srock

Avenger file issues


Like others, I have a machine that has this annoying Avenger file that I can't get rid of, yet it keeps growing, and I have MULTIPLE instances of dllhost.exe running on the machine. MBAM wasn't able to clean it, HijackThis didn't show it to me either. I've just pulled down MBAR and ComboFix but haven't run more than a scan with MBAR yet. Any assistance would be appreciated.


Hi :) Don't use ComboFix unless instructed.

 


My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, also sometimes real life gets in the way, please be patient.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Paste the logs in your posts, attachments make my work harder and more complicated.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.


Scan with Malwarebytes' Anti-Malware

Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.

  • First of all select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each one. Only one will run - this is the right one. Please keep it and delete the other.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • When the tool opens click Yes to disclaimer.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.


Awaiting MBAM, but you've got a Poweliks infection.

DON'T ATTACH LOGS!
Post them directly as a plain text.


MBAM keeps crashing when trying to export the log or when trying to copy to clipboard... I can't get the log from it.

 

It found the Poweliks rootkit each time I've run it and, even though it says it's removing it, it keeps coming right back.


Delete your copy of ComboFix.


Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!


Pasting ComboFix log... Also noticed that the dllhost.exe files are not restarting and the Avenger file is currently gone.

 

ComboFix 14-08-26.02 - admin 08/26/2014  12:58:28.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3045.2490 [GMT -5:00]
Running from: c:\documents and settings\administrator.MOM\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\LOG9E.tmp
C:\LOG9F.tmp
c:\windows\system32\msxml3.tmp
c:\windows\system32\msxml3a.tmp
c:\windows\system32\msxml3r.tmp
c:\windows\system32\Thumbs.db
.
.
CLSID={73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} - infected with Poweliks and removed.
.
(((((((((((((((((((((((((   Files Created from 2014-07-26 to 2014-08-26  )))))))))))))))))))))))))))))))
.
.
2014-08-26 16:57 . 2014-08-26 17:05 -------- d-----w- C:\FRST
2014-08-26 16:28 . 2014-08-26 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 16:13 . 2014-08-26 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-08-26 13:59 . 2014-08-26 17:37 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-26 13:58 . 2014-08-26 16:25 54232 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-26 13:58 . 2014-08-26 13:58 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-08-26 13:58 . 2014-08-26 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-08-26 13:58 . 2014-05-12 12:25 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-08-26 13:50 . 2014-08-26 14:48 -------- d-----w- c:\documents and settings\ashryock
2014-08-21 20:30 . 2014-08-21 20:30 -------- d-----w- c:\windows\system32\cos
2014-08-21 20:29 . 2014-08-21 20:29 -------- d-----w- c:\windows\system32\winrm
2014-08-21 20:28 . 2014-08-21 20:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2014-08-03 09:53 . 2014-08-03 09:53 188304 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 03:05 . 2012-09-17 13:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-09 03:05 . 2012-03-01 16:43 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 03:05 . 2014-07-09 03:05 10603008 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2014-07-07 03:40 . 2012-12-05 23:41 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-05-08 16:43 . 2012-06-27 13:28 3145728 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-05-08 16:43 . 2012-06-27 13:28 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-05-08 16:43 . 2012-06-27 13:28 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-05-08 16:43 . 2012-06-27 13:28 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-04-22 1040384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-13 14901248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-11-12 115624]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-13761\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-1786\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-4779\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-6915\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\1\0]
"Script"=ncell_login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent]
2010-04-07 16:12 85528 ----a-w- c:\windows\system32\DWRCST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2010-02-25 23:19 287800 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 6:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2014 2:37 AM 109872]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [8/26/2014 8:59 AM 110296]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [3/1/2012 11:47 AM 17968]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [3/1/2012 10:55 AM 540288]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/12/2012 3:37 PM 23960]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/1/2012 10:56 AM 44800]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/1/2012 10:53 AM 49152]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [3/1/2012 11:45 AM 227896]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - mbamchameleon
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-17 03:05]
.
2014-08-26 c:\windows\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-26 13:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1307642725-1888648419-1563503735-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-08-26  13:09:50
ComboFix-quarantined-files.txt  2014-08-26 18:09
.
Pre-Run: 41,842,290,688 bytes free
Post-Run: 35,644,215,296 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - C55AFB3097CAC0D09D76E8CF7D871C38
A36C5E4F47E84449FF07ED3517B43A31
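The ComboFix log above reports the CLSID {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} as "infected with Poweliks and removed", while the FRST log later in the thread still flags the same key's LocalServer32 value, whose data begins with the Windows Script Encoder marker #@~^ and runs to tens of thousands of characters, plus a subkey whose name cannot be typed into regedit. The Python script below is an added example, not part of this thread and not code from Malwarebytes, ComboFix or FRST: it scans log lines in the FRST/ComboFix style for exactly those indicators (encoded script where a COM server path should be, a LocalServer32 value that is not a path at all, oversized inline data, an InvalidSubkeyName entry, and a cleaner's removal report), groups hits by CLSID, and reports any CLSID that a cleaner claimed to remove but a later scan still shows as live. The sample log lines are constructed, modelled on the output quoted in this thread with the encoded payload cut short; the 4096-character threshold and the exact line formats the regexes accept are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefix emitted by the Windows Script Encoder (JScript.Encode / VBScript.Encode).
# A CLSID's LocalServer32 default value is supposed to name a COM server binary,
# so data that starts with this marker is script being loaded through COM.
SCRIPT_ENCODE_MARKER = "#@~^"

# Inline registry data at or above this size is treated as a payload container
# rather than a path. The threshold is an assumption chosen for this example.
LARGE_VALUE_THRESHOLD = 4096

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-([0-9A-Fa-f]{12})\}")
TAIL_RE = re.compile(r"([0-9A-Fa-f]{12})\}\\LocalServer32")  # FRST abbreviates the key
LOCALSERVER_RE = re.compile(r"\\LocalServer32:\s*\[[^\]]*\]\s*(?P<data>.*)$")
MORE_CHARS_RE = re.compile(r"\(the data entry has (\d+) more characters\)")
INVALID_SUBKEY_RE = re.compile(r"^InvalidSubkeyName:\s*\[")
REMOVED_RE = re.compile(r"^CLSID=\{[^}]+\} - infected with \w+ and removed")
PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

# Constructed sample, modelled on the ComboFix and FRST output quoted in this
# thread; the encoded payload is cut short and the benign control lines are made up.
SAMPLE_LOG = r"""
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk (the data entry has 32372 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
CLSID={73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} - infected with Poweliks and removed.
HKLM\...\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32: [] "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe"
"""


@dataclass
class Finding:
    rule: str
    clsid_tail: Optional[str]  # last 12 hex digits of the GUID, the part FRST always prints
    line: str


def clsid_tail(text: str) -> Optional[str]:
    """Return the GUID tail from a full GUID or from FRST's abbreviated key form."""
    m = GUID_RE.search(text) or TAIL_RE.search(text)
    return m.group(1).upper() if m else None


def scan_line(raw: str) -> List[Finding]:
    """Apply every indicator rule to one log line; a line may trigger several."""
    line = raw.strip()
    tail = clsid_tail(line)
    out: List[Finding] = []
    m = LOCALSERVER_RE.search(line)
    if m:
        data = m.group("data").strip()
        if data.startswith(SCRIPT_ENCODE_MARKER):
            out.append(Finding("localserver32_encoded_script", tail, line))
        elif not PATH_RE.match(data):
            out.append(Finding("localserver32_not_a_path", tail, line))
        more = MORE_CHARS_RE.search(data)
        if more and int(more.group(1)) >= LARGE_VALUE_THRESHOLD:
            out.append(Finding("localserver32_oversized_data", tail, line))
    if INVALID_SUBKEY_RE.match(line):
        out.append(Finding("invalid_subkey_name", tail, line))
    if REMOVED_RE.match(line):
        out.append(Finding("cleaner_reported_removed", tail, line))
    return out


def scan_text(text: str) -> List[Finding]:
    return [f for raw in text.splitlines() if raw.strip() for f in scan_line(raw)]


def suspicious_clsids(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group rule hits by CLSID tail, in the order the lines were seen."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        if f.clsid_tail:
            grouped.setdefault(f.clsid_tail, []).append(f.rule)
    return grouped


def still_present_after_cleanup(findings: List[Finding]) -> List[str]:
    """CLSIDs that a cleaner reported removed but that also trip a live-indicator rule."""
    return sorted(
        tail for tail, rules in suspicious_clsids(findings).items()
        if "cleaner_reported_removed" in rules
        and any(r != "cleaner_reported_removed" for r in rules)
    )


if __name__ == "__main__":
    hits = scan_text(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:32} {f.clsid_tail or '-':14} {f.line[:70]}")
    print("reported removed but still live:", still_present_after_cleanup(hits))
```

Feed it the ComboFix log and the later FRST log together (for example, concatenated into one file) and a CLSID that appears in both a removal report and a live-indicator hit is the one to chase; a LocalServer32 value that holds anything other than a path to an executable is worth a look even without the encoder marker.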
 


Looks better.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Finally back at the location of the machine. Pasting the reports now.

 

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by administrator (administrator) on MOM1393 on 28-08-2014 08:34:09
Running from C:\Documents and Settings\administrator.MOM\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(DameWare Development LLC) C:\WINDOWS\system32\DWRCS.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\CcmExec.exe
(DameWare Development) C:\WINDOWS\system32\DWRCST.EXE
(Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
(Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\system32\DWRCST.exe [85528 2010-04-07] (DameWare Development)
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMConfigurePrograms] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://deere.webex.com/client/WBXclient-T27L10NSP32EP18-15463/webex/ieatgpc.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-31]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-09-13]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 DWMRCS; C:\WINDOWS\SYSTEM32\DWRCS.EXE [246120 2010-07-02] (DameWare Development LLC) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-09-13] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2012-03-07] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2010-01-13] (NVIDIA Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1935040 2012-11-12] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-11-12] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1860000 2012-11-12] (Symantec Corporation)
R2 Wuser32; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [241664 2004-07-23] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2012-11-12] (Symantec Corporation)
R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-07-06] (Symantec Corporation)
R3 idisw2km; C:\WINDOWS\System32\DRIVERS\idisw2km.sys [2112 2004-06-27] (Microsoft Corporation)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
R3 kbstuff; C:\WINDOWS\System32\DRIVERS\kbstuff5.sys [4864 2004-06-27] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
S3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [57248 2009-08-21] (NVIDIA Corporation)
S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [13824 2004-06-27] (Microsoft Corporation) [File not signed]
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [48128 2006-03-12] (SMSC)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-11-12] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2012-11-12] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2012-11-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2012-11-12] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-12-05] (Symantec Corporation)
R0 Symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [39760 2008-06-02] (LSI Logic)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26488 2012-11-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188152 2012-11-12] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99232 2012-11-12] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2012-11-12] (Symantec Corporation)
R3 tpm; C:\WINDOWS\System32\DRIVERS\tpm.sys [13824 2008-06-20] (Intel Corporation)
R0 vmscsi; C:\WINDOWS\System32\DRIVERS\vmscsi.sys [17968 2009-10-22] (VMware, Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [45472 2012-11-12] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2014-07-06] (Symantec Corporation)
S3 catchme; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
U1 RCHelp; No ImagePath
S3 StarOpen; No ImagePath
U4 WinDefend; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:50 - 2014-08-28 03:58 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:50 - 2014-04-16 01:18 - 00026624 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-28 03:50 - 2010-04-23 04:16 - 00000292 _____ () C:\Documents and Settings\jremilla\Desktop\M drive.lnk
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 10:26 - 2014-08-27 10:51 - 00006132 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 00:59 - 2014-08-28 03:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-27 00:59 - 2014-08-28 03:58 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Temp
2014-08-27 00:59 - 2014-08-27 01:00 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-27 00:59 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\hpqLog
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Macromedia
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Sun
2014-08-27 00:59 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Remote Assistance.lnk
2014-08-26 13:16 - 2012-06-27 12:42 - 01129472 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3.tmp
2014-08-26 13:16 - 2012-06-27 12:42 - 00044032 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3r.tmp
2014-08-26 13:16 - 2012-06-27 12:42 - 00024576 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml3a.tmp
2014-08-26 13:09 - 2014-08-27 15:02 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-26 13:09 - 2014-08-27 10:50 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 14:00 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00011064 _____ () C:\ComboFix.txt
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2014-08-26 10:13 - 00000211 _____ () C:\Boot.bak
2014-08-26 12:56 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-08-26 12:52 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-08-26 12:52 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-08-26 12:52 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-08-26 12:50 - 2014-08-26 13:09 - 00000000 ____D () C:\Qoobox
2014-08-26 12:49 - 2014-08-26 13:08 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 12:49 - 2014-08-26 12:49 - 05574195 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-26 12:04 - 2014-08-26 12:05 - 00023269 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:57 - 2014-08-28 08:34 - 00012140 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-26 11:57 - 2014-08-28 08:34 - 00000000 ____D () C:\FRST
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:28 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:25 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:56 - 2014-08-26 08:57 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:50 - 2014-08-26 14:00 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 08:50 - 2014-08-26 09:48 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 08:50 - 2014-08-26 08:51 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:50 - 2014-08-26 08:51 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:50 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\hpqLog
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Macromedia
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Sun
2014-08-26 08:50 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Remote Assistance.lnk
2014-08-21 15:31 - 2014-08-26 11:15 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-26 13:12 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-21 15:29 - 2014-08-21 15:39 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:28 - 2014-08-21 15:29 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-28 08:34 - 2014-08-26 11:57 - 00012140 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-28 08:34 - 2014-08-26 11:57 - 00000000 ____D () C:\FRST
2014-08-28 08:34 - 2013-07-24 21:19 - 00000428 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
2014-08-28 08:34 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Temp
2014-08-28 08:33 - 2012-05-31 11:39 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-08-28 08:33 - 2012-03-01 10:23 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2014-08-28 08:01 - 2012-09-17 08:29 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-08-28 06:48 - 2012-03-01 11:14 - 01876168 _____ () C:\WINDOWS\WindowsUpdate.log
2014-08-28 06:01 - 2012-03-01 11:20 - 00032568 _____ () C:\WINDOWS\SchedLgU.Txt
2014-08-28 03:59 - 2014-08-27 00:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-28 03:58 - 2014-08-28 03:50 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:58 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Temp
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-28 01:04 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\security
2014-08-28 00:58 - 2012-03-01 11:50 - 00000454 _____ () C:\WINDOWS\smscfg.ini
2014-08-28 00:58 - 2012-03-01 03:10 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-08-28 00:58 - 2012-03-01 03:10 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-08-28 00:57 - 2012-03-01 11:21 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-08-27 15:03 - 2012-10-12 06:03 - 00000000 ____D () C:\Documents and Settings\bgiese\SapWorkDir
2014-08-27 15:03 - 2012-10-12 06:01 - 00000278 ___SH () C:\Documents and Settings\bgiese\ntuser.ini
2014-08-27 15:02 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-27 12:25 - 2012-10-12 06:01 - 00004202 __RSH () C:\Documents and Settings\bgiese\ntuser.pol
2014-08-27 12:25 - 2012-10-12 06:01 - 00000000 ____D () C:\Documents and Settings\bgiese
2014-08-27 10:51 - 2014-08-27 10:26 - 00006132 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-27 10:51 - 2012-07-31 12:27 - 00000000 ___HD () C:\WINDOWS\system32\dwrcssft
2014-08-27 10:50 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-27 10:50 - 2012-05-31 11:36 - 00000178 ___SH () C:\Documents and Settings\admin\ntuser.ini
2014-08-27 10:34 - 2012-05-31 11:41 - 00000178 ___SH () C:\Documents and Settings\administrator.MOM\ntuser.ini
2014-08-27 01:25 - 2012-05-31 12:57 - 00000376 _____ () C:\WINDOWS\ODBC.INI
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 01:00 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-26 15:18 - 2013-08-07 08:44 - 00000345 _____ () C:\Documents and Settings\bgiese\Desktop\SAP xMII Login Page.url
2014-08-26 14:00 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-26 14:00 - 2014-08-26 08:50 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 13:16 - 2012-06-27 12:42 - 00000000 ____D () C:\WINDOWS\system32\VPCache
2014-08-26 13:12 - 2014-08-21 15:29 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-26 13:12 - 2012-05-31 11:36 - 00000000 ____D () C:\Documents and Settings\admin
2014-08-26 13:09 - 2014-08-26 13:09 - 00011064 _____ () C:\ComboFix.txt
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 13:09 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-26 13:09 - 2014-08-26 12:50 - 00000000 ____D () C:\Qoobox
2014-08-26 13:08 - 2014-08-26 12:49 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 13:07 - 2012-03-01 10:23 - 00000227 _____ () C:\WINDOWS\system.ini
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2012-03-01 10:25 - 00000327 __RSH () C:\boot.ini
2014-08-26 12:49 - 2014-08-26 12:49 - 05574195 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-26 12:26 - 2012-10-10 14:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661254-v2$
2014-08-26 12:25 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM
2014-08-26 12:05 - 2014-08-26 12:04 - 00023269 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:56 - 2014-08-26 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:56 - 2014-08-26 11:25 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 11:19 - 2012-09-19 11:29 - 00000000 ____D () C:\temp
2014-08-26 11:15 - 2014-08-21 15:31 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 10:13 - 2014-08-26 12:56 - 00000211 _____ () C:\Boot.bak
2014-08-26 10:13 - 2012-03-01 10:23 - 00000573 _____ () C:\WINDOWS\win.ini
2014-08-26 09:54 - 2012-05-31 11:41 - 00004172 __RSH () C:\Documents and Settings\administrator.MOM\ntuser.pol
2014-08-26 09:49 - 2013-07-11 10:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2803821_WM9$
2014-08-26 09:48 - 2014-08-26 08:50 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 09:14 - 2012-05-03 18:24 - 00338175 _____ () C:\WINDOWS\setupapi.log
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:57 - 2014-08-26 08:56 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:51 - 2014-08-26 08:50 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:51 - 2014-08-26 08:50 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:51 - 2012-03-01 11:12 - 00005374 _____ () C:\WINDOWS\wmsetup.log
2014-08-26 06:13 - 2012-05-31 11:40 - 00000000 __SHD () C:\WINDOWS\CSC
2014-08-21 15:39 - 2014-08-21 15:29 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:29 - 2014-08-21 15:28 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:29 - 2012-06-27 08:40 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-08-21 15:29 - 2012-05-03 17:56 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-21 15:29 - 2012-03-01 11:11 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-08-21 15:29 - 2012-03-01 03:02 - 01451750 _____ () C:\WINDOWS\iis6.log
2014-08-21 15:29 - 2012-03-01 03:02 - 01322996 _____ () C:\WINDOWS\FaxSetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00644304 _____ () C:\WINDOWS\ocgen.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00614130 _____ () C:\WINDOWS\tsoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00447256 _____ () C:\WINDOWS\comsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00410130 _____ () C:\WINDOWS\msmqinst.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00270133 _____ () C:\WINDOWS\ntdtcsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00232895 _____ () C:\WINDOWS\netfxocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00091881 _____ () C:\WINDOWS\MedCtrOC.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00072832 _____ () C:\WINDOWS\ocmsn.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00067708 _____ () C:\WINDOWS\tabletoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00066537 _____ () C:\WINDOWS\msgsocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-08-21 15:29 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\Help
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-21 08:10 - 2012-10-15 08:52 - 00025088 _____ () C:\Documents and Settings\bgiese\Desktop\Shortcut to Form Training 1 Metalcraft Training Form.lnk.xls
2014-08-18 16:17 - 2012-03-01 03:02 - 00272634 _____ () C:\WINDOWS\setupact.log
2014-08-15 23:20 - 2012-12-05 15:53 - 00001716 ____H () C:\Documents and Settings\administrator.MOM\My Documents\Default.rdp
2014-08-15 20:32 - 2012-05-31 11:41 - 00000000 ___RD () C:\Documents and Settings\administrator.MOM\Start Menu\Programs\Accessories

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


Addition.txt:


Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by administrator at 2014-08-28 08:34:43
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.7.0.19530 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
HP 3D DriveGuard (HKLM\...\{429E92A4-159F-4AEC-85A1-D693E1E4274D}) (Version: 1.00 A4 - )
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 6.14.10.5218 - Intel Corporation)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.115 - Symantec Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Visio Viewer 2003 (English) (HKLM\...\{90520409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3709.5614 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005(x86) (HKLM\...\{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}) (Version: 1.0.0.0 - SAP)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 6.14.10.00 - NVIDIA Corporation)
Prizm Viewer 7.1.0 (HKLM\...\InstallShield_{E4ABB278-16B0-40CA-9D04-DF6B41C06527}) (Version: 7.1.0 - TMSSequoia)
Prizm Viewer 7.1.0 (Version: 7.1.0 - TMSSequoia) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
RICOH Media Driver (HKLM\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.10.00.04 - RICOH)
SAP GUI 7.10 (HKLM\...\SAPGUI710) (Version: 7.10 Compilation 3 - SAP AG)
SMS Advanced Client (Version: 2.50.3174.1018 - Microsoft Corporation) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}) (Version: 11.0.7200.1147 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
ViewStation 4.0(5) (HKLM\...\{41EBD225-1F12-455F-BC2F-72982FC9FB17}) (Version: 4.00.5000 - COMSA GmbH)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points  =========================

31-05-2014 05:03:43 System Checkpoint
01-06-2014 06:24:54 System Checkpoint
02-06-2014 07:03:45 System Checkpoint
03-06-2014 08:03:48 System Checkpoint
04-06-2014 09:03:50 System Checkpoint
05-06-2014 10:03:51 System Checkpoint
06-06-2014 11:25:05 System Checkpoint
07-06-2014 12:33:39 System Checkpoint
08-06-2014 13:25:11 System Checkpoint
09-06-2014 14:25:13 System Checkpoint
10-06-2014 15:32:53 System Checkpoint
11-06-2014 16:26:22 System Checkpoint
12-06-2014 16:37:06 System Checkpoint
13-06-2014 18:03:38 System Checkpoint
14-06-2014 18:25:22 System Checkpoint
15-06-2014 19:25:23 System Checkpoint
16-06-2014 19:46:43 System Checkpoint
17-06-2014 20:26:32 System Checkpoint
18-06-2014 20:33:26 System Checkpoint
19-06-2014 21:24:20 System Checkpoint
20-06-2014 21:25:31 System Checkpoint
21-06-2014 22:25:33 System Checkpoint
22-06-2014 23:25:34 System Checkpoint
24-06-2014 00:25:36 System Checkpoint
25-06-2014 01:24:19 System Checkpoint
26-06-2014 01:25:39 System Checkpoint
27-06-2014 02:25:42 System Checkpoint
28-06-2014 03:25:43 System Checkpoint
29-06-2014 04:25:44 System Checkpoint
30-06-2014 05:25:47 System Checkpoint
01-07-2014 06:26:53 System Checkpoint
02-07-2014 07:25:49 System Checkpoint
07-07-2014 01:15:46 System Checkpoint
08-07-2014 01:59:37 System Checkpoint
09-07-2014 02:59:39 System Checkpoint
10-07-2014 02:59:45 System Checkpoint
11-07-2014 03:59:47 System Checkpoint
12-07-2014 04:59:49 System Checkpoint
13-07-2014 06:25:11 System Checkpoint
14-07-2014 06:25:51 System Checkpoint
15-07-2014 06:59:55 System Checkpoint
16-07-2014 07:59:57 System Checkpoint
17-07-2014 08:59:58 System Checkpoint
18-07-2014 10:00:00 System Checkpoint
19-07-2014 11:00:02 System Checkpoint
20-07-2014 12:00:03 System Checkpoint
21-07-2014 12:14:16 System Checkpoint
22-07-2014 12:27:05 System Checkpoint
23-07-2014 13:00:08 System Checkpoint
24-07-2014 13:01:57 System Checkpoint
25-07-2014 14:00:11 System Checkpoint
26-07-2014 15:00:12 System Checkpoint
27-07-2014 16:00:14 System Checkpoint
28-07-2014 16:34:03 System Checkpoint
29-07-2014 17:53:41 System Checkpoint
30-07-2014 17:56:13 System Checkpoint
31-07-2014 17:57:45 System Checkpoint
01-08-2014 17:57:58 System Checkpoint
02-08-2014 18:00:22 System Checkpoint
03-08-2014 19:00:24 System Checkpoint
04-08-2014 19:05:54 System Checkpoint
05-08-2014 20:00:27 System Checkpoint
06-08-2014 20:12:01 System Checkpoint
07-08-2014 21:00:31 System Checkpoint
08-08-2014 21:08:36 System Checkpoint
09-08-2014 22:00:34 System Checkpoint
10-08-2014 23:00:36 System Checkpoint
12-08-2014 00:00:38 System Checkpoint
13-08-2014 01:03:44 System Checkpoint
14-08-2014 01:59:18 System Checkpoint
15-08-2014 02:00:43 System Checkpoint
16-08-2014 02:01:50 System Checkpoint
17-08-2014 02:59:12 System Checkpoint
18-08-2014 03:09:43 System Checkpoint
19-08-2014 03:20:16 System Checkpoint
20-08-2014 03:34:31 System Checkpoint
21-08-2014 04:34:32 System Checkpoint
21-08-2014 20:28:57 Installed %1 %2.
25-08-2014 07:06:10 System Checkpoint
26-08-2014 08:05:39 System Checkpoint
27-08-2014 09:03:02 System Checkpoint
28-08-2014 09:13:41 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-01 10:23 - 2014-08-26 13:07 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AccelerometerSysTrayApplet => C:\WINDOWS\system32\AccelerometerSt.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\WINDOWS\system32\DWRCST.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 09:59:37 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 01:59:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA "ccm_softwaredistribution"" could not be (re)activated in namespace "//./root/ccm/Policy/S_1_5_21_1307642725_1888648419_1563503735_14236"
because of error 0x80041010. Events may not be delivered through this filter until the
problem is corrected.

Error: (08/26/2014 01:59:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 01:14:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 00:50:45 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: MOM)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\taskmgr.exe (PID 3484)
Time:  Tuesday, August 26, 2014  12:50:45 PM

System errors:
=============
Error: (08/28/2014 00:58:25 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 00:58:18 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/27/2014 02:59:27 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/27/2014 02:59:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/27/2014 00:25:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/27/2014 00:25:24 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/27/2014 00:20:27 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {7E477741-01A6-4C06-9DAC-55F6174C08A3} did not register with DCOM within the required timeout.

Error: (08/27/2014 00:19:57 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {7E477741-01A6-4C06-9DAC-55F6174C08A3} did not register with DCOM within the required timeout.

Error: (08/27/2014 05:59:38 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/27/2014 02:08:58 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Microsoft Office Sessions:
=========================
Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 09:59:37 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 01:59:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/ccm/Policy/S_1_5_21_1307642725_1888648419_1563503735_14236SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA "ccm_softwaredistribution"0x80041010

Error: (08/26/2014 01:59:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 01:14:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 00:50:45 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: MOM)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\taskmgr.exe (PID 3484)
Time:  Tuesday, August 26, 2014  12:50:45 PM

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 23%
Total physical RAM: 3045.23 MB
Available physical RAM: 2324.25 MB
Total Pagefile: 4930.24 MB
Available Pagefile: 4470.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.77 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.53 GB) (Free:56.85 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive m: () (Network) (Total:1536 GB) (Free:186.74 GB)
Drive y: () (Network) (Total:200 GB) (Free:118.94 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: B150A7F9)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

 

 

In addition to all this... I was just told this morning about another machine that is having multiple dllhost.exe *32 processes running. I may need to open another thread for that one.


Yes, start another thread for the second machine. We have a stubborn one here.



Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
    InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
    end

  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of the Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.


After that delete your copy of ComboFix and obtain a fresh one.


Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol), also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!


Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:26-08-2014
Ran by administrator at 2014-08-28 11:11:38 Run:1
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
end
*****************

HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\a => value deleted successfully.
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => Could not delete subkey with invalid name.

==== End of Fixlog ====


Combofixlog:

ComboFix 14-08-28.01 - administrator 08/28/2014  11:22:33.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3045.2321 [GMT -5:00]
Running from: c:\documents and settings\administrator.MOM\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\msxml3.tmp
c:\windows\system32\msxml3a.tmp
c:\windows\system32\msxml3r.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-28 to 2014-08-28  )))))))))))))))))))))))))))))))
.
.
2014-08-28 16:11 . 2014-08-28 16:11 -------- d-----w- c:\documents and settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-27 05:59 . 2014-08-27 06:00 -------- d-----w- c:\documents and settings\jremilla
2014-08-26 16:57 . 2014-08-28 16:11 -------- d-----w- C:\FRST
2014-08-26 16:28 . 2014-08-26 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 16:13 . 2014-08-26 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-08-26 13:58 . 2014-08-26 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-08-26 13:50 . 2014-08-26 14:48 -------- d-----w- c:\documents and settings\ashryock
2014-08-21 20:30 . 2014-08-21 20:30 -------- d-----w- c:\windows\system32\cos
2014-08-21 20:29 . 2014-08-21 20:29 -------- d-----w- c:\windows\system32\winrm
2014-08-21 20:28 . 2014-08-21 20:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2014-08-03 09:53 . 2014-08-03 09:53 188304 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 03:05 . 2012-09-17 13:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-09 03:05 . 2012-03-01 16:43 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 03:05 . 2014-07-09 03:05 10603008 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2014-07-07 03:40 . 2012-12-05 23:41 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-05-08 16:43 . 2012-06-27 13:28 3145728 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-05-08 16:43 . 2012-06-27 13:28 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-05-08 16:43 . 2012-06-27 13:28 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-05-08 16:43 . 2012-06-27 13:28 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-04-22 1040384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-13 14901248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-11-12 115624]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-13761\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-1786\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-4779\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-6915\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\1\0]
"Script"=ncell_login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent]
2010-04-07 16:12 85528 ----a-w- c:\windows\system32\DWRCST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2010-02-25 23:19 287800 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [3/1/2012 11:47 AM 17968]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 6:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2014 2:37 AM 109872]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [3/1/2012 10:55 AM 540288]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/12/2012 3:37 PM 23960]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/1/2012 10:56 AM 44800]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\MBAMSwissArmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/1/2012 10:53 AM 49152]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [3/1/2012 11:45 AM 227896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-17 03:05]
.
2014-08-28 c:\windows\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-28 11:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1307642725-1888648419-1563503735-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\igfxdev.dll
.
Completion time: 2014-08-28  11:28:10
ComboFix-quarantined-files.txt  2014-08-28 16:28
ComboFix2.txt  2014-08-26 18:09
.
Pre-Run: 61,005,119,488 bytes free
Post-Run: 61,052,588,032 bytes free
.
- - End Of File - - F386FBABBF6E35177501B4CB4518FB9E
A36C5E4F47E84449FF07ED3517B43A31
 


This key is quite a stubborn one.



Fix with ComboFix

Let's prepare a Script for ComboFix to mark some things for being deleted.

  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:

    KillAll::
    RegNull::
    [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>]

  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Now drag your CFScript file and drop it onto the ComboFix icon.
  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click Run after receipt of the Windows Security Warning - Open File.
    > Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Here are the results from ComboFix

combofix.txt:

ComboFix 14-08-28.01 - administrator 08/28/2014  15:51:07.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3045.2309 [GMT -5:00]
Running from: c:\documents and settings\administrator.MOM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.MOM\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-28 to 2014-08-28  )))))))))))))))))))))))))))))))
.
.
2014-08-28 16:11 . 2014-08-28 16:11 -------- d-----w- c:\documents and settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-27 05:59 . 2014-08-27 06:00 -------- d-----w- c:\documents and settings\jremilla
2014-08-26 16:57 . 2014-08-28 16:11 -------- d-----w- C:\FRST
2014-08-26 16:28 . 2014-08-26 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 16:13 . 2014-08-26 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-08-26 13:58 . 2014-08-26 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-08-26 13:50 . 2014-08-26 14:48 -------- d-----w- c:\documents and settings\ashryock
2014-08-21 20:30 . 2014-08-21 20:30 -------- d-----w- c:\windows\system32\cos
2014-08-21 20:29 . 2014-08-21 20:29 -------- d-----w- c:\windows\system32\winrm
2014-08-21 20:28 . 2014-08-21 20:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2014-08-03 09:53 . 2014-08-03 09:53 188304 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 03:05 . 2012-09-17 13:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-09 03:05 . 2012-03-01 16:43 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 03:05 . 2014-07-09 03:05 10603008 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2014-07-07 03:40 . 2012-12-05 23:41 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-05-08 16:43 . 2012-06-27 13:28 3145728 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-05-08 16:43 . 2012-06-27 13:28 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-05-08 16:43 . 2012-06-27 13:28 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-05-08 16:43 . 2012-06-27 13:28 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-04-22 1040384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-13 14901248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-11-12 115624]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-13761\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-1786\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-4779\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-6915\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\1\0]
"Script"=ncell_login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent]
2010-04-07 16:12 85528 ----a-w- c:\windows\system32\DWRCST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2010-02-25 23:19 287800 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [3/1/2012 11:47 AM 17968]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 6:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2014 2:37 AM 109872]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [3/1/2012 10:55 AM 540288]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/12/2012 3:37 PM 23960]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/1/2012 10:56 AM 44800]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\MBAMSwissArmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/1/2012 10:53 AM 49152]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [3/1/2012 11:45 AM 227896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-17 03:05]
.
2014-08-28 c:\windows\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-28 16:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1307642725-1888648419-1563503735-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\windows\SYSTEM32\DWRCS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2014-08-28  16:10:36 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-28 21:10
ComboFix2.txt  2014-08-28 16:28
ComboFix3.txt  2014-08-26 18:09
.
Pre-Run: 61,057,540,096 bytes free
Post-Run: 61,057,867,776 bytes free
.
- - End Of File - - D6364220C8A90F095ED91A1B52051152
A36C5E4F47E84449FF07ED3517B43A31

Here are the results from Farbar

FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by administrator (administrator) on MOM1393 on 28-08-2014 16:13:23
Running from C:\Documents and Settings\administrator.MOM\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(DameWare Development LLC) C:\WINDOWS\system32\DWRCS.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\CcmExec.exe
(DameWare Development) C:\WINDOWS\system32\DWRCST.EXE
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\system32\DWRCST.exe [85528 2010-04-07] (DameWare Development)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMConfigurePrograms] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://deere.webex.com/client/WBXclient-T27L10NSP32EP18-15463/webex/ieatgpc.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-31]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-09-13]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 DWMRCS; C:\WINDOWS\SYSTEM32\DWRCS.EXE [246120 2010-07-02] (DameWare Development LLC) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-09-13] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2012-03-07] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2010-01-13] (NVIDIA Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
S4 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1935040 2012-11-12] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-11-12] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1860000 2012-11-12] (Symantec Corporation)
R2 Wuser32; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [241664 2004-07-23] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2012-11-12] (Symantec Corporation)
R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-07-06] (Symantec Corporation)
R3 idisw2km; C:\WINDOWS\System32\DRIVERS\idisw2km.sys [2112 2004-06-27] (Microsoft Corporation)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
R3 kbstuff; C:\WINDOWS\System32\DRIVERS\kbstuff5.sys [4864 2004-06-27] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
S3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [57248 2009-08-21] (NVIDIA Corporation)
S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [13824 2004-06-27] (Microsoft Corporation) [File not signed]
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [48128 2006-03-12] (SMSC)
R3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-11-12] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2012-11-12] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2012-11-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2012-11-12] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-12-05] (Symantec Corporation)
R0 Symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [39760 2008-06-02] (LSI Logic)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26488 2012-11-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188152 2012-11-12] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99232 2012-11-12] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2012-11-12] (Symantec Corporation)
R3 tpm; C:\WINDOWS\System32\DRIVERS\tpm.sys [13824 2008-06-20] (Intel Corporation)
R0 vmscsi; C:\WINDOWS\System32\DRIVERS\vmscsi.sys [17968 2009-10-22] (VMware, Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [45472 2012-11-12] (Symantec Corporation)
S3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2014-07-06] (Symantec Corporation)
R3 catchme; \??\C:\ComboFix\catchme.sys [X]
U2 CertPropSvc; No ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
U1 RCHelp; No ImagePath
S3 StarOpen; No ImagePath
U4 WinDefend; No ImagePath
U3 mbr; \??\C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-28 16:10 - 2014-08-28 16:13 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00010933 _____ () C:\ComboFix.txt
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-28 11:17 - 2014-08-28 11:17 - 05574834 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:50 - 2014-08-28 03:58 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:50 - 2014-04-16 01:18 - 00026624 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-28 03:50 - 2010-04-23 04:16 - 00000292 _____ () C:\Documents and Settings\jremilla\Desktop\M drive.lnk
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 10:26 - 2014-08-28 16:07 - 00010965 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 00:59 - 2014-08-28 03:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-27 00:59 - 2014-08-27 01:00 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-27 00:59 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\hpqLog
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Macromedia
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Sun
2014-08-27 00:59 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Remote Assistance.lnk
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2014-08-26 10:13 - 00000211 _____ () C:\Boot.bak
2014-08-26 12:56 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-08-26 12:52 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-08-26 12:52 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-08-26 12:52 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-08-26 12:50 - 2014-08-28 16:10 - 00000000 ____D () C:\Qoobox
2014-08-26 12:49 - 2014-08-26 13:08 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 12:04 - 2014-08-28 08:34 - 00023098 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:57 - 2014-08-28 16:13 - 00011709 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-26 11:57 - 2014-08-28 16:13 - 00000000 ____D () C:\FRST
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:28 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:25 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:56 - 2014-08-26 08:57 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:50 - 2014-08-26 14:00 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 08:50 - 2014-08-26 09:48 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 08:50 - 2014-08-26 08:51 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:50 - 2014-08-26 08:51 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:50 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\hpqLog
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Macromedia
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Sun
2014-08-26 08:50 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Remote Assistance.lnk
2014-08-21 15:31 - 2014-08-26 11:15 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-26 13:12 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-21 15:29 - 2014-08-21 15:39 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:28 - 2014-08-21 15:29 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-28 16:13 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-28 16:13 - 2014-08-26 11:57 - 00011709 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-28 16:13 - 2014-08-26 11:57 - 00000000 ____D () C:\FRST
2014-08-28 16:10 - 2014-08-28 16:10 - 00010933 _____ () C:\ComboFix.txt
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-28 16:10 - 2014-08-26 12:50 - 00000000 ____D () C:\Qoobox
2014-08-28 16:10 - 2012-03-01 11:14 - 01882178 _____ () C:\WINDOWS\WindowsUpdate.log
2014-08-28 16:09 - 2013-07-24 21:19 - 00000428 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
2014-08-28 16:08 - 2012-03-01 10:23 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2014-08-28 16:08 - 2012-03-01 10:23 - 00000227 _____ () C:\WINDOWS\system.ini
2014-08-28 16:07 - 2014-08-27 10:26 - 00010965 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-28 16:07 - 2012-07-31 12:27 - 00000000 ___HD () C:\WINDOWS\system32\dwrcssft
2014-08-28 16:07 - 2012-05-31 11:39 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-08-28 16:01 - 2012-09-17 08:29 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-08-28 15:55 - 2012-03-01 11:50 - 00000454 _____ () C:\WINDOWS\smscfg.ini
2014-08-28 15:55 - 2012-03-01 11:21 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-08-28 15:55 - 2012-03-01 03:10 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2014-08-28 15:55 - 2012-03-01 03:10 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-08-28 15:54 - 2012-05-31 11:41 - 00000178 ___SH () C:\Documents and Settings\administrator.MOM\ntuser.ini
2014-08-28 15:54 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\security
2014-08-28 15:50 - 2012-03-01 11:20 - 00032568 _____ () C:\WINDOWS\SchedLgU.Txt
2014-08-28 11:28 - 2012-03-01 11:20 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-08-28 11:17 - 2014-08-28 11:17 - 05574834 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Adobe
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Application Data\Adobe
2014-08-28 08:34 - 2014-08-26 12:04 - 00023098 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-28 03:59 - 2014-08-27 00:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-28 03:58 - 2014-08-28 03:50 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 15:03 - 2012-10-12 06:03 - 00000000 ____D () C:\Documents and Settings\bgiese\SapWorkDir
2014-08-27 15:03 - 2012-10-12 06:01 - 00000278 ___SH () C:\Documents and Settings\bgiese\ntuser.ini
2014-08-27 12:25 - 2012-10-12 06:01 - 00004202 __RSH () C:\Documents and Settings\bgiese\ntuser.pol
2014-08-27 12:25 - 2012-10-12 06:01 - 00000000 ____D () C:\Documents and Settings\bgiese
2014-08-27 10:50 - 2012-05-31 11:36 - 00000178 ___SH () C:\Documents and Settings\admin\ntuser.ini
2014-08-27 01:25 - 2012-05-31 12:57 - 00000376 _____ () C:\WINDOWS\ODBC.INI
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 01:00 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-26 15:18 - 2013-08-07 08:44 - 00000345 _____ () C:\Documents and Settings\bgiese\Desktop\SAP xMII Login Page.url
2014-08-26 14:00 - 2014-08-26 08:50 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 13:16 - 2012-06-27 12:42 - 00000000 ____D () C:\WINDOWS\system32\VPCache
2014-08-26 13:12 - 2014-08-21 15:29 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-26 13:12 - 2012-05-31 11:36 - 00000000 ____D () C:\Documents and Settings\admin
2014-08-26 13:08 - 2014-08-26 12:49 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2012-03-01 10:25 - 00000327 __RSH () C:\boot.ini
2014-08-26 12:26 - 2012-10-10 14:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661254-v2$
2014-08-26 12:25 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:56 - 2014-08-26 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:56 - 2014-08-26 11:25 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 11:19 - 2012-09-19 11:29 - 00000000 ____D () C:\temp
2014-08-26 11:15 - 2014-08-21 15:31 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 10:13 - 2014-08-26 12:56 - 00000211 _____ () C:\Boot.bak
2014-08-26 10:13 - 2012-03-01 10:23 - 00000573 _____ () C:\WINDOWS\win.ini
2014-08-26 09:54 - 2012-05-31 11:41 - 00004172 __RSH () C:\Documents and Settings\administrator.MOM\ntuser.pol
2014-08-26 09:49 - 2013-07-11 10:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2803821_WM9$
2014-08-26 09:48 - 2014-08-26 08:50 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 09:14 - 2012-05-03 18:24 - 00338175 _____ () C:\WINDOWS\setupapi.log
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:57 - 2014-08-26 08:56 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:51 - 2014-08-26 08:50 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:51 - 2014-08-26 08:50 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:51 - 2012-03-01 11:12 - 00005374 _____ () C:\WINDOWS\wmsetup.log
2014-08-26 06:13 - 2012-05-31 11:40 - 00000000 __SHD () C:\WINDOWS\CSC
2014-08-21 15:39 - 2014-08-21 15:29 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:29 - 2014-08-21 15:28 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:29 - 2012-06-27 08:40 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-08-21 15:29 - 2012-05-03 17:56 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-21 15:29 - 2012-03-01 11:11 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-08-21 15:29 - 2012-03-01 03:02 - 01451750 _____ () C:\WINDOWS\iis6.log
2014-08-21 15:29 - 2012-03-01 03:02 - 01322996 _____ () C:\WINDOWS\FaxSetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00644304 _____ () C:\WINDOWS\ocgen.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00614130 _____ () C:\WINDOWS\tsoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00447256 _____ () C:\WINDOWS\comsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00410130 _____ () C:\WINDOWS\msmqinst.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00270133 _____ () C:\WINDOWS\ntdtcsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00232895 _____ () C:\WINDOWS\netfxocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00091881 _____ () C:\WINDOWS\MedCtrOC.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00072832 _____ () C:\WINDOWS\ocmsn.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00067708 _____ () C:\WINDOWS\tabletoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00066537 _____ () C:\WINDOWS\msgsocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-08-21 15:29 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\Help
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-21 08:10 - 2012-10-15 08:52 - 00025088 _____ () C:\Documents and Settings\bgiese\Desktop\Shortcut to Form Training 1 Metalcraft Training Form.lnk.xls
2014-08-18 16:17 - 2012-03-01 03:02 - 00272634 _____ () C:\WINDOWS\setupact.log
2014-08-15 23:20 - 2012-12-05 15:53 - 00001716 ____H () C:\Documents and Settings\administrator.MOM\My Documents\Default.rdp
2014-08-15 20:32 - 2012-05-31 11:41 - 00000000 ___RD () C:\Documents and Settings\administrator.MOM\Start Menu\Programs\Accessories

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by administrator at 2014-08-28 16:14:01
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.7.0.19530 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
HP 3D DriveGuard (HKLM\...\{429E92A4-159F-4AEC-85A1-D693E1E4274D}) (Version: 1.00 A4 - )
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 6.14.10.5218 - Intel Corporation)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.115 - Symantec Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Visio Viewer 2003 (English) (HKLM\...\{90520409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3709.5614 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005(x86) (HKLM\...\{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}) (Version: 1.0.0.0 - SAP)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 6.14.10.00 - NVIDIA Corporation)
Prizm Viewer 7.1.0 (HKLM\...\InstallShield_{E4ABB278-16B0-40CA-9D04-DF6B41C06527}) (Version: 7.1.0 - TMSSequoia)
Prizm Viewer 7.1.0 (Version: 7.1.0 - TMSSequoia) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
RICOH Media Driver (HKLM\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.10.00.04 - RICOH)
SAP GUI 7.10 (HKLM\...\SAPGUI710) (Version: 7.10 Compilation 3 - SAP AG)
SMS Advanced Client (Version: 2.50.3174.1018 - Microsoft Corporation) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}) (Version: 11.0.7200.1147 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
ViewStation 4.0(5) (HKLM\...\{41EBD225-1F12-455F-BC2F-72982FC9FB17}) (Version: 4.00.5000 - COMSA GmbH)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points  =========================

31-05-2014 05:03:43 System Checkpoint
01-06-2014 06:24:54 System Checkpoint
02-06-2014 07:03:45 System Checkpoint
03-06-2014 08:03:48 System Checkpoint
04-06-2014 09:03:50 System Checkpoint
05-06-2014 10:03:51 System Checkpoint
06-06-2014 11:25:05 System Checkpoint
07-06-2014 12:33:39 System Checkpoint
08-06-2014 13:25:11 System Checkpoint
09-06-2014 14:25:13 System Checkpoint
10-06-2014 15:32:53 System Checkpoint
11-06-2014 16:26:22 System Checkpoint
12-06-2014 16:37:06 System Checkpoint
13-06-2014 18:03:38 System Checkpoint
14-06-2014 18:25:22 System Checkpoint
15-06-2014 19:25:23 System Checkpoint
16-06-2014 19:46:43 System Checkpoint
17-06-2014 20:26:32 System Checkpoint
18-06-2014 20:33:26 System Checkpoint
19-06-2014 21:24:20 System Checkpoint
20-06-2014 21:25:31 System Checkpoint
21-06-2014 22:25:33 System Checkpoint
22-06-2014 23:25:34 System Checkpoint
24-06-2014 00:25:36 System Checkpoint
25-06-2014 01:24:19 System Checkpoint
26-06-2014 01:25:39 System Checkpoint
27-06-2014 02:25:42 System Checkpoint
28-06-2014 03:25:43 System Checkpoint
29-06-2014 04:25:44 System Checkpoint
30-06-2014 05:25:47 System Checkpoint
01-07-2014 06:26:53 System Checkpoint
02-07-2014 07:25:49 System Checkpoint
07-07-2014 01:15:46 System Checkpoint
08-07-2014 01:59:37 System Checkpoint
09-07-2014 02:59:39 System Checkpoint
10-07-2014 02:59:45 System Checkpoint
11-07-2014 03:59:47 System Checkpoint
12-07-2014 04:59:49 System Checkpoint
13-07-2014 06:25:11 System Checkpoint
14-07-2014 06:25:51 System Checkpoint
15-07-2014 06:59:55 System Checkpoint
16-07-2014 07:59:57 System Checkpoint
17-07-2014 08:59:58 System Checkpoint
18-07-2014 10:00:00 System Checkpoint
19-07-2014 11:00:02 System Checkpoint
20-07-2014 12:00:03 System Checkpoint
21-07-2014 12:14:16 System Checkpoint
22-07-2014 12:27:05 System Checkpoint
23-07-2014 13:00:08 System Checkpoint
24-07-2014 13:01:57 System Checkpoint
25-07-2014 14:00:11 System Checkpoint
26-07-2014 15:00:12 System Checkpoint
27-07-2014 16:00:14 System Checkpoint
28-07-2014 16:34:03 System Checkpoint
29-07-2014 17:53:41 System Checkpoint
30-07-2014 17:56:13 System Checkpoint
31-07-2014 17:57:45 System Checkpoint
01-08-2014 17:57:58 System Checkpoint
02-08-2014 18:00:22 System Checkpoint
03-08-2014 19:00:24 System Checkpoint
04-08-2014 19:05:54 System Checkpoint
05-08-2014 20:00:27 System Checkpoint
06-08-2014 20:12:01 System Checkpoint
07-08-2014 21:00:31 System Checkpoint
08-08-2014 21:08:36 System Checkpoint
09-08-2014 22:00:34 System Checkpoint
10-08-2014 23:00:36 System Checkpoint
12-08-2014 00:00:38 System Checkpoint
13-08-2014 01:03:44 System Checkpoint
14-08-2014 01:59:18 System Checkpoint
15-08-2014 02:00:43 System Checkpoint
16-08-2014 02:01:50 System Checkpoint
17-08-2014 02:59:12 System Checkpoint
18-08-2014 03:09:43 System Checkpoint
19-08-2014 03:20:16 System Checkpoint
20-08-2014 03:34:31 System Checkpoint
21-08-2014 04:34:32 System Checkpoint
21-08-2014 20:28:57 Installed %1 %2.
25-08-2014 07:06:10 System Checkpoint
26-08-2014 08:05:39 System Checkpoint
27-08-2014 09:03:02 System Checkpoint
28-08-2014 09:13:41 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-01 10:23 - 2014-08-28 16:08 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AccelerometerSysTrayApplet => C:\WINDOWS\system32\AccelerometerSt.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\WINDOWS\system32\DWRCST.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 09:59:37 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/26/2014 01:59:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA "ccm_softwaredistribution"" could not be (re)activated in namespace "//./root/ccm/Policy/S_1_5_21_1307642725_1888648419_1563503735_14236"
because of error 0x80041010. Events may not be delivered through this filter until the
problem is corrected.

Error: (08/26/2014 01:59:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

System errors:
=============
Error: (08/28/2014 03:55:27 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 03:54:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The SMS Agent Host service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The DameWare Mini Remote Control service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SMS Remote Control Agent service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Smart Card service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 09:59:37 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/26/2014 01:59:44 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/ccm/Policy/S_1_5_21_1307642725_1888648419_1563503735_14236SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA "ccm_softwaredistribution"0x80041010

Error: (08/26/2014 01:59:39 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 21%
Total physical RAM: 3045.23 MB
Available physical RAM: 2404.7 MB
Total Pagefile: 4930.18 MB
Available Pagefile: 4564.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.32 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.53 GB) (Free:56.89 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive m: () (Network) (Total:1536 GB) (Free:187.23 GB)
Drive y: () (Network) (Total:200 GB) (Free:116.01 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: B150A7F9)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

I appreciate all the help with this... sorry it's being such a pain.

You are not a pain! The malware is...

Bear with me, I need to have a brainstorm and research this further. Two tools are unable to delete this key that has to go; I need to find out a method to kill it. Note that it may be tomorrow before I come back to you.

Well... my g/f might disagree with you but I was talking about the malware in the first place.

I am about to leave the site where the machine is located, but I will be back here tomorrow morning.

Let's try this one.



Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    startDeleteKey: HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.



FRST.gif Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

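Added example, not from the thread and not a description of how FRST works internally: why a directive that names the key exactly as FRST displays it can come back with nothing found, and one way to reach such a key. The assumption here, which the thread does not establish, is that the '*' characters in ******<*> stand for characters FRST cannot print, and that the real name contains code units (an embedded NUL is the classic case) at which NUL-terminated Win32 calls such as RegOpenKeyEx and RegDeleteKey stop, so any tool working from the displayed name looks for a key that does not exist. The NT native API (NtEnumerateKey, NtOpenKey, NtDeleteKey) takes a counted UNICODE_STRING and is not affected. The record helpers run anywhere; the live part needs Windows, administrative rights and a hive backup first, and it defaults to a dry run. PARENT_KEY is the LocalServer32 path from the log in this thread, written in object-manager form; everything else is mine.

```python
"""Added example (not from the thread): list and delete registry subkeys whose
names the Win32 registry API cannot address, via the NT native API.
Assumption, not established by the thread: the '*' in FRST's
  InvalidSubkeyName: [...\LocalServer32\******<*>]
stand for code units FRST cannot print, and NUL-terminated Win32 calls stop at
an embedded NUL, so a fix that spells the key as displayed finds nothing.
Live part: Windows only, run as Administrator, back up the hive first."""
import struct
import sys

# Parent key from the FRST log in this thread, in native object-manager form.
PARENT_KEY = (r"\Registry\Machine\Software\Classes\CLSID"
              r"\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32")

KEY_BASIC_HDR = struct.Struct("<qII")   # LastWriteTime, TitleIndex, NameLength
KEY_ENUMERATE_SUB_KEYS = 0x0008
DELETE = 0x00010000
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A


def encode_key_basic_information(name, last_write=0):
    """Record as NtEnumerateKey(KeyBasicInformation) returns it; used for offline tests."""
    raw = name.encode("utf-16-le")
    return KEY_BASIC_HDR.pack(last_write, 0, len(raw)) + raw


def parse_key_basic_information(buf):
    """Full counted name: NameLength is a byte count, so embedded NULs survive."""
    _lwt, _title, name_len = KEY_BASIC_HDR.unpack_from(buf, 0)
    return buf[KEY_BASIC_HDR.size:KEY_BASIC_HDR.size + name_len].decode("utf-16-le")


def win32_view(name):
    """What a NUL-terminated Win32 call (RegOpenKeyEx, RegDeleteKey) sees of the name."""
    return name.split("\x00", 1)[0]


def display(name):
    """Printable rendering for logs: non-printable code units become '*'."""
    return "".join(c if c.isprintable() else "*" for c in name)


def is_invalid_name(name):
    """A name FRST would flag: it contains code units that cannot be typed into a fix."""
    return display(name) != name


def delete_invalid_subkeys(parent_path, dry_run=True):
    """Windows only.  Returns the invalid subkey names under parent_path and, unless
    dry_run, deletes them.  NtDeleteKey refuses a key that still has subkeys
    (STATUS_CANNOT_DELETE); that status is printed, not forced."""
    import ctypes
    from ctypes import wintypes as wt

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", wt.USHORT), ("MaximumLength", wt.USHORT),
                    ("Buffer", ctypes.c_void_p)]

    class OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", wt.ULONG), ("RootDirectory", wt.HANDLE),
                    ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                    ("Attributes", wt.ULONG), ("SecurityDescriptor", ctypes.c_void_p),
                    ("SecurityQualityOfService", ctypes.c_void_p)]

    nt = ctypes.WinDLL("ntdll")
    for fn in ("NtOpenKey", "NtEnumerateKey", "NtDeleteKey", "NtClose"):
        getattr(nt, fn).restype = ctypes.c_uint32   # NTSTATUS, compared unsigned

    def open_key(name, root, access):
        raw = name.encode("utf-16-le")               # counted string: no terminator needed
        buf = ctypes.create_string_buffer(raw, len(raw))
        us = UNICODE_STRING(len(raw), len(raw), ctypes.addressof(buf))
        oa = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), root,
                               ctypes.pointer(us), OBJ_CASE_INSENSITIVE, None, None)
        h = wt.HANDLE()
        st = nt.NtOpenKey(ctypes.byref(h), access, ctypes.byref(oa))
        if st != 0:
            raise OSError("NtOpenKey(%s) -> 0x%08X" % (display(name), st))
        return h

    parent = open_key(parent_path, None, KEY_ENUMERATE_SUB_KEYS)
    out, needed, names, index = ctypes.create_string_buffer(4096), wt.ULONG(), [], 0
    while True:                 # collect first: deleting during enumeration shifts indices
        st = nt.NtEnumerateKey(parent, index, 0, out, ctypes.sizeof(out), ctypes.byref(needed))
        if st == STATUS_NO_MORE_ENTRIES:
            break
        if st != 0:
            raise OSError("NtEnumerateKey -> 0x%08X" % st)
        names.append(parse_key_basic_information(out.raw))
        index += 1

    invalid = [n for n in names if is_invalid_name(n)]
    for n in invalid:
        print("invalid subkey %r (Win32 sees %r)" % (display(n), win32_view(n)))
        if not dry_run:
            h = open_key(n, parent.value, DELETE)   # opened relative to the parent handle
            print("  NtDeleteKey -> 0x%08X" % nt.NtDeleteKey(h))
            nt.NtClose(h)
    nt.NtClose(parent)
    return invalid


if __name__ == "__main__" and sys.platform == "win32":
    delete_invalid_subkeys(PARENT_KEY, dry_run="--delete" not in sys.argv)
```

Run it once with no arguments to see what sits under LocalServer32 that Win32 cannot name, compare that against the FRST line, and only then rerun with --delete. If the status printed after NtDeleteKey is not 0, the key was not removed; a non-zero status with a key that itself has children means the children have to go first.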

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:26-08-2014
Ran by administrator at 2014-08-29 08:45:12 Run:2
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
DeleteKey: HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>
end
*****************

HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*> => Key not found.

==== End of Fixlog ====

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by administrator (administrator) on MOM1393 on 29-08-2014 08:45:57
Running from C:\Documents and Settings\administrator.MOM\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(DameWare Development LLC) C:\WINDOWS\system32\DWRCS.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\CcmExec.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(DameWare Development) C:\WINDOWS\system32\DWRCST.EXE
(Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\system32\DWRCST.exe [85528 2010-04-07] (DameWare Development)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMConfigurePrograms] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://deere.webex.com/client/WBXclient-T27L10NSP32EP18-15463/webex/ieatgpc.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-31]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-09-13]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 DWMRCS; C:\WINDOWS\SYSTEM32\DWRCS.EXE [246120 2010-07-02] (DameWare Development LLC) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-09-13] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2012-03-07] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2010-01-13] (NVIDIA Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
S4 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1935040 2012-11-12] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-11-12] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1860000 2012-11-12] (Symantec Corporation)
R2 Wuser32; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [241664 2004-07-23] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2012-11-12] (Symantec Corporation)
R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-07-06] (Symantec Corporation)
R3 idisw2km; C:\WINDOWS\System32\DRIVERS\idisw2km.sys [2112 2004-06-27] (Microsoft Corporation)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
R3 kbstuff; C:\WINDOWS\System32\DRIVERS\kbstuff5.sys [4864 2004-06-27] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
S3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [57248 2009-08-21] (NVIDIA Corporation)
S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [13824 2004-06-27] (Microsoft Corporation) [File not signed]
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [48128 2006-03-12] (SMSC)
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-11-12] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2012-11-12] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2012-11-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2012-11-12] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-12-05] (Symantec Corporation)
R0 Symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [39760 2008-06-02] (LSI Logic)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26488 2012-11-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188152 2012-11-12] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99232 2012-11-12] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2012-11-12] (Symantec Corporation)
R3 tpm; C:\WINDOWS\System32\DRIVERS\tpm.sys [13824 2008-06-20] (Intel Corporation)
R0 vmscsi; C:\WINDOWS\System32\DRIVERS\vmscsi.sys [17968 2009-10-22] (VMware, Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [45472 2012-11-12] (Symantec Corporation)
S3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2014-07-06] (Symantec Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U2 CertPropSvc; No ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
U1 RCHelp; No ImagePath
S3 StarOpen; No ImagePath
U4 WinDefend; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-29 00:58 - 2014-08-29 00:58 - 00054360 _____ () C:\Documents and Settings\jremilla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-08-28 16:10 - 2014-08-29 08:46 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-28 16:10 - 2014-08-29 01:24 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00010933 _____ () C:\ComboFix.txt
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-28 11:17 - 2014-08-28 11:17 - 05574834 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:50 - 2014-08-29 01:24 - 00025600 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-28 03:50 - 2014-08-28 03:58 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:50 - 2010-04-23 04:16 - 00000292 _____ () C:\Documents and Settings\jremilla\Desktop\M drive.lnk
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 10:26 - 2014-08-29 08:41 - 00013991 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 00:59 - 2014-08-29 01:24 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-27 00:59 - 2014-08-27 01:00 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-27 00:59 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\hpqLog
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Macromedia
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Sun
2014-08-27 00:59 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Remote Assistance.lnk
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2014-08-26 10:13 - 00000211 _____ () C:\Boot.bak
2014-08-26 12:56 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-08-26 12:52 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-08-26 12:52 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-08-26 12:52 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-08-26 12:50 - 2014-08-28 16:10 - 00000000 ____D () C:\Qoobox
2014-08-26 12:49 - 2014-08-26 13:08 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 12:04 - 2014-08-28 16:14 - 00022982 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:57 - 2014-08-29 08:46 - 00011646 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-26 11:57 - 2014-08-29 08:45 - 00000000 ____D () C:\FRST
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:28 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:25 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:56 - 2014-08-26 08:57 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:50 - 2014-08-26 14:00 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 08:50 - 2014-08-26 09:48 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 08:50 - 2014-08-26 08:51 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:50 - 2014-08-26 08:51 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:50 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\hpqLog
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Macromedia
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Sun
2014-08-26 08:50 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Remote Assistance.lnk
2014-08-21 15:31 - 2014-08-26 11:15 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-26 13:12 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-21 15:29 - 2014-08-21 15:39 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:28 - 2014-08-21 15:29 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-29 08:46 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-29 08:46 - 2014-08-26 11:57 - 00011646 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-29 08:45 - 2014-08-26 11:57 - 00000000 ____D () C:\FRST
2014-08-29 08:44 - 2013-07-24 21:19 - 00000428 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
2014-08-29 08:42 - 2012-03-01 10:23 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2014-08-29 08:41 - 2014-08-27 10:26 - 00013991 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-29 08:41 - 2012-07-31 12:27 - 00000000 ___HD () C:\WINDOWS\system32\dwrcssft
2014-08-29 08:41 - 2012-05-31 11:39 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-08-29 08:01 - 2012-09-17 08:29 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-08-29 03:23 - 2012-03-01 11:14 - 01892198 _____ () C:\WINDOWS\WindowsUpdate.log
2014-08-29 01:40 - 2012-03-01 11:20 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-08-29 01:24 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-29 01:24 - 2014-08-28 03:50 - 00025600 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-29 01:24 - 2014-08-27 00:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-29 00:58 - 2014-08-29 00:58 - 00054360 _____ () C:\Documents and Settings\jremilla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-08-29 00:49 - 2012-03-01 11:20 - 00032478 _____ () C:\WINDOWS\SchedLgU.Txt
2014-08-28 21:42 - 2012-03-01 11:50 - 00000454 _____ () C:\WINDOWS\smscfg.ini
2014-08-28 21:41 - 2012-05-31 11:40 - 00000000 __SHD () C:\WINDOWS\CSC
2014-08-28 21:41 - 2012-03-01 11:21 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-08-28 21:41 - 2012-03-01 03:10 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-08-28 21:41 - 2012-03-01 03:10 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-08-28 17:33 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\security
2014-08-28 16:14 - 2014-08-26 12:04 - 00022982 _____ () C:\Documents and Settings\administrator.MOM\Desktop\Addition.txt
2014-08-28 16:10 - 2014-08-28 16:10 - 00010933 _____ () C:\ComboFix.txt
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-28 16:10 - 2014-08-28 16:10 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-28 16:10 - 2014-08-26 12:50 - 00000000 ____D () C:\Qoobox
2014-08-28 16:08 - 2012-03-01 10:23 - 00000227 _____ () C:\WINDOWS\system.ini
2014-08-28 15:54 - 2012-05-31 11:41 - 00000178 ___SH () C:\Documents and Settings\administrator.MOM\ntuser.ini
2014-08-28 11:17 - 2014-08-28 11:17 - 05574834 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Adobe
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Application Data\Adobe
2014-08-28 03:58 - 2014-08-28 03:50 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 15:03 - 2012-10-12 06:03 - 00000000 ____D () C:\Documents and Settings\bgiese\SapWorkDir
2014-08-27 15:03 - 2012-10-12 06:01 - 00000278 ___SH () C:\Documents and Settings\bgiese\ntuser.ini
2014-08-27 12:25 - 2012-10-12 06:01 - 00004202 __RSH () C:\Documents and Settings\bgiese\ntuser.pol
2014-08-27 12:25 - 2012-10-12 06:01 - 00000000 ____D () C:\Documents and Settings\bgiese
2014-08-27 10:50 - 2012-05-31 11:36 - 00000178 ___SH () C:\Documents and Settings\admin\ntuser.ini
2014-08-27 01:25 - 2012-05-31 12:57 - 00000376 _____ () C:\WINDOWS\ODBC.INI
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 01:00 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-26 15:18 - 2013-08-07 08:44 - 00000345 _____ () C:\Documents and Settings\bgiese\Desktop\SAP xMII Login Page.url
2014-08-26 14:00 - 2014-08-26 08:50 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 13:16 - 2012-06-27 12:42 - 00000000 ____D () C:\WINDOWS\system32\VPCache
2014-08-26 13:12 - 2014-08-21 15:29 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-26 13:12 - 2012-05-31 11:36 - 00000000 ____D () C:\Documents and Settings\admin
2014-08-26 13:08 - 2014-08-26 12:49 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2012-03-01 10:25 - 00000327 __RSH () C:\boot.ini
2014-08-26 12:26 - 2012-10-10 14:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661254-v2$
2014-08-26 12:25 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:56 - 2014-08-26 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:56 - 2014-08-26 11:25 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 11:19 - 2012-09-19 11:29 - 00000000 ____D () C:\temp
2014-08-26 11:15 - 2014-08-21 15:31 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 10:13 - 2014-08-26 12:56 - 00000211 _____ () C:\Boot.bak
2014-08-26 10:13 - 2012-03-01 10:23 - 00000573 _____ () C:\WINDOWS\win.ini
2014-08-26 09:54 - 2012-05-31 11:41 - 00004172 __RSH () C:\Documents and Settings\administrator.MOM\ntuser.pol
2014-08-26 09:49 - 2013-07-11 10:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2803821_WM9$
2014-08-26 09:48 - 2014-08-26 08:50 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 09:14 - 2012-05-03 18:24 - 00338175 _____ () C:\WINDOWS\setupapi.log
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:57 - 2014-08-26 08:56 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:51 - 2014-08-26 08:50 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:51 - 2014-08-26 08:50 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:51 - 2012-03-01 11:12 - 00005374 _____ () C:\WINDOWS\wmsetup.log
2014-08-21 15:39 - 2014-08-21 15:29 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:29 - 2014-08-21 15:28 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:29 - 2012-06-27 08:40 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-08-21 15:29 - 2012-05-03 17:56 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-21 15:29 - 2012-03-01 11:11 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-08-21 15:29 - 2012-03-01 03:02 - 01451750 _____ () C:\WINDOWS\iis6.log
2014-08-21 15:29 - 2012-03-01 03:02 - 01322996 _____ () C:\WINDOWS\FaxSetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00644304 _____ () C:\WINDOWS\ocgen.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00614130 _____ () C:\WINDOWS\tsoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00447256 _____ () C:\WINDOWS\comsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00410130 _____ () C:\WINDOWS\msmqinst.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00270133 _____ () C:\WINDOWS\ntdtcsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00232895 _____ () C:\WINDOWS\netfxocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00091881 _____ () C:\WINDOWS\MedCtrOC.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00072832 _____ () C:\WINDOWS\ocmsn.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00067708 _____ () C:\WINDOWS\tabletoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00066537 _____ () C:\WINDOWS\msgsocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-08-21 15:29 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\Help
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-21 08:10 - 2012-10-15 08:52 - 00025088 _____ () C:\Documents and Settings\bgiese\Desktop\Shortcut to Form Training 1 Metalcraft Training Form.lnk.xls
2014-08-18 16:17 - 2012-03-01 03:02 - 00272634 _____ () C:\WINDOWS\setupact.log
2014-08-15 23:20 - 2012-12-05 15:53 - 00001716 ____H () C:\Documents and Settings\administrator.MOM\My Documents\Default.rdp
2014-08-15 20:32 - 2012-05-31 11:41 - 00000000 ___RD () C:\Documents and Settings\administrator.MOM\Start Menu\Programs\Accessories

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition:

Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by administrator at 2014-08-29 08:46:36
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.7.0.19530 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
HP 3D DriveGuard (HKLM\...\{429E92A4-159F-4AEC-85A1-D693E1E4274D}) (Version: 1.00 A4 - )
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 6.14.10.5218 - Intel Corporation)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.115 - Symantec Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Visio Viewer 2003 (English) (HKLM\...\{90520409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3709.5614 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005(x86) (HKLM\...\{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}) (Version: 1.0.0.0 - SAP)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 6.14.10.00 - NVIDIA Corporation)
Prizm Viewer 7.1.0 (HKLM\...\InstallShield_{E4ABB278-16B0-40CA-9D04-DF6B41C06527}) (Version: 7.1.0 - TMSSequoia)
Prizm Viewer 7.1.0 (Version: 7.1.0 - TMSSequoia) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
RICOH Media Driver (HKLM\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.10.00.04 - RICOH)
SAP GUI 7.10 (HKLM\...\SAPGUI710) (Version: 7.10 Compilation 3 - SAP AG)
SMS Advanced Client (Version: 2.50.3174.1018 - Microsoft Corporation) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}) (Version: 11.0.7200.1147 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
ViewStation 4.0(5) (HKLM\...\{41EBD225-1F12-455F-BC2F-72982FC9FB17}) (Version: 4.00.5000 - COMSA GmbH)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points  =========================

01-06-2014 06:24:54 System Checkpoint
02-06-2014 07:03:45 System Checkpoint
03-06-2014 08:03:48 System Checkpoint
04-06-2014 09:03:50 System Checkpoint
05-06-2014 10:03:51 System Checkpoint
06-06-2014 11:25:05 System Checkpoint
07-06-2014 12:33:39 System Checkpoint
08-06-2014 13:25:11 System Checkpoint
09-06-2014 14:25:13 System Checkpoint
10-06-2014 15:32:53 System Checkpoint
11-06-2014 16:26:22 System Checkpoint
12-06-2014 16:37:06 System Checkpoint
13-06-2014 18:03:38 System Checkpoint
14-06-2014 18:25:22 System Checkpoint
15-06-2014 19:25:23 System Checkpoint
16-06-2014 19:46:43 System Checkpoint
17-06-2014 20:26:32 System Checkpoint
18-06-2014 20:33:26 System Checkpoint
19-06-2014 21:24:20 System Checkpoint
20-06-2014 21:25:31 System Checkpoint
21-06-2014 22:25:33 System Checkpoint
22-06-2014 23:25:34 System Checkpoint
24-06-2014 00:25:36 System Checkpoint
25-06-2014 01:24:19 System Checkpoint
26-06-2014 01:25:39 System Checkpoint
27-06-2014 02:25:42 System Checkpoint
28-06-2014 03:25:43 System Checkpoint
29-06-2014 04:25:44 System Checkpoint
30-06-2014 05:25:47 System Checkpoint
01-07-2014 06:26:53 System Checkpoint
02-07-2014 07:25:49 System Checkpoint
07-07-2014 01:15:46 System Checkpoint
08-07-2014 01:59:37 System Checkpoint
09-07-2014 02:59:39 System Checkpoint
10-07-2014 02:59:45 System Checkpoint
11-07-2014 03:59:47 System Checkpoint
12-07-2014 04:59:49 System Checkpoint
13-07-2014 06:25:11 System Checkpoint
14-07-2014 06:25:51 System Checkpoint
15-07-2014 06:59:55 System Checkpoint
16-07-2014 07:59:57 System Checkpoint
17-07-2014 08:59:58 System Checkpoint
18-07-2014 10:00:00 System Checkpoint
19-07-2014 11:00:02 System Checkpoint
20-07-2014 12:00:03 System Checkpoint
21-07-2014 12:14:16 System Checkpoint
22-07-2014 12:27:05 System Checkpoint
23-07-2014 13:00:08 System Checkpoint
24-07-2014 13:01:57 System Checkpoint
25-07-2014 14:00:11 System Checkpoint
26-07-2014 15:00:12 System Checkpoint
27-07-2014 16:00:14 System Checkpoint
28-07-2014 16:34:03 System Checkpoint
29-07-2014 17:53:41 System Checkpoint
30-07-2014 17:56:13 System Checkpoint
31-07-2014 17:57:45 System Checkpoint
01-08-2014 17:57:58 System Checkpoint
02-08-2014 18:00:22 System Checkpoint
03-08-2014 19:00:24 System Checkpoint
04-08-2014 19:05:54 System Checkpoint
05-08-2014 20:00:27 System Checkpoint
06-08-2014 20:12:01 System Checkpoint
07-08-2014 21:00:31 System Checkpoint
08-08-2014 21:08:36 System Checkpoint
09-08-2014 22:00:34 System Checkpoint
10-08-2014 23:00:36 System Checkpoint
12-08-2014 00:00:38 System Checkpoint
13-08-2014 01:03:44 System Checkpoint
14-08-2014 01:59:18 System Checkpoint
15-08-2014 02:00:43 System Checkpoint
16-08-2014 02:01:50 System Checkpoint
17-08-2014 02:59:12 System Checkpoint
18-08-2014 03:09:43 System Checkpoint
19-08-2014 03:20:16 System Checkpoint
20-08-2014 03:34:31 System Checkpoint
21-08-2014 04:34:32 System Checkpoint
21-08-2014 20:28:57 Installed %1 %2.
25-08-2014 07:06:10 System Checkpoint
26-08-2014 08:05:39 System Checkpoint
27-08-2014 09:03:02 System Checkpoint
28-08-2014 09:13:41 System Checkpoint
29-08-2014 09:45:24 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-01 10:23 - 2014-08-28 16:08 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AccelerometerSysTrayApplet => C:\WINDOWS\system32\AccelerometerSt.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\WINDOWS\system32\DWRCST.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

System errors:
=============
Error: (08/29/2014 05:41:58 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:59 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 05:27:46 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:27 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 03:54:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The SMS Agent Host service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The DameWare Mini Remote Control service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/28/2014 03:51:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The SMS Remote Control Agent service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 00:58:25 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:59:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 00:25:25 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 05:59:38 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/27/2014 02:08:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 19%
Total physical RAM: 3045.23 MB
Available physical RAM: 2440.26 MB
Total Pagefile: 4930.24 MB
Available Pagefile: 4566.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.1 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.53 GB) (Free:56.9 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive m: () (Network) (Total:1536 GB) (Free:186.56 GB)
Drive y: () (Network) (Total:200 GB) (Free:118.94 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: B150A7F9)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Hi :)
I'm armed with a couple of new ideas, so let's try to utilize them! Delete your current copy of ComboFix please and obtain a fresh one. This will be a long and multi-step action, but I think you can handle it :)



erunt.png Backing up Registry with ERUnt

Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that.

Please download ERUnt and save the file to the desktop.

  • Install ERUnt by following the prompts, but say no to the portion that asks you to add ERUnt to the start-up folder.
  • Double-click on erunt.png icon to start the tool.
  • Leave the default location (C:\WINDOWS\ERDNT) as a place for your backup.
  • Make sure that System registry and Current user registry are ticked.
  • The third option Other open users registries is optional.
  • Press OK to backup and then press YES to create the folder.

This tool won't generate any report.
You may uninstall it after we're done with the cleaning, but I'd recommend saving it and doing a backup once per month. It's better to be safe than sorry.



51a5bf3d99e8a-ComboFixlogo16.png Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.
Now let's prepare a Script for ComboFix to mark some things for being deleted.

  • Press the WindowsKey.png + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:
    RegNull::
    [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>]
    Registry::
    [-HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}]
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.

Your CFScript.txt file should appear on your desktop.

  • Now drag your CFScript file and drop it onto the 51a5bf3d99e8a-ComboFixlogo16.png icon:
    CFScript.gif
  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.

Please include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!



reg_file_icon.jpg Registry Fix

Modifying the registry may create unforeseen results. Please do not proceed, unless you have created a registry backup prior to doing that!

We need to prepare a fix file first.

  • Press the WindowsKey.png + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script. Make sure that all of the codebox content is pasted!
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}]
    "AppId"="{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}"
    @="Microsoft WMI Provider Subsystem Host"

    [HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]
    ; backslashes inside quoted data must be doubled in a .reg file
    @="C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"
    "ThreadingModel"="Both"
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to All Files (*.*) and the place to save will be your desktop.
  • Name the file fix.reg and select Save.

After that, your prepared fix.reg file should be located on your desktop.

Now we need to import the file into the registry.

  • Locate the fix.reg file on your desktop.
  • Right-click the reg_file_icon.jpg icon of your file and select Merge.
  • You'll be prompted about adding the information to the registry. Please agree.

After this, please manually reboot your machine. No report will be generated.



FRST.gif Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users: click Run after the Windows Security Warning - Open File appears.
    > 8 users will be prompted about Windows SmartScreen protection: click More information and Run.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.



Combofix:


ComboFix 14-08-29.03 - administrator 08/29/2014  10:51:06.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3045.2471 [GMT -5:00]
Running from: c:\documents and settings\administrator.MOM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\administrator.MOM\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-28 to 2014-08-29  )))))))))))))))))))))))))))))))
.
.
2014-08-29 15:46 . 2014-08-29 15:46 -------- d-----w- c:\program files\ERUNT
2014-08-28 16:11 . 2014-08-28 16:11 -------- d-----w- c:\documents and settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-27 05:59 . 2014-08-27 06:00 -------- d-----w- c:\documents and settings\jremilla
2014-08-26 16:57 . 2014-08-29 13:46 -------- d-----w- C:\FRST
2014-08-26 16:28 . 2014-08-26 16:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 16:13 . 2014-08-26 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2014-08-26 13:58 . 2014-08-26 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2014-08-26 13:50 . 2014-08-26 14:48 -------- d-----w- c:\documents and settings\ashryock
2014-08-21 20:30 . 2014-08-21 20:30 -------- d-----w- c:\windows\system32\cos
2014-08-21 20:29 . 2014-08-21 20:29 -------- d-----w- c:\windows\system32\winrm
2014-08-21 20:28 . 2014-08-21 20:29 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2014-08-03 09:53 . 2014-08-03 09:53 188304 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 03:05 . 2012-09-17 13:29 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-09 03:05 . 2012-03-01 16:43 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 03:05 . 2014-07-09 03:05 10603008 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2014-07-07 03:40 . 2012-12-05 23:41 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2009-05-08 16:43 . 2012-06-27 13:28 3145728 ----a-w- c:\program files\Common Files\sapxlhelper.dll
2009-05-08 16:43 . 2012-06-27 13:28 192512 ----a-w- c:\program files\Common Files\sapconsr3.dll
2009-05-08 16:43 . 2012-06-27 13:28 626688 ----a-w- c:\program files\Common Files\sapconsaccess.dll
2009-05-08 16:43 . 2012-06-27 13:28 40960 ----a-w- c:\program files\Common Files\DigitalSignature.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-04-22 1040384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-13 14901248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-11-12 115624]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-13761\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-1786\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-4779\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-6915\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\0\0]
"Script"=regedit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1307642725-1888648419-1563503735-9789\Scripts\Logon\1\0]
"Script"=ncell_login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AccelerometerSysTrayApplet]
2007-01-24 22:28 124928 ----a-w- c:\windows\system32\accelerometerST.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DameWare MRC Agent]
2010-04-07 16:12 85528 ----a-w- c:\windows\system32\DWRCST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2010-02-25 23:19 287800 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [3/1/2012 11:47 AM 17968]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 6:00 AM 26624]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 6:00 AM 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2014 2:37 AM 109872]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [3/1/2012 10:55 AM 540288]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/12/2012 3:37 PM 23960]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/1/2012 10:56 AM 44800]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\MBAMSwissArmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/1/2012 10:53 AM 49152]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [3/1/2012 11:45 AM 227896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-17 03:05]
.
2014-08-29 c:\windows\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-29 10:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1307642725-1888648419-1563503735-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,af,14,26,1f,48,a8,d4,4c,ae,58,fc,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2688)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2014-08-29  10:57:12
ComboFix-quarantined-files.txt  2014-08-29 15:57
ComboFix2.txt  2014-08-28 21:10
ComboFix3.txt  2014-08-28 16:28
ComboFix4.txt  2014-08-26 18:09
.
Pre-Run: 61,015,371,776 bytes free
Post-Run: 61,011,853,312 bytes free
.
- - End Of File - - 114A65152B0F6F179C0FB520FDB17B64
A36C5E4F47E84449FF07ED3517B43A31

FRST:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by administrator (administrator) on MOM1393 on 29-08-2014 11:09:29
Running from C:\Documents and Settings\administrator.MOM\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(DameWare Development LLC) C:\WINDOWS\system32\DWRCS.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\CcmExec.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(DameWare Development) C:\WINDOWS\system32\DWRCST.EXE
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\system32\DWRCST.exe [85528 2010-04-07] (DameWare Development)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMConfigurePrograms] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://deere.webex.com/client/WBXclient-T27L10NSP32EP18-15463/webex/ieatgpc.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-31]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-09-13]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 DWMRCS; C:\WINDOWS\SYSTEM32\DWRCS.EXE [246120 2010-07-02] (DameWare Development LLC) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-09-13] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2012-03-07] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2010-01-13] (NVIDIA Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
S4 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1935040 2012-11-12] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-11-12] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1860000 2012-11-12] (Symantec Corporation)
R2 Wuser32; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [241664 2004-07-23] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2012-11-12] (Symantec Corporation)
R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-07-06] (Symantec Corporation)
R3 idisw2km; C:\WINDOWS\System32\DRIVERS\idisw2km.sys [2112 2004-06-27] (Microsoft Corporation)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
R3 kbstuff; C:\WINDOWS\System32\DRIVERS\kbstuff5.sys [4864 2004-06-27] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
S3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [57248 2009-08-21] (NVIDIA Corporation)
S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [13824 2004-06-27] (Microsoft Corporation) [File not signed]
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [48128 2006-03-12] (SMSC)
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-11-12] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2012-11-12] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2012-11-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2012-11-12] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-12-05] (Symantec Corporation)
R0 Symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [39760 2008-06-02] (LSI Logic)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26488 2012-11-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188152 2012-11-12] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99232 2012-11-12] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2012-11-12] (Symantec Corporation)
R3 tpm; C:\WINDOWS\System32\DRIVERS\tpm.sys [13824 2008-06-20] (Intel Corporation)
R0 vmscsi; C:\WINDOWS\System32\DRIVERS\vmscsi.sys [17968 2009-10-22] (VMware, Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [45472 2012-11-12] (Symantec Corporation)
S3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2014-07-06] (Symantec Corporation)
S3 catchme; \??\C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
U1 RCHelp; No ImagePath
S3 StarOpen; No ImagePath
U4 WinDefend; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


Addition:


Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by administrator at 2014-08-29 11:09:53
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.7.0.19530 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
ERUNT 1.1j (HKLM\...\ERUNT_is1) (Version:  - Lars Hederer)
HP 3D DriveGuard (HKLM\...\{429E92A4-159F-4AEC-85A1-D693E1E4274D}) (Version: 1.00 A4 - )
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 6.14.10.5218 - Intel Corporation)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.115 - Symantec Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Visio Viewer 2003 (English) (HKLM\...\{90520409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3709.5614 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005(x86) (HKLM\...\{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}) (Version: 1.0.0.0 - SAP)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 6.14.10.00 - NVIDIA Corporation)
Prizm Viewer 7.1.0 (HKLM\...\InstallShield_{E4ABB278-16B0-40CA-9D04-DF6B41C06527}) (Version: 7.1.0 - TMSSequoia)
Prizm Viewer 7.1.0 (Version: 7.1.0 - TMSSequoia) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
RICOH Media Driver (HKLM\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.10.00.04 - RICOH)
SAP GUI 7.10 (HKLM\...\SAPGUI710) (Version: 7.10 Compilation 3 - SAP AG)
SMS Advanced Client (Version: 2.50.3174.1018 - Microsoft Corporation) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}) (Version: 11.0.7200.1147 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
ViewStation 4.0(5) (HKLM\...\{41EBD225-1F12-455F-BC2F-72982FC9FB17}) (Version: 4.00.5000 - COMSA GmbH)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points  =========================

01-06-2014 06:24:54 System Checkpoint
02-06-2014 07:03:45 System Checkpoint
03-06-2014 08:03:48 System Checkpoint
04-06-2014 09:03:50 System Checkpoint
05-06-2014 10:03:51 System Checkpoint
06-06-2014 11:25:05 System Checkpoint
07-06-2014 12:33:39 System Checkpoint
08-06-2014 13:25:11 System Checkpoint
09-06-2014 14:25:13 System Checkpoint
10-06-2014 15:32:53 System Checkpoint
11-06-2014 16:26:22 System Checkpoint
12-06-2014 16:37:06 System Checkpoint
13-06-2014 18:03:38 System Checkpoint
14-06-2014 18:25:22 System Checkpoint
15-06-2014 19:25:23 System Checkpoint
16-06-2014 19:46:43 System Checkpoint
17-06-2014 20:26:32 System Checkpoint
18-06-2014 20:33:26 System Checkpoint
19-06-2014 21:24:20 System Checkpoint
20-06-2014 21:25:31 System Checkpoint
21-06-2014 22:25:33 System Checkpoint
22-06-2014 23:25:34 System Checkpoint
24-06-2014 00:25:36 System Checkpoint
25-06-2014 01:24:19 System Checkpoint
26-06-2014 01:25:39 System Checkpoint
27-06-2014 02:25:42 System Checkpoint
28-06-2014 03:25:43 System Checkpoint
29-06-2014 04:25:44 System Checkpoint
30-06-2014 05:25:47 System Checkpoint
01-07-2014 06:26:53 System Checkpoint
02-07-2014 07:25:49 System Checkpoint
07-07-2014 01:15:46 System Checkpoint
08-07-2014 01:59:37 System Checkpoint
09-07-2014 02:59:39 System Checkpoint
10-07-2014 02:59:45 System Checkpoint
11-07-2014 03:59:47 System Checkpoint
12-07-2014 04:59:49 System Checkpoint
13-07-2014 06:25:11 System Checkpoint
14-07-2014 06:25:51 System Checkpoint
15-07-2014 06:59:55 System Checkpoint
16-07-2014 07:59:57 System Checkpoint
17-07-2014 08:59:58 System Checkpoint
18-07-2014 10:00:00 System Checkpoint
19-07-2014 11:00:02 System Checkpoint
20-07-2014 12:00:03 System Checkpoint
21-07-2014 12:14:16 System Checkpoint
22-07-2014 12:27:05 System Checkpoint
23-07-2014 13:00:08 System Checkpoint
24-07-2014 13:01:57 System Checkpoint
25-07-2014 14:00:11 System Checkpoint
26-07-2014 15:00:12 System Checkpoint
27-07-2014 16:00:14 System Checkpoint
28-07-2014 16:34:03 System Checkpoint
29-07-2014 17:53:41 System Checkpoint
30-07-2014 17:56:13 System Checkpoint
31-07-2014 17:57:45 System Checkpoint
01-08-2014 17:57:58 System Checkpoint
02-08-2014 18:00:22 System Checkpoint
03-08-2014 19:00:24 System Checkpoint
04-08-2014 19:05:54 System Checkpoint
05-08-2014 20:00:27 System Checkpoint
06-08-2014 20:12:01 System Checkpoint
07-08-2014 21:00:31 System Checkpoint
08-08-2014 21:08:36 System Checkpoint
09-08-2014 22:00:34 System Checkpoint
10-08-2014 23:00:36 System Checkpoint
12-08-2014 00:00:38 System Checkpoint
13-08-2014 01:03:44 System Checkpoint
14-08-2014 01:59:18 System Checkpoint
15-08-2014 02:00:43 System Checkpoint
16-08-2014 02:01:50 System Checkpoint
17-08-2014 02:59:12 System Checkpoint
18-08-2014 03:09:43 System Checkpoint
19-08-2014 03:20:16 System Checkpoint
20-08-2014 03:34:31 System Checkpoint
21-08-2014 04:34:32 System Checkpoint
21-08-2014 20:28:57 Installed %1 %2.
25-08-2014 07:06:10 System Checkpoint
26-08-2014 08:05:39 System Checkpoint
27-08-2014 09:03:02 System Checkpoint
28-08-2014 09:13:41 System Checkpoint
29-08-2014 09:45:24 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-01 10:23 - 2014-08-28 16:08 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AccelerometerSysTrayApplet => C:\WINDOWS\system32\AccelerometerSt.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\WINDOWS\system32\DWRCST.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/29/2014 11:04:29 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/29/2014 10:53:42 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:52:49 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:51:56 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:20:21 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

System errors:
=============
Error: (08/29/2014 11:04:29 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/29/2014 11:04:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/29/2014 10:20:21 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/29/2014 05:41:58 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:59 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 05:27:46 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:27 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 03:54:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

Microsoft Office Sessions:
=========================
Error: (08/29/2014 11:04:29 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/29/2014 10:53:42 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:52:49 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:51:56 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:20:21 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 22%
Total physical RAM: 3045.23 MB
Available physical RAM: 2345.96 MB
Total Pagefile: 4930.24 MB
Available Pagefile: 4453.22 MB
Total Virtual: 2047.88 MB
Available Virtual: 1938.13 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.53 GB) (Free:56.86 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive m: () (Network) (Total:1536 GB) (Free:186.5 GB)
Drive y: () (Network) (Total:200 GB) (Free:118.94 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: B150A7F9)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================


I just love when everything goes bad :angry2:


Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
    end

  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Now please download ETS by FoolishIT and save the file to your desktop.
It will come as a zipped file, so you'll have to unzip it before use. You may do it by right-clicking on its icon and choosing Extract All. Extract it to your desktop.

Drag the FRST icon and drop it onto the ElevateToSystem icon. This should start FRST.
> XP users: click Run after the Windows Security Warning - Open File prompt.
> Windows 8 users will be prompted about Windows SmartScreen protection: click More information and Run.

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

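As an added example for readers following the thread, not code from any post above and not part of FRST or Farbar's tooling: a small Python triage script that reads scan output in the format FRST pastes here and pulls out the lines a responder reads first. It flags lines FRST has itself marked with <===== ATTENTION (such as the InvalidSubkeyName entry the fix above targets), running services and drivers whose binary FRST reports as [File not signed], orphaned service entries ([X] or No ImagePath), and per-user CustomCLSID InprocServer32 registrations whose target lies outside the Windows and Program Files directories, which is the per-user COM hijack pattern. The sample log is constructed for the example: most lines are copied from this thread's logs, and the CustomCLSID line with the all-zero GUID and sample.dll is a deliberately fake entry added so the hijack check has something to catch. The trusted-directory list is an assumption for illustration, not a rule FRST applies.

```python
import ntpath
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the format FRST prints. Most lines are copied from the
# logs in this thread; the CustomCLSID line with the all-zero GUID and
# sample.dll is a deliberately fake entry so the hijack check has a hit.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 -> C:\Documents and Settings\someuser\Application Data\sample.dll ()
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
S3 catchme; \??\C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
"""

# Directories a COM server registered for a user is expected to live in.
# Assumption for illustration; extend per environment.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# FRST service/driver line: <state><start type> <name>; <image path and flags>
# state R = running, S = stopped, U = unknown; start type 0..4 as in the SCM.
SERVICE_RE = re.compile(r"^(?P<state>[RSU])(?P<start>[0-4]) (?P<name>[^;]+); (?P<rest>.*)$")
# FRST per-user CLSID line: CustomCLSID: <key> -> <target> (<publisher>)
CLSID_RE = re.compile(r"^CustomCLSID: (?P<key>\S+) -> (?P<target>.+?) \((?P<company>[^()]*)\)$")

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)


def in_trusted_dir(path: str) -> bool:
    """True if the normalised path sits under one of the trusted prefixes.
    ntpath.normpath collapses '..' so 'C:\\WINDOWS\\..\\x.dll' is not trusted."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def triage_line(line: str) -> List[Finding]:
    findings: List[Finding] = []
    line = line.rstrip()
    if not line:
        return findings
    if "<===== ATTENTION" in line:
        findings.append(("high", "flagged by FRST itself", line))
    m = SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        if rest.endswith("[X]") or rest == "No ImagePath":
            findings.append(("low", "orphaned service/driver entry (binary missing)", line))
        elif "[File not signed]" in rest and m.group("state") == "R":
            # Only running unsigned binaries are raised here; stopped ones are
            # reviewed later, so the first pass stays short.
            findings.append(("medium", "running service/driver with unsigned binary", line))
    m = CLSID_RE.match(line)
    if m:
        if not in_trusted_dir(m.group("target")):
            findings.append(("high", "per-user CLSID points outside trusted directories (COM hijack pattern)", line))
        elif not m.group("company"):
            findings.append(("medium", "per-user CLSID target carries no publisher name", line))
    return findings


def triage(text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    text = SAMPLE_LOG
    if len(sys.argv) > 1:
        # Adjust the encoding if your FRST.txt is not UTF-8/ANSI.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for sev, why, line in triage(text):
        print(f"[{sev:6}] {why}\n         {line}")
    print("summary:", summarize(triage(text)))
```

Run it with no arguments to see the constructed sample triaged, or pass a real FRST.txt as the first argument. An empty result means only that none of these four checks matched, not that the machine is clean; the full log still has to be read.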

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:26-08-2014
Ran by SYSTEM at 2014-08-29 11:22:06 Run:3
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
end
*****************

[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => Subkey with invalid name deleted successfully.

==== End of Fixlog ====


Hm. Looks interesting!

 

Post me a new report from FRST from the scan option.


FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by administrator (administrator) on MOM1393 on 29-08-2014 11:24:23
Running from C:\Documents and Settings\administrator.MOM\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(DameWare Development LLC) C:\WINDOWS\system32\DWRCS.EXE
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\clicomp\RemCtrl\Wuser32.exe
(Microsoft Corporation) C:\WINDOWS\system32\CCM\CcmExec.exe
(DameWare Development) C:\WINDOWS\system32\DWRCST.EXE
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2012-11-12] (Symantec Corporation)
HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\system32\DWRCST.exe [85528 2010-04-07] (DameWare Development)
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoAutoTrayNotify] 1
HKU\S-1-5-21-1307642725-1888648419-1563503735-500\...\Policies\Explorer: [NoSMConfigurePrograms] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://deere.webex.com/client/WBXclient-T27L10NSP32EP18-15463/webex/ieatgpc.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\saphtmlp.dll (SAP AG, Walldorf)
Tcpip\Parameters: [DhcpNameServer] 172.16.48.162 172.16.1.202 10.30.16.116 172.16.1.116

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-05-31]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-09-13]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [570368 2004-08-04] (Microsoft Corporation) [File not signed]
S4 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2012-11-12] (Symantec Corporation)
R2 DWMRCS; C:\WINDOWS\SYSTEM32\DWRCS.EXE [246120 2010-07-02] (DameWare Development LLC) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153584 2012-09-13] (Sun Microsystems, Inc.)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2012-03-07] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 nvsvc; C:\WINDOWS\system32\nvsvc32.exe [172100 2010-01-13] (NVIDIA Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
S4 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1935040 2012-11-12] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2012-11-12] (Symantec Corporation)
S4 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1860000 2012-11-12] (Symantec Corporation)
R2 Wuser32; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [241664 2004-07-23] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2012-11-12] (Symantec Corporation)
R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-07-06] (Symantec Corporation)
R3 idisw2km; C:\WINDOWS\System32\DRIVERS\idisw2km.sys [2112 2004-06-27] (Microsoft Corporation)
S3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2008-07-23] (Infineon Technologies AG)
R3 kbstuff; C:\WINDOWS\System32\DRIVERS\kbstuff5.sys [4864 2004-06-27] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVENG.SYS [95704 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20140827.023\NAVEX15.SYS [1636696 2014-08-21] (Symantec Corporation)
S3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [57248 2009-08-21] (NVIDIA Corporation)
S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [13824 2004-06-27] (Microsoft Corporation) [File not signed]
S3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [49152 2009-07-20] (RICOH Company, Ltd.)
R3 SenFiltService; C:\WINDOWS\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
S3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [48128 2006-03-12] (SMSC)
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2012-11-12] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2012-11-12] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2012-11-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2012-11-12] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-12-05] (Symantec Corporation)
R0 Symmpi; C:\WINDOWS\System32\DRIVERS\symmpi.sys [39760 2008-06-02] (LSI Logic)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26488 2012-11-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188152 2012-11-12] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99232 2012-11-12] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2012-11-12] (Symantec Corporation)
R3 tpm; C:\WINDOWS\System32\DRIVERS\tpm.sys [13824 2008-06-20] (Intel Corporation)
R0 vmscsi; C:\WINDOWS\System32\DRIVERS\vmscsi.sys [17968 2009-10-22] (VMware, Inc.)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [45472 2012-11-12] (Symantec Corporation)
S3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2014-07-06] (Symantec Corporation)
S3 catchme; \??\C:\DOCUME~1\ADMINI~1.MOM\LOCALS~1\Temp\catchme.sys [X]
U2 CertPropSvc; No ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
U1 RCHelp; No ImagePath
S3 StarOpen; No ImagePath
U4 WinDefend; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-29 11:19 - 2014-08-29 11:19 - 00070451 _____ () C:\Documents and Settings\administrator.MOM\Desktop\ETS.zip
2014-08-29 10:57 - 2014-08-29 11:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00010632 _____ () C:\ComboFix.txt
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-29 10:46 - 2014-08-29 10:46 - 00000618 _____ () C:\Documents and Settings\administrator.MOM\Desktop\NTREGOPT.lnk
2014-08-29 10:46 - 2014-08-29 10:46 - 00000599 _____ () C:\Documents and Settings\administrator.MOM\Desktop\ERUNT.lnk
2014-08-29 10:46 - 2014-08-29 10:46 - 00000000 ____D () C:\Program Files\ERUNT
2014-08-29 10:46 - 2014-08-29 10:46 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
2014-08-29 10:45 - 2014-08-29 10:45 - 05576760 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-29 10:45 - 2014-08-29 10:45 - 00000383 _____ () C:\Documents and Settings\administrator.MOM\Desktop\fix.reg
2014-08-29 10:42 - 2014-08-29 10:42 - 00791393 _____ (Lars Hederer ) C:\Documents and Settings\administrator.MOM\Desktop\erunt_setup.exe
2014-08-29 00:58 - 2014-08-29 00:58 - 00054360 _____ () C:\Documents and Settings\jremilla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:50 - 2014-08-29 01:24 - 00025600 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-28 03:50 - 2014-08-28 03:58 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:50 - 2010-04-23 04:16 - 00000292 _____ () C:\Documents and Settings\jremilla\Desktop\M drive.lnk
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 10:26 - 2014-08-29 11:04 - 00020314 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 00:59 - 2014-08-29 01:24 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-27 00:59 - 2014-08-27 01:00 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-27 00:59 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\hpqLog
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Macromedia
2014-08-27 00:59 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Adobe
2014-08-27 00:59 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\jremilla\Application Data\Sun
2014-08-27 00:59 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Remote Assistance.lnk
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2014-08-26 10:13 - 00000211 _____ () C:\Boot.bak
2014-08-26 12:56 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-08-26 12:52 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-08-26 12:52 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-08-26 12:52 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-08-26 12:52 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-08-26 12:50 - 2014-08-29 10:57 - 00000000 ____D () C:\Qoobox
2014-08-26 12:49 - 2014-08-29 10:46 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:57 - 2014-08-29 11:24 - 00011412 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-26 11:57 - 2014-08-29 11:24 - 00000000 ____D () C:\FRST
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:28 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:25 - 2014-08-26 11:56 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:56 - 2014-08-26 08:57 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:50 - 2014-08-26 14:00 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 08:50 - 2014-08-26 09:48 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 08:50 - 2014-08-26 08:51 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:50 - 2014-08-26 08:51 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:50 - 2012-03-01 11:45 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\hpqLog
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Macromedia
2014-08-26 08:50 - 2012-03-01 11:43 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Adobe
2014-08-26 08:50 - 2012-03-01 11:42 - 00000000 ____D () C:\Documents and Settings\ashryock\Application Data\Sun
2014-08-26 08:50 - 2012-03-01 11:15 - 00001606 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Remote Assistance.lnk
2014-08-21 15:31 - 2014-08-26 11:15 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-26 13:12 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-21 15:29 - 2014-08-21 15:39 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:28 - 2014-08-21 15:29 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-16 14:00 - 2014-08-29 11:20 - 00142464 _____ (Foolish IT, LLC) C:\Documents and Settings\administrator.MOM\Desktop\ets.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-29 11:24 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\temp
2014-08-29 11:24 - 2014-08-26 11:57 - 00011412 _____ () C:\Documents and Settings\administrator.MOM\Desktop\FRST.txt
2014-08-29 11:24 - 2014-08-26 11:57 - 00000000 ____D () C:\FRST
2014-08-29 11:24 - 2013-07-24 21:19 - 00000428 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job
2014-08-29 11:20 - 2014-08-16 14:00 - 00142464 _____ (Foolish IT, LLC) C:\Documents and Settings\administrator.MOM\Desktop\ets.exe
2014-08-29 11:19 - 2014-08-29 11:19 - 00070451 _____ () C:\Documents and Settings\administrator.MOM\Desktop\ETS.zip
2014-08-29 11:17 - 2012-05-31 11:39 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-08-29 11:13 - 2012-03-01 11:14 - 01898732 _____ () C:\WINDOWS\WindowsUpdate.log
2014-08-29 11:05 - 2012-03-01 10:23 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2014-08-29 11:04 - 2014-08-27 10:26 - 00020314 _____ () C:\WINDOWS\system32\DWRCSAccess.log
2014-08-29 11:04 - 2012-07-31 12:27 - 00000000 ___HD () C:\WINDOWS\system32\dwrcssft
2014-08-29 11:04 - 2012-03-01 11:50 - 00000454 _____ () C:\WINDOWS\smscfg.ini
2014-08-29 11:04 - 2012-03-01 11:21 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-08-29 11:04 - 2012-03-01 03:10 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-08-29 11:04 - 2012-03-01 03:10 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-08-29 11:02 - 2012-05-31 11:41 - 00000178 ___SH () C:\Documents and Settings\administrator.MOM\ntuser.ini
2014-08-29 11:02 - 2012-03-01 11:20 - 00032478 _____ () C:\WINDOWS\SchedLgU.Txt
2014-08-29 11:01 - 2012-09-17 08:29 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-08-29 10:57 - 2014-08-29 10:57 - 00010632 _____ () C:\ComboFix.txt
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\lmoore\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\dlacy\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\bgiese\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-08-29 10:57 - 2014-08-29 10:57 - 00000000 ____D () C:\Documents and Settings\admin\Local Settings\temp
2014-08-29 10:57 - 2014-08-26 12:50 - 00000000 ____D () C:\Qoobox
2014-08-29 10:57 - 2012-03-01 11:20 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-08-29 10:56 - 2012-03-01 10:23 - 00000227 _____ () C:\WINDOWS\system.ini
2014-08-29 10:46 - 2014-08-29 10:46 - 00000618 _____ () C:\Documents and Settings\administrator.MOM\Desktop\NTREGOPT.lnk
2014-08-29 10:46 - 2014-08-29 10:46 - 00000599 _____ () C:\Documents and Settings\administrator.MOM\Desktop\ERUNT.lnk
2014-08-29 10:46 - 2014-08-29 10:46 - 00000000 ____D () C:\Program Files\ERUNT
2014-08-29 10:46 - 2014-08-29 10:46 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
2014-08-29 10:46 - 2014-08-26 12:49 - 00000000 ____D () C:\WINDOWS\erdnt
2014-08-29 10:45 - 2014-08-29 10:45 - 05576760 ____R (Swearware) C:\Documents and Settings\administrator.MOM\Desktop\ComboFix.exe
2014-08-29 10:45 - 2014-08-29 10:45 - 00000383 _____ () C:\Documents and Settings\administrator.MOM\Desktop\fix.reg
2014-08-29 10:42 - 2014-08-29 10:42 - 00791393 _____ (Lars Hederer ) C:\Documents and Settings\administrator.MOM\Desktop\erunt_setup.exe
2014-08-29 10:26 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\security
2014-08-29 01:24 - 2014-08-28 03:50 - 00025600 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talk Meeting Minutes weld.xls
2014-08-29 01:24 - 2014-08-27 00:59 - 00000278 ___SH () C:\Documents and Settings\jremilla\ntuser.ini
2014-08-29 00:58 - 2014-08-29 00:58 - 00054360 _____ () C:\Documents and Settings\jremilla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-08-28 21:41 - 2012-05-31 11:40 - 00000000 __SHD () C:\WINDOWS\CSC
2014-08-28 11:11 - 2014-08-28 11:11 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Temp
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Local Settings\Application Data\Adobe
2014-08-28 11:11 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Application Data\Adobe
2014-08-28 03:58 - 2014-08-28 03:50 - 00000549 _____ () C:\Documents and Settings\jremilla\Desktop\Tool Box Talks.lnk
2014-08-28 03:52 - 2014-08-28 03:52 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\Maint
2014-08-28 03:51 - 2014-08-28 03:51 - 00000000 ____D () C:\Documents and Settings\jremilla\Desktop\fender travel
2014-08-28 03:47 - 2014-08-28 03:47 - 00000433 _____ () C:\Documents and Settings\jremilla\Desktop\Outlook Web App.url
2014-08-27 15:03 - 2012-10-12 06:03 - 00000000 ____D () C:\Documents and Settings\bgiese\SapWorkDir
2014-08-27 15:03 - 2012-10-12 06:01 - 00000278 ___SH () C:\Documents and Settings\bgiese\ntuser.ini
2014-08-27 12:25 - 2012-10-12 06:01 - 00004202 __RSH () C:\Documents and Settings\bgiese\ntuser.pol
2014-08-27 12:25 - 2012-10-12 06:01 - 00000000 ____D () C:\Documents and Settings\bgiese
2014-08-27 10:50 - 2012-05-31 11:36 - 00000178 ___SH () C:\Documents and Settings\admin\ntuser.ini
2014-08-27 01:25 - 2012-05-31 12:57 - 00000376 _____ () C:\WINDOWS\ODBC.INI
2014-08-27 01:00 - 2014-08-27 01:00 - 00000000 __SHD () C:\Documents and Settings\jremilla\PrivacIE
2014-08-27 01:00 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla
2014-08-27 00:59 - 2014-08-27 00:59 - 00004202 __RSH () C:\Documents and Settings\jremilla\ntuser.pol
2014-08-27 00:59 - 2014-08-27 00:59 - 00000810 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Internet Explorer.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000799 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000793 _____ () C:\Documents and Settings\jremilla\Desktop\Windows Media Player.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000745 _____ () C:\Documents and Settings\jremilla\Start Menu\Programs\Outlook Express.lnk
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 __SHD () C:\Documents and Settings\jremilla\IETldCache
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ___RD () C:\Documents and Settings\jremilla\Start Menu\Programs\Accessories
2014-08-27 00:59 - 2014-08-27 00:59 - 00000000 ____D () C:\Documents and Settings\jremilla\Local Settings\Application Data\Symantec
2014-08-26 15:18 - 2013-08-07 08:44 - 00000345 _____ () C:\Documents and Settings\bgiese\Desktop\SAP xMII Login Page.url
2014-08-26 14:00 - 2014-08-26 08:50 - 00000178 ___SH () C:\Documents and Settings\ashryock\ntuser.ini
2014-08-26 13:16 - 2012-06-27 12:42 - 00000000 ____D () C:\WINDOWS\system32\VPCache
2014-08-26 13:12 - 2014-08-21 15:29 - 00720896 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-26 13:12 - 2012-05-31 11:36 - 00000000 ____D () C:\Documents and Settings\admin
2014-08-26 12:56 - 2014-08-26 12:56 - 00000000 _RSHD () C:\cmdcons
2014-08-26 12:56 - 2012-03-01 10:25 - 00000327 __RSH () C:\boot.ini
2014-08-26 12:26 - 2012-10-10 14:39 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661254-v2$
2014-08-26 12:25 - 2012-05-31 11:41 - 00000000 ____D () C:\Documents and Settings\administrator.MOM
2014-08-26 11:58 - 2014-08-26 11:58 - 02103296 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRST64.exe
2014-08-26 11:56 - 2014-08-26 11:56 - 01095168 _____ (Farbar) C:\Documents and Settings\administrator.MOM\Desktop\FRSTx32.exe
2014-08-26 11:56 - 2014-08-26 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-08-26 11:56 - 2014-08-26 11:25 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\mbar
2014-08-26 11:24 - 2014-08-26 11:24 - 14349744 _____ (Malwarebytes Corp.) C:\Documents and Settings\administrator.MOM\Desktop\mbar-1.07.0.1012.exe
2014-08-26 11:19 - 2012-09-19 11:29 - 00000000 ____D () C:\temp
2014-08-26 11:15 - 2014-08-21 15:31 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-08-26 10:24 - 2014-08-26 10:24 - 00000000 ____D () C:\Documents and Settings\administrator.MOM\Desktop\backups
2014-08-26 10:21 - 2014-08-26 10:21 - 00388608 _____ (Trend Micro Inc.) C:\Documents and Settings\administrator.MOM\Desktop\HijackThis.exe
2014-08-26 10:13 - 2014-08-26 12:56 - 00000211 _____ () C:\Boot.bak
2014-08-26 10:13 - 2012-03-01 10:23 - 00000573 _____ () C:\WINDOWS\win.ini
2014-08-26 09:54 - 2012-05-31 11:41 - 00004172 __RSH () C:\Documents and Settings\administrator.MOM\ntuser.pol
2014-08-26 09:49 - 2013-07-11 10:23 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2803821_WM9$
2014-08-26 09:48 - 2014-08-26 08:50 - 00000000 ____D () C:\Documents and Settings\ashryock
2014-08-26 09:14 - 2012-05-03 18:24 - 00338175 _____ () C:\WINDOWS\setupapi.log
2014-08-26 08:58 - 2014-08-26 08:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Documents and Settings\ashryock\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-26 08:58 - 2014-08-26 08:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-26 08:57 - 2014-08-26 08:56 - 00000000 ____D () C:\WINDOWS\pss
2014-08-26 08:51 - 2014-08-26 08:51 - 00004172 __RSH () C:\Documents and Settings\ashryock\ntuser.pol
2014-08-26 08:51 - 2014-08-26 08:51 - 00000810 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Internet Explorer.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000799 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000793 _____ () C:\Documents and Settings\ashryock\Desktop\Windows Media Player.lnk
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 __SHD () C:\Documents and Settings\ashryock\IETldCache
2014-08-26 08:51 - 2014-08-26 08:51 - 00000000 ____D () C:\Documents and Settings\ashryock\Local Settings\Application Data\Symantec
2014-08-26 08:51 - 2014-08-26 08:50 - 00000745 _____ () C:\Documents and Settings\ashryock\Start Menu\Programs\Outlook Express.lnk
2014-08-26 08:51 - 2014-08-26 08:50 - 00000000 ___RD () C:\Documents and Settings\ashryock\Start Menu\Programs\Accessories
2014-08-26 08:51 - 2012-03-01 11:12 - 00005374 _____ () C:\WINDOWS\wmsetup.log
2014-08-21 15:39 - 2014-08-21 15:29 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-21 15:30 - 2014-08-21 15:30 - 00000000 ____D () C:\WINDOWS\system32\cos
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-21 15:29 - 2014-08-21 15:29 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-21 15:29 - 2014-08-21 15:28 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-21 15:29 - 2012-06-27 08:40 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-08-21 15:29 - 2012-05-03 17:56 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-21 15:29 - 2012-03-01 11:11 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-08-21 15:29 - 2012-03-01 03:02 - 01451750 _____ () C:\WINDOWS\iis6.log
2014-08-21 15:29 - 2012-03-01 03:02 - 01322996 _____ () C:\WINDOWS\FaxSetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00644304 _____ () C:\WINDOWS\ocgen.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00614130 _____ () C:\WINDOWS\tsoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00447256 _____ () C:\WINDOWS\comsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00410130 _____ () C:\WINDOWS\msmqinst.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00270133 _____ () C:\WINDOWS\ntdtcsetup.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00232895 _____ () C:\WINDOWS\netfxocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00091881 _____ () C:\WINDOWS\MedCtrOC.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00072832 _____ () C:\WINDOWS\ocmsn.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00067708 _____ () C:\WINDOWS\tabletoc.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00066537 _____ () C:\WINDOWS\msgsocm.log
2014-08-21 15:29 - 2012-03-01 03:02 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-08-21 15:29 - 2012-03-01 02:57 - 00000000 ____D () C:\WINDOWS\Help
2014-08-21 15:28 - 2014-08-21 15:28 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-21 08:10 - 2012-10-15 08:52 - 00025088 _____ () C:\Documents and Settings\bgiese\Desktop\Shortcut to Form Training 1 Metalcraft Training Form.lnk.xls
2014-08-18 16:17 - 2012-03-01 03:02 - 00272634 _____ () C:\WINDOWS\setupact.log
2014-08-15 23:20 - 2012-12-05 15:53 - 00001716 ____H () C:\Documents and Settings\administrator.MOM\My Documents\Default.rdp
2014-08-15 20:32 - 2012-05-31 11:41 - 00000000 ___RD () C:\Documents and Settings\administrator.MOM\Start Menu\Programs\Accessories

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition:

Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by administrator at 2014-08-29 11:24:47
Running from C:\Documents and Settings\administrator.MOM\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP BiDi Channel Components Installer (Version: 1.1.0.2 - Hewlett-Packard) Hidden
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.7.0.19530 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - Adobe Systems, Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
ERUNT 1.1j (HKLM\...\ERUNT_is1) (Version:  - Lars Hederer)
HP 3D DriveGuard (HKLM\...\{429E92A4-159F-4AEC-85A1-D693E1E4274D}) (Version: 1.00 A4 - )
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 6.14.10.5218 - Intel Corporation)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.350 - Oracle)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.115 - Symantec Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7 (Version:  - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Visio Viewer 2003 (English) (HKLM\...\{90520409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.3709.5614 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005(x86) (HKLM\...\{C0DB380B-97B5-4BB8-AC8D-1835E61439B6}) (Version: 1.0.0.0 - SAP)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\NVIDIA nView Desktop Manager) (Version: 6.14.10.00 - NVIDIA Corporation)
Prizm Viewer 7.1.0 (HKLM\...\InstallShield_{E4ABB278-16B0-40CA-9D04-DF6B41C06527}) (Version: 7.1.0 - TMSSequoia)
Prizm Viewer 7.1.0 (Version: 7.1.0 - TMSSequoia) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
RICOH Media Driver (HKLM\...\{F5CC2EF8-20A4-4366-A681-3FE849E65809}) (Version: 2.10.00.04 - RICOH)
SAP GUI 7.10 (HKLM\...\SAPGUI710) (Version: 7.10 Compilation 3 - SAP AG)
SMS Advanced Client (Version: 2.50.3174.1018 - Microsoft Corporation) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}) (Version: 11.0.7200.1147 - Symantec Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676-v2) (HKLM\...\KB2616676-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (HKLM\...\KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
ViewStation 4.0(5) (HKLM\...\{41EBD225-1F12-455F-BC2F-72982FC9FB17}) (Version: 4.00.5000 - COMSA GmbH)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{00B7E0AB-817A-44AD-A04B-D1148D524136}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{7C6E29BC-8B8B-4C3D-859E-AF6CD158BE0F}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C0-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C1-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C2-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C3-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C4-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C5-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C8-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969C9-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969CA-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1307642725-1888648419-1563503735-500_Classes\CLSID\{88D969D6-F192-11D4-A65F-0040963251E5}\InprocServer32 -> C:\WINDOWS\system32\msxml4.dll (Microsoft Corporation)

==================== Restore Points  =========================

01-06-2014 06:24:54 System Checkpoint
02-06-2014 07:03:45 System Checkpoint
03-06-2014 08:03:48 System Checkpoint
04-06-2014 09:03:50 System Checkpoint
05-06-2014 10:03:51 System Checkpoint
06-06-2014 11:25:05 System Checkpoint
07-06-2014 12:33:39 System Checkpoint
08-06-2014 13:25:11 System Checkpoint
09-06-2014 14:25:13 System Checkpoint
10-06-2014 15:32:53 System Checkpoint
11-06-2014 16:26:22 System Checkpoint
12-06-2014 16:37:06 System Checkpoint
13-06-2014 18:03:38 System Checkpoint
14-06-2014 18:25:22 System Checkpoint
15-06-2014 19:25:23 System Checkpoint
16-06-2014 19:46:43 System Checkpoint
17-06-2014 20:26:32 System Checkpoint
18-06-2014 20:33:26 System Checkpoint
19-06-2014 21:24:20 System Checkpoint
20-06-2014 21:25:31 System Checkpoint
21-06-2014 22:25:33 System Checkpoint
22-06-2014 23:25:34 System Checkpoint
24-06-2014 00:25:36 System Checkpoint
25-06-2014 01:24:19 System Checkpoint
26-06-2014 01:25:39 System Checkpoint
27-06-2014 02:25:42 System Checkpoint
28-06-2014 03:25:43 System Checkpoint
29-06-2014 04:25:44 System Checkpoint
30-06-2014 05:25:47 System Checkpoint
01-07-2014 06:26:53 System Checkpoint
02-07-2014 07:25:49 System Checkpoint
07-07-2014 01:15:46 System Checkpoint
08-07-2014 01:59:37 System Checkpoint
09-07-2014 02:59:39 System Checkpoint
10-07-2014 02:59:45 System Checkpoint
11-07-2014 03:59:47 System Checkpoint
12-07-2014 04:59:49 System Checkpoint
13-07-2014 06:25:11 System Checkpoint
14-07-2014 06:25:51 System Checkpoint
15-07-2014 06:59:55 System Checkpoint
16-07-2014 07:59:57 System Checkpoint
17-07-2014 08:59:58 System Checkpoint
18-07-2014 10:00:00 System Checkpoint
19-07-2014 11:00:02 System Checkpoint
20-07-2014 12:00:03 System Checkpoint
21-07-2014 12:14:16 System Checkpoint
22-07-2014 12:27:05 System Checkpoint
23-07-2014 13:00:08 System Checkpoint
24-07-2014 13:01:57 System Checkpoint
25-07-2014 14:00:11 System Checkpoint
26-07-2014 15:00:12 System Checkpoint
27-07-2014 16:00:14 System Checkpoint
28-07-2014 16:34:03 System Checkpoint
29-07-2014 17:53:41 System Checkpoint
30-07-2014 17:56:13 System Checkpoint
31-07-2014 17:57:45 System Checkpoint
01-08-2014 17:57:58 System Checkpoint
02-08-2014 18:00:22 System Checkpoint
03-08-2014 19:00:24 System Checkpoint
04-08-2014 19:05:54 System Checkpoint
05-08-2014 20:00:27 System Checkpoint
06-08-2014 20:12:01 System Checkpoint
07-08-2014 21:00:31 System Checkpoint
08-08-2014 21:08:36 System Checkpoint
09-08-2014 22:00:34 System Checkpoint
10-08-2014 23:00:36 System Checkpoint
12-08-2014 00:00:38 System Checkpoint
13-08-2014 01:03:44 System Checkpoint
14-08-2014 01:59:18 System Checkpoint
15-08-2014 02:00:43 System Checkpoint
16-08-2014 02:01:50 System Checkpoint
17-08-2014 02:59:12 System Checkpoint
18-08-2014 03:09:43 System Checkpoint
19-08-2014 03:20:16 System Checkpoint
20-08-2014 03:34:31 System Checkpoint
21-08-2014 04:34:32 System Checkpoint
21-08-2014 20:28:57 Installed %1 %2.
25-08-2014 07:06:10 System Checkpoint
26-08-2014 08:05:39 System Checkpoint
27-08-2014 09:03:02 System Checkpoint
28-08-2014 09:13:41 System Checkpoint
29-08-2014 09:45:24 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-01 10:23 - 2014-08-28 16:08 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{8C0DC158-52E0-4F19-A6E5-EDCBFC092BB3}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AccelerometerSysTrayApplet => C:\WINDOWS\system32\AccelerometerSt.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DameWare MRC Agent => C:\WINDOWS\system32\DWRCST.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/29/2014 11:04:29 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/29/2014 10:53:42 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:52:49 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:51:56 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: Error:
DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:20:21 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba).  The RPC server is unavailable.

System errors:
=============
Error: (08/29/2014 11:04:29 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/29/2014 11:04:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/29/2014 10:20:21 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/29/2014 05:41:58 AM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:59 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 09:41:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 05:27:46 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:27 PM) (Source: DCOM) (EventID: 10009) (User: NT AUTHORITY)
Description: DCOM was unable to communicate with the computer momemail.mtlcraft.com using any of the configured
protocols.

Error: (08/28/2014 03:55:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimmptsk service failed to start due to the following error:
%%1058

Error: (08/28/2014 03:54:01 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.

Microsoft Office Sessions:
=========================
Error: (08/29/2014 11:04:29 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/29/2014 10:53:42 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:52:49 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:51:56 AM) (Source: DWMRCS) (EventID: 110) (User: )
Description: DameWare Mini Remote Control
System Error: 10054
Unable to send on socket, Remote Host: 172.16.12.103 (5.6.0).
Last Error Code: 10054
 (srv)

Error: (08/29/2014 10:20:21 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/29/2014 05:41:58 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 09:41:59 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 05:27:46 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 03:55:27 PM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

Error: (08/28/2014 08:58:24 AM) (Source: AutoEnrollment) (EventID: 13) (User: )
Description: local systemComputer0x800706baThe RPC server is unavailable.

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 19%
Total physical RAM: 3045.23 MB
Available physical RAM: 2441.13 MB
Total Pagefile: 4930.24 MB
Available Pagefile: 4573.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.25 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:74.53 GB) (Free:56.86 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive m: () (Network) (Total:1536 GB) (Free:186.5 GB)
Drive y: () (Network) (Total:200 GB) (Free:118.94 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: B150A7F9)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Hooray, we've killed it :)



Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.



Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the add-on to run.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe from the link you'll be given.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:

  • Make sure that Enable detection of potentially unwanted applications is checked.
  • In the Advanced Settings dropdown menu:
    • Make sure that Remove found threats is unchecked.
    • Scan archives is checked.
    • Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
    • Use custom proxy settings is unchecked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.
Don't forget to re-enable previously switched-off protection software!
