
URL redirects occurring. Nothing detected.



Hello, I have about 10 machines that generate many URL redirects which are picked up by our firewall.

The attached files are from a typical example of one of these. I have run MalwareBytes free version and it only picks up the PUM warnings which are actually intended Windows GPO changes e.g. PUM.Hijack.ControlPanelStyle and PUM.Hijack.HomepageControl

Examples of the redirected sites are:

Can anyone please assist in identifying the Malware that is causing all of these URL redirects?

Thank you kindly for any help.


Here is the FRST file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-11-2016 01
Ran by courtneyfraser (ATTENTION: The user is not administrator) on 7010-9ZC03W1 (22-11-2016 08:25:00)
Running from P:\Downloads
Loaded Profiles: courtneyfraser (Available Profiles: bpaine & wchettleburgh & AlicePaine & ahollingworth & tdavenport & ea-grahamwright & techsupport & kharley & courtneyfraser & AliceWilkins & ZakKerrigan & RichardWybrow & GraceCabell & NickEstelrich & OllieRitchie & AlanQuach & ea-alanquach & KaseyTrombley & PaulVanDerWerff & cwadmin)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> lsm.exe
Failed to access process -> winlogon.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> SavService.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> armsvc.exe
Failed to access process -> DWRCS.exe
Failed to access process -> svchost.exe
Failed to access process -> SAVAdminService.exe
Failed to access process -> SntpService.exe
Failed to access process -> ManagementAgentNT.exe
Failed to access process -> ALsvc.exe
Failed to access process -> RouterNT.exe
Failed to access process -> swc_service.exe
Failed to access process -> ssp.exe
Failed to access process -> swi_service.exe
Failed to access process -> CcmExec.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> svchost.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> GoogleUpdate.exe
Failed to access process -> SearchIndexer.exe
(SolarWinds) C:\Windows\dwrcs\DWRCST.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Sophos Limited) C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Avid Technology, Inc.) C:\Program Files (x86)\Avid\iNEWS\ANWS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Failed to access process -> OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Failed to access process -> DWRCS.exe
Failed to access process -> WmiPrvSE.exe
(Malwarebytes                                                ) \\ITFP-AKL\USERS$\courtneyfraser\Downloads\mbam-setup-2.2.1.1043.exe
() C:\Users\courtneyfraser\AppData\Local\Temp\is-77H1H.tmp\mbam-setup-2.2.1.1043.tmp
(Malwarebytes                                                ) \\ITFP-AKL\USERS$\courtneyfraser\Downloads\mbam-setup-2.2.1.1043.exe
() C:\Users\courtneyfraser\AppData\Local\Temp\is-HJKKI.tmp\mbam-setup-2.2.1.1043.tmp
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) \\itfp-akl\users$\courtneyfraser\downloads\frst64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) \\itfp-akl\users$\courtneyfraser\downloads\frst64.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DameWare MRC Agent] => C:\WINDOWS\dwrcs\DWRCST.exe [298960 2011-12-12] (SolarWinds)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [1531872 2015-10-13] (Sophos Limited)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\system: [NoDispScrSavPage] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\system: [HideLegacyLogonScripts] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\system: [Wallpaper] C:\Windows\System32\oobe\info\backgrounds\mediaworksdesktop.jpg
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoNetConnectDisconnect] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [ForceClassicControlPanel] 0
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoThemesTab] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoSMBalloonTip] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoDrives] 4
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoHardwareTab] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [NoStartMenuNetworkPlaces] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [DisallowCpl] 1
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\...\Policies\Explorer: [HideSCAHealth] 1
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured_x64.dll [231936 2016-04-18] (Sophos Limited)
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sophos_detoured.dll [289040 2016-04-18] (Sophos Limited)
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-3835667965-2047657334-3681693090-65948] => http=proxy:8080;https=proxy:8080
Winsock: Catalog9 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp.dll [141208 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 01 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 02 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 03 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 04 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 05 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 06 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 07 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 08 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Winsock: Catalog9-x64 19 C:\ProgramData\Sophos\Web Intelligence\swi_ifslsp_64.dll [194152 2016-04-18] (Sophos Limited)
Tcpip\Parameters: [DhcpNameServer] 10.5.1.61 10.21.130.30 10.5.1.62 10.21.130.32
Tcpip\..\Interfaces\{D59E38D9-DC75-466A-A28D-57FA7C8066C1}: [DhcpNameServer] 10.5.1.61 10.21.130.30 10.5.1.62 10.21.130.32

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://mymediaworks/desktopmodules/authenticationservices/activedirectory/windowssignin.aspx
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-05-02] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-02] (Oracle Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-18] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-18] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw.dll [2011-06-10] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-02] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-02] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-05] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-19] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-10-19] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-09-23] (Adobe Systems Inc.)

Chrome: 
=======
CHR Profile: C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default [2016-11-22]
CHR Extension: (Google Slides) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-05-02]
CHR Extension: (Google Docs) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-02]
CHR Extension: (Google Drive) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-02]
CHR Extension: (YouTube) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-02]
CHR Extension: (Google Search) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-05-02]
CHR Extension: (Google Sheets) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-02]
CHR Extension: (Google Docs Offline) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-03]
CHR Extension: (Avid MOS ActiveX hosting plugin) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmcebpepkojaapaoliodbjagahkpedph [2016-05-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-02]
CHR Extension: (Gmail) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-02]
CHR Extension: (Chrome Media Router) - C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-20]
CHR HKLM-x32\...\Chrome\Extension: [lmcebpepkojaapaoliodbjagahkpedph] - C:\Program Files (x86)\Avid\Interplay Central MOS plugin\avidmos.crx [2013-01-30]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 dwmrcs; C:\WINDOWS\dwrcs\dwrcs.exe [701392 2011-12-12] (SolarWinds)
R2 lmhosts; C:\WINDOWS\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 lmhosts; C:\WINDOWS\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
R2 NlaSvc; C:\WINDOWS\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\WINDOWS\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\WINDOWS\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\WINDOWS\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 SAVAdminService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [311544 2016-04-18] (Sophos Limited)
R2 SAVService; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [285136 2016-04-18] (Sophos Limited)
S3 smstsmgr; C:\WINDOWS\SysWOW64\CCM\TSManager.exe [246624 2009-09-18] () [File not signed]
R2 SntpService; C:\Program Files\Sophos\Sophos Network Threat Protection\bin\SntpService.exe [901248 2016-04-18] (Sophos Limited)
R2 Sophos AutoUpdate Service; C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [604000 2015-10-13] (Sophos Limited)
R2 Sophos Web Control Service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [341800 2016-04-18] (Sophos Limited)
R2 sophossps; C:\Program Files (x86)\Sophos\Sophos System Protection\ssp.exe [2455816 2016-04-18] (Sophos Limited)
R2 swi_service; C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [3339736 2016-04-18] (Sophos Limited)
S2 swi_update_64; C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2118896 2016-04-18] (Sophos Limited)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2015-11-13] (Microsoft Corporation)
R2 Sophos Agent; "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent -ORBListenEndpoints iiop://127.0.0.1 [X] <==== ATTENTION
R2 Sophos Message Router; "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [X] <==== ATTENTION

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 DwMirror; C:\WINDOWS\System32\DRIVERS\DamewareMini.sys [5632 2008-03-15] (DameWare Development, LLC)
R1 dwvkbd; C:\WINDOWS\System32\DRIVERS\dwvkbd64.sys [30720 2008-03-14] (DameWare)
S3 e1qexpress; C:\WINDOWS\System32\DRIVERS\e1q60x64.sys [244736 2009-06-11] (Intel Corporation)
R3 prepdrvr; C:\WINDOWS\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] () [File not signed]
R1 SAVOnAccess; C:\WINDOWS\System32\DRIVERS\savonaccess.sys [161024 2016-04-18] (Sophos Limited)
S3 sdcfilter; C:\WINDOWS\System32\DRIVERS\sdcfilter.sys [38144 2016-04-18] (Sophos Limited)
R2 sntp; C:\WINDOWS\System32\DRIVERS\sntp.sys [116144 2016-04-18] (Sophos Limited)
S4 SophosBootDriver; C:\WINDOWS\System32\DRIVERS\SophosBootDriver.sys [27904 2016-04-18] (Sophos Limited)
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-22 08:24 - 2016-11-22 08:25 - 00000000 ____D C:\FRST
2016-11-21 09:22 - 2016-11-21 09:22 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2016-11-21 09:02 - 2016-11-21 09:22 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-11-21 09:02 - 2016-11-21 09:22 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
2016-11-21 08:42 - 2016-11-21 08:42 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-11-10 04:20 - 2016-11-10 04:20 - 00000000 ____D C:\Users\ollieritchie
2016-11-02 08:02 - 2016-08-13 05:26 - 00464896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-11-02 08:02 - 2016-08-13 05:26 - 00405504 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2016-11-02 08:02 - 2016-08-13 05:26 - 00168960 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2016-11-02 08:00 - 2016-09-03 04:40 - 00631176 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2016-11-02 08:00 - 2016-09-03 04:35 - 05548264 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-11-02 08:00 - 2016-09-03 04:35 - 00706280 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2016-11-02 08:00 - 2016-09-03 04:35 - 00154856 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-11-02 08:00 - 2016-09-03 04:35 - 00095464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecdd.sys
2016-11-02 08:00 - 2016-09-03 04:34 - 01732864 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\srcore.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00362496 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64win.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00215552 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\wdigest.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00135680 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspicli.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSpkg.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\system32\srclient.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00028672 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspisrv.dll
2016-11-02 08:00 - 2016-09-03 04:31 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 01464320 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 01212928 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 01163264 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00880640 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00730624 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00690688 _____ (Microsoft Corporation) C:\WINDOWS\system32\adtschema.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00463872 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00419840 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00345600 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00316416 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00312320 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncrypt.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00190464 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpchttp.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaudite.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\setbcdlocale.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00060416 _____ (Microsoft Corporation) C:\WINDOWS\system32\msobjs.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidapi.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00044032 _____ (Microsoft Corporation) C:\WINDOWS\system32\csrsrv.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptbase.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00034816 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidsvc.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00028160 _____ (Microsoft Corporation) C:\WINDOWS\system32\secur32.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00022016 _____ (Microsoft Corporation) C:\WINDOWS\system32\credssp.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00016384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdm64.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00006656 _____ (Microsoft Corporation) C:\WINDOWS\system32\apisetschema.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00006144 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-security-base-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00005120 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-file-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-synch-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-localization-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-misc-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-memory-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-heap-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-util-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-profile-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-io-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-handle-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-debug-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:30 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\system32\api-ms-win-core-console-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:21 - 04000488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntkrnlpa.exe
2016-11-02 08:00 - 2016-09-03 04:21 - 03944680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntoskrnl.exe
2016-11-02 08:00 - 2016-09-03 04:18 - 01314112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 01114112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kernel32.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00690688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\adtschema.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00666112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00644096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00553472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00342528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00275456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00260608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00254464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00223232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncrypt.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00172032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wdigest.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msaudite.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00141312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpchttp.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00096768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sspicli.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TSpkg.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00060416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msobjs.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00050688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\appidapi.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00043008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\srclient.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00022016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\secur32.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00017408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\credssp.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00006656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\apisetschema.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00005120 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00005120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wow32.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00004096 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:16 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 04:02 - 00148480 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidpolicyconverter.exe
2016-11-02 08:00 - 2016-09-03 04:02 - 00062464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\appid.sys
2016-11-02 08:00 - 2016-09-03 04:02 - 00017920 _____ (Microsoft Corporation) C:\WINDOWS\system32\appidcertstorecheck.exe
2016-11-02 08:00 - 2016-09-03 04:01 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\auditpol.exe
2016-11-02 08:00 - 2016-09-03 03:58 - 00338432 _____ (Microsoft Corporation) C:\WINDOWS\system32\conhost.exe
2016-11-02 08:00 - 2016-09-03 03:57 - 00296960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rstrui.exe
2016-11-02 08:00 - 2016-09-03 03:55 - 00159744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2016-11-02 08:00 - 2016-09-03 03:54 - 00291328 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2016-11-02 08:00 - 2016-09-03 03:54 - 00129536 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2016-11-02 08:00 - 2016-09-03 03:53 - 00112640 _____ (Microsoft Corporation) C:\WINDOWS\system32\smss.exe
2016-11-02 08:00 - 2016-09-03 03:53 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\auditpol.exe
2016-11-02 08:00 - 2016-09-03 03:53 - 00030720 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsass.exe
2016-11-02 08:00 - 2016-09-03 03:49 - 00036352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptbase.dll
2016-11-02 08:00 - 2016-09-03 03:49 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setup16.exe
2016-11-02 08:00 - 2016-09-03 03:49 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntvdm64.dll
2016-11-02 08:00 - 2016-09-03 03:49 - 00007680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\instnm.exe
2016-11-02 08:00 - 2016-09-03 03:49 - 00002048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user.exe
2016-11-02 08:00 - 2016-09-03 03:48 - 00006144 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 03:48 - 00004608 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 03:48 - 00003584 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-11-02 08:00 - 2016-09-03 03:48 - 00003072 ____H (Microsoft Corporation) C:\WINDOWS\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-11-02 08:00 - 2016-08-17 06:36 - 01009152 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2016-11-02 08:00 - 2016-08-16 15:48 - 00833024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2016-11-02 08:00 - 2016-08-16 15:35 - 03218432 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-11-02 08:00 - 2016-08-07 04:31 - 00877056 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2016-11-02 08:00 - 2016-08-07 04:15 - 00581632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-22 07:57 - 2016-04-18 12:02 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-11-22 07:51 - 2016-04-18 17:04 - 00000898 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-11-22 07:35 - 2009-07-14 17:45 - 00019120 ____H C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-11-22 07:35 - 2009-07-14 17:45 - 00019120 ____H C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-11-22 06:13 - 2016-08-02 05:47 - 00000000 ____D C:\Users\courtneyfraser\AppData\Roaming\vlc
2016-11-22 05:35 - 2016-05-02 08:17 - 00000000 ____D C:\Users\courtneyfraser\AppData\Roaming\Vizrt
2016-11-22 02:28 - 2016-04-18 17:04 - 00000894 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-11-22 02:28 - 2013-02-15 15:37 - 00049079 __RSH C:\ProgramData\ntuser.pol
2016-11-22 02:27 - 2016-05-02 03:34 - 00048422 __RSH C:\Users\courtneyfraser\ntuser.pol
2016-11-22 02:27 - 2016-05-02 03:34 - 00000000 ____D C:\Users\courtneyfraser
2016-11-22 02:27 - 2016-04-18 12:47 - 00000542 _____ C:\WINDOWS\Tasks\Weekly Scan.job
2016-11-21 09:23 - 2013-02-15 14:28 - 00000494 _____ C:\WINDOWS\SMSCFG.INI
2016-11-21 09:23 - 2009-07-14 18:08 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-21 08:38 - 2009-07-14 17:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-11-18 03:41 - 2016-04-18 11:54 - 00000000 ____D C:\ITDRVS
2016-11-18 03:30 - 2016-04-28 04:43 - 00000000 ____D C:\Users\ahollingworth
2016-11-15 09:13 - 2009-07-14 18:08 - 00032576 _____ C:\WINDOWS\Tasks\SCHEDLGU.TXT
2016-11-15 03:14 - 2016-04-18 11:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2016-11-14 14:07 - 2016-04-18 11:56 - 00000000 ____D C:\Program Files\Microsoft Office
2016-11-14 14:07 - 2009-07-14 15:34 - 00000387 _____ C:\WINDOWS\win.ini
2016-11-09 16:57 - 2016-04-30 09:27 - 00000000 ____D C:\Users\richardwybrow
2016-11-08 02:31 - 2016-05-02 03:34 - 00000000 ____D C:\Users\courtneyfraser\AppData\Local\Google
2016-11-03 18:27 - 2009-07-14 18:13 - 00784842 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-11-03 18:27 - 2009-07-14 16:20 - 00000000 ____D C:\WINDOWS\inf
2016-11-03 11:44 - 2012-10-31 04:00 - 00776964 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2016-11-02 17:30 - 2009-07-14 16:20 - 00000000 ____D C:\WINDOWS\rescache
2016-11-02 08:35 - 2009-07-14 17:45 - 00409776 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-10-23 15:15 - 2016-07-18 10:11 - 00000000 ____D C:\Users\AliceWilkins

==================== Files in the root of some directories =======

2016-05-02 03:34 - 2016-04-18 12:01 - 0002161 _____ () C:\Users\courtneyfraser\AppData\Local\OfflineVaultPH.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD. The user is not administrator

==================== End of FRST.txt ============================

Here is the Action file:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-11-2016 01
Ran by courtneyfraser (22-11-2016 08:25:49)
Running from P:\Downloads
Windows 7 Professional Service Pack 1 (X64) (2016-04-17 22:50:35)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

cwadmin (S-1-5-21-72832567-274823873-1848071354-500 - Administrator - Enabled) => C:\Users\cwadmin
Guest (S-1-5-21-72832567-274823873-1848071354-501 - Limited - Disabled)
SophosSAU7010-9ZCaaa (S-1-5-21-72832567-274823873-1848071354-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Sophos Anti-Virus (Enabled - Up to date) {6BABF8F7-3EB6-BD1D-9167-8C5ECA060A29}
AS: Sophos Anti-Virus (Enabled - Up to date) {D0CA1913-188C-B293-ABD7-B72CB1814094}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 6.2.2 - Hewlett-Packard) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.4.0.2710 - Adobe Systems Incorporated)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\{5708517C-59A3-45C6-9727-6C06C8595AFD}) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\{8AA0E56A-5F80-413C-863D-67ED1E0DAC55}) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Adobe Reader XI (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.00 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\{D84A070E-2A31-464A-9830-39FAB5761D62}) (Version: 11.6.0.626 - Adobe Systems, Inc)
ADSelfService Plus Client Software (HKLM-x32\...\{E451B224-C4E6-452E-BB61-2EFD4DC79A9C}) (Version: 4.2 - ZOHO Corp)
Adware Runtimes v11.3 (HKLM-x32\...\{33CDE859-5620-48E0-BE40-948F5C4D0C97}) (Version: 11.3.0.0 - GfK Adware)
Avid Interplay Central MOS plugin (HKLM-x32\...\{D6B23B96-2283-47F7-B9D6-47D0E7422512}) (Version: 1.0.1.10 - Avid)
Cisco Jabber (HKLM-x32\...\{422E968A-54F1-418A-8543-E53CD71F2829}) (Version: 11.5.0.26858 - Cisco Systems, Inc)
Configuration Manager Client (x32 Version: 4.00.6487.2000 - Microsoft Corporation) Hidden
CutePDF Writer (HKLM-x32\...\{BD25A0B1-7C12-4709-A369-7BE0F23B879C}) (Version: 8.2 - GPL)
DameWare Mini Remote Control Service (HKLM\...\{D3ACCB2B-41B4-4213-89A7-C5E2DC1847FD}) (Version: 7.5.9.1 - DameWare Development)
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\{AE46AF84-7112-3905-B1A4-EFCBA8F5EC0E}) (Version: 53.0.2785.116 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
iNEWS (HKLM-x32\...\{1E4961BA-240E-4BC9-9C54-91043D04A3CC}) (Version: 5.2.3.9 - Avid Technology)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2867 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Jupiter Basic XY (HKLM-x32\...\{D91E2316-F19C-455A-B489-E7F6BB8BD9DA}) (Version: 1.1.0072 - Thomson)
Local admin password management solution (HKLM\...\{A0493028-566E-4415-BA77-2E4485D333C4}) (Version: 5.1.0.0 - Microsoft | Services)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM\...\{90140000-0012-0000-1000-0000000FF1CE}_Office14.STANDARD_{7BC9B5EB-125A-4E9B-97E1-8D85B5E960B8}) (Version:  - Microsoft)
Microsoft Office Standard 2010 (HKLM\...\Office14.STANDARD) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41105.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Sophos Anti-Virus (HKLM-x32\...\{09863DA9-7A9B-4430-9561-E04D178D7017}) (Version: 10.6.3.537 - Sophos Limited)
Sophos AutoUpdate (HKLM-x32\...\{BCF53039-A7FC-4C79-A3E3-437AE28FD918}) (Version: 5.2.0.276 - Sophos Limited)
Sophos Network Threat Protection (HKLM\...\{66967E5F-43E8-4402-87A4-04685EE5C2CB}) (Version: 1.2.2.50 - Sophos Limited)
Sophos Remote Management System (HKLM-x32\...\{FED1005D-CBC8-45D5-A288-FFC7BB304121}) (Version: 4.0.6 - Sophos Limited)
Sophos System Protection (HKLM-x32\...\{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}) (Version: 1.3.0 - Sophos Limited)
Vizrt Viz Content Pilot 5.6.1.13782 (HKLM-x32\...\InstallShield_{02996AE0-3167-4213-8953-930799681FB6}) (Version: 5.6.1.13782 - Vizrt)
Vizrt Viz Content Pilot 5.6.1.13782 (x32 Version: 5.6.1.13782 - Vizrt) Hidden
VLC media player 1.0.1 (HKLM-x32\...\VLC media player) (Version: 1.0.1 - VideoLAN Team)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\Weekly Scan.job => 

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-04-18 11:53 - 2016-04-18 11:53 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-10-19 15:46 - 2016-09-14 13:11 - 02280264 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\libglesv2.dll
2016-10-19 15:46 - 2016-09-14 13:11 - 00107848 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\libegl.dll
2016-11-14 02:08 - 2016-11-14 02:08 - 31067840 _____ () C:\Users\courtneyfraser\AppData\Local\Google\Chrome\User Data\PepperFlash\23.0.0.207\pepflashplayer.dll
2011-03-17 01:07 - 2011-03-17 01:07 - 04297568 _____ () C:\Program Files\Common Files\Microsoft Shared\office14\Cultures\office.odf
2016-11-22 08:22 - 2016-11-22 08:22 - 00708608 _____ () C:\Users\courtneyfraser\AppData\Local\Temp\is-77H1H.tmp\mbam-setup-2.2.1.1043.tmp
2016-11-22 08:22 - 2016-11-22 08:22 - 00708608 _____ () C:\Users\courtneyfraser\AppData\Local\Temp\is-HJKKI.tmp\mbam-setup-2.2.1.1043.tmp

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SntpService => ""="service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 15:34 - 2009-06-11 10:00 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3835667965-2047657334-3681693090-65948\Control Panel\Desktop\\Wallpaper -> C:\Users\courtneyfraser\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.5.1.61 - 10.21.130.30
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{74C1F088-441F-4901-AEC1-19DF1E53ED4C}] => (Allow) C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe
FirewallRules: [{6C5A9380-DD92-4852-9662-9E1D1D045C0E}] => (Allow) C:\Program Files (x86)\Cisco Systems\Cisco Jabber\wbxcOIEx.exe
FirewallRules: [{7E5A88B6-DA22-4FEE-A911-6D9553BAD5C3}] => (Allow) C:\Program Files (x86)\Cisco Systems\Cisco Jabber\x64\wbxcOIEx64.exe
FirewallRules: [{ABCA0FDD-796A-4EE9-BA13-C48B3A9ADFAA}] => (Allow) C:\Program Files (x86)\Avid\iNEWS\ANWS.exe
FirewallRules: [{2825B0C0-108A-4BF4-80A6-AD9585BC9DC2}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{5440A8AC-1182-47F4-9F02-0B340B235AFB}] => (Allow) C:\WINDOWS\dwrcs\dwrcs.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2016 09:23:38 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/21/2016 08:37:54 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 08:35:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/18/2016 03:34:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16737 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 11ac

Start Time: 01d240df7b7bc7d7

Termination Time: 5

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: fc9aaec7-acd2-11e6-bb10-90b11c899f5c

Error: (11/17/2016 10:12:08 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/17/2016 03:30:31 AM) (Source: dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
Error setsockopt (IP_DROP_MEMBERSHIP)

System Error: 10049
System Message: The requested address is not valid in its context.

 (srv 64 bit)

Error: (11/17/2016 03:30:01 AM) (Source: dwmrcs) (EventID: 110) (User: )
Description: Error: 
DameWare Mini Remote Control
Error setsockopt (IP_ADD_MEMBERSHIP)

System Error: 10065
System Message: A socket operation was attempted to an unreachable host.

 (srv 64 bit)

Error: (11/16/2016 08:39:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/15/2016 09:13:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/14/2016 07:15:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (11/22/2016 02:27:32 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/21/2016 09:24:10 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
 and APPID 
{B292921D-AF50-400C-9B75-0C57A7F29BA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (11/21/2016 08:38:26 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
 and APPID 
{B292921D-AF50-400C-9B75-0C57A7F29BA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (11/21/2016 02:26:27 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1058) (User: CANWEST)
Description: The processing of Group Policy failed. Windows attempted to read the file \\canwest.co.nz\SysVol\canwest.co.nz\Policies\{8BA757BB-3926-4C33-9D8F-F789A56FA842}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

Error: (11/21/2016 02:25:33 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/21/2016 02:25:33 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain CANWEST due to the following: 
There are currently no logon servers available to service the logon request.


This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (11/18/2016 08:35:33 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
 and APPID 
{B292921D-AF50-400C-9B75-0C57A7F29BA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (11/18/2016 03:30:08 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (11/17/2016 10:12:40 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{24FF4FDC-1D9F-4195-8C79-0DA39248FF48}
 and APPID 
{B292921D-AF50-400C-9B75-0C57A7F29BA1}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (11/17/2016 03:29:56 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 82%
Total physical RAM: 8078.54 MB
Available physical RAM: 1449.91 MB
Total Virtual: 16155.27 MB
Available Virtual: 8560 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:232.4 GB) (Free:164.92 GB) NTFS
Drive g: (APPS) (Network) (Total:199.87 GB) (Free:65.62 GB) NTFS
Drive n: () (Network) (Total:108033.29 GB) (Free:1294.76 GB) 
Drive p: (DATA) (Network) (Total:4 GB) (Free:1.98 GB) NTFS
Drive s: (DATA) (Network) (Total:4 GB) (Free:1.98 GB) NTFS

==================== MBR & Partition Table ==================

==================== End of Addition.txt ============================


  • Root Admin

Hello @fran1942 and welcome.

Generally speaking, the forums are mainly geared towards helping retail consumers with malware detection and removal. Often business customers don't wish to post logs on an open public forum and seek help from either paid support options or free support via the Helpdesk.

If you'd like me to assist you though please let me know and run the following on one of the affected computers.

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator on Windows Vista or Windows 7; on XP, double-click it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


  • Root Admin

Not sure where those came from at this time. Please uninstall all versions of Java. 

You appear to be using a network version of Sophos antivirus that is having trouble accessing some location and is also showing signs of crashing in the logs.

The Windows Search service may need to have its index reset or otherwise be reset, as it's having an issue too, which can sometimes affect how other programs run.

Application errors:
==================
Error: (11/25/2016 09:37:18 AM) (Source: MsiInstaller) (EventID: 11606) (User: 7010-C0D03W1)
Description: Product: Sophos Virus Removal Tool -- Error 1606.Could not access network location data.

Error: (11/25/2016 09:37:17 AM) (Source: MsiInstaller) (EventID: 11606) (User: 7010-C0D03W1)
Description: Product: Sophos Virus Removal Tool -- Error 1606.Could not access network location data.

Error: (11/25/2016 09:36:49 AM) (Source: MsiInstaller) (EventID: 11606) (User: 7010-C0D03W1)
Description: Product: Sophos Virus Removal Tool -- Error 1606.Could not access network location data.

Error: (11/25/2016 09:24:25 AM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Sophos Anti-Virus service, but this action failed with the following error:
An instance of the service is already running.

Error: (11/25/2016 09:24:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/25/2016 09:24:25 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sophos Device Control Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks
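An added example, not part of the reply above and not code from FRST, Sophos or Malwarebytes, that carries out two of the follow-up actions the reply recommends on one machine: remove every installed Oracle/Sun Java runtime or JDK, and rebuild the Windows Search index. It then re-queries the System log for the Service Control Manager 7031/7032 events the reply quotes so the effect can be confirmed. It assumes an elevated PowerShell 3.0+ prompt; the -WhatIf switch is this example's own addition for previewing the removals, while the registry paths are the standard Windows Uninstall and Windows Search keys.

```powershell
# Added example (not from the original reply). Removes all Oracle/Sun Java
# installs, rebuilds the Windows Search index, then re-checks the SCM crash
# events. Assumes an elevated PowerShell 3.0+ prompt; -WhatIf previews only.
param([switch]$WhatIf)

# --- 1. Java: enumerate both the 64-bit and the 32-bit (Wow6432Node) Uninstall
#        hives so an x86 JRE on an x64 box is not missed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java' -and $_.Publisher -match 'Oracle|Sun Microsystems' }

if (-not $javaEntries) { Write-Host 'No Oracle/Sun Java installations found.' }
foreach ($entry in $javaEntries) {
    $code = $entry.PSChildName   # for Oracle's MSI installers the key name is the product code
    Write-Host ("Found {0} {1} [{2}]" -f $entry.DisplayName, $entry.DisplayVersion, $code)
    if ($code -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $msiArgs = "/x $code /qn /norestart"
        if ($WhatIf) { Write-Host "  would run: msiexec.exe $msiArgs" }
        else { Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait }
    } else {
        Write-Warning "  not an MSI product code; remove manually with: $($entry.UninstallString)"
    }
}

# --- 2. Windows Search: stop the service, mark setup as incomplete so the
#        indexer recreates its catalog, delete the old database, restart.
$searchKey = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
$edbPath   = Join-Path $env:ProgramData 'Microsoft\Search\Data\Applications\Windows\Windows.edb'
if ($WhatIf) {
    Write-Host "Would reset the Windows Search index and delete $edbPath"
} else {
    Stop-Service -Name WSearch -Force
    Set-ItemProperty -Path $searchKey -Name SetupCompletedSuccessfully -Value 0 -Type DWord
    Remove-Item -Path $edbPath -Force -ErrorAction SilentlyContinue
    Start-Service -Name WSearch
}

# --- 3. Re-check the crash pattern quoted in the reply: Service Control Manager
#        7031/7032 events for Sophos or Windows Search during the past week.
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7032; StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Sophos|Windows Search' } |
    Select-Object TimeCreated, Id, @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it first with -WhatIf to see which Java product codes would be passed to msiexec, then without. Managed Sophos endpoints are normally reinstalled or repaired from the management console rather than by script, so the event query is only there to show whether the 7031/7032 entries stop after the index rebuild.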

