Invaders in my Server AD


  • This topic is locked
24 replies to this topic

#1 txbigden1


Posted 09 February 2016 - 09:22 PM

I am running a Server 2003, and when I went into the server there were a dozen additional users in the AD, and they had logged into my server (there were files under the Documents and Settings directory). I've deleted the users, and I've deleted the files. I wasn't going to send in anything until I ran Malwarebytes and it came up with so many findings. I've run FRST and am attaching the logs now. This happened one other time about 2 years ago, and until recently I haven't had any other issues, so I'm not sure how long the problem has been in my system. I have changed passwords for ALL users (the real ones). I just want to make sure my home server is OK for my family and that I'm not causing someone else to get spammed/fed a virus because of my server.

Thanks!!!!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by administrator (administrator) on SHELDON (09-02-2016 19:57:57)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Loaded Profiles: QBDataServiceUser24 & administrator (Available Profiles: dennis & QBDataServiceUser24 & administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> dfssvc.exe
Failed to access process -> dns.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> inetinfo.exe
Failed to access process -> ismserv.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> ducservice.exe
Failed to access process -> ntfrs.exe
Failed to access process -> svchost.exe
Failed to access process -> QBCFMonitorService.exe
Failed to access process -> QBIDPService.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> wdfmgr.exe
Failed to access process -> svchost.exe
Failed to access process -> dfsr.exe
Failed to access process -> tcpsvcs.exe
Failed to access process -> exmgmt.exe
Failed to access process -> mad.exe
Failed to access process -> mssearch.exe
Failed to access process -> svchost.exe
Failed to access process -> CodeMeter.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> store.exe
Failed to access process -> emsmta.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> QBDBMgrN.exe
Failed to access process -> w3wp.exe
Failed to access process -> logon.scr
Failed to access process -> w3wp.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> ctfmon.exe
Failed to access process -> qbupdate.exe
Failed to access process -> QBW32.EXE
Failed to access process -> DUC40.exe
Failed to access process -> firefox.exe
Failed to access process -> FRST.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2829624 2013-12-02] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [Malwarebytes Anti-Malware] => D:\Program Files\Malwarebytes Anti-Malware\BusinessMessaging.exe [3213824 2016-02-09] (Malwarebytes)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-10-05] (Malwarebytes)
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-21-273214551-2702688601-832094456-1144\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
IFEO\sethc.exe: [Debugger] cmd.exe
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-01-04]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-01-04]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-01-04]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{CAD52BD2-E364-4B17-8496-D3D6284E7A48}: [NameServer] 192.168.9.254,8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1420147654453
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2013-12-02] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2010-03-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.BIGBANG\Application Data\Mozilla\Firefox\Profiles\6xpobqh0.default
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.2\npGoogleUpdate3.dll [2016-01-29] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.2\npGoogleUpdate3.dll [2016-01-29] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-05] [not signed]

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-19]
CHR Extension: (Google Docs) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-19]
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-23]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-23]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-23]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-19]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-01-23]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-19]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2006-03-22] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2006-12-10] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S4 IMAP4Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2006-03-22] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S2 MBAMService; d:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MSExchangeES; C:\Program Files\Exchsrvr\bin\events.exe [94720 2003-06-24] (Microsoft Corporation) [File not signed]
R2 MSExchangeIS; C:\Program Files\Exchsrvr\bin\store.exe [5227520 2005-10-04] (Microsoft Corporation) [File not signed]
R2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3217408 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSExchangeMTA; C:\Program Files\Exchsrvr\bin\emsmta.exe [3592704 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSExchangeSA; C:\Program Files\Exchsrvr\bin\mad.exe [8920064 2005-08-25] (Microsoft Corporation) [File not signed]
S4 MSExchangeSRS; C:\Program Files\Exchsrvr\bin\srsmain.exe [339456 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSFtpsvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [69632 2005-08-17] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [45568 2014-04-28] (Hewlett-Packard) [File not signed]
R2 netupdate; C:\Program Files\Common Files\System\ado\msrtm.dll [22743040 2016-01-28] () [File not signed]
S4 NntpSvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 NoIPDUCService4; C:\Program Files\No-IP\ducservice.exe [12288 2015-07-20] () [File not signed]
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [55808 2014-04-28] (Hewlett-Packard) [File not signed]
S4 POP3Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-12-02] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-12-02] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.) [File not signed]
R3 QuickBooksDB24; C:\Program Files\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.) [File not signed]
R2 RESvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2006-03-22] (Microsoft Corporation)
R2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 SrmReports; C:\WINDOWS\system32\srmhost.exe [10752 2005-11-23] (Microsoft Corporation) [File not signed]
R2 SrmSvc; C:\WINDOWS\system32\srmsvc.dll [1593344 2007-02-17] (Microsoft Corporation)
R2 SystemPluginService; C:\Documents and Settings\All Users\Application Data\systempluginservice\sysplusrv.dll [104906752 2016-01-28] () [File not signed]
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2006-03-22] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
R2 VMware Dns Service; C:\WINDOWS\VMdns [1053184 2007-02-17] (Microsoft Corporation)
S2 Rasmans; C:\WINDOWS\system32\Rasmans.exe [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R0 Datascrn; C:\WINDOWS\System32\DRIVERS\datascrn.sys [48640 2007-02-17] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R2 EXIFS; C:\WINDOWS\system32\drivers\exifs.sys [196192 2005-08-25] (Microsoft Corporation) [File not signed]
U0 fogmurn; C:\WINDOWS\System32\drivers\taflxjy.sys [52440 2016-02-09] (Malwarebytes)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
R3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52x.sys [50176 2007-10-18] (Broadcom Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R0 percsas; C:\WINDOWS\System32\drivers\percsas.sys [20992 2007-10-18] (LSI Corporation)
R0 Quota; C:\WINDOWS\System32\DRIVERS\quota.sys [88064 2007-02-17] (Microsoft Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
S4 afcnt; no ImagePath
S4 cpqarry2; no ImagePath
S4 cpqcissm; no ImagePath
S4 cpqfcalm; no ImagePath
S4 dellcerc; no ImagePath
S4 elxstor; no ImagePath
S4 hpt3xx; no ImagePath
S4 iirsp; no ImagePath
S4 IntelIde; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; no ImagePath
U3 LicenseInfo; no ImagePath
S4 lp6nds35; no ImagePath
S4 nfrd960; no ImagePath
S4 ql2100; no ImagePath
S4 ql2200; no ImagePath
S4 ql2300; no ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
S4 symmpi; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: VMware Dns Service -> C:\WINDOWS\VMdns (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-09 19:57 - 2016-02-09 19:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST-OlderVersion
2016-02-09 19:46 - 2016-02-09 19:47 - 00122970 _____ C:\TDSSKiller.3.1.0.9_09.02.2016_19.46.27_log.txt
2016-02-09 19:39 - 2016-02-09 19:39 - 00052440 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\taflxjy.sys
2016-02-09 19:17 - 2016-02-09 19:21 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2016-02-09 19:07 - 2016-02-09 19:58 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\1
2016-02-07 13:31 - 2016-02-07 13:31 - 00000000 ____H C:\Documents and Settings\All Users\Application Data\cm-lock
2016-02-07 10:59 - 2016-02-09 19:24 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-02-07 10:59 - 2016-02-07 10:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-07 10:59 - 2015-10-05 09:50 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-02-07 10:59 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-02-06 15:54 - 2016-02-06 15:54 - 00000000 ____D C:\WINDOWS\system32\netmon
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Macromedia
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Adobe
2016-01-28 02:05 - 2016-01-28 02:05 - 00006638 _____ C:\WINDOWS\TEMPcoral.vbs
2016-01-28 02:05 - 2016-01-28 02:05 - 00000000 ____D C:\Program Files\check
2016-01-28 02:04 - 2016-01-28 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\systempluginservice
2016-01-24 04:38 - 2016-01-31 13:46 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-01-23 10:25 - 2016-01-23 10:25 - 00002394 _____ C:\WINDOWS\system32\.crusader
2016-01-23 10:17 - 2016-01-23 10:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2016-01-23 05:52 - 2016-01-25 03:10 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-01-23 05:52 - 2016-01-25 03:00 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2016-01-19 02:53 - 2016-01-19 02:53 - 00062699 _____ C:\WINDOWS\dnsp
2016-01-19 02:53 - 2016-01-19 02:53 - 00017408 _____ (PremiumSoft CyberTech Ltd.) C:\WINDOWS\vmdns.dll
2016-01-19 02:53 - 2007-02-17 02:58 - 01053184 _____ (Microsoft Corporation) C:\WINDOWS\VMdns

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-09 19:57 - 2015-09-20 12:57 - 00016937 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.txt
2016-02-09 19:57 - 2015-09-20 12:57 - 00000000 ____D C:\FRST
2016-02-09 19:57 - 2015-09-20 12:56 - 01721344 _____ (Farbar) C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.exe
2016-02-09 19:55 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2016-02-09 19:53 - 2015-01-03 10:39 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job
2016-02-09 19:39 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\dhcp
2016-02-09 19:39 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\inf
2016-02-09 19:23 - 2015-01-04 07:33 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-02-09 19:17 - 2015-07-02 12:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-09 19:09 - 2015-01-01 12:07 - 00065536 _____ C:\WINDOWS\NETLOGON.CHG
2016-02-09 11:00 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\security
2016-02-09 00:23 - 2015-01-01 10:59 - 00032472 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2016-02-08 22:17 - 2015-07-02 12:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-08 01:52 - 2015-01-01 12:04 - 00524288 _____ C:\WINDOWS\system32\config\NTDS.Evt
2016-02-07 13:43 - 2015-01-01 12:07 - 00002368 _____ C:\WINDOWS\system32\config\netlogon.dnb
2016-02-07 13:43 - 2015-01-01 12:07 - 00002235 _____ C:\WINDOWS\system32\config\netlogon.dns
2016-02-07 13:42 - 2015-01-01 04:51 - 01491898 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-02-07 13:37 - 2015-01-01 12:03 - 00000000 ____D C:\WINDOWS\NTDS
2016-02-07 13:37 - 2015-01-01 10:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-07 13:31 - 2015-03-12 02:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB3002657$
2016-02-07 13:24 - 2015-01-01 12:08 - 00065536 _____ C:\WINDOWS\system32\config\DnsEvent.Evt
2016-02-07 13:24 - 2015-01-01 12:04 - 00065536 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2016-02-07 13:24 - 2015-01-01 11:44 - 00065536 _____ C:\WINDOWS\system32\config\dfsr.evt
2016-02-07 13:22 - 2015-05-18 04:29 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2016-02-07 10:45 - 2015-01-01 04:51 - 00000000 ____D C:\Documents and Settings
2016-02-07 10:38 - 2015-01-01 15:03 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\My Documents\Exchange Task Wizard Logs
2016-02-07 10:32 - 2015-01-01 11:16 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG
2016-02-06 15:48 - 2015-09-20 11:29 - 00000000 ____D C:\AdwCleaner
2016-02-06 15:48 - 2015-01-04 07:38 - 00000178 ___SH C:\Documents and Settings\QBDataServiceUser24\ntuser.ini
2016-02-06 15:46 - 2015-10-23 15:26 - 00000000 ___RD C:\Documents and Settings\dennis\My Documents
2016-02-06 15:32 - 2015-10-23 15:26 - 00000000 ____D C:\Documents and Settings\dennis
2016-02-06 15:31 - 2015-01-01 04:40 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-02-04 18:18 - 2015-07-02 12:41 - 00001819 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome.lnk
2016-01-28 08:59 - 2015-01-21 07:01 - 00032510 _____ C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\QBSearchIndexerError.txt
2016-01-28 02:03 - 2015-01-01 10:55 - 00014288 _____ C:\WINDOWS\OEWABLog.txt
2016-01-27 12:00 - 2015-01-07 09:01 - 00000000 ____D C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1
2016-01-23 10:26 - 2015-01-01 11:16 - 00000178 ___SH C:\Documents and Settings\Administrator.BIGBANG\ntuser.ini
2016-01-19 12:23 - 2015-01-04 08:23 - 03886784 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2016-01-19 12:23 - 2015-01-04 07:33 - 00796864 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-01-19 12:23 - 2015-01-04 07:33 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-01-14 03:04 - 2015-01-03 10:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-01-14 03:00 - 2015-01-03 10:08 - 141317472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2015-01-01 14:36 - 2015-01-01 14:36 - 0000144 _____ () C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\fusioncache.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION


ATTENTION: ==> Could not access BCD.

==================== End of FRST.txt ============================
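The FRST log above is read by hand in this thread, but the same patterns can be checked mechanically. The Python script below is an added example, not part of the thread and not FRST's own code: it parses a handful of FRST-style lines (constructed here, modelled on the registry and service entries in the log above) and flags the ones a responder would review first: FRST's own ATTENTION markers, an Image File Execution Options Debugger value on an accessibility binary (the IFEO\sethc.exe line above, a well-known persistence indicator), and running services whose binary has an empty publisher field or lives under a user-writable data directory such as All Users\Application Data. The regular expressions, the severity labels and the list of user-writable paths are my assumptions derived from the lines shown, not FRST's parsing rules.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST log lines posted in this thread.
SAMPLE_LOG = """\
HKLM\\...\\Run: [Intuit SyncManager] => C:\\Program Files\\Common Files\\Intuit\\Sync\\IntuitSyncManager.exe [2829624 2013-12-02] (Intuit Inc. All rights reserved.)
HKLM\\...\\Command Processor:  <======= ATTENTION
IFEO\\sethc.exe: [Debugger] cmd.exe
R2 DNS; C:\\WINDOWS\\System32\\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R2 netupdate; C:\\Program Files\\Common Files\\System\\ado\\msrtm.dll [22743040 2016-01-28] () [File not signed]
R2 SystemPluginService; C:\\Documents and Settings\\All Users\\Application Data\\systempluginservice\\sysplusrv.dll [104906752 2016-01-28] () [File not signed]
R2 QBCFMonitorService; C:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBCFMonitorService.exe [45056 2013-12-02] (Intuit) [File not signed]
S4 afcnt; no ImagePath
"""

# Assumed layouts, derived from the sample lines; FRST does not publish a grammar.
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<debugger>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>.+?); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<signer>[^)]*)\)(?P<flags>.*)$"
)
# Directories a normal service binary has no business living in (assumed list).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\all users\\application data\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


@dataclass
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return every finding for one FRST log line (empty list if nothing stands out)."""
    findings: list[Finding] = []
    if "ATTENTION" in line:
        findings.append(Finding("HIGH", "FRST ATTENTION marker", line))
    m = IFEO_RE.match(line)
    if m:
        # A Debugger value replaces the named image with another program at launch.
        findings.append(Finding("HIGH", f"IFEO Debugger on {m['image']} -> {m['debugger']}", line))
    m = SERVICE_RE.match(line)
    if m:
        path = m["path"]
        if not m["signer"].strip():
            findings.append(Finding("MEDIUM", f"service {m['name']} has no publisher", line))
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(Finding("HIGH", f"service {m['name']} runs from a user-writable path", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole FRST log and collect the findings in log order."""
    return [f for line in log_text.splitlines() for f in triage_line(line.rstrip())]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the reader sees what to look at first."""
    counts = {"HIGH": 0, "MEDIUM": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}")
        print(f"    {f.line}")
    print(summarize(results))
```

On the sample this yields five findings: three HIGH (the Command Processor ATTENTION marker, the IFEO Debugger on sethc.exe, and the service loaded from All Users\Application Data) and two MEDIUM (the two services whose publisher field is empty). A finding is a prompt to examine the file, not proof of compromise; entries that only carry [File not signed] but name a publisher, such as the Exchange and QuickBooks services in the log, are deliberately not flagged because that alone is too noisy to act on.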


#2 Oh My!

Malware Response Instructor

Posted 11 February 2016 - 04:30 PM

Greetings txbigden1 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I am not very familiar with your Operating System but I will see what I can do.

We need to run FRST again. Please delete the existing copy and download a new copy as detailed below.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Right click on the icon and select Run as administrator
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Please attempt to upload the below file here. If it is prohibited then zip the file and try the upload again.

C:\WINDOWS\TEMPcoral.vbs

===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Edited by Oh My!, 12 February 2016 - 01:00 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!


Posted 14 February 2016 - 09:56 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#4 txbigden1
  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2016 - 05:37 PM

I'm sorry I missed this, I didn't get notified like I expected. Will update directly.

#5 txbigden1
  • Topic Starter
  • Members
  • 48 posts

Posted 15 February 2016 - 05:52 PM

Thanks for responding. I have tried to run msinfo32, but it tells me that a service isn't running, and I can't find that service listed. I have no "Help and Support" listed on my services list.

And yes, please call me Dennis.

Thanks
Dennis

FRST.TXT

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by administrator (administrator) on SHELDON (15-02-2016 16:41:48)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Loaded Profiles: QBDataServiceUser24 & administrator (Available Profiles: dennis & QBDataServiceUser24 & administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> dfssvc.exe
Failed to access process -> dns.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> inetinfo.exe
Failed to access process -> ismserv.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> ducservice.exe
Failed to access process -> ntfrs.exe
Failed to access process -> svchost.exe
Failed to access process -> QBCFMonitorService.exe
Failed to access process -> QBIDPService.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> wdfmgr.exe
Failed to access process -> svchost.exe
Failed to access process -> dfsr.exe
Failed to access process -> tcpsvcs.exe
Failed to access process -> exmgmt.exe
Failed to access process -> mad.exe
Failed to access process -> mssearch.exe
Failed to access process -> svchost.exe
Failed to access process -> CodeMeter.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> store.exe
Failed to access process -> emsmta.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> QBDBMgrN.exe
Failed to access process -> w3wp.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> logon.scr
Failed to access process -> w3wp.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> BusinessMessaging.exe
Failed to access process -> ctfmon.exe
Failed to access process -> qbupdate.exe
Failed to access process -> QBW32.EXE
Failed to access process -> firefox.exe
Failed to access process -> FRST(1).exe
Failed to access process -> updater.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2829624 2013-12-02] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [Malwarebytes Anti-Malware] => D:\Program Files\Malwarebytes Anti-Malware\BusinessMessaging.exe [3213824 2016-02-09] (Malwarebytes)
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-21-273214551-2702688601-832094456-1144\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
IFEO\sethc.exe: [Debugger] cmd.exe
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-01-04]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-01-04]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-01-04]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{CAD52BD2-E364-4B17-8496-D3D6284E7A48}: [NameServer] 192.168.9.254,8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1420147654453
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2013-12-02] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2010-03-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.BIGBANG\Application Data\Mozilla\Firefox\Profiles\6xpobqh0.default
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-05] [not signed]

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-19]
CHR Extension: (Google Docs) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-19]
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-23]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-23]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-23]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-19]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-01-23]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-19]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
R2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2006-03-22] (Microsoft Corporation)
R2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2006-12-10] (Hewlett-Packard Co.) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S4 IMAP4Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
R2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2006-03-22] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
S2 MBAMService; d:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 MSExchangeES; C:\Program Files\Exchsrvr\bin\events.exe [94720 2003-06-24] (Microsoft Corporation) [File not signed]
R2 MSExchangeIS; C:\Program Files\Exchsrvr\bin\store.exe [5227520 2005-10-04] (Microsoft Corporation) [File not signed]
R2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3217408 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSExchangeMTA; C:\Program Files\Exchsrvr\bin\emsmta.exe [3592704 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSExchangeSA; C:\Program Files\Exchsrvr\bin\mad.exe [8920064 2005-08-25] (Microsoft Corporation) [File not signed]
S4 MSExchangeSRS; C:\Program Files\Exchsrvr\bin\srsmain.exe [339456 2005-08-25] (Microsoft Corporation) [File not signed]
R2 MSFtpsvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [69632 2005-08-17] (Microsoft Corporation) [File not signed]
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [45568 2014-04-28] (Hewlett-Packard) [File not signed]
R2 netupdate; C:\Program Files\Common Files\System\ado\msrtm.dll [22743040 2016-01-28] () [File not signed]
S4 NntpSvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 NoIPDUCService4; C:\Program Files\No-IP\ducservice.exe [12288 2015-07-20] () [File not signed]
R2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [55808 2014-04-28] (Hewlett-Packard) [File not signed]
S4 POP3Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-12-02] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2013-12-02] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.) [File not signed]
R3 QuickBooksDB24; C:\Program Files\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.) [File not signed]
R2 RESvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2006-03-22] (Microsoft Corporation)
R2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
S3 SrmReports; C:\WINDOWS\system32\srmhost.exe [10752 2005-11-23] (Microsoft Corporation) [File not signed]
R2 SrmSvc; C:\WINDOWS\system32\srmsvc.dll [1593344 2007-02-17] (Microsoft Corporation)
R2 SystemPluginService; C:\Documents and Settings\All Users\Application Data\systempluginservice\sysplusrv.dll [104906752 2016-01-28] () [File not signed]
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2006-03-22] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
R2 VMware Dns Service; C:\WINDOWS\VMdns [1053184 2007-02-17] (Microsoft Corporation)
S2 Rasmans; C:\WINDOWS\system32\Rasmans.exe [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
R0 Datascrn; C:\WINDOWS\System32\DRIVERS\datascrn.sys [48640 2007-02-17] (Microsoft Corporation)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
R2 EXIFS; C:\WINDOWS\system32\drivers\exifs.sys [196192 2005-08-25] (Microsoft Corporation) [File not signed]
U0 fogmurn; C:\WINDOWS\System32\drivers\taflxjy.sys [52440 2016-02-09] (Malwarebytes)
R3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
R3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
R3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
R3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52x.sys [50176 2007-10-18] (Broadcom Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
R0 percsas; C:\WINDOWS\System32\drivers\percsas.sys [20992 2007-10-18] (LSI Corporation)
R0 Quota; C:\WINDOWS\System32\DRIVERS\quota.sys [88064 2007-02-17] (Microsoft Corporation)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
S4 afcnt; no ImagePath
S4 cpqarry2; no ImagePath
S4 cpqcissm; no ImagePath
S4 cpqfcalm; no ImagePath
S4 dellcerc; no ImagePath
S4 elxstor; no ImagePath
S4 hpt3xx; no ImagePath
S4 iirsp; no ImagePath
S4 IntelIde; no ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; no ImagePath
U3 LicenseInfo; no ImagePath
S4 lp6nds35; no ImagePath
S4 nfrd960; no ImagePath
S4 ql2100; no ImagePath
S4 ql2200; no ImagePath
S4 ql2300; no ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
S4 symmpi; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: VMware Dns Service -> C:\WINDOWS\VMdns (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-15 16:40 - 2016-02-15 16:40 - 01721344 _____ (Farbar) C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST(1).exe
2016-02-15 16:39 - 2016-02-15 16:42 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\2
2016-02-11 20:39 - 2016-02-11 20:39 - 00000000 ___HD C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip
2016-02-09 20:12 - 2016-02-09 20:12 - 00034381 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\MalwareBytes.txt
2016-02-09 19:57 - 2016-02-09 19:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST-OlderVersion
2016-02-09 19:46 - 2016-02-09 19:47 - 00122970 _____ C:\TDSSKiller.3.1.0.9_09.02.2016_19.46.27_log.txt
2016-02-09 19:39 - 2016-02-09 19:39 - 00052440 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\taflxjy.sys
2016-02-09 19:17 - 2016-02-09 19:21 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2016-02-07 13:31 - 2016-02-07 13:31 - 00000000 ____H C:\Documents and Settings\All Users\Application Data\cm-lock
2016-02-07 10:59 - 2016-02-09 20:11 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-02-07 10:59 - 2016-02-07 10:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-07 10:59 - 2015-10-05 09:50 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-02-07 10:59 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-02-06 15:54 - 2016-02-06 15:54 - 00000000 ____D C:\WINDOWS\system32\netmon
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Macromedia
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Adobe
2016-01-28 02:05 - 2016-01-28 02:05 - 00006638 _____ C:\WINDOWS\TEMPcoral.vbs
2016-01-28 02:05 - 2016-01-28 02:05 - 00000000 ____D C:\Program Files\check
2016-01-28 02:04 - 2016-01-28 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\systempluginservice
2016-01-24 04:38 - 2016-02-15 16:41 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-01-23 10:25 - 2016-01-23 10:25 - 00002394 _____ C:\WINDOWS\system32\.crusader
2016-01-23 10:17 - 2016-01-23 10:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2016-01-23 05:52 - 2016-01-25 03:10 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-01-23 05:52 - 2016-01-25 03:00 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2016-01-19 02:53 - 2016-01-19 02:53 - 00062699 _____ C:\WINDOWS\dnsp
2016-01-19 02:53 - 2016-01-19 02:53 - 00017408 _____ (PremiumSoft CyberTech Ltd.) C:\WINDOWS\vmdns.dll
2016-01-19 02:53 - 2007-02-17 02:58 - 01053184 _____ (Microsoft Corporation) C:\WINDOWS\VMdns

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-15 16:41 - 2015-09-20 12:57 - 00016876 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.txt
2016-02-15 16:41 - 2015-09-20 12:57 - 00000000 ____D C:\FRST
2016-02-15 16:41 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\dhcp
2016-02-15 16:40 - 2015-01-03 10:39 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job
2016-02-15 16:35 - 2015-01-01 11:16 - 00000178 ___SH C:\Documents and Settings\Administrator.BIGBANG\ntuser.ini
2016-02-15 16:35 - 2015-01-01 11:16 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG
2016-02-15 16:28 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2016-02-15 16:23 - 2015-07-02 12:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-15 16:23 - 2015-01-04 07:33 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-02-15 14:50 - 2015-01-01 10:59 - 00032364 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2016-02-15 11:41 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\security
2016-02-14 22:23 - 2015-07-02 12:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-11 20:41 - 2015-10-23 15:26 - 00000178 ___SH C:\Documents and Settings\dennis\ntuser.ini
2016-02-11 03:02 - 2015-01-03 10:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-02-11 03:00 - 2015-01-03 10:08 - 144254680 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-02-10 13:24 - 2015-07-02 12:41 - 00001819 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome.lnk
2016-02-10 09:23 - 2015-01-04 08:23 - 08230080 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2016-02-10 09:23 - 2015-01-04 07:33 - 00796864 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-02-10 09:23 - 2015-01-04 07:33 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-02-09 20:04 - 2015-09-20 12:58 - 00033131 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\Addition.txt
2016-02-09 19:39 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\inf
2016-02-09 19:09 - 2015-01-01 12:07 - 00065536 _____ C:\WINDOWS\NETLOGON.CHG
2016-02-08 01:52 - 2015-01-01 12:04 - 00524288 _____ C:\WINDOWS\system32\config\NTDS.Evt
2016-02-07 13:43 - 2015-01-01 12:07 - 00002368 _____ C:\WINDOWS\system32\config\netlogon.dnb
2016-02-07 13:43 - 2015-01-01 12:07 - 00002235 _____ C:\WINDOWS\system32\config\netlogon.dns
2016-02-07 13:42 - 2015-01-01 04:51 - 01491898 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-02-07 13:37 - 2015-01-01 12:03 - 00000000 ____D C:\WINDOWS\NTDS
2016-02-07 13:37 - 2015-01-01 10:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-07 13:31 - 2015-03-12 02:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB3002657$
2016-02-07 13:24 - 2015-01-01 12:08 - 00065536 _____ C:\WINDOWS\system32\config\DnsEvent.Evt
2016-02-07 13:24 - 2015-01-01 12:04 - 00065536 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2016-02-07 13:24 - 2015-01-01 11:44 - 00065536 _____ C:\WINDOWS\system32\config\dfsr.evt
2016-02-07 13:22 - 2015-05-18 04:29 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2016-02-07 10:45 - 2015-01-01 04:51 - 00000000 ____D C:\Documents and Settings
2016-02-07 10:38 - 2015-01-01 15:03 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\My Documents\Exchange Task Wizard Logs
2016-02-06 15:48 - 2015-09-20 11:29 - 00000000 ____D C:\AdwCleaner
2016-02-06 15:48 - 2015-01-04 07:38 - 00000178 ___SH C:\Documents and Settings\QBDataServiceUser24\ntuser.ini
2016-02-06 15:46 - 2015-10-23 15:26 - 00000000 ___RD C:\Documents and Settings\dennis\My Documents
2016-02-06 15:32 - 2015-10-23 15:26 - 00000000 ____D C:\Documents and Settings\dennis
2016-02-06 15:31 - 2015-01-01 04:40 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-01-28 08:59 - 2015-01-21 07:01 - 00032510 _____ C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\QBSearchIndexerError.txt
2016-01-28 02:03 - 2015-01-01 10:55 - 00014288 _____ C:\WINDOWS\OEWABLog.txt
2016-01-27 12:00 - 2015-01-07 09:01 - 00000000 ____D C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1

==================== Files in the root of some directories =======

2015-01-01 14:36 - 2015-01-01 14:36 - 0000144 _____ () C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\fusioncache.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION


ATTENTION: ==> Could not access BCD.

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by administrator (2016-02-15 16:42:13)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) (2015-01-01 16:57:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
Guest (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
krbtgt (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
dennis (0 - Administrator - Enabled) => %systemroot%\system32\config\systemprofile
jenny (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
wyatt (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
lynn (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dw (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
dalton (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
QBDataServiceUser24 (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IUSR_SHELDON (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IWAM_SHELDON (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
42D5F5AF-862A-4EE6-A (0 - Limited - Disabled) => %systemroot%\system32\config\systemprofile
baskets (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
PENNY$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
J630$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DENNIS-PC$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
D630$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUE-W8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEW8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
D7YTKCG1$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEW8-2$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
JENNYW8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DENNISP8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
JENNYP8$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUEG-W81$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
SHELDON$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
IT2RESCUE$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile
DESKTOP-BPNIIOP$ (0 - Limited - Enabled) => %systemroot%\system32\config\systemprofile

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 17.1.1 - Hewlett-Packard) Hidden
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.306 - Adobe Systems Incorporated)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.24.3-060405a-041210C-Dell - )
BPD_Scan (Version: 3.00.0000 - Hewlett-Packard) Hidden
BPDSoftware (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Enterprise (Version: 50.0.165.000 - Hewlett-Packard) Hidden
Foxit Creator (HKLM\...\Foxit Creator) (Version: 3,1,0,1210 - Foxit Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 48.0.2564.109 - Google Inc.)
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HP Officejet J5700 AiO Series Corporate Edition 8.0 (HKLM\...\{8AFE6E90-060E-4774-861B-2408299A357C}) (Version: 1.0 - HP)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 1.1 -- Device Update 4.0 (HKLM\...\{A34AC564-B4A3-4D45-B969-403BC39F0E6A}) (Version: 1.1.4322 - Microsoft Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Exchange (HKLM\...\9161A261-6ABE-4668-BBFA-AD06B3F642CF) (Version:  - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB2957482) (HKLM\...\{87741E76-9D88-49FD-9C7C-14E2B37EB065}) (Version: 6.20.2017.0 - Microsoft Corporation)
No-IP DUC (HKLM\...\NoIPDUC) (Version: 4.1.1 - Vitalwerks Internet Solutions LLC)
QuickBooks (Version: 24.0.4004.2403 - Intuit Inc.) Hidden
QuickBooks Pro 2014 (HKLM\...\{4A21D17E-2FE8-42CD-88B7-ACF8E8860834}) (Version: 24.0.4004.2403 - Intuit Inc.)
Recover My Files (HKLM\...\Recover My Files v5_is1) (Version: 5.2.1.1903 - GetData Pty Ltd)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Server 2003 Service Pack 2 (HKLM\...\Windows Server 2003 Service Pack) (Version: 20070217.021455 - Microsoft Corporation)
Windows Support Tools (HKLM\...\{F07F0BCD-5C6D-4499-9F05-6ED747078A72}) (Version: 5.2.3790.1830 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-1144_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CBEF1FB5-78FF-4B14-9B0F-275493FB589C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DA654E0C-E75D-4507-8AC2-71698C5B5C93}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB359C2A-6927-4AD7-8F1B-B6472CA7CDE7}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-01-01 04:37 - 2006-03-22 01:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-273214551-2702688601-832094456-1144\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-21-273214551-2702688601-832094456-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.9.254 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============

Name: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Description: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom Corporation
Service: l2nd
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/15/2016 04:23:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 03:23:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 02:23:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 01:23:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 12:23:00 PM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 11:23:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 10:23:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 09:23:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 08:23:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)

Error: (02/15/2016 07:23:00 AM) (Source: MsiInstaller) (EventID: 11260) (User: NT AUTHORITY)
Description: Product: Google Update Helper -- Error 1260. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
(NULL)(NULL)(NULL)(NULL)


System errors:
=============
Error: (02/15/2016 04:39:28 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver TOSHIBA e-STUDIO Color PCL6 V4 required for printer TOSHIBA e-STUDIO3555C-07757133 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Officejet J5700 Series fax required for printer HP Officejet J5700 Series fax is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Shared Fax Driver required for printer Fax is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:27 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Brother Generic Jpeg Type1 Class Driver required for printer Brother MFC-J4620DW Printer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:39:11 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Universal Printing PCL 6 required for printer HP8100DN is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:35:17 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver TOSHIBA e-STUDIO Color PCL6 V4 required for printer TOSHIBA e-STUDIO3555C-07757133 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:35:17 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/15/2016 04:35:16 PM) (Source: TermServDevices) (EventID: 1111) (User: )
Description: Driver HP Officejet J5700 Series fax required for printer HP Officejet J5700 Series fax is unknown. Contact the administrator to install the driver before you log in again.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU 5160 @ 3.00GHz
Percentage of memory in use: 39%
Total physical RAM: 4094.98 MB
Available physical RAM: 2489.96 MB
Total Virtual: 5973.68 MB
Available Virtual: 4432.35 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:278.82 GB) (Free:258.08 GB) NTFS
Drive d: (DATA) (Fixed) (Total:836.62 GB) (Free:541.39 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 278.9 GB) (Disk ID: 54A39D80)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=278.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 836.6 GB) (Disk ID: 7934D7D9)
Partition 1: (Not Active) - (Size=836.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Edited by Oh My!, 15 February 2016 - 09:01 PM.


#6 txbigden1

txbigden1
  • Topic Starter

  • Members
  • 48 posts

Posted 15 February 2016 - 06:10 PM

Ok, I figured out the missing service and have the system file (attached)




#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • Gender:Male
  • Location:California

Posted 15 February 2016 - 09:27 PM

Before taking any steps could you tell me if you recognize this? It is a means by which you can deal with a forgotten Windows password.

IFEO\sethc.exe: [Debugger] cmd.exe


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
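The IFEO entry Oh My! asks about above (`IFEO\sethc.exe: [Debugger] cmd.exe`) is the kind of line a defender wants to pull out of an FRST log automatically, together with the orphaned per-user CLSID registrations earlier in the Addition.txt that point into a deleted user's temp folder. The following scanner is an added example for this thread, not FRST output and not anything the poster or Farbar supplies: it reads FRST-style lines, flags any Image File Execution Options `Debugger` value (high severity when the target is one of the accessibility helpers Winlogon can start at the logon screen, "review" otherwise, since legitimate JIT debuggers also register this way), and flags CustomCLSID servers rooted in a user profile, which is only "review" because user-installed COM components can legitimately live there. The list of accessibility binaries, the rule names, the `myapp.exe` entry and the whole sample log are constructed for the example.

```python
import re

# Accessibility helpers Winlogon can launch on the logon screen before anyone
# has authenticated. An IFEO "Debugger" value for one of these makes Windows run
# the named program in its place; the page's entry maps sethc.exe to cmd.exe.
# (List assumed for this example; extend it for your environment.)
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# FRST line shapes as they appear in the logs on this page:
#   IFEO\<image>: [Debugger] <command>
#   CustomCLSID: HKU\<sid>_Classes\CLSID\{guid}\InprocServer32 -> <path> [=> No File]
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+?)\s*$")
CLSID_RE = re.compile(
    r"^CustomCLSID:\s*(?P<key>HKU\\[^ ]+)\s*->\s*(?P<path>.+?)(?:\s*=>\s*No File)?\s*$"
)
# A COM server rooted in a user profile rather than Program Files / Windows.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\(documents and settings|users)\\", re.IGNORECASE)


def check_ifeo(line):
    """Flag every IFEO Debugger entry; accessibility targets are high severity."""
    m = IFEO_RE.match(line)
    if not m:
        return None
    image = m.group("image").strip().lower()
    severity = "high" if image in ACCESSIBILITY_BINARIES else "review"
    return {"rule": "ifeo_debugger", "severity": severity,
            "image": image, "debugger": m.group("debugger")}


def check_custom_clsid(line):
    """Flag per-user CLSID servers whose DLL lives under a user profile."""
    m = CLSID_RE.match(line)
    if not m:
        return None
    # FRST appends a "(Company)" signer tag when the file exists; drop it.
    path = re.sub(r"\s*\([^()]*\)\s*$", "", m.group("path"))
    if not PROFILE_RE.match(path):
        return None
    return {"rule": "clsid_profile_path", "severity": "review",
            "key": m.group("key"), "path": path,
            "missing": line.rstrip().endswith("=> No File")}


def scan_frst(log_text):
    """Run every check over each line of an FRST log; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_ifeo, check_custom_clsid):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: two lines copied from this thread's logs plus a benign
# JIT-debugger registration, a vendor CLSID and a scheduled task as noise.
SAMPLE_LOG = r"""
IFEO\sethc.exe: [Debugger] cmd.exe
IFEO\myapp.exe: [Debugger] "C:\Program Files\Debugger\vsjitdebugger.exe" PID %ld
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
"""

if __name__ == "__main__":
    for f in scan_frst(SAMPLE_LOG):
        print(f["severity"].upper(), f["rule"], f.get("image") or f.get("path"))
```

Run against a real Addition.txt the sethc.exe line is the one that matters: a `Debugger` value on an accessibility helper has no legitimate reason to exist on a server, whereas the profile-path CLSID hits need a look at the SID, the file's existence and the folder name (here a `temp\svchost` directory under a user that no longer exists) before deciding.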

#8 txbigden1

txbigden1
  • Topic Starter

  • Members
  • 48 posts

Posted 15 February 2016 - 09:53 PM

I know what sethc.exe is, but I've only seen it on Windows 7 machines. And to the best of my knowledge it would not be in that directory, but in the windows\system32 directory. So no, I don't recognize THAT sethc.exe.



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,996 posts
  • Gender:Male
  • Location:California

Posted 15 February 2016 - 10:16 PM

Thanks Dennis,

Well the file is most likely in the correct directory. That entry is designed to circumvent the normal process to free the computer up to create a new password when the original password has been forgotten. If those circumstances don't sound familiar to you I am going to delete that entry. If it does make sense just delete the line from the fixlist.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Command Processor:  <======= ATTENTION
IFEO\sethc.exe: [Debugger] cmd.exe
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
S2 Rasmans; C:\WINDOWS\system32\Rasmans.exe [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]Folde
2016-01-28 02:05 - 2016-01-28 02:05 - 00006638 _____ C:\WINDOWS\TEMPcoral.vbs
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-1144_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
Folder: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\2
Folder: C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip
  • Launch FRST and press the Fix button just once and wait; the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Rerun a FRST scan, making sure to check Addition.txt
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • FRST reports (2)
  • Update on computer performance

Edited by Oh My!, 15 February 2016 - 10:59 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

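The fixlist in this post (echoed in full in the Fixlog of the following reply) removes several distinct persistence mechanisms at once: an Image File Execution Options Debugger on sethc.exe (the "sticky keys" backdoor that gives a SYSTEM shell from the logon screen), a Command Processor AutoRun value, per-user CLSID entries whose InprocServer32 points at a file under the rogue "moat" profile's temp folder, two rogue services, and a folder listing that turns out to hold a mimikatz drop. The script below is an added example, not part of the original post and not FRST's own logic: it triages FRST-format log lines for exactly those classes of entry so the same log can be checked mechanically. The sample lines are constructed from entries quoted in this thread; the function names, severity labels and the path heuristics (flagging profile temp folders, user-writable data roots, and binaries with no publisher or no executable extension) are the example's own assumptions, and it also accepts the Vista+ "\Users\...\AppData" profile layout that this Server 2003 log does not contain.

```python
"""Triage Farbar Recovery Scan Tool (FRST) log lines for the persistence
patterns seen in this thread.

Added example: not part of the original post and not FRST's own rules.
It flags:
  * an IFEO Debugger on an accessibility binary (sethc.exe and friends),
  * a Command Processor AutoRun value (runs whenever cmd.exe starts),
  * per-user CLSID entries whose InprocServer32 points at a missing file
    under a profile's temp/appdata folder,
  * services whose binary has no publisher, sits under a user-writable data
    directory, or lacks an executable extension,
  * known credential-theft tooling by file name (mimikatz family).
The heuristics and severities are the author's assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Accessibility binaries launchable from the logon screen; an IFEO Debugger on
# any of them yields a pre-authentication SYSTEM shell.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Basenames of the tooling listed in this thread's Fixlog folder dump.
KNOWN_TOOL_NAMES = {"mimikatz.exe", "mimidrv.sys", "mimilib.dll", "mimilove.exe"}

_CMDPROC = re.compile(r"^HKLM\\\.\.\.\\Command Processor:.*ATTENTION")
_IFEO = re.compile(r"^IFEO\\(?P<exe>[^:]+):\s*\[Debugger\]\s*(?P<dbg>.+)$")
_CLSID = re.compile(
    r"^CustomCLSID: (?P<key>HKU\\\S+)\\InprocServer32 -> (?P<path>.+?) => No File$")
_SERVICE = re.compile(
    r"^U\d (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) (?P<date>\S+)\] \((?P<company>.*)\)$")
# Profile temp/appdata folders (XP/2003 and Vista+ layouts) and user-writable roots.
_PROFILE_TEMP = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Local Settings|AppData)\\", re.I)
_USER_WRITABLE = re.compile(r"\\(Documents and Settings|Users|ProgramData)\\", re.I)


def _check_ifeo(m):
    exe = m.group("exe").strip().lower()
    severity = "high" if exe in ACCESSIBILITY_BINARIES else "medium"
    return Finding(severity, "ifeo-debugger", f"{exe} -> {m.group('dbg').strip()}")


def _check_clsid(m):
    # A missing InprocServer32 target is only interesting when it sat somewhere
    # a non-admin could write; leftovers under Program Files are uninstall debris.
    path = m.group("path")
    if _PROFILE_TEMP.search(path):
        return Finding("high", "clsid-hijack",
                       f"{m.group('key')} -> {path} (missing file in a profile temp/appdata folder)")
    return None


def _check_service(m):
    reasons = []
    path, company = m.group("path"), m.group("company").strip()
    if not company:
        reasons.append("binary carries no publisher/version info")
    if _USER_WRITABLE.search(path):
        reasons.append("binary lives under a user-writable data directory")
    if not re.search(r"\.(exe|dll|sys)$", path, re.I):
        reasons.append("binary has no executable extension")
    if reasons:
        return Finding("medium", "service", f"{m.group('name')} -> {path}: " + "; ".join(reasons))
    return None


def _check_known_tool(line):
    base = line.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_TOOL_NAMES:
        return Finding("critical", "known-tool", base)
    return None


def triage(log_text):
    """Return the findings for a block of FRST log text, in line order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _CMDPROC.match(line):
            findings.append(Finding("high", "cmd-autorun",
                                    "Command Processor AutoRun value set (runs on every cmd.exe start)"))
            continue
        m = _IFEO.match(line)
        if m:
            findings.append(_check_ifeo(m))
            continue
        m = _CLSID.match(line)
        if m:
            f = _check_clsid(m)
            if f:
                findings.append(f)
            continue
        m = _SERVICE.match(line)
        if m:
            f = _check_service(m)
            if f:
                findings.append(f)
            continue
        f = _check_known_tool(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: FRST-format lines modelled on entries quoted in the thread.
SAMPLE_LOG = r"""
HKLM\...\Command Processor:  <======= ATTENTION
IFEO\sethc.exe: [Debugger] cmd.exe
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
U2 netupdate; C:\Program Files\Common Files\System\ado\msrtm.dll [22743040 2016-01-28] ()
U2 SystemPluginService; C:\Documents and Settings\All Users\Application Data\systempluginservice\sysplusrv.dll [104906752 2016-01-28] ()
U2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
2015-07-19 23:11 - 2016-02-11 20:39 - 0263168 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimikatz.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.category:14} {f.detail}")
```

Run against the sample it reports six findings and stays quiet on the QuickBooks CLSID leftovers and the genuine Microsoft DNS service; pointing it at a real FRST.txt (`triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`) gives a first pass over a log of this size before reading it line by line. Note that a hit on the IFEO or AutoRun checks means the attacker had administrative rights on the box, so, as the thread's advice says, rotating every password is the minimum follow-up.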
#10 txbigden1 (Topic Starter)

Posted 16 February 2016 - 04:28 PM

The 'moat' user was one of the users created by the invader.  I checked yesterday and didn't see any new names in my AD, just my wife, my sons and myself are currently in there (the way it should be), but originally there were 20 additional names, moat being just one of them. 

I hope I understood you correctly that you wanted me to rerun FRST and post the 2 files again. So they are also pasted in here.

The computer actually just rebooted faster than I've seen in a long time.  And really I hadn't noticed any performance issues prior, but obviously not wanting my server to be used by unauthorized evil people.

Fix result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by administrator (2016-02-16 08:29:01) Run:1
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Loaded Profiles: QBDataServiceUser24 & administrator (Available Profiles: dennis & QBDataServiceUser24 & administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Command Processor:  <======= ATTENTION
IFEO\sethc.exe: [Debugger] cmd.exe
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
S2 Rasmans; C:\WINDOWS\system32\Rasmans.exe [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]Folde
2016-01-28 02:05 - 2016-01-28 02:05 - 00006638 _____ C:\WINDOWS\TEMPcoral.vbs
CustomCLSID: HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-20_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-1144_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InprocServer32 -> C:\Documents and Settings\moat\Local Settings\Application Data\temp\svchost\install32.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
Folder: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\2
Folder: C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent" => key removed successfully.
HKLM\Software\Microsoft\Command Processor\\AutoRun => value removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\sethc.exe" => key removed successfully.
Winsock: Catalog5 000000000003\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
/redir.dll?prd=ie&ar=iesearch => Error: No automatic fix found for this entry.
Could not restore Default URLSearchHook.
Rasmans => service removed successfully.
WinHttpAutoProxySvc => service removed successfully.
C:\WINDOWS\TEMPcoral.vbs => moved successfully
"HKU\S-1-5-19_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}" => key removed successfully.
"HKU\S-1-5-20_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-1144_Classes\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}" => key removed successfully.
"HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}" => key removed successfully.

========================= Folder: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\2 ========================

not found.

====== End of Folder: ======


========================= Folder: C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip ========================

2016-02-11 20:39 - 2016-02-11 20:39 - 0000000 ____D () C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32
2015-07-21 16:04 - 2016-02-11 20:39 - 0000077 ____R () C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\m.bat
2013-07-19 23:11 - 2016-02-11 20:39 - 0030080 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimidrv.sys
2015-07-19 23:11 - 2016-02-11 20:39 - 0263168 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimikatz.exe
2015-07-19 23:10 - 2016-02-11 20:39 - 0024576 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimilib.dll
2015-07-19 23:10 - 2016-02-11 20:39 - 0024064 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimilove.exe

====== End of Folder: ======



The system needed a reboot.

==== End of Fixlog 08:29:01 ====

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by  (administrator) on SHELDON (16-02-2016 08:32:53)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Loaded Profiles:  (Available Profiles: ) <==== ATTENTION (Temporary Profile?)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> dfssvc.exe
Failed to access process -> svchost.exe
Failed to access process -> inetinfo.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> svchost.exe
Failed to access process -> exmgmt.exe
Failed to access process -> mad.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> logon.scr
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> rdpclip.exe
Failed to access process -> explorer.exe
Failed to access process -> BusinessMessaging.exe
Failed to access process -> ctfmon.exe
Failed to access process -> qbupdate.exe
Failed to access process -> QBW32.EXE
Failed to access process -> FRST(1).exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2829624 2013-12-02] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [Malwarebytes Anti-Malware] => D:\Program Files\Malwarebytes Anti-Malware\BusinessMessaging.exe [3213824 2016-02-09] (Malwarebytes)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-21-273214551-2702688601-832094456-1144\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2006-03-22] (Microsoft Corporation)
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Intuit Data Protect.lnk [2015-01-04]
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2015-01-04]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk [2015-01-04]
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 03 %SystemRoot%\system32\NLAapi.dll No File
Tcpip\..\Interfaces\{CAD52BD2-E364-4B17-8496-D3D6284E7A48}: [NameServer] 192.168.9.254,8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
HKU\S-1-5-21-273214551-2702688601-832094456-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1420147654453
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll [2013-12-02] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2010-03-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.BIGBANG\Application Data\Mozilla\Firefox\Profiles\6xpobqh0.default
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-09] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-05] [not signed]

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-19]
CHR Extension: (Google Docs) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-19]
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-23]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-23]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-23]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-19]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-01-23]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-19]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.

U2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
U2 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2007-02-17] (Microsoft Corporation)
U2 DHCPServer; C:\WINDOWS\system32\tcpsvcs.exe [21504 2006-03-22] (Microsoft Corporation)
U2 DNS; C:\WINDOWS\System32\dns.exe [450560 2012-01-30] (Microsoft Corporation)
U2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U4 IMAP4Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U2 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2007-02-17] (Microsoft Corporation)
U2 kdc; C:\WINDOWS\System32\lsass.exe [13312 2006-03-22] (Microsoft Corporation)
U4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2007-02-18] (Microsoft Corporation)
U2 MBAMService; d:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
U3 MSExchangeES; C:\Program Files\Exchsrvr\bin\events.exe [94720 2003-06-24] (Microsoft Corporation)
U2 MSExchangeIS; C:\Program Files\Exchsrvr\bin\store.exe [5227520 2005-10-04] (Microsoft Corporation)
U2 MSExchangeMGMT; C:\Program Files\Exchsrvr\bin\exmgmt.exe [3217408 2005-08-25] (Microsoft Corporation)
U2 MSExchangeMTA; C:\Program Files\Exchsrvr\bin\emsmta.exe [3592704 2005-08-25] (Microsoft Corporation)
U2 MSExchangeSA; C:\Program Files\Exchsrvr\bin\mad.exe [8920064 2005-08-25] (Microsoft Corporation)
U4 MSExchangeSRS; C:\Program Files\Exchsrvr\bin\srsmain.exe [339456 2005-08-25] (Microsoft Corporation)
U2 MSFtpsvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U2 MSSEARCH; C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe [69632 2005-08-17] (Microsoft Corporation)
U2 netupdate; C:\Program Files\Common Files\System\ado\msrtm.dll [22743040 2016-01-28] ()
U4 NntpSvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U2 NoIPDUCService4; C:\Program Files\No-IP\ducservice.exe [12288 2015-07-20] ()
U2 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2007-02-17] (Microsoft Corporation)
U4 POP3Svc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2013-12-02] (Intuit Inc.)
U3 QuickBooksDB24; C:\Program Files\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.)
U2 RESvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2007-02-17] (Microsoft Corporation)
U3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2006-03-22] (Microsoft Corporation)
U2 SMTPSVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [14336 2007-02-17] (Microsoft Corporation)
U3 SrmReports; C:\WINDOWS\system32\srmhost.exe [10752 2005-11-23] (Microsoft Corporation)
U2 SrmSvc; C:\WINDOWS\system32\srmsvc.dll [1593344 2007-02-17] (Microsoft Corporation)
U2 SystemPluginService; C:\Documents and Settings\All Users\Application Data\systempluginservice\sysplusrv.dll [104906752 2016-01-28] ()
U4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2006-03-22] (Microsoft Corporation)
U4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2007-02-17] (Microsoft Corporation)
U2 VMware Dns Service; C:\WINDOWS\VMdns [1053184 2007-02-17] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2007-02-17] (Microsoft Corporation)
U0 Datascrn; C:\WINDOWS\System32\DRIVERS\datascrn.sys [48640 2007-02-17] (Microsoft Corporation)
U0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2007-02-17] (Microsoft Corporation)
U2 EXIFS; C:\WINDOWS\system32\drivers\exifs.sys [196192 2005-08-25] (Microsoft Corporation)
U0 fogmurn; C:\WINDOWS\System32\drivers\taflxjy.sys [52440 2016-02-09] (Malwarebytes)
U3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2005-10-21] (HP)
U3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2005-10-21] (HP)
U3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2005-10-21] (HP)
U3 l2nd; C:\WINDOWS\System32\DRIVERS\bxnd52x.sys [50176 2007-10-18] (Broadcom Corporation)
U3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
U0 percsas; C:\WINDOWS\System32\drivers\percsas.sys [20992 2007-10-18] (LSI Corporation)
U0 Quota; C:\WINDOWS\System32\DRIVERS\quota.sys [88064 2007-02-17] (Microsoft Corporation)
U3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2007-02-17] (Microsoft Corporation)
U4 afcnt; no ImagePath
U4 cpqarry2; no ImagePath
U4 cpqcissm; no ImagePath
U4 cpqfcalm; no ImagePath
U4 dellcerc; no ImagePath
U4 elxstor; no ImagePath
U4 hpt3xx; no ImagePath
U4 iirsp; no ImagePath
U4 IntelIde; no ImagePath
U3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U4 ipsraidn; no ImagePath
U3 LicenseInfo; no ImagePath
U4 lp6nds35; no ImagePath
U4 nfrd960; no ImagePath
U4 ql2100; no ImagePath
U4 ql2200; no ImagePath
U4 ql2300; no ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2007-02-17] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2007-02-17] (Microsoft Corporation)
U4 symmpi; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: VMware Dns Service -> C:\WINDOWS\VMdns (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-16 08:29 - 2016-02-16 08:29 - 00010604 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\Fixlog.txt
2016-02-16 08:27 - 2016-02-16 08:32 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Temp\1
2016-02-15 17:09 - 2016-02-15 17:09 - 00066280 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\system.zip
2016-02-15 17:07 - 2016-02-15 17:09 - 01269326 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\system.nfo
2016-02-15 16:44 - 2016-02-15 16:44 - 00000989 _____ C:\WINDOWS\TEMPcoral.zip
2016-02-15 16:40 - 2016-02-15 16:40 - 01721344 _____ (Farbar) C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST(1).exe
2016-02-11 20:39 - 2016-02-11 20:39 - 00000000 ___HD C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip
2016-02-09 20:12 - 2016-02-09 20:12 - 00034381 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\MalwareBytes.txt
2016-02-09 19:57 - 2016-02-09 19:57 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST-OlderVersion
2016-02-09 19:46 - 2016-02-09 19:47 - 00122970 _____ C:\TDSSKiller.3.1.0.9_09.02.2016_19.46.27_log.txt
2016-02-09 19:39 - 2016-02-09 19:39 - 00052440 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\taflxjy.sys
2016-02-09 19:17 - 2016-02-09 19:21 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2016-02-07 10:59 - 2016-02-09 20:11 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-02-07 10:59 - 2016-02-07 10:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-07 10:59 - 2015-10-05 09:50 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-02-07 10:59 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-02-06 15:54 - 2016-02-06 15:54 - 00000000 ____D C:\WINDOWS\system32\netmon
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Macromedia
2016-02-06 15:34 - 2016-02-06 15:34 - 00000000 ____D C:\Documents and Settings\dennis\Application Data\Adobe
2016-01-28 02:05 - 2016-01-28 02:05 - 00000000 ____D C:\Program Files\check
2016-01-28 02:04 - 2016-01-28 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\systempluginservice
2016-01-24 04:38 - 2016-02-15 16:42 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-01-23 10:25 - 2016-01-23 10:25 - 00002394 _____ C:\WINDOWS\system32\.crusader
2016-01-23 10:17 - 2016-01-23 10:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2016-01-23 05:52 - 2016-01-25 03:10 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-01-23 05:52 - 2016-01-25 03:00 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2016-01-19 02:53 - 2016-01-19 02:53 - 00062699 _____ C:\WINDOWS\dnsp
2016-01-19 02:53 - 2016-01-19 02:53 - 00017408 _____ (PremiumSoft CyberTech Ltd.) C:\WINDOWS\vmdns.dll
2016-01-19 02:53 - 2007-02-17 02:58 - 01053184 _____ (Microsoft Corporation) C:\WINDOWS\VMdns

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-16 08:32 - 2015-09-20 12:57 - 00014514 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.txt
2016-02-16 08:32 - 2015-09-20 12:57 - 00000000 ____D C:\FRST
2016-02-16 08:31 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2016-02-16 08:30 - 2015-01-01 10:59 - 00032364 _____ C:\WINDOWS\Tasks\SchedLgU.Txt
2016-02-16 08:29 - 2015-01-01 12:08 - 00065536 _____ C:\WINDOWS\system32\config\DnsEvent.Evt
2016-02-16 08:29 - 2015-01-01 12:04 - 00524288 _____ C:\WINDOWS\system32\config\NTDS.Evt
2016-02-16 08:29 - 2015-01-01 12:04 - 00065536 _____ C:\WINDOWS\system32\config\NtFrs.Evt
2016-02-16 08:29 - 2015-01-01 12:03 - 00000000 ____D C:\WINDOWS\NTDS
2016-02-16 08:29 - 2015-01-01 11:44 - 00065536 _____ C:\WINDOWS\system32\config\dfsr.evt
2016-02-16 08:29 - 2015-01-01 10:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-16 08:29 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\system32\dhcp
2016-02-16 08:26 - 2015-01-03 10:39 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job
2016-02-16 08:23 - 2015-07-02 12:40 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-16 08:23 - 2015-01-04 07:33 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-02-16 03:46 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\security
2016-02-15 22:23 - 2015-07-02 12:40 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-15 20:58 - 2015-01-01 11:16 - 00000178 ___SH C:\Documents and Settings\Administrator.BIGBANG\ntuser.ini
2016-02-15 20:58 - 2015-01-01 11:16 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG
2016-02-15 17:07 - 2015-01-01 04:40 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-02-11 20:41 - 2015-10-23 15:26 - 00000178 ___SH C:\Documents and Settings\dennis\ntuser.ini
2016-02-11 03:02 - 2015-01-03 10:08 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-02-11 03:00 - 2015-01-03 10:08 - 144254680 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-02-10 13:24 - 2015-07-02 12:41 - 00001819 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome.lnk
2016-02-10 09:23 - 2015-01-04 08:23 - 08230080 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2016-02-10 09:23 - 2015-01-04 07:33 - 00796864 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-02-10 09:23 - 2015-01-04 07:33 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-02-09 19:39 - 2015-01-01 04:46 - 00000000 ____D C:\WINDOWS\inf
2016-02-09 19:09 - 2015-01-01 12:07 - 00065536 _____ C:\WINDOWS\NETLOGON.CHG
2016-02-07 13:43 - 2015-01-01 12:07 - 00002368 _____ C:\WINDOWS\system32\config\netlogon.dnb
2016-02-07 13:43 - 2015-01-01 12:07 - 00002235 _____ C:\WINDOWS\system32\config\netlogon.dns
2016-02-07 13:42 - 2015-01-01 04:51 - 01491898 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-02-07 13:31 - 2015-03-12 02:02 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB3002657$
2016-02-07 13:22 - 2015-05-18 04:29 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2016-02-07 10:45 - 2015-01-01 04:51 - 00000000 ____D C:\Documents and Settings
2016-02-07 10:38 - 2015-01-01 15:03 - 00000000 ____D C:\Documents and Settings\Administrator.BIGBANG\My Documents\Exchange Task Wizard Logs
2016-02-06 15:48 - 2015-09-20 11:29 - 00000000 ____D C:\AdwCleaner
2016-02-06 15:48 - 2015-01-04 07:38 - 00000178 ___SH C:\Documents and Settings\QBDataServiceUser24\ntuser.ini
2016-02-06 15:46 - 2015-10-23 15:26 - 00000000 ___RD C:\Documents and Settings\dennis\My Documents
2016-02-06 15:32 - 2015-10-23 15:26 - 00000000 ____D C:\Documents and Settings\dennis
2016-01-28 08:59 - 2015-01-21 07:01 - 00032510 _____ C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\QBSearchIndexerError.txt
2016-01-28 02:03 - 2015-01-01 10:55 - 00014288 _____ C:\WINDOWS\OEWABLog.txt
2016-01-27 12:00 - 2015-01-07 09:01 - 00000000 ____D C:\Documents and Settings\QBDataServiceUser24\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1

==================== Files in the root of some directories =======

2015-01-01 14:36 - 2015-01-01 14:36 - 0000144 _____ () C:\Documents and Settings\Administrator.BIGBANG\Local Settings\Application Data\fusioncache.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe
[2015-01-01 15:45] - [2007-02-17 02:58] - 1053184 ____A (Microsoft Corporation) A26C39540F8BE3729846E360E2C57344

C:\WINDOWS\system32\winlogon.exe
[2015-01-01 15:45] - [2007-02-17 04:09] - 0528384 ____A (Microsoft Corporation) B4AA8AE0F18E5DFCF99A671A181D3EDC

C:\WINDOWS\system32\svchost.exe
[2015-01-01 15:45] - [2007-02-17 04:04] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682

C:\WINDOWS\system32\services.exe
[2015-01-01 04:38] - [2009-02-03 05:07] - 0113152 ____A (Microsoft Corporation) CF500580CDD83B145646A4DCFCE1CF3C

C:\WINDOWS\system32\User32.dll
[2015-01-03 09:55] - [2007-03-02 00:38] - 0583680 ____A (Microsoft Corporation) 1959150096B010BA953A78B0D6B0B4E4

C:\WINDOWS\system32\userinit.exe
[2015-01-01 04:39] - [2007-02-17 04:07] - 0026112 ____A (Microsoft Corporation) B5FEB3B971A8B8C81CE9DE65031A87E5

C:\WINDOWS\system32\rpcss.dll
[2015-01-03 09:53] - [2009-02-09 05:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE

C:\WINDOWS\system32\dnsapi.dll
[2011-03-03 01:06] - [2011-03-03 01:06] - 0161792 ____A (Microsoft Corporation) 91D67B7EA55438518AACA99B89DA8D78

C:\WINDOWS\system32\Drivers\volsnap.sys
[2015-01-01 04:39] - [2012-08-21 06:56] - 0153600 ____A (Microsoft Corporation) 701D86EC9D221F68C8528CC47D3958E6

C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION


ATTENTION: ==> Could not access BCD.

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by  (2016-02-16 08:33:05)
Running from C:\Documents and Settings\Administrator.BIGBANG\Desktop
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) (2015-01-01 16:57:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 17.1.1 - Hewlett-Packard) Hidden
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.306 - Adobe Systems Incorporated)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.24.3-060405a-041210C-Dell - )
BPD_Scan (Version: 3.00.0000 - Hewlett-Packard) Hidden
BPDSoftware (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Enterprise (Version: 50.0.165.000 - Hewlett-Packard) Hidden
Foxit Creator (HKLM\...\Foxit Creator) (Version: 3,1,0,1210 - Foxit Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 48.0.2564.109 - Google Inc.)
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HP Officejet J5700 AiO Series Corporate Edition 8.0 (HKLM\...\{8AFE6E90-060E-4774-861B-2408299A357C}) (Version: 1.0 - HP)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 1.1 -- Device Update 4.0 (HKLM\...\{A34AC564-B4A3-4D45-B969-403BC39F0E6A}) (Version: 1.1.4322 - Microsoft Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Exchange (HKLM\...\9161A261-6ABE-4668-BBFA-AD06B3F642CF) (Version:  - Microsoft Corporation)
Mozilla Firefox 26.0 (x86 en-US) (HKLM\...\Mozilla Firefox 26.0 (x86 en-US)) (Version: 26.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 26.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB2957482) (HKLM\...\{87741E76-9D88-49FD-9C7C-14E2B37EB065}) (Version: 6.20.2017.0 - Microsoft Corporation)
No-IP DUC (HKLM\...\NoIPDUC) (Version: 4.1.1 - Vitalwerks Internet Solutions LLC)
QuickBooks (Version: 24.0.4004.2403 - Intuit Inc.) Hidden
QuickBooks Pro 2014 (HKLM\...\{4A21D17E-2FE8-42CD-88B7-ACF8E8860834}) (Version: 24.0.4004.2403 - Intuit Inc.)
Recover My Files (HKLM\...\Recover My Files v5_is1) (Version: 5.2.1.1903 - GetData Pty Ltd)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Server 2003 Service Pack 2 (HKLM\...\Windows Server 2003 Service Pack) (Version: 20070217.021455 - Microsoft Corporation)
Windows Support Tools (HKLM\...\{F07F0BCD-5C6D-4499-9F05-6ED747078A72}) (Version: 5.2.3790.1830 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{CBEF1FB5-78FF-4B14-9B0F-275493FB589C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DA654E0C-E75D-4507-8AC2-71698C5B5C93}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2014\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-273214551-2702688601-832094456-500_Classes\CLSID\{FB359C2A-6927-4AD7-8F1B-B6472CA7CDE7}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{97A271E6-CF4F-4DEE-BA1F-93138D7B20BD}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-01-01 04:37 - 2006-03-22 01:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-273214551-2702688601-832094456-1144\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-21-273214551-2702688601-832094456-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.9.254 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

ATTENTION: System Restore is disabled
Could not list restore points
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Could not start eventlog service, could not read events.

System error 1115 has occurred.

A system shutdown is in progress.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU 5160 @ 3.00GHz
Percentage of memory in use: 17%
Total physical RAM: 4094.98 MB
Available physical RAM: 3388.52 MB
Total Virtual: 5973.68 MB
Available Virtual: 5551.74 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:278.82 GB) (Free:258.11 GB) NTFS
Drive d: (DATA) (Fixed) (Total:836.62 GB) (Free:541.39 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 278.9 GB) (Disk ID: 54A39D80)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=278.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 836.6 GB) (Disk ID: 7934D7D9)
Partition 1: (Not Active) - (Size=836.6 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#11 Oh My! (Malware Response Instructor)

Posted 16 February 2016 - 04:41 PM

Can you tell me if you have used any tool or taken any non-traditional steps to either recover or reset any passwords?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 txbigden1 (Topic Starter)

Posted 16 February 2016 - 07:13 PM

No, I absolutely haven't. I have only used AD Users and Computers or Ctrl-Alt-Delete on my laptop to change passwords.



#13 Oh My! (Malware Response Instructor)

Posted 16 February 2016 - 07:39 PM

OK, let me explain.

There are some abnormalities causing me concern. Not panic at this point but it should make us very uncomfortable.

When I asked about the below entry it was because this is a means by which you can reset a forgotten password. It could also be used to reset an unknown password:

IFEO\sethc.exe: [Debugger] cmd.exe

-----

Another entry that caught my attention was included in the "Fixlist" but rather than fixing that particular item I wanted to see the contents of the folder. The contents are as described below:
 

========================= Folder: C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip ========================

2016-02-11 20:39 - 2016-02-11 20:39 - 0000000 ____D () C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32
2015-07-21 16:04 - 2016-02-11 20:39 - 0000077 ____R () C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\m.bat
2013-07-19 23:11 - 2016-02-11 20:39 - 0030080 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimidrv.sys
2015-07-19 23:11 - 2016-02-11 20:39 - 0263168 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimikatz.exe
2015-07-19 23:10 - 2016-02-11 20:39 - 0024576 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimilib.dll
2015-07-19 23:10 - 2016-02-11 20:39 - 0024064 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimilove.exe


Part of what really concerns me is mimidrv.sys. Below are 2 links to malware analysis of the file.

https://www.herdprotect.com/mimidrv.sys-cf9baf57e16b73d7a4a99dd0c092870deba1a997.aspx
https://www.virustotal.com/en/file/f26c43ebc7c710855c5ea2c659f5ffdd028d2e27f11a398c2603b751e7214b36/analysis/

-----

Finally, I had initially requested that you upload a suspicious file (you attached it and that is why I wanted to delete it). That was a particular file of interest that is currently being evaluated.

-----

As a result of all of this I would recommend you disconnect from the internet immediately and check for abnormalities in banking accounts, social media accounts, or any other activities that require a password. Whether or not you detect any, I think it would be prudent to change all of your passwords from a clean computer.

-----

I am going to send you a Personal Message with additional information. Please let me know if you detect any password related abnormalities.
Gary

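The two indicators Gary singles out above, an IFEO Debugger value on sethc.exe and mimikatz components in a user's Temp folder, are the kind of thing worth checking mechanically on any FRST log. The following is an added example, not part of this thread and not Farbar's code: a Python triage script that parses FRST-style lines and flags a Debugger on any logon-screen accessibility binary (not only sethc.exe), files whose name or version string points at mimikatz, and kernel drivers staged under a Temp directory. The list of accessibility binaries, the marker strings and the sample lines are assumptions of this example; the sample lines are constructed to mirror the entries quoted in this thread.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for the indicators raised in
this thread: an Image File Execution Options debugger on an accessibility binary
(the sethc.exe "sticky keys" backdoor) and mimikatz components on disk.

Assumptions of this example (not part of FRST or the thread): the set of
accessibility binaries, the mimikatz marker strings, and the sample log lines,
which are constructed to mirror the entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Accessibility binaries that Windows launches from the logon screen; a Debugger
# value on any of them gives SYSTEM-level code execution without a password.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# File names and version-resource strings that identify mimikatz builds.
CREDENTIAL_TOOL_MARKERS = ("mimikatz", "mimidrv", "mimilib", "mimilove", "gentilkiwi")

# FRST registry line, e.g. "IFEO\sethc.exe: [Debugger] cmd.exe"
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+)$")

# FRST file line: "<created> - <modified> - <size> <attrs> [(<company>)] <path>".
# The company field may itself contain parentheses, as in
# "(gentilkiwi (Benjamin DELPY))", so it is matched lazily up to ") " + a drive spec.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) "
    r"(?:\((?P<company>.*?)\) (?=[A-Za-z]:\\))?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "ifeo_backdoor", "ifeo_debugger", "credential_tool", "driver_in_temp"
    detail: str  # "image -> debugger" for IFEO hits, otherwise the flagged path


def triage_frst(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious FRST line, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()

        m = IFEO_RE.match(line)
        if m:
            image = m.group("image").strip().lower()
            detail = f"{image} -> {m.group('debugger').strip()}"
            kind = "ifeo_backdoor" if image in ACCESSIBILITY_BINARIES else "ifeo_debugger"
            findings.append(Finding(kind, detail))
            continue

        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        haystack = f"{path} {m.group('company') or ''}".lower()
        if any(marker in haystack for marker in CREDENTIAL_TOOL_MARKERS):
            findings.append(Finding("credential_tool", path))
        elif path.lower().endswith(".sys") and "\\temp\\" in path.lower():
            # A kernel driver staged under a user's Temp directory is never normal.
            findings.append(Finding("driver_in_temp", path))
    return findings


# Constructed sample mirroring the FRST entries quoted in this thread.
SAMPLE_LOG = [
    r"IFEO\sethc.exe: [Debugger] cmd.exe",
    r"2016-02-07 10:59 - 2016-02-09 20:11 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys",
    r"2015-07-21 16:04 - 2016-02-11 20:39 - 0000077 ____R () C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\m.bat",
    r"2013-07-19 23:11 - 2016-02-11 20:39 - 0030080 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimidrv.sys",
    r"2015-07-19 23:11 - 2016-02-11 20:39 - 0263168 ____R (gentilkiwi (Benjamin DELPY)) C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip\x32\mimikatz.exe",
    r"2016-02-16 08:32 - 2015-09-20 12:57 - 00014514 _____ C:\Documents and Settings\Administrator.BIGBANG\Desktop\FRST.txt",
]

if __name__ == "__main__":
    for f in triage_frst(SAMPLE_LOG):
        print(f"{f.kind:16} {f.detail}")
```

Run against a saved FRST.txt by passing `open("FRST.txt", encoding="utf-8", errors="replace")` to `triage_frst`. The IFEO check is deliberately broader than the thread's single sethc.exe hit because the same Debugger trick works for every binary the logon screen can launch; a Debugger on a non-accessibility image is still reported, at lower severity, since legitimate software rarely sets one.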
#14 txbigden1 (Topic Starter)

Posted 16 February 2016 - 08:00 PM

Should I clear off all those temp files?



#15 Oh My! (Malware Response Instructor)

Posted 16 February 2016 - 09:28 PM

These are our next steps please.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
closeprocesses:
C:\Documents and Settings\dennis\Local Settings\Temp\Temporary Directory 1 for x32.zip
URLSearchHook: [S-1-5-21-273214551-2702688601-832094456-1144] ATTENTION => Default URLSearchHook is missing
Winsock: Catalog5 03 %SystemRoot%\system32\NLAapi.dll No File
2016-02-15 16:44 - 2016-02-15 16:44 - 00000989 _____ C:\WINDOWS\TEMPcoral.zip
2016-01-19 02:53 - 2016-01-19 02:53 - 00017408 _____ (PremiumSoft CyberTech Ltd.) C:\WINDOWS\vmdns.dll
2016-01-19 02:53 - 2007-02-17 02:58 - 01053184 _____ (Microsoft Corporation) C:\WINDOWS\VMdns
emptytemp:
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • FSS.txt

Gary
