-18] (Piriform Ltd)
Task: {30E6D9E4-0CC7-4588-B468-4360B5B8A2C1} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Health Evaluation => C:\Windows\CCM\ccmeval.exe [2015-04-14] (Microsoft Corporation)
Task: {349C79AA-C938-4664-9CBC-F7DB097C629C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {4592DD58-5CF2-4FA0-8CFE-4E6731207CF4} - System32\Tasks\G2MUpdateTask-S-1-5-21-1644499423-1784174346-914644375-32503 => C:\Users\christianh\AppData\Local\Citrix\GoToMeeting\3499\g2mupdate.exe [2015-09-25] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {751ED45A-23E5-45B2-81AA-031D120F0A0E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Opt-in For HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF_Utils.exe [2013-08-30] (Hewlett-Packard Company)
Task: {7BD36393-8213-4165-B092-5558BB18F2CD} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {998B148A-5CC0-4A28-A8EC-DCD583417848} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2013-12-12] (Hewlett-Packard Company)
Task: {9C22DA5A-16BD-40FA-9992-F650BC5459B7} - System32\Tasks\AdobeAAMUpdater-1.0-BBAUS1-ChristianH => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-05-26] (Adobe Systems Incorporated)
Task: {ADB2B0AC-A114-4313-8ECC-AFC68CD399A0} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-08-30] (Hewlett-Packard Company)
Task: {C04E6853-41E9-47B0-85C0-526A093C9908} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle Detection
Task: {D99AEEEC-F313-49BA-9DCE-4FEF3E94BCF7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {E6D6B9B0-0ACE-4366-B226-6AB1320663EF} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {EB83032B-7AA7-4A10-A7EA-9AA91D3A1342} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-08-30] (Hewlett-Packard Company)
Task: {F33882AF-42B8-4EB4-A032-C859F570FC89} - System32\Tasks\G2MUploadTask-S-1-5-21-1644499423-1784174346-914644375-32503 => C:\Users\christianh\AppData\Local\Citrix\GoToMeeting\3499\g2mupload.exe [2015-09-25] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {FEE57378-D9F0-457B-8E73-24328A15C98F} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\Dependencies\RemEngine.exe [2012-03-21] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1644499423-1784174346-914644375-32503.job => C:\Users\christianh\AppData\Local\Citrix\GoToMeeting\3499\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-1644499423-1784174346-914644375-32503.job => C:\Users\christianh\AppData\Local\Citrix\GoToMeeting\3499\g2mupload.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2013-05-23 08:21 - 2013-05-23 08:21 - 00299832 _____ () c:\Program Files\Hewlett-Packard\Pre-Boot Security for HP ProtectTools\BIOSDomainPlugin.dll
2014-02-04 14:04 - 2009-11-05 07:40 - 00085504 _____ () C:\Windows\System32\cpwmon64.dll
2013-08-15 08:06 - 2013-08-15 08:06 - 00007168 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Theft Recovery\CtService.exe
2013-09-07 12:06 - 2013-09-07 12:06 - 00198120 _____ () c:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
2013-09-07 12:06 - 2013-09-07 12:06 - 00054760 _____ () c:\Program Files\Intel\Intel® Smart Connect Technology Agent\NetworkHeuristic.dll
2013-09-07 12:05 - 2013-09-07 12:05 - 00034792 _____ () c:\Program Files\Intel\Intel® Smart Connect Technology Agent\ISCTNetMon.dll
2014-05-23 03:10 - 2014-05-23 03:10 - 00671904 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\office.odf
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-05-23 03:10 - 2014-05-23 03:10 - 05341856 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
2011-03-04 12:49 - 2011-03-04 12:49 - 00202752 _____ () C:\Program Files (x86)\Cisco Systems\VPN Client\vpnapi.dll
2013-12-22 04:26 - 2013-09-17 09:19 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2015-10-14 18:12 - 2015-10-09 11:53 - 01532744 _____ () C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\libglesv2.dll
2015-10-14 18:12 - 2015-10-09 11:53 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.71\libegl.dll
2014-05-26 06:52 - 2014-05-26 06:52 - 32733088 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\libcef.dll
2013-06-06 05:35 - 2013-06-06 05:35 - 00514570 _____ () c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\sqlite3.dll
2014-05-12 23:22 - 2014-05-12 23:22 - 02217128 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\plugins\ExchangePlugin\ExManCoreLib\ExManZxpSign.dll
2014-05-26 06:52 - 2014-05-26 06:52 - 00742816 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\libglesv2.dll
2014-05-26 06:52 - 2014-05-26 06:52 - 00136608 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\libegl.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{5A2B9522-769B-49C3-9B8E-C708A1FEF279}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ProxyHostService => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\hardie.win -> hxxp://bluecoat01.usa.hardie.win
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\hardie.win -> hxxps://bluecoat01.usa.hardie.win
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\kenexa.com -> *.surveys.kenexa.com
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\live.com -> live.com
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\localhost -> hxxp://localhost
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mainfreight.co.nz -> hxxps://secure.mainfreight.co.nz
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:1080 -> MVHAV01:1080
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:8443 -> MVHAV01:8443
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhiis02 -> hxxp://mvhiis02
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhpassword-vm -> hxxp://mvhpassword-vm
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\salesforce.com -> hxxp://na3.salesforce.com
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\smarterpartner.com.au -> hxxp://smarterpartner.com.au
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\verisign.com -> hxxps://verisign.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1644499423-1784174346-914644375-32503\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 172.16.48.38 - 172.16.2.82
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{04666018-6D81-4CDA-B0EC-926D44B2916F}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{632ED46F-3809-49C2-9BD2-60C28839DC2F}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{A360D393-3E2A-424A-8C0E-255BBB1B30CF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F9E16A97-C9FA-440E-9CE7-65CE45E8A816}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{FE40A223-CE8A-48F3-ABCB-82867C108BF8}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{BB70A825-7D36-4D93-8A8C-CAD7FEBBB1AF}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{428BF1BA-15AA-4D53-B6B5-5B5B3329731A}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{9E3B9DF3-4850-4642-8535-A2D4A7982ADE}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{DD012B14-CBEB-4837-B20C-CA3CFF4B5014}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{C210E08B-56FE-4E23-A764-EAB5EE5DA066}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{AC9FC8EE-ABA8-428C-9492-8B7F477AE6BB}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{6AD373FC-341C-4587-AB14-F1BB07149DFD}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{A9FADCDD-22EA-4638-8DBD-2AC64EC9A1A3}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{55149158-3CE2-4ADB-8F62-820BB8C63DF5}] => (Allow) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\phsvc.exe
FirewallRules: [{F9124DA3-1BBC-4AEE-9AD0-A91DDAE09950}] => (Allow) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\phsvc.exe
FirewallRules: [{12AB6C78-EFEA-494B-B421-E8847399B91A}] => (Allow) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\phsvc.exe
FirewallRules: [{C065474C-7827-4C2F-9462-2E72ED8C2800}] => (Allow) C:\Program Files (x86)\Proxy Networks\PROXY Pro Host\phsvc.exe
FirewallRules: [{DA2E41C1-DACB-4A0D-A24D-BB44B6BADDAD}] => (Allow) C:\Program Files (x86)\Microsoft Lync\communicator.exe
FirewallRules: [{6FE69183-AD5A-4177-8511-2A41156DD7E3}] => (Allow) C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
FirewallRules: [{B5D56926-40E5-4FE5-B36C-7D4F73906944}] => (Allow) C:\Program Files\Microsoft Lync\UcMapi64.exe
FirewallRules: [{0F695070-644C-4B5E-B9EF-D5926D2C4294}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
FirewallRules: [{34A2B1AE-C303-4E51-8071-96206045E014}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\Smc.exe
FirewallRules: [{F8BE06D4-6608-43B3-8939-9DCF8241702E}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\snac64.exe
FirewallRules: [{45B8263D-74A5-4A9E-8C2B-A58405DA5D8B}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin64\snac64.exe
FirewallRules: [{2840C004-9E48-408C-AE7A-6D50DE5A41A5}] => (Allow) C:\Program Files (x86)\Microsoft Lync\communicator.exe
FirewallRules: [{C5525336-ECD1-44FB-9479-75C1F4D66F72}] => (Allow) C:\Program Files (x86)\Microsoft Lync\communicator.exe
FirewallRules: [TCP Query User{B606CE8C-DDDE-4C96-96FD-314BFFA12D9E}C:\program files (x86)\microsoft office\office14\outlook.exe] => (Block) C:\program files (x86)\microsoft office\office14\outlook.exe
FirewallRules: [UDP Query User{9F6414EC-BF37-4370-A1E8-D2E7A81273C5}C:\program files (x86)\microsoft office\office14\outlook.exe] => (Block) C:\program files (x86)\microsoft office\office14\outlook.exe
FirewallRules: [{B7ADC414-D658-4D95-ABB9-7700CCE60E38}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\Smc.exe
FirewallRules: [{7D2C144F-09A1-41E9-B875-C7FA3F19A681}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\Smc.exe
FirewallRules: [{F5E442EF-A6B0-440F-B4D4-3DD9001E21DE}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin64\snac64.exe
FirewallRules: [{68E0498F-5849-4826-AAD1-38644EC9D820}] => (Allow) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin64\snac64.exe
FirewallRules: [{A5602F17-AC4D-4FE7-900D-613F55BF6596}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============

Name: Cisco Systems VPN Adapter for 64-bit Windows
Description: Cisco Systems VPN Adapter for 64-bit Windows
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/23/2015 09:57:07 AM) (Source: MsiInstaller) (EventID: 10005) (User: NT AUTHORITY)
Description: Product: Adobe Shockwave Player 12.0 -- Error 2753.The File 'swdnld.exe' is not marked for installation.

Error: (10/22/2015 10:22:58 PM) (Source: MsiInstaller) (EventID: 10005) (User: NT AUTHORITY)
Description: Product: Adobe Shockwave Player 12.0 -- Error 2753.The File 'swdnld.exe' is not marked for installation.

Error: (10/21/2015 09:17:56 AM) (Source: MsiInstaller) (EventID: 10005) (User: NT AUTHORITY)
Description: Product: Adobe Shockwave Player 12.0 -- Error 2753.The File 'swdnld.exe' is not marked for installation.

Error: (10/20/2015 11:55:54 AM) (Source: MsiInstaller) (EventID: 10005) (User: NT AUTHORITY)
Description: Product: Adobe Shockwave Player 12.0 -- Error 2753.The File 'swdnld.exe' is not marked for installation.

Error: (10/20/2015 10:15:42 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 284110

Error: (10/20/2015 10:15:42 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 284110

Error: (10/20/2015 10:15:42 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (10/20/2015 10:10:59 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1155

Error: (10/20/2015 10:10:59 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1155

Error: (10/20/2015 10:10:59 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (10/23/2015 04:24:57 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (10/23/2015 04:24:48 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain BBAUS1 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (10/23/2015 02:07:07 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: BBAUS1)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Error: (10/23/2015 02:01:00 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Error: (10/23/2015 01:23:32 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: BBAUS1)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Error: (10/23/2015 01:23:29 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1054) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Error: (10/23/2015 12:51:49 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: BBAUS1)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (10/23/2015 12:51:49 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain BBAUS1 due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (10/23/2015 12:43:44 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (10/23/2015 08:02:23 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom


CodeIntegrity:
===================================
Date: 2014-08-21 18:57:33.663
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 18:36:02.016
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 18:21:49.203
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 18:08:43.898
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 18:00:07.543
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 17:07:13.502
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 16:41:12.273
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 16:18:37.074
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 15:13:13.305
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-08-21 15:02:30.499
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™ i5-4300U CPU @ 1.90GHz
Percentage of memory in use: 64%
Total physical RAM: 3993.11 MB
Available physical RAM: 1433.77 MB
Total Virtual: 9982.3 MB
Available Virtual: 6631.89 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:104.47 GB) (Free:13.65 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:11.76 GB) (Free:1.3 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.88 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 119.2 GB) (Disk ID: 716DFBD8)
Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=104.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.8 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=0B)

==================== End of Addition.txt ============================

Edited by Chris Cosgrove, 20 November 2015 - 12:28 PM.
At OP's request - remove URLs


#2 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 26 October 2015 - 07:42 PM

Greetings JHBPJF and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Does this look familiar to you or make sense?

MVHAV0
mvhpassword-vm

Please do this.

===================================================

Multiple Antivirus Programs

-------------------

I do not recommend that you have more than one anti virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can do this via Add/Remove Programs, or Programs and Features in the Control Panel.
 

Symantec Endpoint Protection
Microsoft Security Essentials


===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Scan
  • If, during the scan, you receive a request to upload a file to Virustotal please click Yes
  • A report should open and a copy of the report will be placed on your desktop. If not, hit the Report button.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
Winlogon\Notify\SEP-x32: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\IPSFF => not found
2015-10-23 16:16 - 2015-10-23 16:16 - 00000000 _____ C:\SOA936F.tmp
2015-10-23 16:14 - 2015-10-23 16:14 - 00000000 _____ C:\SOA9235.tmp
C:\Users\Administrator\AppData\Local\Temp\AcDeltree.exe
File: C:\Windows\system32dbgraw.bmp
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Look familiar?
  • Did you uninstall an antivirus program?
  • RogueKiller log
  • Fixlog
  • Result log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 JHBPJF
  • Topic Starter
  • Members
  • 17 posts

Posted 27 October 2015 - 12:16 PM

Thanks Gary. Unfortunately this machine is in the opposite time zone from me, so I'll get back to you within the next 24h with results.

 

  • Look familiar?

My answer is yes/no. MVH is a location; the rest I am unaware of. I can guess vm is virtual machine, password is password, AV0 is antivirus something, but what context are these names coming from? Are they applications, services?

 

MVHAV0
mvhpassword-vm


Edited by JHBPJF, 27 October 2015 - 09:11 PM.


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 27 October 2015 - 02:07 PM

We will do the best we can but I am usually online quite a bit during the day and evening, my time.

Here is the context:
 

==================== Internet Explorer trusted/restricted ===============

 
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:1080 -> MVHAV01:1080
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:8443 -> MVHAV01:8443
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhiis02 -> hxxp://mvhiis02
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhpassword-vm -> hxxp://mvhpassword-vm


Gary
 

#5 JHBPJF
  • Topic Starter
  • Members
  • 17 posts

Posted 27 October 2015 - 03:01 PM

We will do the best we can but I am usually online quite a bit during the day and evening, my time.

Here is the context:
 

==================== Internet Explorer trusted/restricted ===============

 
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:1080 -> MVHAV01:1080
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\MVHAV01:8443 -> MVHAV01:8443
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhiis02 -> hxxp://mvhiis02
IE trusted site: HKU\S-1-5-21-1644499423-1784174346-914644375-32503\...\mvhpassword-vm -> hxxp://mvhpassword-vm

 

 

Those are systems that are no longer around. I'll make sure to update the list and remove them.



#6 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 27 October 2015 - 03:15 PM

Very good, thanks.


Gary
 

#7 JHBPJF
  • Topic Starter
  • Members
  • 17 posts

Posted 27 October 2015 - 09:24 PM

  • Did you uninstall an antivirus program?

YES

  • RogueKiller log

 

RogueKiller V10.11.3.0 (x64) [Oct 26 2015] (Free) by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : JasonF [Administrator]
Started from : C:\Worm Troubleshooting\RogueKillerX64.exe
Mode : Scan -- Date : 10/28/2015 13:14:28
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 15 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main | Start Page : http://  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main | Start Page : http://  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{808797AF-45F7-4020-A4D3-C2835FFF98BF} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C93BB6A1-C6CC-46D3-AA41-4EEA275FFC7E} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{808797AF-45F7-4020-A4D3-C2835FFF98BF} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C93BB6A1-C6CC-46D3-AA41-4EEA275FFC7E} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{808797AF-45F7-4020-A4D3-C2835FFF98BF} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C93BB6A1-C6CC-46D3-AA41-4EEA275FFC7E} | DhcpNameServer : 172.16.48.38 172.16.2.82 ([(Private Address) (XX)][(Private Address) (XX)])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1644499423-1784174346-914644375-32503\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 2 ¤¤¤
[PUP][Folder] C:\ProgramData\{618FF9B7-2442-4010-AFCE-0E71D4C31A9F} -> Found
[PUP][Folder] C:\ProgramData\{A5CCDB92-FA53-47D1-89E6-32B82D86621A} -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] ac5adf203f13b4859e3eebd1cec58ce3
[BSP] 824ce9356b4ff8072c8efea2f08df25a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1025 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2101248 | Size: 106982 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 221200384 | Size: 12043 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 245864448 | Size: 2048 MB
User = LL1 ... OK
User = LL2 ... OK
 
  • Fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version:21-10-2015 01

Ran by JasonF (2015-10-28 13:17:23) Run:1
Running from C:\Users\christianh\Desktop
Loaded Profiles: christianh & JasonF (Available Profiles: exchadmin & johnra & KevinM & christianh & abhis & anuser & Administrator & JasonF & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Winlogon\Notify\SEP-x32: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\IPSFF => not found
2015-10-23 16:16 - 2015-10-23 16:16 - 00000000 _____ C:\SOA936F.tmp
2015-10-23 16:14 - 2015-10-23 16:14 - 00000000 _____ C:\SOA9235.tmp
C:\Users\Administrator\AppData\Local\Temp\AcDeltree.exe
File: C:\Windows\system32dbgraw.bmp
*****************
 
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP" => key removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB} => value removed successfully
C:\SOA936F.tmp => moved successfully
C:\SOA9235.tmp => moved successfully
C:\Users\Administrator\AppData\Local\Temp\AcDeltree.exe => moved successfully
 
========================= File: C:\Windows\system32dbgraw.bmp ========================
 
File not signed
MD5: D41D8CD98F00B204E9800998ECF8427E
Creation and modification date: 2015-10-28 07:36 - 2015-10-28 11:05
Size: 0001078
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
==== End of Fixlog 13:17:24 ====
  • Result log

 

MiniToolBox by Farbar  Version: 25-07-2015 01

Ran by JasonF (administrator) on 28-10-2015 at 13:19:29
Running from "C:\Worm Troubleshooting"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: HP EliteBook Folio 1040 G1 Manufacturer: Hewlett-Packard
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
 
========================= IP Configuration: ================================
 
Intel® Ethernet Connection I218-LM = Local Area Connection (Connected)
Cisco Systems VPN Adapter for 64-bit Windows = Local Area Connection 2 (Hardware not present)
Intel® Dual Band Wireless-AC 7260 = Wireless Network Connection 7 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Bluetooth Network Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Local Area Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Wireless Network Connection" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Wireless Network Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Wireless Network Connection 3" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Bluetooth Network Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled mtu=1300 metric=0 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : ANZL2CE35119Z0
   Primary Dns Suffix  . . . . . . . : jhau.hardie.win
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : jhau.hardie.win
                                       hardie.win
                                       usa.hardie.win
                                       eu.hardie.win
                                       jhph.hardie.win
 
Wireless LAN adapter Wireless Network Connection 7:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : jhau.hardie.win
   Description . . . . . . . . . . . : Intel® Dual Band Wireless-AC 7260 #3
   Physical Address. . . . . . . . . : 5C-51-4F-40-A6-14
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : jhau.hardie.win
   Description . . . . . . . . . . . : Intel® Ethernet Connection I218-LM
   Physical Address. . . . . . . . . : D4-C9-EF-FC-19-02
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.48.136(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, 28 October 2015 11:17:54 AM
   Lease Expires . . . . . . . . . . : Wednesday, 28 October 2015 5:17:54 PM
   Default Gateway . . . . . . . . . : 172.16.48.1
   DHCP Server . . . . . . . . . . . : 172.16.48.38
   DNS Servers . . . . . . . . . . . : 172.16.48.38
                                       172.16.2.82
   Primary WINS Server . . . . . . . : 172.16.48.38
   Secondary WINS Server . . . . . . : 172.16.48.62
                                       172.16.2.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter Local Area Connection* 11:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 9:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.jhau.hardie.win:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : jhau.hardie.win
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  rshdomc02.jhau.hardie.win
Address:  172.16.48.38
 
Name:    google.com
Addresses:  2607:f8b0:4000:800::200e
 74.125.227.195
 74.125.227.192
 74.125.227.193
 74.125.227.206
 74.125.227.200
 74.125.227.196
 74.125.227.194
 74.125.227.201
 74.125.227.199
 74.125.227.197
 74.125.227.198
 
 
Pinging google.com [74.125.227.192] with 32 bytes of data:
Request timed out.
Request timed out.
 
Ping statistics for 74.125.227.192:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server:  rshdomc02.jhau.hardie.win
Address:  172.16.48.38
 
Name:    yahoo.com
Addresses:  2001:4998:58:c02::a9
 2001:4998:c:a06::2:4008
 2001:4998:44:204::a7
 98.139.183.24
 98.138.253.109
 206.190.36.45
 
 
Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Request timed out.
Request timed out.
 
Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 35...5c 51 4f 40 a6 14 ......Intel® Dual Band Wireless-AC 7260 #3
 15...d4 c9 ef fc 19 02 ......Intel® Ethernet Connection I218-LM
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 12...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
 41...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.16.48.1    172.16.48.136     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      172.16.48.0    255.255.255.0         On-link     172.16.48.136    276
    172.16.48.136  255.255.255.255         On-link     172.16.48.136    276
    172.16.48.255  255.255.255.255         On-link     172.16.48.136    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     172.16.48.136    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     172.16.48.136    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 08 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 \Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 \Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 \Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 \Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 \Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog5 08 \Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 11 \Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
**** End of log ****
 
  • System Summary Information

 

Attached



Edited by Chris Cosgrove, 20 November 2015 - 12:33 PM.
At Op's request - remove URLs


#8 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 27 October 2015 - 09:40 PM

Nothing of concern in any of that. Is it always trying to access the IP Address via the same Port?


Gary
 

#9 JHBPJF
  • Topic Starter
  • Members
  • 17 posts

Posted 27 October 2015 - 09:51 PM

Nothing of concern in any of that. Is it always trying to access the IP Address via the same Port?

 

That is correct. It's always trying to make an outside connection to 50.63.202.43 on port 135.

 

We can block it, that's no problem. The worry is that we've been intruded by something that is undetectable.


Edited by JHBPJF, 27 October 2015 - 09:52 PM.


#10 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California

Posted 27 October 2015 - 09:56 PM

Thanks,

Please do this.

===================================================

Identifying Port Information

--------------------
  • Click Start, type cmd, then press the Shift + Ctrl + Enter keys at the same time
  • An Administrator Command Prompt window should open
  • Type netstat -b -a and hit Enter
  • Identify all information associated with Port 135 (example 127.0.0.1:135)
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Port 135 information

Edited by Oh My!, 27 October 2015 - 09:58 PM.

Gary
 

#11 JHBPJF
  • Topic Starter
  • Members
  • 17 posts

Posted 28 October 2015 - 12:43 AM

I don't see anything out of the ordinary. I'm starting to think it's perhaps a website-related connection where the user goes to a website and perhaps adware triggers it? Is that a possibility?

Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             ANZL2CE35119Z0:0       LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:135            ANZL2CE35119Z0:0       LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            ANZL2CE35119Z0:0       LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:623            ANZL2CE35119Z0:0       LISTENING
 [LMS.exe]
  TCP    0.0.0.0:1505           ANZL2CE35119Z0:0       LISTENING
 [phsvc.exe]
  TCP    0.0.0.0:16992          ANZL2CE35119Z0:0       LISTENING
 [LMS.exe]
  TCP    0.0.0.0:49152          ANZL2CE35119Z0:0       LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          ANZL2CE35119Z0:0       LISTENING
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          ANZL2CE35119Z0:0       LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49156          ANZL2CE35119Z0:0       LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49158          ANZL2CE35119Z0:0       LISTENING
 [services.exe]
  TCP    0.0.0.0:49198          ANZL2CE35119Z0:0       LISTENING
 [ccSvcHst.exe]
  TCP    0.0.0.0:49199          ANZL2CE35119Z0:0       LISTENING
 [ccSvcHst.exe]
  TCP    0.0.0.0:50816          ANZL2CE35119Z0:0       LISTENING
 [spoolsv.exe]
  TCP    127.0.0.1:5354         ANZL2CE35119Z0:0       LISTENING
 [mDNSResponder.exe]
  TCP    127.0.0.1:16992        ANZL2CE35119Z0:52617   TIME_WAIT
  TCP    127.0.0.1:49341        ANZL2CE35119Z0:0       LISTENING
 [LMS.exe]
  TCP    127.0.0.1:49431        ANZL2CE35119Z0:0       LISTENING
 [SCNotification.exe]
  TCP    127.0.0.1:62514        ANZL2CE35119Z0:0       LISTENING
 [cvpnd.exe]
  TCP    172.16.48.136:52174    rshprint02:49176       ESTABLISHED
 [spoolsv.exe]
  TCP    172.16.53.22:139       ANZL2CE35119Z0:0       LISTENING
 Can not obtain ownership information
  TCP    172.16.53.22:445       IRVDA01:23297          ESTABLISHED
 Can not obtain ownership information
  TCP    172.16.53.22:52320     IRVSCCMPRI01:10123     ESTABLISHED
 [CcmExec.exe]
  TCP    172.16.53.22:52620     rshdomc02:epmap        TIME_WAIT
  TCP    172.16.53.22:52621     rshdomc02:49156        TIME_WAIT
  TCP    172.16.53.22:52626     rshdomc02:netbios-ssn  TIME_WAIT
  TCP    172.16.53.22:52631     rshfile03:microsoft-ds  ESTABLISHED
 Can not obtain ownership information
  TCP    [::]:80                ANZL2CE35119Z0:0       LISTENING
 Can not obtain ownership information
  TCP    [::]:135               ANZL2CE35119Z0:0       LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               ANZL2CE35119Z0:0       LISTENING
 Can not obtain ownership information
  TCP    [::]:623               ANZL2CE35119Z0:0       LISTENING
 [LMS.exe]
  TCP    [::]:1505              ANZL2CE35119Z0:0       LISTENING
 [phsvc.exe]
  TCP    [::]:16992             ANZL2CE35119Z0:0       LISTENING
 [LMS.exe]
  TCP    [::]:49152             ANZL2CE35119Z0:0       LISTENING
 [wininit.exe]
  TCP    [::]:49153             ANZL2CE35119Z0:0       LISTENING
  eventlog
 [svchost.exe]
  TCP    [::]:49154             ANZL2CE35119Z0:0       LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49156             ANZL2CE35119Z0:0       LISTENING
 [lsass.exe]
  TCP    [::]:49158             ANZL2CE35119Z0:0       LISTENING
 [services.exe]
  TCP    [::]:49199             ANZL2CE35119Z0:0       LISTENING
 [ccSvcHst.exe]
  TCP    [::]:50816             ANZL2CE35119Z0:0       LISTENING
 [spoolsv.exe]
  TCP    [::1]:49339            ANZL2CE35119Z0:0       LISTENING
 [jhi_service.exe]
  TCP    [::1]:49344            ANZL2CE35119Z0:49346   ESTABLISHED
 [LMS.exe]
  TCP    [::1]:49346            ANZL2CE35119Z0:49344   ESTABLISHED
 [LMS.exe]
  UDP    0.0.0.0:123            *:*                    
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:1505           *:*                    
 [phsvc.exe]
  UDP    0.0.0.0:4500           *:*                    
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                    
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:49152          *:*                    
 [mDNSResponder.exe]
  UDP    127.0.0.1:1900         *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:49367        *:*                    
 [DpHostW.exe]
  UDP    127.0.0.1:49368        *:*                    
  gpsvc
 [svchost.exe]
  UDP    127.0.0.1:50714        *:*                    
 [CcmExec.exe]
  UDP    127.0.0.1:60883        *:*                    
 [phsvc.exe]
  UDP    127.0.0.1:61935        *:*                    
 [lsass.exe]
  UDP    127.0.0.1:61937        *:*                    
  NlaSvc
 [svchost.exe]
  UDP    127.0.0.1:62514        *:*                    
 [cvpnd.exe]
  UDP    127.0.0.1:62984        *:*                    
 [ccSvcHst.exe]
  UDP    127.0.0.1:64900        *:*                    
 [hpConnectionManager.exe]
  UDP    127.0.0.1:64937        *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:65107        *:*                    
 [wmiprvse.exe]
  UDP    172.16.53.22:137       *:*                    
 Can not obtain ownership information
  UDP    172.16.53.22:138       *:*                    
 Can not obtain ownership information
  UDP    172.16.53.22:1900      *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    172.16.53.22:5353      *:*                    
 [mDNSResponder.exe]
  UDP    172.16.53.22:64936     *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*                    
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:1505              *:*                    
 [phsvc.exe]
  UDP    [::]:4500              *:*                    
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                    
  Dnscache
 [svchost.exe]
  UDP    [::]:49153             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:1900             *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:5353             *:*                    
 [mDNSResponder.exe]
  UDP    [::1]:64935            *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:546  *:*                    
  Dhcp
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:546  *:*                    
  Dhcp
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:1900  *:*                    
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:64934  *:*                    
  SSDPSRV
 [svchost.exe]
 


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California
  • Local time:10:16 PM

Posted 28 October 2015 - 11:12 AM

Greetings,

I am by no means a network expert but there is something I think we can follow up on.

Port 135 is typically used by rpcss. I would like to see what things are being launched by svchost as referenced below. Although a running svchost is normal, it seems something in there is attempting to connect to the IP.
 

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 ANZL2CE35119Z0:0 LISTENING
Can not obtain ownership information
TCP 0.0.0.0:135 ANZL2CE35119Z0:0 LISTENING
RpcSs
[svchost.exe]


Please run this for me.

===================================================

Determining netstat and Services Running Under a svchost.exe

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type notepad and press Enter
  • Copy and paste the following into the Notepad document

rem List the services hosted inside each running svchost.exe instance
tasklist /svc /fi "imagename eq svchost.exe" >%userprofile%\desktop\svchost.txt
rem List every connection and listening port with its owning process and PID
netstat -b -a -o >%userprofile%\desktop\netstat.txt
rem Delete this batch file once it has run
del %0

  • Click File, then Save As
  • To the far right of Save as type: click the down arrow and select All files
  • Save the file to your desktop as netstat.bat
  • Right click on netstatsvchost.bat and select Run as administrator
  • Notepad documents svchost.txt and netstat.txt will appear on your Desktop
  • Copy and paste the contents of the documents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • svchost information
  • netstat information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#13 JHBPJF

JHBPJF
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:16 PM

Posted 28 October 2015 - 11:18 AM

  • svchost information

Image Name                     PID Services                                    
========================= ======== ============================================
svchost.exe                    868 DcomLaunch, PlugPlay, Power                 
svchost.exe                    956 RpcEptMapper, RpcSs                         
svchost.exe                    640 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc   
svchost.exe                   1080 AudioEndpointBuilder, CscService, hidserv,  
                                   Netman, PcaSvc, SysMain, TrkWks, UxSms,     
                                   Wlansvc, wudfsvc                            
svchost.exe                   1108 EventSystem, FontCache, netprofm, nsi,      
                                   W32Time, WdiServiceHost, WinHttpAutoProxySv 
svchost.exe                   1152 Appinfo, BITS, Browser, EapHost, IKEEXT,    
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,     
                                   Schedule, SENS, ShellHWDetection, Themes,   
                                   Winmgmt, wuauserv                           
svchost.exe                   1528 gpsvc                                       
svchost.exe                   1936 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc                                      
svchost.exe                   2060 BFE, DPS, MpsSvc                            
svchost.exe                   2236 AppHostSvc                                  
svchost.exe                   2480 DiagTrack                                   
svchost.exe                   3172 stisvc                                      
svchost.exe                   3212 W3SVC, WAS                                  
svchost.exe                   4272 SCardSvr, SSDPSRV                           
svchost.exe                   4348 bthserv                                     
svchost.exe                   2900 PolicyAgent                                 
 
  • netstat information

Active Connections
 
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             ANZL2CE35119Z0:0       LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:135            ANZL2CE35119Z0:0       LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            ANZL2CE35119Z0:0       LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:623            ANZL2CE35119Z0:0       LISTENING       8668
 [LMS.exe]
  TCP    0.0.0.0:1505           ANZL2CE35119Z0:0       LISTENING       3012
 [phsvc.exe]
  TCP    0.0.0.0:16992          ANZL2CE35119Z0:0       LISTENING       8668
 [LMS.exe]
  TCP    0.0.0.0:49152          ANZL2CE35119Z0:0       LISTENING       648
 [wininit.exe]
  TCP    0.0.0.0:49153          ANZL2CE35119Z0:0       LISTENING       640
  eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          ANZL2CE35119Z0:0       LISTENING       1152
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49156          ANZL2CE35119Z0:0       LISTENING       736
 [lsass.exe]
  TCP    0.0.0.0:49158          ANZL2CE35119Z0:0       LISTENING       716
 [services.exe]
  TCP    0.0.0.0:49198          ANZL2CE35119Z0:0       LISTENING       3108
 [ccSvcHst.exe]
  TCP    0.0.0.0:49199          ANZL2CE35119Z0:0       LISTENING       3108
 [ccSvcHst.exe]
  TCP    0.0.0.0:50816          ANZL2CE35119Z0:0       LISTENING       1792
 [spoolsv.exe]
  TCP    127.0.0.1:5354         ANZL2CE35119Z0:0       LISTENING       2260
 [mDNSResponder.exe]
  TCP    127.0.0.1:49341        ANZL2CE35119Z0:0       LISTENING       8668
 [LMS.exe]
  TCP    127.0.0.1:49431        ANZL2CE35119Z0:0       LISTENING       5068
 [SCNotification.exe]
  TCP    127.0.0.1:62514        ANZL2CE35119Z0:0       LISTENING       2444
 [cvpnd.exe]
  TCP    172.16.53.22:139       ANZL2CE35119Z0:0       LISTENING       4
 Can not obtain ownership information
  TCP    172.16.53.22:52320     IRVSCCMPRI01:10123     ESTABLISHED     7692
 [CcmExec.exe]
  TCP    172.16.53.22:52631     rshfile03:microsoft-ds  ESTABLISHED     4
 Can not obtain ownership information
  TCP    172.16.53.22:54304     dfw25s07-in-f110:https  ESTABLISHED     8436
 [chrome.exe]
  TCP    172.16.53.22:54307     ec2-54-152-180-212:https  ESTABLISHED     8436
 [chrome.exe]
  TCP    172.16.53.22:54309     dfw06s33-in-f7:https   ESTABLISHED     8436
 [chrome.exe]
  TCP    172.16.53.22:54311     rshdomc02:netbios-ssn  TIME_WAIT       0
  TCP    172.16.53.22:54312     rshdomc02:netbios-ssn  TIME_WAIT       0
  TCP    172.16.53.22:54313     rshdomc02:netbios-ssn  TIME_WAIT       0
  TCP    172.16.53.22:54325     rshdomc02:epmap        TIME_WAIT       0
  TCP    172.16.53.22:54326     rshdomc02:49156        TIME_WAIT       0
  TCP    172.16.53.22:54329     ent-shasta-rrs:https   SYN_SENT        3108
 [ccSvcHst.exe]
  TCP    [::]:80                ANZL2CE35119Z0:0       LISTENING       4
 Can not obtain ownership information
  TCP    [::]:135               ANZL2CE35119Z0:0       LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    [::]:445               ANZL2CE35119Z0:0       LISTENING       4
 Can not obtain ownership information
  TCP    [::]:623               ANZL2CE35119Z0:0       LISTENING       8668
 [LMS.exe]
  TCP    [::]:1505              ANZL2CE35119Z0:0       LISTENING       3012
 [phsvc.exe]
  TCP    [::]:16992             ANZL2CE35119Z0:0       LISTENING       8668
 [LMS.exe]
  TCP    [::]:49152             ANZL2CE35119Z0:0       LISTENING       648
 [wininit.exe]
  TCP    [::]:49153             ANZL2CE35119Z0:0       LISTENING       640
  eventlog
 [svchost.exe]
  TCP    [::]:49154             ANZL2CE35119Z0:0       LISTENING       1152
  Schedule
 [svchost.exe]
  TCP    [::]:49156             ANZL2CE35119Z0:0       LISTENING       736
 [lsass.exe]
  TCP    [::]:49158             ANZL2CE35119Z0:0       LISTENING       716
 [services.exe]
  TCP    [::]:49199             ANZL2CE35119Z0:0       LISTENING       3108
 [ccSvcHst.exe]
  TCP    [::]:50816             ANZL2CE35119Z0:0       LISTENING       1792
 [spoolsv.exe]
  TCP    [::1]:49339            ANZL2CE35119Z0:0       LISTENING       8584
 [jhi_service.exe]
  TCP    [::1]:49344            ANZL2CE35119Z0:49346   ESTABLISHED     8668
 [LMS.exe]
  TCP    [::1]:49346            ANZL2CE35119Z0:49344   ESTABLISHED     8668
 [LMS.exe]
  UDP    0.0.0.0:123            *:*                                    1108
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    1152
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:1505           *:*                                    3012
 [phsvc.exe]
  UDP    0.0.0.0:4500           *:*                                    1152
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                    1936
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:49152          *:*                                    2260
 [mDNSResponder.exe]
  UDP    127.0.0.1:1900         *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:49367        *:*                                    800
 [DpHostW.exe]
  UDP    127.0.0.1:49368        *:*                                    1528
  gpsvc
 [svchost.exe]
  UDP    127.0.0.1:50714        *:*                                    7692
 [CcmExec.exe]
  UDP    127.0.0.1:60883        *:*                                    3012
 [phsvc.exe]
  UDP    127.0.0.1:61935        *:*                                    736
 [lsass.exe]
  UDP    127.0.0.1:61937        *:*                                    1936
  NlaSvc
 [svchost.exe]
  UDP    127.0.0.1:62514        *:*                                    2444
 [cvpnd.exe]
  UDP    127.0.0.1:62984        *:*                                    3108
 [ccSvcHst.exe]
  UDP    127.0.0.1:64900        *:*                                    8700
 [hpConnectionManager.exe]
  UDP    127.0.0.1:64937        *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:65107        *:*                                    3476
 [wmiprvse.exe]
  UDP    172.16.53.22:137       *:*                                    4
 Can not obtain ownership information
  UDP    172.16.53.22:138       *:*                                    4
 Can not obtain ownership information
  UDP    172.16.53.22:1900      *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    172.16.53.22:5353      *:*                                    2260
 [mDNSResponder.exe]
  UDP    172.16.53.22:64936     *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*                                    1108
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                                    1152
  IKEEXT
 [svchost.exe]
  UDP    [::]:1505              *:*                                    3012
 [phsvc.exe]
  UDP    [::]:4500              *:*                                    1152
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                                    1936
  Dnscache
 [svchost.exe]
  UDP    [::]:49153             *:*                                    2260
 [mDNSResponder.exe]
  UDP    [::1]:1900             *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:5353             *:*                                    2260
 [mDNSResponder.exe]
  UDP    [::1]:64935            *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:1900  *:*                                    4272
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::7da4:98c8:8a3c:263f%35]:64934  *:*                                    4272
  SSDPSRV
 [svchost.exe]
 

Edited by JHBPJF, 28 October 2015 - 11:20 AM.


#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,416 posts
  • Gender:Male
  • Location:California
  • Local time:10:16 PM

Posted 28 October 2015 - 12:17 PM

Thank you for your patience while I try to make sense of this. It is a bit of a Detective who done it.

The additional process being launched by svchost under Port 135 is RpcEptMapper. As you have already seen, they are under the same Process ID (PID) 956. RPC Endpoint Mapper service (RpcEptMapper) is a part of the Remote Procedure Call function and it is a means by which client and server software can communicate. It appears a program (common to many computers since they show the same warning) may be attempting to connect to the IP. If I had to take a guess, and it is certainly a guess, I would say it has something to do with a program(s) running under Scheduled Tasks. I don't see any malicious tasks that stand out in the Scheduled Tasks section of the Addition.txt report, nor do I know why a legitimate program would request to connect to that IP. Like I said, just a guess.

The tracing of RPC is far more complicated than I can handle and my learning curve would be quite steep. However, we may be able to strike pay dirt with the below step. Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:service
50.63.202.43
:process
50.63.202.43
:filefind
50.63.202.43
:folderfind
50.63.202.43
:regfind
50.63.202.43
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply or, if necessary zip and attach the file.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • SystemLook report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
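The two reports Gary asked for earlier (tasklist /svc and netstat -b -a -o) are matched up by eye in the replies above: PID 956 on port 135 is the svchost hosting RpcEptMapper and RpcSs. As an added example that is not part of any post in this thread, the script below does that join automatically over constructed excerpts modelled on the logs posted here; it assumes the two report formats exactly as shown in the thread and a small PORT_NAMES map for the port names netstat prints when run without -n.

```python
# Added example, not the poster's script: join `netstat -b -a -o` with `tasklist /svc`
# so a PID seen on port 135 maps to every service its svchost.exe instance hosts.
# Both samples are constructed excerpts modelled on the reports posted in this thread.
import re
from collections import defaultdict
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    956 RpcEptMapper, RpcSs
svchost.exe                   1152 Appinfo, BITS, Browser, EapHost, IKEEXT,
                                   iphlpsvc, LanmanServer, Schedule, wuauserv
"""
NETSTAT_BAO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            ANZL2CE35119Z0:0       LISTENING       956
  RpcSs
 [svchost.exe]
  TCP    172.16.53.22:54325     rshdomc02:epmap        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1152
 [svchost.exe]
"""
PORT_NAMES = {135: "epmap", 139: "netbios-ssn", 445: "microsoft-ds"}  # netstat without -n prints names

def parse_tasklist_svc(text):
    """PID -> services; long service lists wrap onto indented continuation lines."""
    services, pid = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", line)
        if not m and not (pid and line.startswith(" " * 10)):
            continue                                   # header / separator line
        if m:
            pid = int(m.group(2))
        names = m.group(3) if m else line              # else: wrapped continuation
        services[pid] += [s for s in re.split(r",\s*", names.strip()) if s]
    return dict(services)

def parse_netstat_bao(text):
    """`netstat -b -a -o` rows (UDP rows have no State); a following [image.exe] line names the owner."""
    conns = []
    for line in text.splitlines():
        if m := re.match(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+([A-Z_]+)?\s*(\d+)\s*$", line):
            conns.append({"proto": m.group(1), "local": m.group(2), "foreign": m.group(3),
                          "state": m.group(4) or "", "pid": int(m.group(5)), "image": None})
        elif conns and (im := re.match(r"^\[(.+)\]$", line.strip())):
            conns[-1]["image"] = im.group(1)
    return conns

def connections_for_port(netstat_text, tasklist_text, port):
    """Rows touching `port` on either end, with the owning image and hosted services.
    PID 0 / TIME_WAIT rows are already closed: only a live row can be attributed."""
    by_pid = parse_tasklist_svc(tasklist_text)
    suffixes = (f":{port}", f":{PORT_NAMES.get(port, port)}")
    return [dict(c, services=by_pid.get(c["pid"], []))
            for c in parse_netstat_bao(netstat_text)
            if c["local"].endswith(suffixes) or c["foreign"].endswith(suffixes)]
```

Run connections_for_port on the two desktop files from Gary's batch and the TIME_WAIT rows to rshdomc02:epmap come back with PID 0 and no services, which is why only a connection caught while it is still open can be pinned to a process.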

#15 JHBPJF

JHBPJF
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:16 PM

Posted 28 October 2015 - 12:25 PM

Unfortunately no results.

SystemLook 30.07.11 by jpshortstuff

Log created at 04:23 on 29/10/2015 by JasonF
 (Limited User)
 
========== service ==========
 
50.63.202.43 - Unable to open Service Handle.
 
========== process ==========
 
50.63.202.43 - Unable to open process handle.
 
========== filefind ==========
 
Searching for "50.63.202.43"
No files found.
 
========== folderfind ==========
 
Searching for "50.63.202.43"
No folders found.
 
========== regfind ==========
 
Searching for "50.63.202.43"
No data found.
 
-= EOF =-




