# Help with FBI lockout screen virus, please



## pjoseph

Yesterday I got that screen looking for money to unlock my computer. I was able to reboot into safe mode and run Malwarebytes, which removed some things.

It worked well for the rest of the day, and now this morning it came back. How do I get rid of this thing?!


I keep noticing a pop-up at the bottom from Malwarebytes saying 
"successfully blocked access to a potentially malicious website: 95.211.194.79
Type: Outgoing 
Port:60277, Process:svhost.exe"

Here is my log:
malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.31.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
pamato :: ENPUSREML0278 [administrator]

Protection: Enabled

5/31/2013 8:23:04 AM
mbam-log-2013-05-31 (08-23-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 273230
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\pamato\rundll32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\pamato\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

(end)


Thanks
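
An added check, not part of the original post or of Malwarebytes: the two quarantined files above carry the names of Windows system binaries (rundll32.exe, winlogon.exe) but sit in the user profile root rather than in C:\Windows\System32, and the blocked outbound connection comes from a process called svhost.exe, one letter short of the legitimate svchost.exe. Both patterns can be spotted mechanically. The script below flags a path when its file name is a known system binary living outside a system directory, or when the name is one edit away from one. The list of binaries and directories is a short illustrative assumption, and the last two sample paths are constructed control cases; a one-edit match is a heuristic and still needs a human look.

```python
import ntpath

# Windows binaries whose names malware likes to borrow. Assumption: a short
# illustrative list, not an exhaustive inventory of the OS.
SYSTEM_BINARIES = {
    "svchost.exe", "rundll32.exe", "winlogon.exe", "explorer.exe",
    "lsass.exe", "csrss.exe", "services.exe", "smss.exe", "alg.exe",
}
# Directories those binaries legitimately run from (lower case, no trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character lookalikes such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(name):
    """Return ("exact", name), ("lookalike", real_name) or ("unknown", None)."""
    n = name.lower()
    if n in SYSTEM_BINARIES:
        return "exact", n
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(n, real) == 1:
            return "lookalike", real
    return "unknown", None


def flag_path(path):
    """Decide whether a full path, or a bare process name, deserves a look."""
    directory, name = ntpath.split(path.lower())
    verdict, real = classify_name(name)
    if verdict == "lookalike":
        return {"path": path, "flagged": True,
                "reason": "name is one edit away from %s" % real}
    # A bare name carries no location, so only a full path can be "out of place".
    if verdict == "exact" and directory and directory not in SYSTEM_DIRS:
        return {"path": path, "flagged": True,
                "reason": "%s found outside its system directory" % real}
    return {"path": path, "flagged": False, "reason": ""}


def scan(paths):
    """Return only the flagged entries for a list of paths or process names."""
    return [r for r in map(flag_path, paths) if r["flagged"]]


# Sample input: the process name from the Malwarebytes pop-up and the two
# quarantined files from the log, plus two constructed control cases.
SAMPLE = [
    "svhost.exe",                            # from the Malwarebytes block pop-up
    r"C:\Users\pamato\rundll32.exe",         # quarantined by Malwarebytes
    r"C:\Users\pamato\winlogon.exe",         # quarantined by Malwarebytes
    r"C:\Windows\System32\rundll32.exe",     # constructed: the real binary
    r"C:\Users\pamato\Desktop\report.docx",  # constructed: ordinary user file
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("%-40s %s" % (hit["path"], hit["reason"]))
```

Run against the sample, it reports svhost.exe as a lookalike and the two profile-root files as system-binary names outside their system directory; the genuine rundll32.exe and the document pass. The same two rules applied to a process listing or a directory walk give a quick first triage of a host showing the symptoms described in this post.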


----------



## pjoseph

I ran AdwCleaner, but when I try to delete it freezes up my computer every time, so it never finishes.

# AdwCleaner v2.301 - Logfile created 05/31/2013 at 09:26:36
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : pamato - ENPUSREML0278
# Boot Mode : Normal
# Running from : C:\Users\pamato\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files\adawaretb
Folder Found : C:\ProgramData\adawaretb
Folder Found : C:\ProgramData\blekko toolbars

***** [Registry] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\adawaretb
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v27.0.1453.94

File : C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2229 octets] - [31/05/2013 08:54:19]
AdwCleaner[R2].txt - [2275 octets] - [31/05/2013 09:10:33]
AdwCleaner[R3].txt - [2147 octets] - [31/05/2013 09:26:36]
AdwCleaner[S1].txt - [398 octets] - [31/05/2013 08:55:42]
AdwCleaner[S2].txt - [325 octets] - [31/05/2013 09:11:59]
AdwCleaner[S3].txt - [325 octets] - [31/05/2013 09:26:26]

########## EOF - C:\AdwCleaner[R3].txt - [2384 octets] ##########


----------



## Punk

Hello!


*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open windows, including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.


Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:


At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.


When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  



In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## johnb35

Yes, please follow what Punk has suggested. It seems you may have a service that is still infecting you.

I would also suggest running TDSSKiller, as sometimes the ZeroAccess rootkit is involved with the ransomware infection.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.


Please reboot the system if asked to do so. 

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt  

Please open the log and copy and paste it back here.


----------



## pjoseph

Well, I ran ComboFix and now I cannot open any program or file or get on the internet, etc.

Anything I try to open says "illegal operation attempted on a registry key that has been marked for deletion".


----------



## johnb35

Reboot the PC and you'll be fine. Then post the log file.


----------



## voyagerfan99

Hey John, you should edit your instructions so they say to reboot the computer.


----------



## pjoseph

Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1674 [GMT -7:00]
Running from: c:\users\pamato\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Lavasoft Ad-Aware *Disabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\MS
c:\programdata\Roaming
c:\users\pamato\acrobatreader.exe
c:\users\pamato\alg.exe
c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad
c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\dacbaabaefaddfad.exe
c:\users\pamato\chrome.exe
c:\users\pamato\flashplayer.exe
c:\users\pamato\googleupdate.exe
c:\users\pamato\GoToAssistDownloadHelper.exe
c:\users\pamato\icq.exe
c:\users\pamato\java.exe
c:\users\pamato\jucheck.exe
c:\users\pamato\msconfig.exe
c:\users\pamato\mstsc.exe
c:\users\pamato\opera.exe
c:\users\pamato\skype.exe
c:\users\pamato\teamviewer.exe
c:\users\pamato\windowsupdate.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-28 to 2013-05-31  )))))))))))))))))))))))))))))))
.
.
2013-05-31 19:02 . 2013-05-31 19:02	--------	d-----w-	c:\users\tcyberey\AppData\Local\temp
2013-05-31 16:02 . 2013-05-31 16:02	--------	d-----w-	C:\found.001
2013-05-31 15:21 . 2013-05-31 15:21	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2013-05-31 15:21 . 2013-04-04 21:50	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-05-31 14:55 . 2013-05-31 14:55	--------	d-----w-	C:\found.000
2013-05-31 00:57 . 2013-05-31 01:00	--------	d-----w-	c:\programdata\Ad-Aware Antivirus
2013-05-31 00:51 . 2013-05-31 00:51	--------	d-----w-	c:\programdata\Lavasoft
2013-05-31 00:51 . 2013-05-31 00:57	--------	d-----w-	c:\program files\Ad-Aware Antivirus
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\users\pamato\AppData\Local\adawarebp
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\programdata\adawaretb
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\programdata\Ad-Aware Browsing Protection
2013-05-31 00:49 . 2013-05-31 05:57	--------	d-----w-	c:\users\pamato\AppData\Roaming\Ad-Aware Antivirus
2013-05-31 00:17 . 2013-05-31 00:17	30464	----a-w-	c:\windows\system32\drivers\hitmanpro37.sys
2013-05-31 00:07 . 2013-05-31 00:15	--------	d-----w-	c:\programdata\HitmanPro
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\users\pamato\AppData\Roaming\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\programdata\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\users\pamato\AppData\Local\Programs
2013-05-30 23:37 . 2013-05-30 23:37	--------	d-----w-	c:\programdata\Anvisoft
2013-05-30 23:37 . 2013-05-30 23:37	--------	d-----w-	c:\program files\Anvisoft
2013-05-30 21:13 . 2013-05-30 21:13	--------	d-----w-	c:\users\pamato\AppData\Roaming\wabEventSupport16
2013-05-24 03:47 . 2013-05-24 03:47	--------	d-----w-	c:\programdata\Downloaded Installations
2013-05-22 06:03 . 2013-05-31 15:12	--------	d-----w-	c:\users\pamato\AppData\Local\Widcomm
2013-05-13 14:17 . 2013-05-13 14:17	--------	d-----w-	c:\users\Default\AppData\Local\Symantec
2013-05-11 10:37 . 2013-05-11 10:37	209472	----a-w-	c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57	49728	----a-w-	c:\windows\system32\AdobePDF.dll
2013-05-10 07:57 . 2013-05-10 07:57	25160	----a-w-	c:\windows\system32\AdobePDFUI.dll
2013-05-06 07:00 . 2013-05-06 07:00	--------	d-----w-	c:\program files\Common Files\Intel Corporation
2013-05-05 07:30 . 2013-05-05 07:30	--------	d-----w-	c:\users\pamato\AppData\Roaming\Intel Corporation
2013-05-04 11:06 . 2011-04-16 14:00	53248	----a-w-	c:\windows\system32\CSVer.dll
2013-05-04 11:05 . 2013-05-04 11:05	--------	d-----w-	c:\users\pamato\AppData\Roaming\InstallShield
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 00:49 . 2013-01-17 07:24	44424	----a-w-	c:\windows\system32\sbbd.exe
2013-05-31 00:49 . 2013-01-17 07:24	13560	----a-w-	c:\windows\system32\drivers\gfibto.sys
2013-05-24 15:19 . 2012-04-18 15:58	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-05-24 15:19 . 2011-10-19 15:22	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 19:53 . 2013-03-20 22:20	16400	----a-w-	c:\windows\system32\drivers\LNonPnP.sys
2013-03-20 22:20 . 2013-03-20 22:20	53248	----a-r-	c:\users\pamato\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-03-19 05:04 . 2013-04-17 19:42	3968856	----a-w-	c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-17 19:42	3913560	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-17 19:42	38912	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-17 19:42	69632	----a-w-	c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-05-21 324976]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Widcomm"="c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll" [2013-05-31 821248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-11-17 858792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-07-16 115624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"Nuance PDF Converter Professional 7-reminder"="c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe" [2011-09-06 333672]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-05-10 38984]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-05-10 840768]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-03-29 3421456]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-02-21 2238704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-07 145464]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-07 180792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-07 189496]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-05-15 554408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-10-27 840992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"DefaultLogonDomain"= EMRSN
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-17 17:43	13672	----a-w-	c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2013-02-08 18:30	66800	----a-w-	c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 04:32	59280	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R280 Series]
2007-04-13 14:00	182272	----a-w-	c:\windows\System32\spool\drivers\w32x86\3\E_FATICKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30	421776	----a-w-	E:\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance PDF Converter Professional 7-reminder]
2011-09-06 21:47	333672	----a-w-	c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF7 Registry Controller]
2012-02-17 20:01	141160	----a-w-	c:\program files\Nuance\PDF Professional 7\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-02-17 20:02	1828712	----a-w-	c:\program files\Nuance\PDF Professional 7\PdfPro7Hook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-11-08 01:21	421888	----a-w-	c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wabEventSupport16]
2013-05-30 21:13	30208	----a-w-	c:\users\pamato\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R0 xwxn;xwxn;c:\windows\System32\drivers\ihpjs.sys [x]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [x]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwNx32.sys [x]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Ser2plx86;Prolific Serial port WDF driver;c:\windows\system32\DRIVERS\ser2pl.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S0 prot_2k;prot_2k; [x]
S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IRA;IRA;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 7\PDFProFiltSrv.exe [x]
S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [x]
S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [x]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [x]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDCLient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [x]
S3 BTWAMPFL;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
S3 Mandiant_Tools;Mandiant_Tools;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [x]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
GPSvcGroup	REG_MULTI_SZ   	GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 15:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = enpusfpkinf01:8080
uInternet Settings,ProxyOverride = 169.254.1.1;*.ascopower.*;*.ascoswitch.com;*.enps.com;*.liebert.com;*.emrsn.org;*.learninglogin.com;155.104.*;10.*;192.168.*;*.emerson.*;*.msftncsi.com;*.careermap.net;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 7 - c:\program files\Nuance\PDF Professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces: NameServer = 10.16.64.11,10.20.64.11
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
HKCU-Run-Adobe CSS5.1 Manager - c:\users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\dacbaabaefaddfad.exe
SafeBoot-Wdf01000.sys
SafeBoot-Symantec Antvirus
MSConfigStartUp-ADBlocker - c:\program files\Anvisoft\Anvi Smart Defender\toolbox\adblocker\ADBlockerTray.exe
MSConfigStartUp-ATI Remote Control - c:\program files\ATI Multimedia\RemCtrl\ATIRW.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2420)
c:\programdata\Ad-Aware Browsing Protection\adawarebp.dll
c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WallData\dba\dbashlex.dll
c:\program files\WallData\system\Nls32.DLL
c:\program files\WallData\dba\MRI2924\NLSDBSHL.Dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\windows\system32\conhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\taskhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\System32\regsvr32.exe
c:\program files\DellTPad\HidFind.exe
c:\progra~1\AD-AWA~1\AdAware.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\windows\system32\sppsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2013-05-31  12:10:46 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-31 19:10
.
Pre-Run: 55,911,739,392 bytes free
Post-Run: 56,035,725,312 bytes free
.
- - End Of File - - B6E63C4838B3C90C880C311648337152


----------



## pjoseph

Still getting the Malwarebytes message 
"successfully blocked access to a potentially malicious website 109.236.82.107
type outgoing 
port:49294, process iexlore.exe"

and regarding TDssKiller

When I click on the link I have the following options: "do you want to save this file or find a program to open online"

If I save it I can't open it. 

Not sure what the issue is.


----------



## johnb35

You are downloading the exe file correct?  You are still somewhat infected.  Can you try booting into safe mode and try running tdsskiller for me and see if it will run.

I also need you to post a log that combofix produces but doesn't show you.  Looks like we need to uninstall some software as well.  Please navigate to c:\Qoobox and in that folder will be a file named add-remove programs.txt.  Open the notepad file and copy and paste the contents back here.  Meanwhile I will go through the combofix log you posted.


----------



## pjoseph

I am clicking on the link you provided which automatically goes to file download.

Name tdsskiller
Type Unknown file type
from support.kaspersky.com


2007 Microsoft Office Suite Service Pack 3 (SP3)
32 Bit HP CIO Components Installer
Active Models
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Adobe Acrobat X Standard
Adobe AIR
Adobe Digital Editions
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.03)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 2.0
AutoCAD LT 2012 - English
AutoCAD LT 2012 Language Pack - English
Autodesk Content Service
Autodesk Material Library 2012
Autodesk Material Library Base Resolution Image Library 2012
Bonjour
Canon DIGITAL CAMERA Solution Disk Software Guide
CANON iMAGE GATEWAY MyCamera Download Plugin
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon PowerShot ELPH 100 HS_IXUS 115 HS Camera User Guide
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow Launcher
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Check Point Endpoint Security - Full Disk Encryption
Cisco AnyConnect Diagnostics and Reporting Tool
Cisco AnyConnect Secure Mobility Client
Cisco AnyConnect Secure Mobility Client 
Compatibility Pack for the 2007 Office system
Dell Client System Update
Dell Touchpad
DWG TrueView 2008
ENP messaging screen saver
EPSON Printer Software
eReg
foobar2000 v1.1.15
Google SketchUp 8
GoToAssist Corporate
Intel PROSet Wireless
Intel(R) Network Connections Drivers
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Intel(R) SDK for OpenCL - CPU Only Runtime Package
Intel® PROSet/Wireless WiFi Software
IrfanView (remove only)
iTunes
Java Auto Updater
Java(TM) 7 Update 4
JavaFX 2.1.0
LAME v3.99.3 (for Windows)
LANDesk Advance Agent
LANDesk(R) Common Base Agent 8
LiveUpdate 3.3 (Symantec Corporation)
Logitech SetPoint 6.52
Malwarebytes Anti-Malware version 1.75.0.1300
MANDIANT Intelligent Response Agent
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft AntiXSS v4.2.1
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.2
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Modem Diagnostic Tool
Multi-Targeting Pack for Microsoft .NET Framework 4 Platform Update 1 (KB2495638)
Multi-Targeting Pack for the Microsoft .NET Framework 4.0.2
Multi-Targeting Pack for the Microsoft .NET Framework 4.0.2 (KB2544526)
Nuance PDF Converter Professional 7
QuickTime
RUMBA 2000
Scansoft PDF Professional
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition 
Security Update for Microsoft Visual Basic for Applications 6.5 (KB2688865)
Symantec Endpoint Protection
System Requirements Lab for Intel
Update 4.0.2 for Microsoft .NET Framework 4 Client Profile (KB2544514)
Update 4.0.2 for Microsoft .NET Framework 4 Extended (KB2544514)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VLC media player 1.1.11
WIDCOMM Bluetooth Software
WinZip 15.0
X10 Hardware(TM)


----------



## johnb35

Try this link.

http://www.bleepingcomputer.com/download/tdsskiller/dl/4/

Please uninstall the following programs.

Ad-Aware Antivirus
Ad-Aware Browsing Protection
Java Auto Updater
Java(TM) 7 Update 4
JavaFX 2.1.0


----------



## pjoseph

Ok I was able to run tdsskiller with new link, and it found 0 threats.

I removed all of the programs you listed except Java Auto Updater
because I am not finding it in the list.


----------



## johnb35

Ok, then give me a while to go through your log and I'll give you your next procedure.


----------



## johnb35

Ok next step.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



Code:

Driver::

xwxn

File::

c:\windows\System32\drivers\ihpjs.sys 

Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Then finally please run an online scan using Eset.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file, and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.


----------



## pjoseph

I am unable to disable Symantec Endpoint Protection since this is a company laptop. Should I proceed anyway? ComboFix is giving me a warning.

thanks again


----------



## johnb35

Yes, continue.


----------



## pjoseph

Really appreciate the help so far; here is the log:

ComboFix 13-05-31.02 - pamato 05/31/2013  17:19:34.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1280 [GMT -7:00]
Running from: c:\users\pamato\Desktop\ComboFix.exe
Command switches used :: c:\users\pamato\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\System32\drivers\ihpjs.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\pamato\AppData\Roaming\skype.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_xwxn
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-01 to 2013-06-01  )))))))))))))))))))))))))))))))
.
.
2013-06-01 00:29 . 2013-06-01 00:29	--------	d-----w-	c:\users\tcyberey\AppData\Local\temp
2013-06-01 00:29 . 2013-06-01 00:29	--------	d-----w-	c:\users\tcyberey.EMRSN\AppData\Local\temp
2013-06-01 00:29 . 2013-06-01 00:29	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-05-31 20:46 . 2013-06-01 00:32	56200	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{3545A5C2-324F-408F-AC97-05397BD0C750}\offreg.dll
2013-05-31 16:02 . 2013-05-31 16:02	--------	d-----w-	C:\found.001
2013-05-31 15:21 . 2013-05-31 15:21	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2013-05-31 15:21 . 2013-04-04 21:50	22856	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-05-31 14:55 . 2013-05-31 14:55	--------	d-----w-	C:\found.000
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\users\pamato\AppData\Local\adawarebp
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\programdata\adawaretb
2013-05-31 00:50 . 2013-05-31 00:50	--------	d-----w-	c:\programdata\Ad-Aware Browsing Protection
2013-05-31 00:17 . 2013-05-31 00:17	30464	----a-w-	c:\windows\system32\drivers\hitmanpro37.sys
2013-05-31 00:07 . 2013-05-31 00:15	--------	d-----w-	c:\programdata\HitmanPro
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\users\pamato\AppData\Roaming\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\programdata\Malwarebytes
2013-05-30 23:46 . 2013-05-30 23:46	--------	d-----w-	c:\users\pamato\AppData\Local\Programs
2013-05-30 23:37 . 2013-05-30 23:37	--------	d-----w-	c:\programdata\Anvisoft
2013-05-30 23:37 . 2013-05-30 23:37	--------	d-----w-	c:\program files\Anvisoft
2013-05-30 21:13 . 2013-05-30 21:13	--------	d-----w-	c:\users\pamato\AppData\Roaming\wabEventSupport16
2013-05-24 03:47 . 2013-05-24 03:47	--------	d-----w-	c:\programdata\Downloaded Installations
2013-05-22 06:03 . 2013-05-31 15:12	--------	d-----w-	c:\users\pamato\AppData\Local\Widcomm
2013-05-13 14:17 . 2013-05-13 14:17	--------	d-----w-	c:\users\Default\AppData\Local\Symantec
2013-05-11 10:37 . 2013-05-11 10:37	209472	----a-w-	c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-05-10 07:57 . 2013-05-10 07:57	49728	----a-w-	c:\windows\system32\AdobePDF.dll
2013-05-10 07:57 . 2013-05-10 07:57	25160	----a-w-	c:\windows\system32\AdobePDFUI.dll
2013-05-06 07:00 . 2013-05-06 07:00	--------	d-----w-	c:\program files\Common Files\Intel Corporation
2013-05-05 07:30 . 2013-05-05 07:30	--------	d-----w-	c:\users\pamato\AppData\Roaming\Intel Corporation
2013-05-04 11:06 . 2011-04-16 14:00	53248	----a-w-	c:\windows\system32\CSVer.dll
2013-05-04 11:05 . 2013-05-04 11:05	--------	d-----w-	c:\users\pamato\AppData\Roaming\InstallShield
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-31 00:49 . 2013-01-17 07:24	44424	----a-w-	c:\windows\system32\sbbd.exe
2013-05-31 00:49 . 2013-01-17 07:24	13560	----a-w-	c:\windows\system32\drivers\gfibto.sys
2013-05-24 15:19 . 2012-04-18 15:58	692104	----a-w-	c:\windows\system32\FlashPlayerApp.exe
2013-05-24 15:19 . 2011-10-19 15:22	71048	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 19:53 . 2013-03-20 22:20	16400	----a-w-	c:\windows\system32\drivers\LNonPnP.sys
2013-03-20 22:20 . 2013-03-20 22:20	53248	----a-r-	c:\users\pamato\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2013-03-19 05:04 . 2013-04-17 19:42	3968856	----a-w-	c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-17 19:42	3913560	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-17 19:42	38912	----a-w-	c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-17 19:42	69632	----a-w-	c:\windows\system32\smss.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-05-21 324976]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
"Widcomm"="c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll" [2013-05-31 821248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Check Point Endpoint Tray Application"="c:\program files\Common Files\Check Point\UIFramework\cptray.exe" [2010-06-02 70144]
"Pointsec Tray"="c:\program files\Pointsec\Pointsec for PC\P95Tray.exe" [2010-11-17 858792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2012-07-16 115624]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216]
"Nuance PDF Converter Professional 7-reminder"="c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe" [2011-09-06 333672]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2013-05-10 38984]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2013-05-10 840768]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 505720]
"IntelPROSet"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2012-03-29 3421456]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-02-21 2238704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-07 145464]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-07 180792]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-07 189496]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-10-27 840992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"DefaultLogonDomain"= EMRSN
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-10-17 17:43	13672	----a-w-	c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2013-02-08 18:30	66800	----a-w-	c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 04:32	59280	----a-w-	c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R280 Series]
2007-04-13 14:00	182272	----a-w-	c:\windows\System32\spool\drivers\w32x86\3\E_FATICKA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30	421776	----a-w-	E:\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nuance PDF Converter Professional 7-reminder]
2011-09-06 21:47	333672	----a-w-	c:\program files\Nuance\PDF Professional 7\Ereg\Ereg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF7 Registry Controller]
2012-02-17 20:01	141160	----a-w-	c:\program files\Nuance\PDF Professional 7\RegistryController.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-02-17 20:02	1828712	----a-w-	c:\program files\Nuance\PDF Professional 7\PdfPro7Hook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-11-08 01:21	421888	----a-w-	c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wabEventSupport16]
2013-05-30 21:13	30208	----a-w-	c:\users\pamato\AppData\Roaming\wabEventSupport16\wabEventSupport16.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [x]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [x]
R3 NETwNx32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\DRIVERS\NETwNx32.sys [x]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Ser2plx86;Prolific Serial port WDF driver;c:\windows\system32\DRIVERS\ser2pl.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [x]
S0 prot_2k;prot_2k; [x]
S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IRA;IRA;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 7\PDFProFiltSrv.exe [x]
S2 Pointsec;Pointsec;c:\windows\system32\Prot_srv.exe [x]
S2 Pointsec_start;Pointsec Service Start;c:\windows\system32\pstartSr.exe [x]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDCLient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [x]
S3 BTWAMPFL;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
S3 Mandiant_Tools;Mandiant_Tools;c:\program files\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [x]
S3 NETwNs32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [x]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
GPSvcGroup	REG_MULTI_SZ   	GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 15:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = enpusfpkinf01:8080
uInternet Settings,ProxyOverride = 169.254.1.1;*.ascopower.*;*.ascoswitch.com;*.enps.com;*.liebert.com;*.emrsn.org;*.learninglogin.com;155.104.*;10.*;192.168.*;*.emerson.*;*.msftncsi.com;*.careermap.net;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Create PDF file - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML
IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with Nuance PDF Converter 7 - c:\program files\Nuance\PDF Professional 7\cnvres_eng.dll /100
IE: Open with PDF Professional 7 - c:\program files\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 71.9.127.107 68.190.192.35 24.205.224.36
TCP: Interfaces: NameServer = 10.16.64.11,10.20.64.11
TCP: Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C}: NameServer = 10.16.64.11,10.20.64.11
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5080)
c:\users\pamato\AppData\Local\Widcomm\vwhsfohz.dll
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\WallData\dba\dbashlex.dll
c:\program files\WallData\system\Nls32.DLL
c:\program files\WallData\dba\MRI2924\NLSDBSHL.Dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\DRIVERS\o2flash.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\conhost.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\taskhost.exe
c:\progra~1\LANDesk\LDCLient\rcgui.exe
c:\windows\system32\conhost.exe
c:\windows\System32\regsvr32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
.
**************************************************************************
.
Completion time: 2013-05-31  17:50:29 - machine was rebooted
ComboFix-quarantined-files.txt  2013-06-01 00:50
ComboFix2.txt  2013-05-31 19:10
.
Pre-Run: 56,917,889,024 bytes free
Post-Run: 56,722,034,688 bytes free
.
- - End Of File - - F5AE29F1CE28DE3822D84AF320223281


----------



## johnb35

Go ahead and run the ESET scan and post the results.

How is the system acting now?


----------



## pjoseph

I am at 50% scanning with ESET.

So far found 2 infected files,

Threats found
Win/32/trojandownloader.tracur.V trojan
a variant of Win32/Injector.AHJT trojan

I am still getting that popup that I mentioned in post #9, but Malwarebytes keeps blocking it; it happens at least once a minute. Any idea what it is?

thanks again


----------



## pjoseph

Just finished, found a total of 3. Does it automatically delete these? Still seeing that popup.

C:\Qoobox\Quarantine\C\Users\pamato\flashplayer.exe.vir	
a variant of Win32/Injector.AHJT trojan
C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll	
Win32/TrojanDownloader.Tracur.V trojan
Operating memory	a variant of Win32/Boaxxe.AW trojan


----------



## pjoseph

Ran AdwCleaner again and this time I was able to delete without it freezing.
Log below.


# AdwCleaner v2.301 - Logfile created 05/31/2013 at 21:03:34
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : pamato - ENPUSREML0278
# Boot Mode : Normal
# Running from : C:\Users\pamato\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\ProgramData\adawaretb
Folder Deleted : C:\ProgramData\blekko toolbars

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2229 octets] - [31/05/2013 08:54:19]
AdwCleaner[R2].txt - [2275 octets] - [31/05/2013 09:10:33]
AdwCleaner[R3].txt - [2453 octets] - [31/05/2013 09:26:36]
AdwCleaner[R4].txt - [2303 octets] - [31/05/2013 21:02:34]
AdwCleaner[S1].txt - [398 octets] - [31/05/2013 08:55:42]
AdwCleaner[S2].txt - [325 octets] - [31/05/2013 09:11:59]
AdwCleaner[S3].txt - [325 octets] - [31/05/2013 09:26:26]
AdwCleaner[S4].txt - [2260 octets] - [31/05/2013 21:03:34]

########## EOF - C:\AdwCleaner[S4].txt - [2320 octets] ##########


----------



## pjoseph

Still getting that popup from Malwarebytes.


----------



## voyagerfan99

It's late. You'll probably get another response from John in the morning.


----------



## johnb35

pjoseph said:


> just finished, found total of 3, does it automatically delete these? still seeing that popup
> 
> C:\Qoobox\Quarantine\C\Users\pamato\flashplayer.exe.vir
> a variant of Win32/Injector.AHJT trojan
> C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll
> Win32/TrojanDownloader.Tracur.V trojan
> Operating memory	a variant of Win32/Boaxxe.AW trojan



That's only 2 files, you must have missed copying the last one.

Please delete this file.

C:\Users\pamato\AppData\Local\Apple Computer\Temp\epgeofp.dll

You may have to rerun the Eset scanner to get a new log.


----------



## pjoseph

OK, my mistake. I will run it again now.
thanks


----------



## pjoseph

Same results as before with the third one listed like this:

Target: Operating Memory 
Threat: A variant of Win32/Boaxxe. AW Trojan

I can post a screenshot if that helps; let me know.


----------



## johnb35

Yes, post a screenshot.


----------



## pjoseph

http://www.flickr.com/photos/[email protected]/8926316723/in/photostream/


----------



## johnb35

Never seen that before.  However, have you shut the system down lately?  When the system is off, everything is erased out of the memory.


----------



## pjoseph

I will restart if that is what you are talking about; not sure I'm clear on your last post.

thanks again


----------



## johnb35

The log said it was in your operating memory.  Anything in memory is erased when the pc is shut down.


----------



## voyagerfan99

pjoseph said:


> I will restart if that is what you are talking about, not sure im clear on your last post
> 
> thanks again





johnb35 said:


> The log said it was in your operating memory.  Anything in memory is erased when the pc is shut down.



Which means shut down completely, don't just restart.


----------



## pjoseph

Will do, thank you.


----------



## pjoseph

OK, I deleted the file last mentioned and shut down the laptop.
Everything seems fine but still getting that popup.

How come when I ran ESET the second time it found the same threats it found the first time around? I thought it would have deleted them the first time I ran it.

thanks again


----------



## johnb35

Because I had you uncheck the option to remove found threats.  Since you are still getting the popup, can you provide some IP addresses that it's displaying?  Have you installed any new software lately?


----------



## pjoseph

Oh, OK.

website: 109.236.82.107
Port:50824, process: iexplore.exe


----------



## pjoseph

Another just came up, same info as previous post but port changed to 50857.


----------



## pjoseph

Seems like it just keeps trying different ports.
Another with same info as above but with port 50866.


----------
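The run of blocked outgoing attempts reported in the three posts above, as an added example that is not part of the thread: a small Python parser that reads Malwarebytes-style block notifications and groups them by destination IP, process and direction, so repeated attempts show up as one reconnecting process rather than a series of unrelated popups. The timestamps, the second address 192.0.2.10 (an RFC 5737 documentation address), the `updater.exe` and `svchost.exe` entries and the Incoming line are constructed for the example; only the 109.236.82.107 / iexplore.exe values come from the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample notifications (hypothetical timestamps prepended) in the
# shape of the Malwarebytes 1.x "blocked access" popup quoted in the thread.
# 109.236.82.107 / iexplore.exe come from the posts; 192.0.2.10 (an RFC 5737
# documentation address), updater.exe, svchost.exe and the Incoming line are made up.
SAMPLE_ALERTS = """\
2013-06-03 09:00:05 successfully blocked access to a potentially malicious website: 109.236.82.107 Type: Outgoing Port: 50824, Process: iexplore.exe
2013-06-03 09:01:02 successfully blocked access to a potentially malicious website: 109.236.82.107 Type: Outgoing Port: 50857, Process: iexplore.exe
2013-06-03 09:02:11 successfully blocked access to a potentially malicious website: 109.236.82.107 Type: Outgoing Port: 50866, Process: iexplore.exe
2013-06-03 09:03:09 successfully blocked access to a potentially malicious website: 109.236.82.107 Type: Outgoing Port: 50871, Process: iexplore.exe
2013-06-03 09:04:30 successfully blocked access to a potentially malicious website: 192.0.2.10 Type: Outgoing Port: 51200, Process: updater.exe
2013-06-03 09:04:45 successfully blocked access to a potentially malicious website: 192.0.2.10 Type: Incoming Port: 3389, Process: svchost.exe
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"successfully blocked access to a potentially malicious website:\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"Type:\s*(?P<direction>Outgoing|Incoming)\s+"
    r"Port:\s*(?P<port>\d+),\s*Process:\s*(?P<proc>\S+)$"
)

# Windows Vista and later hand out local source ports from this dynamic range.
EPHEMERAL_MIN, EPHEMERAL_MAX = 49152, 65535


def parse_alerts(text):
    """Turn notification lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "direction": m["direction"],
            "port": int(m["port"]),
            "process": m["proc"],
        })
    return records


def summarize(records):
    """Group alerts by (destination IP, process, direction) and describe each group."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip"], r["process"], r["direction"])].append(r)

    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        ports = [r["port"] for r in recs]
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        all_ephemeral = all(EPHEMERAL_MIN <= p <= EPHEMERAL_MAX for p in ports)
        summary[key] = {
            "attempts": len(recs),
            "first_seen": recs[0]["ts"],
            "last_seen": recs[-1]["ts"],
            "distinct_ports": len(set(ports)),
            "all_ephemeral": all_ephemeral,
            "span_seconds": span,
            # average gap between consecutive attempts; None for a single alert
            "mean_interval_seconds": round(span / (len(recs) - 1), 1) if len(recs) > 1 else None,
            # repeated outgoing attempts, each from a fresh ephemeral source port,
            # is the shape of one process reconnecting to one destination
            "likely_beacon": (key[2] == "Outgoing" and len(recs) >= 3
                              and all_ephemeral and len(set(ports)) == len(ports)),
        }
    return summary


def report(summary):
    """Render one line per group, beacon-like groups first."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: not kv[1]["likely_beacon"])
    for (ip, proc, direction), g in ordered:
        flag = "BEACON?" if g["likely_beacon"] else "       "
        lines.append(f"{flag} {direction:<8} {ip:<15} {proc:<14} attempts={g['attempts']} "
                     f"ports={g['distinct_ports']} span={g['span_seconds']:.0f}s")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_alerts(SAMPLE_ALERTS))):
        print(line)
```

The ports in the outgoing blocks (50824, 50857, 50866) all sit in the Windows dynamic range 49152 to 65535, the range the OS draws a fresh local source port from for every new connection attempt. A climbing port number is therefore consistent with one process reconnecting to the same destination over and over, and the stable (destination IP, process) pair is what deserves attention, not the port.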



## pjoseph

Looking at Add/Remove Programs, it looks like the following was installed on 5/24/13:
adobe reader XI (11.0.03)
Adobe Acrobat X Standard
Adobe Flash player 11 Active X
Adobe AIR

Not sure if these are installed automatically or not, because I do not recall installing them.


----------



## johnb35

OK, what I want you to do is a full scan with Malwarebytes. Make sure it's updated before you run it, and post the log.


----------



## pjoseph

OK, will do.

Just curious, why would we want to uncheck the option to remove found threats?

thanks again


----------



## johnb35

Because it might find something that actually isn't a threat.


----------



## pjoseph

OK


Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.03.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
pamato :: ENPUSREML0278 [administrator]

Protection: Enabled

6/2/2013 7:30:05 PM
MBAM-log-2013-06-02 (20-24-25).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 404107
Time elapsed: 52 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Qoobox\Quarantine\C\Users\pamato\flashplayer.exe.vir (Trojan.Inject.RRE) -> No action taken.

(end)


----------



## johnb35

OK.  I will look more in depth at this in the morning when I have a fresh mind.  Going to bed now.  You might have a program installed that's trying to call home or vice versa.


----------



## pjoseph

Should I remove the Trojan that Malwarebytes found?


----------



## johnb35

You can, even though it's already in quarantine.  Sorry, haven't looked at your logs again.  Had to fix my gf's computer this morning.


----------



## johnb35

Are you using a proxy to access the internet?  Also, providing you have actually shut down your computer instead of restarting it, can you rerun the ESET scanner to make sure that trojan in the operating memory is gone?  The only other thing I can think of is what I said before: you have some program installed that is calling home.  I've made a list of programs I'm not familiar with, so if you aren't familiar with them then try uninstalling them.

X10 Hardware
Scansoft PDF Professional
RUMBA 2000
Nuance PDF Converter Professional 7
MANDIANT Intelligent Response Agent
LAME v3.99.3 (for Windows)
LANDesk Advance Agent
LANDesk(R) Common Base Agent 8
eReg
foobar2000 v1.1.15
32 Bit HP CIO Components Installer
Active Models


----------



## pjoseph

No problem at all.

Should I still uncheck the option to remove found threats?


----------



## johnb35

Yes


----------



## pjoseph

When I'm in the office on the network, yes, a proxy is used to access the internet.


----------



## johnb35

Anything stand out with those programs I listed?


----------



## pjoseph

Found 5 this time:

C:\Qoobox\Quarantine\C\Users\pamato\msconfig.exe.vir	
a variant of Win32/Injector.AHLQ trojan

C:\Qoobox\Quarantine\C\Users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\dacbaabaefaddfad.exe.vir	
a variant of Win32/Injector.AHLQ trojan

C:\Qoobox\Quarantine\C\Users\pamato\AppData\Local\d6a229c4-3b65-43a8-ab14-a6e1f19addf4ad\_dacbaabaefaddfad_.exe.zip	
a variant of Win32/Injector.AHLQ trojan

C:\Users\pamato\AppData\Roaming\wabEventSupport16\{9a0cc1ab-a1bd-57af-3bb1-96043bca195a}.exe	a variant of Win32/Kryptik.BCOR trojan

Operating memory	a variant of Win32/Boaxxe.AW trojan


----------



## pjoseph

Any updates on what I should do next?

Also, should I avoid connecting to a network? Not sure if this can spread to other computers on the network.


----------



## johnb35

Well, that trojan in the operating memory is still there.  I don't understand this if you have totally shut the system down.


----------



## johnb35

Download *OTL* to your Desktop

Click on the green download box on that page to download OTL.

•Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

•Click on Minimal Output at the top

•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.


----------



## pjoseph

OTL logfile created on: 6/4/2013 6:56:58 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\pamato\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 1.98 Gb Available Physical Memory | 62.60% Memory free
6.33 Gb Paging File | 4.47 Gb Available in Paging File | 70.59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 117.19 Gb Total Space | 52.40 Gb Free Space | 44.72% Space Free | Partition Type: NTFS
Drive E: | 115.70 Gb Total Space | 113.99 Gb Free Space | 98.52% Space Free | Partition Type: NTFS

Computer Name: ENPUSREML0278 | User Name: pamato | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\pamato\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
PRC - C:\Program Files\Logitech\SetPointP\LogiAppBroker.exe (Logitech, Inc.)
PRC - C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe (Logitech, Inc.)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
PRC - C:\Program Files\Nuance\PDF Professional 7\PDFProFiltSrv.exe (Nuance Communications, Inc.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
PRC - C:\Program Files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe ()
PRC - c:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe ()
PRC - C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
PRC - C:\Windows\System32\Prot_srv.exe (Check Point Software Tech Ltd)
PRC - C:\Windows\System32\pstartSr.exe (Check Point Software Tech Ltd)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\rcgui.exe (LANDesk Software, Ltd.)
PRC - C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Flexera Software, Inc.)
PRC - C:\ProgramData\FLEXnet\Connect\11\agent.exe (Flexera Software, Inc.)
PRC - C:\Program Files\LANDesk\LDClient\SoftMon.exe (LANDesk Software, Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\tmcsvc.exe (LANDesk Software, Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe (LANDesk Software, Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\issuser.exe (LANDesk Software, Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\LocalSch.EXE (LANDesk Software, Ltd.)
PRC - C:\Program Files\LANDesk\LDClient\collector.exe (LANDesk Software, Ltd.)
PRC - C:\Windows\System32\drivers\o2flash.exe (O2Micro International)
PRC - C:\Program Files\LANDesk\Shared Files\residentAgent.exe (LANDesk Software, Ltd.)
PRC - C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
PRC - C:\Windows\System32\regsvr32.exe (Microsoft Corporation)
PRC - C:\Windows\System32\cba\pds.exe (LANDesk Software Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\30e3a21202000677d0a9270572251477\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\716959df79685a1eae0fc14275a32b0f\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\764f15e86c82662e977bd418bd6318c1\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\4d6518ef6ae8d6f005c49ab1c86de7fe\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\ab54c04b3df40416205883b4049fe273\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Windows\System32\IccLibDll.dll ()


========== Services (SafeList) ==========

SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (LBTServ) -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe (Logitech, Inc.)
SRV - (cphs) -- C:\Windows\System32\IntelCpHeciSvc.exe (Intel Corporation)
SRV - (SmcService) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SRV - (SNAC) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE (Symantec Corporation)
SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (ZeroConfigService) -- C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe (Intel® Corporation)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel(R) Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel(R) Corporation)
SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (PDFProFiltSrv) -- C:\Program Files\Nuance\PDF Professional 7\PDFProFiltSrv.exe (Nuance Communications, Inc.)
SRV - (btwdins) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Flexera Software, Inc.)
SRV - (IRA) -- C:\Program Files\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe ()
SRV - (vpnagent) -- c:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (Cisco Systems, Inc.)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (Autodesk Content Service) -- C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe ()
SRV - (Pointsec) -- C:\Windows\System32\Prot_srv.exe (Check Point Software Tech Ltd)
SRV - (Pointsec_start) -- C:\Windows\System32\pstartSr.exe (Check Point Software Tech Ltd)
SRV - (IAStorDataMgrSvc) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (Softmon) -- C:\Program Files\LANDesk\LDClient\SoftMon.exe (LANDesk Software, Ltd.)
SRV - (Intel Targeted Multicast) -- C:\Program Files\LANDesk\LDClient\tmcsvc.exe (LANDesk Software, Ltd.)
SRV - (LANDesk Policy Invoker) -- C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe (LANDesk Software, Ltd.)
SRV - (ISSUSER) -- C:\Program Files\LANDesk\LDClient\issuser.exe (LANDesk Software, Ltd.)
SRV - (Intel Local Scheduler Service) -- C:\Program Files\LANDesk\LDClient\LocalSch.EXE (LANDesk Software, Ltd.)
SRV - (O2FLASH) -- C:\Windows\System32\drivers\o2flash.exe (O2Micro International)
SRV - (CBA8) -- C:\Program Files\LANDesk\Shared Files\residentAgent.exe (LANDesk Software, Ltd.)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Intel PDS) -- C:\Windows\System32\cba\pds.exe (LANDesk Software Ltd.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\Users\pamato\AppData\Local\Temp\catchme.sys File not found
DRV - (Acceler) -- system32\DRIVERS\Accelern.sys File not found
DRV - (Mandiant_Tools) -- C:\Program Files\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys ()
DRV - (gfibto) -- C:\Windows\System32\drivers\gfibto.sys (GFI Software)
DRV - (NAVEX15) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130604.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Symantec\Definitions\VirusDefs\20130604.003\NAVENG.SYS (Symantec Corporation)
DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (LMouFilt) -- C:\Windows\System32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\Windows\System32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (LEqdUsb) -- C:\Windows\System32\drivers\LEqdUsb.sys (Logitech, Inc.)
DRV - (LHidEqd) -- C:\Windows\System32\drivers\LHidEqd.sys (Logitech, Inc.)
DRV - (WpsHelper) -- C:\Windows\System32\drivers\wpshelper.sys (Symantec Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (TsUsbGD) -- C:\Windows\System32\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (e1cexpress) -- C:\Windows\System32\drivers\e1c6232.sys (Intel Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (Ser2plx86) -- C:\Windows\System32\drivers\ser2pl.sys (Prolific Technology Inc.)
DRV - (SRTSPL) -- C:\Windows\System32\drivers\srtspl.sys (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\drivers\srtsp.sys (Symantec Corporation)
DRV - (SysPlant) -- C:\Windows\System32\drivers\SysPlant.sys (Symantec Corporation)
DRV - (WPS) -- C:\Windows\System32\drivers\WPSDRVnt.sys (Symantec Corporation)
DRV - (Teefer3) -- C:\Windows\System32\drivers\Teefer3.sys (Symantec Corporation)
DRV - (SRTSPX) -- C:\Windows\System32\drivers\srtspx.sys (Symantec Corporation)
DRV - (IntcDAud) -- C:\Windows\System32\drivers\IntcDAud.sys (Intel(R) Corporation)
DRV - (dc3d) -- C:\Windows\System32\drivers\dc3d.sys (Microsoft Corporation)
DRV - (NETwNs32) -- C:\Windows\System32\drivers\Netwsn00.sys (Intel Corporation)
DRV - (vpnva) -- C:\Windows\System32\drivers\vpnva.sys (Cisco Systems, Inc.)
DRV - (acsock) -- C:\Windows\System32\drivers\acsock.sys (Cisco Systems, Inc.)
DRV - (Netaapl) -- C:\Windows\System32\drivers\netaapl.sys (Apple Inc.)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (AX88772) -- C:\Windows\System32\drivers\ax88772.sys (ASIX Electronics Corp.)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (O2MDRRDR) -- C:\Windows\System32\drivers\O2MDRw7.sys (O2Micro )
DRV - (NETwNx32) -- C:\Windows\System32\drivers\NETwNx32.sys (Intel Corporation)
DRV - (nusb3xhc) -- C:\Windows\System32\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV - (nusb3hub) -- C:\Windows\System32\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (dmvsc) -- C:\Windows\System32\drivers\dmvsc.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (prot_2k) -- C:\Windows\System32\drivers\prot_2k.sys (Check Point Software Tech Ltd)
DRV - (NewMisc) -- C:\Windows\System32\drivers\newmisc.sys (Panasonic Corporation)
DRV - (MEI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (cvusbdrv) -- C:\Windows\System32\drivers\cvusbdrv.sys (Broadcom Corporation)
DRV - (ldblank) -- C:\Windows\System32\drivers\ldblank.sys (Avocent Corporation)
DRV - (mirrorflt) -- C:\Windows\System32\drivers\mirrorflt.sys (Avocent Corporation)
DRV - (ldmirror) -- C:\Windows\System32\drivers\ldmirror.sys (Avocent Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (HOTKEY) -- C:\Windows\System32\drivers\hotkey.sys (Panasonic Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)
DRV - (CVirtA) -- C:\Windows\System32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (XUIF) -- C:\Windows\System32\drivers\x10ufx2.sys (X10 Wireless Technology, Inc.)
DRV - (avpnnic) -- C:\Windows\System32\drivers\avpnnic.sys (AT&T)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 37 82 64 33 D4 8C CC 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 169.254.1.1;*.ascopower.*;*.ascoswitch.com;*.enps.com;*.liebert.com;*.emrsn.org;*.learninglogin.com;155.104.*;10.*;192.168.*;*.emerson.*;*.msftncsi.com;*.careermap.net;<local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = enpusfpkinf01:8080


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\ZEON/PDF,version=2.0: C:\Program Files\Nuance\PDF Professional 7\bin\nppdf.dll (Zeon Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013/05/24 08:17:43 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F003DA68-8256-4b37-A6C4-350FA04494DF}: C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2013/03/20 15:19:51 | 000,000,000 | ---D | M]


========== Chrome  ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{googleriginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\27.0.1453.94\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: NPCIG.dll (Enabled) = C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: DocuCom PDF Plus (Enabled) = C:\Program Files\Nuance\PDF Professional 7\bin\nppdf.dll
CHR - plugin: Java(TM) Platform SE 7 U4 (Enabled) = C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.40.255 (Enabled) = C:\Windows\system32\npDeployJava1.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Mozilla Plugins\npitunes.dll
CHR - Extension: Google Docs = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Logitech SetPoint = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\edaibbiobngpbmeonadpbfafbkimjbdd\6.52.74_0\
CHR - Extension: Lavasoft NewTab = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole\0.8_0\
CHR - Extension: Ad-Aware Security Add-on = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\phegaokedjdajgnfphbnpkcfdgjbidko\1.0.0.6_0\
CHR - Extension: Gmail = C:\Users\pamato\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/05/31 17:37:35 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (PlusIEEventHelper Class) - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files\Nuance\PDF Professional 7\bin\PlusIEContextMenu.dll (Zeon Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Logitech SetPoint) - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll (Logitech, Inc.)
O2 - BHO: (ZeonIEEventHelper Class) - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files\Nuance\PDF Professional 7\bin\ZeonIEFavClient.dll (Zeon Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (DocuCom PDF) - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files\Nuance\PDF Professional 7\bin\ZeonIEFavClient.dll (Zeon Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Check Point Endpoint Tray Application] C:\Program Files\Common Files\Check Point\UIFramework\cptray.exe (Check Point Software Technologies LTD)
O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] c:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelPROSet] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\isuspm.exe (Flexera Software, Inc.)
O4 - HKLM..\Run: [Nuance PDF Converter Professional 7-reminder] C:\Program Files\Nuance\PDF Professional 7\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Pointsec Tray] C:\Program Files\Pointsec\Pointsec for PC\P95tray.exe (Check Point Software Tech Ltd)
O4 - HKCU..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Flexera Software, Inc.)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Widcomm] C:\Windows\System32\regsvr32.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DefaultLogonDomain = EMRSN
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\kerberos\parameters: supportedencryptiontypes = 2147483647
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append the content of the link to existing PDF file - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Append the content of the selected links to existing PDF file - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to existing PDF file - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Create PDF file - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Create PDF file from the content of the link - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Create PDF files from the selected links - C:\Program Files\Nuance\PDF Professional 7\Bin\ZeonIEFavClient.dll (Zeon Corporation)
O8 - Extra context menu item: Open with Nuance PDF Converter 7 - C:\Program Files\Nuance\PDF Professional 7\cnvres_eng.dll (Nuance Communications, Inc.)
O8 - Extra context menu item: Open with PDF Professional 7 - C:\Program Files\Nuance\PDF Professional 7\Bin\PlusIEContextMenu.dll (Zeon Corporation)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.48.146.16 10.48.146.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emrsn.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CE19E7CD-0036-42B8-947B-2A33D51CC9B3}: DhcpNameServer = 10.48.146.16 10.48.146.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C}: Domain = emrsn.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C}: NameServer = 10.16.64.11,10.20.64.11
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) -  File not found
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/06/04 17:40:52 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\pamato\Desktop\OTL.exe
[2013/06/04 08:23:51 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Malwarebytes Anti-Malware Pro v1.75.0.1300 Incl Keygen-BRD [TorDigger]
[2013/06/02 16:15:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/06/02 16:13:15 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\mbar
[2013/05/31 18:04:39 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/05/31 17:37:37 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/05/31 17:29:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/05/31 17:18:03 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/05/31 16:41:09 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\LAX 5-31-13
[2013/05/31 16:39:37 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Centinela Pics
[2013/05/31 15:32:50 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Vanguard
[2013/05/31 13:50:56 | 002,237,968 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\pamato\Desktop\tdsskiller.exe
[2013/05/31 13:48:17 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/05/31 11:54:19 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/05/31 11:54:18 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/05/31 11:54:18 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/05/31 11:52:45 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/05/31 11:52:05 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/05/31 10:24:39 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\600 Wilshire
[2013/05/31 10:22:00 | 005,076,038 | R--- | C] (Swearware) -- C:\Users\pamato\Desktop\ComboFix.exe
[2013/05/31 09:02:24 | 000,000,000 | ---D | C] -- C:\found.001
[2013/05/31 08:21:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/05/31 08:21:54 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/05/31 08:21:54 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/05/31 07:55:26 | 000,000,000 | ---D | C] -- C:\found.000
[2013/05/30 17:50:45 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Local\adawarebp
[2013/05/30 17:50:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2013/05/30 17:07:45 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/05/30 16:46:56 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Roaming\Malwarebytes
[2013/05/30 16:46:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/05/30 16:46:31 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Local\Programs
[2013/05/30 16:37:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\anvisoft
[2013/05/30 16:37:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Anvisoft
[2013/05/30 16:37:43 | 000,000,000 | ---D | C] -- C:\Program Files\Anvisoft
[2013/05/30 14:13:04 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Roaming\wabEventSupport16
[2013/05/30 13:59:41 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
[2013/05/29 06:37:50 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\May 2013
[2013/05/25 01:46:17 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\car
[2013/05/23 20:47:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Downloaded Installations
[2013/05/22 21:06:03 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\IS628
[2013/05/21 23:03:00 | 000,000,000 | ---D | C] -- C:\Users\pamato\AppData\Local\Widcomm
[2013/05/06 00:00:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Intel Corporation
[2011/12/28 11:34:53 | 054,579,096 | ---- | C] (Dell Inc.) -- C:\Users\pamato\AppData\Roaming\NIC_DRVR_WIN_R292653.EXE
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/06/04 18:53:08 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/06/04 18:23:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/06/04 17:40:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\pamato\Desktop\OTL.exe
[2013/06/04 11:55:40 | 000,663,222 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/06/04 11:55:40 | 000,122,058 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/06/04 11:20:58 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_netaapl_01009.Wdf
[2013/06/04 08:25:08 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/06/03 18:20:43 | 000,036,656 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/03 18:20:43 | 000,036,656 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/03 18:13:06 | 2548,711,424 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/31 17:37:35 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/05/31 17:02:56 | 000,108,786 | ---- | M] () -- C:\Users\pamato\Desktop\754578-051_C.pdf
[2013/05/31 14:42:32 | 000,066,816 | ---- | M] () -- C:\Users\pamato\Desktop\VA livermore invoice.pdf
[2013/05/31 13:51:06 | 002,237,968 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\pamato\Desktop\tdsskiller.exe
[2013/05/31 10:22:03 | 005,076,038 | R--- | M] (Swearware) -- C:\Users\pamato\Desktop\ComboFix.exe
[2013/05/31 09:10:24 | 000,632,031 | ---- | M] () -- C:\Users\pamato\Desktop\adwcleaner.exe
[2013/05/30 17:49:43 | 000,044,424 | ---- | M] (GFI Software) -- C:\Windows\System32\sbbd.exe
[2013/05/30 17:49:43 | 000,013,560 | ---- | M] (GFI Software) -- C:\Windows\System32\drivers\gfibto.sys
[2013/05/30 17:17:18 | 000,030,464 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro37.sys
[2013/05/28 10:37:19 | 001,069,415 | ---- | M] () -- C:\Users\pamato\Desktop\617421-036_-.pdf
[2013/05/24 08:17:45 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat X Standard.lnk
[2013/05/23 17:47:39 | 000,047,402 | RHS- | M] () -- C:\Users\pamato\ntuser.pol
[2013/05/23 17:45:13 | 000,000,198 | ---- | M] () -- C:\adinfo.ldf
[2013/05/23 17:44:59 | 000,038,178 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/05/16 18:50:50 | 000,008,192 | ---- | M] () -- C:\Users\pamato\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/05/15 15:37:30 | 000,004,096 | -H-- | M] () -- C:\Users\pamato\AppData\Local\keyfile3.drm
[2013/05/14 22:00:51 | 000,487,736 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/04 11:20:58 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_netaapl_01009.Wdf
[2013/05/31 17:02:58 | 000,108,786 | ---- | C] () -- C:\Users\pamato\Desktop\754578-051_C.pdf
[2013/05/31 14:42:31 | 000,066,816 | ---- | C] () -- C:\Users\pamato\Desktop\VA livermore invoice.pdf
[2013/05/31 11:54:19 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/05/31 11:54:18 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/05/31 11:54:18 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/05/31 11:54:18 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/05/31 11:54:18 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/05/31 09:10:19 | 000,632,031 | ---- | C] () -- C:\Users\pamato\Desktop\adwcleaner.exe
[2013/05/31 08:21:56 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/05/30 17:17:18 | 000,030,464 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro37.sys
[2013/05/28 10:37:09 | 001,069,415 | ---- | C] () -- C:\Users\pamato\Desktop\617421-036_-.pdf
[2013/05/24 08:17:45 | 000,002,014 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Acrobat X Standard.lnk
[2013/05/15 15:37:30 | 000,004,096 | -H-- | C] () -- C:\Users\pamato\AppData\Local\keyfile3.drm
[2013/04/04 04:33:39 | 000,272,928 | ---- | C] () -- C:\Windows\System32\igvpkrng600.bin
[2013/04/04 04:33:37 | 000,963,452 | ---- | C] () -- C:\Windows\System32\igcodeckrng600.bin
[2013/04/04 04:33:37 | 000,064,512 | ---- | C] () -- C:\Windows\System32\igdde32.dll
[2013/04/04 04:33:37 | 000,009,728 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2013/04/04 04:33:37 | 000,000,259 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2013/02/13 22:25:17 | 000,000,702 | ---- | C] () -- C:\Users\pamato\.jscreenfix.licence
[2012/10/23 22:36:58 | 000,017,776 | ---- | C] () -- C:\Windows\EvtMessage.dll
[2012/06/27 11:51:10 | 000,008,192 | ---- | C] () -- C:\Users\pamato\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/23 08:04:44 | 000,010,009 | ---- | C] () -- C:\Windows\agnslang.ini
[2011/11/30 00:12:43 | 000,233,612 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2011/11/17 07:43:45 | 000,094,208 | ---- | C] () -- C:\Windows\System32\ldcred.dll
[2011/11/16 01:14:12 | 000,127,184 | ---- | C] () -- C:\Windows\Unwise.exe
[2011/10/21 19:02:47 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2011/10/21 07:24:20 | 000,012,288 | ---- | C] () -- C:\Windows\impborl.dll
[2011/10/17 11:11:13 | 000,963,116 | ---- | C] () -- C:\Windows\System32\igkrng600.bin
[2011/10/17 11:11:12 | 000,218,304 | ---- | C] () -- C:\Windows\System32\igfcg600m.bin
[2011/10/17 11:11:11 | 000,145,804 | ---- | C] () -- C:\Windows\System32\igcompkrng600.bin
[2011/10/17 11:11:11 | 000,094,208 | ---- | C] () -- C:\Windows\System32\IccLibDll.dll
[2011/10/17 10:47:22 | 000,000,017 | -H-- | C] () -- C:\Users\pamato\AppData\Local\resmon.resmoncfg
[2011/10/17 06:44:27 | 000,047,402 | RHS- | C] () -- C:\Users\pamato\ntuser.pol
[2011/10/13 07:06:35 | 000,000,147 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2011/06/09 09:09:04 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/06/09 08:59:24 | 000,038,178 | RHS- | C] () -- C:\ProgramData\ntuser.pol

========== ZeroAccess Check ==========

[2009/07/13 21:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %SystemRoot%\system32\SHELL32.dll -- [2013/02/26 21:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/26 21:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 18:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/03/31 21:37:38 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\Audacity
[2011/10/27 15:34:52 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\Autodesk
[2012/10/22 20:16:51 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\foobar2000
[2012/03/02 13:58:07 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\IrfanView
[2013/03/20 15:20:48 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\Leadertech
[2012/05/14 13:09:29 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\Nuance
[2011/12/04 13:27:31 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\OverDrive
[2012/04/02 08:19:52 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\TeamViewer
[2013/05/30 14:13:04 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\wabEventSupport16
[2011/10/19 22:14:13 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\www.shadowexplorer.com
[2012/05/09 14:35:45 | 000,000,000 | ---D | M] -- C:\Users\pamato\AppData\Roaming\Zeon

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:0574215C
@Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP95ACC7D

< End of report >


----------
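A triage script for the OTL log posted above. This is an added example, not part of the original post and not OTL's own code; the flagging rules are the editor's heuristics, not anything OTL or the forum states. It parses the line classes that carry the findings a responder would check first in this log: the O6 policies that switch User Account Control off (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0), the HKCU Run entry that launches regsvr32.exe with no visible arguments, the Winlogon GinaDLL value pointing at a missing pssogina.dll, the two alternate data streams on C:\ProgramData\TEMP, and the "Incl Keygen" folder created on the desktop the day the infection returned. The sample input is constructed from lines copied out of the log; the category names and the LOLBIN and keyword lists are assumptions of this example.

```python
"""Triage helper for OTL-style logs (added example, not OTL's code).

Parses O4 autoruns, O6/O7 policy values, O20 Winlogon values,
@Alternate Data Stream lines and file-created entries, and flags the
ones a responder would look at first.  Rules are editor heuristics.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied verbatim from the OTL log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKCU..\Run: [Widcomm] C:\Windows\System32\regsvr32.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (pssogina.dll) -  File not found
@Alternate Data Stream - 242 bytes -> C:\ProgramData\TEMP:0574215C
[2013/06/04 08:23:51 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Malwarebytes Anti-Malware Pro v1.75.0.1300 Incl Keygen-BRD [TorDigger]
[2013/06/04 17:40:52 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\pamato\Desktop\OTL.exe
"""

RE_RUN = re.compile(r"^O4 - (HK\w+)\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
RE_POLICY = re.compile(r"^O[67] - (HK[^:]+): (\w+) = (.+)$")
RE_WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.*?)\) - (.+)$")
RE_ADS = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
RE_FILE = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:]+ \| [\d,]+ \| \S{4} \| [CM]\] (?:\(.*?\) )?-- (.+)$")
COMPANY_SUFFIX = re.compile(r" \([^()]*\)$")        # trailing "(Company)" that OTL appends
EXE_NAME = re.compile(r'([^\\/"]+?\.exe)\b', re.IGNORECASE)

# Signed Windows binaries that run attacker-supplied code given the right arguments
# (assumed list); an autorun built on one of these needs its arguments inspected.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
# Policy values that, at these settings, turn User Account Control prompting off.
UAC_OFF = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}
WINLOGON_EXPECTED = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}
SUSPECT_WORDS = ("keygen", "crack", "activator")    # assumed keyword list


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per flagged line as {"category", "severity", "detail"}."""
    findings: List[Dict[str, str]] = []

    def flag(category: str, severity: str, detail: str) -> None:
        findings.append({"category": category, "severity": severity, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_RUN.match(line):
            hive, key, name, command = m.groups()
            command = COMPANY_SUFFIX.sub("", command)
            exe = EXE_NAME.search(command)
            exe_name = exe.group(1).lower() if exe else ""
            if exe_name in LOLBINS:
                flag("autorun_lolbin", "high",
                     f"{hive}\\{key} [{name}] runs {command!r}; inspect its arguments")
            elif any(tok in command.lower() for tok in USER_WRITABLE):
                flag("autorun_user_writable", "review",
                     f"{hive}\\{key} [{name}] runs from a user-writable path: {command}")
        elif m := RE_POLICY.match(line):
            _key, value_name, value = m.groups()
            if UAC_OFF.get(value_name) == value.strip():
                flag("uac_disabled", "high", f"{value_name} = {value.strip()}")
        elif m := RE_WINLOGON.match(line):
            value_name, value, resolved = m.groups()
            if "file not found" in resolved.lower():
                flag("winlogon_missing_file", "high",
                     f"Winlogon {value_name} = {value} -> file not found")
            elif value_name in WINLOGON_EXPECTED and WINLOGON_EXPECTED[value_name] not in value.lower():
                flag("winlogon_hijacked", "high", f"Winlogon {value_name} = {value}")
        elif m := RE_ADS.match(line):
            size, path = m.groups()
            flag("alternate_data_stream", "review", f"{path} ({size} bytes)")
        elif m := RE_FILE.match(line):
            path = m.group(1)
            if any(w in path.lower() for w in SUSPECT_WORDS):
                flag("suspicious_filename", "high", path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['category']}: {f['detail']}")
```

Two caveats on reading its output. Windows Vista and later ignore the GinaDLL value (GINA was replaced by credential providers), so the stale pssogina.dll entry is consistent with the Pointsec software also listed in the log rather than evidence of tampering; the script flags it only so the responder confirms that. Likewise the streams on C:\ProgramData\TEMP are reported for review, not judged: OTL lists every alternate data stream precisely because the log alone cannot say what wrote them, and the contents must be examined before anything is concluded.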



## pjoseph

OTL Extras logfile created on: 6/4/2013 6:56:59 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\pamato\Desktop
 Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.16 Gb Total Physical Memory | 1.98 Gb Available Physical Memory | 62.60% Memory free
6.33 Gb Paging File | 4.47 Gb Available in Paging File | 70.59% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 117.19 Gb Total Space | 52.40 Gb Free Space | 44.72% Space Free | Partition Type: NTFS
Drive E: | 115.70 Gb Total Space | 113.99 Gb Free Space | 98.52% Space Free | Partition Type: NTFS

Computer Name: ENPUSREML0278 | User Name: pamato | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.wsf [@ = WallData.FileAS400DisplayDocument.2] -- C:\Program Files\WallData\System\Wddsppag.Bin (Wall Data Incorporated)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 1
"AllowOutboundSourceQuench" = 1
"AllowRedirect" = 1
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 1
"AllowOutboundTimeExceeded" = 1
"AllowOutboundParameterProblem" = 1
"AllowInboundTimestampRequest" = 1
"AllowInboundMaskRequest" = 1
"AllowOutboundPacketTooBig" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{085D1112-53EE-47C4-A0CF-AF1CFD08287C}" = lport=67 | protocol=6 | dir=in | name=landesk(r) pxe tcp port | 
"{19BAA253-08BF-44B1-AFAA-298A476889FE}" = lport=67 | protocol=17 | dir=in | name=landesk(r) pxe udp port | 
"{39B09B1D-01AE-448C-B55F-409FDD790FE1}" = lport=445 | protocol=6 | dir=in | name=smb over tcp | 
"{9B27CB0F-6715-4755-915E-05FA6F9B3139}" = lport=9535 | protocol=17 | dir=in | name=landesk(r) remote control agent udp port | 
"{AFACEA94-BA6C-4203-B50B-F8552FCB864C}" = lport=139 | protocol=6 | dir=in | name=netbios session service | 
"{BDD72772-EF74-47AA-81F7-1A7A38E35F91}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe | 
"{C031518E-3400-4B15-A447-119EF36F09EC}" = lport=9535 | protocol=6 | dir=in | name=landesk(r) remote control agent tcp port | 
"{CD18A6CA-31DD-44DA-9693-558408E21746}" = lport=137 | protocol=17 | dir=in | name=netbios name service | 
"{D1AB47EB-3956-4BBA-8CF2-6A3DFD8F589F}" = lport=138 | protocol=17 | dir=in | name=netbios datagram service | 
"{E913FEC8-5A2F-4F42-9053-9DE975A0C0A7}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | 

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{026870B0-8FC5-497A-81BE-9CEBE7D60EEC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{02CDAB34-5CCC-4E9E-AE12-FE1D4B6E7D0D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0351DA6D-8DEA-4C11-92B9-B898BEA49D46}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{04D91897-1452-4697-AB22-6A587604A6E9}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0575B5AF-44B4-420F-A42A-0DA20FB40DBE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{05E51F21-B82C-45E6-BB5E-6B487FEEC425}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{05FD0B9C-BD2D-47FA-A160-5CD9D8D7DEAF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{05FD9CC8-3E51-4E79-902B-8C27A1688152}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{06ACB08F-B9A1-4FC3-A0C9-ABFAF78A3CC9}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{06F2E047-82C8-4F40-801B-28AF6CFD3EE0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{076C5727-FFEC-4CE0-9908-CCAFF0021B2E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{07AE27F7-F576-4B78-B17F-E3469E26F0F5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{08E6D8A6-FE3E-40C6-9D11-97DB1F4BE0A5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0919A952-5D5D-42A3-9E15-F640BDD72988}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{09807C93-DAF1-4944-A345-F12996E8FB9B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{09A57EC5-8202-488C-8824-FDD1F5345FAB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{09FBB067-C8FE-4A7C-A162-F2564D173256}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0A083B85-84EE-459F-84F1-6641EDF03D18}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0A0FCEFC-B379-4317-BC70-F1716A00B687}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0A0FFE88-81D6-404B-8F32-F5E80F965948}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0A3DC1CB-B036-490C-9EAF-C75F7035B1FD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0A5BF8EA-CCEC-4D9D-851A-8F01A414EF28}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0B0B33E4-5945-4241-BF36-C1055D9D1C7B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0BC4275B-9A06-49BB-A2FE-179B80226EDC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0BCE2CF3-E4A9-4F9A-A67C-7370E49446F0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0C01B680-5765-4609-B0EF-372626A90CBC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0C8C74FA-F1E8-414C-8305-7C4F211C04F3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0CCBB9B7-9C38-4AB0-BF8B-9286AFECA831}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0E9E05A2-BC08-426C-8514-906C3F3D4547}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{0EB24E60-C1D0-42A6-B353-B34736F0A5AC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{103359D8-7DCE-4C06-A2FB-266F81CFE2BF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1217B658-799A-4901-8A34-8706E0C61509}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{12CCAD39-84BB-4451-87C4-203CB3F76D31}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1376F090-C2C5-49FF-AFF0-3E0E962458C4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{13DE8279-4E47-470F-BC3A-517576213520}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{147F8BB8-0B88-4FFE-8E29-418C34A8A296}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{15A31F2C-E1D2-498F-BEDF-5CFBECA607F1}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{15EED567-4311-44C4-9562-241AE4B5C3A3}" = protocol=17 | dir=in | app=c:\windows\system32\cba\pds.exe | 
"{1666070E-3A4D-4370-B1BA-24223FD3A36C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1682BF4F-CBB6-4118-BA77-09912E8A6ABE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{16F81737-64A9-4061-9D1D-DD8E5E3AD312}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{18B72364-A0BA-4E99-ADBD-C40DBE645CB7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{18C45E78-D124-41DE-8EB1-F27E8AD057F0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{19220ACE-570D-4A43-92EF-A495B0CA3808}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{19CEF96B-9C4D-4E62-AA90-664B10AC2E3F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1A60B8B9-F056-4FB7-AF7C-CB0739E2D532}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1A84F960-A146-4C46-A07D-D0F0B0F728D9}" = protocol=6 | dir=in | app=c:\program files\landesk\ldclient\issuser.exe | 
"{1AED4130-E271-4D1B-9686-22AC37F55EA7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1B28ED4E-45A6-4ADF-A93F-56E2742BA68C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1B452002-3F32-417C-B012-090BE693CB27}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1B780FD2-6CC5-4638-891A-36962E80EAF7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1BBC903B-5979-40D5-AAF2-ED362302105D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1BBCADB1-F744-421D-832F-537AA55F77A3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1C06CE01-F47B-406F-858E-F8936E816A7C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1D53714A-BADB-481C-BFBB-342CCAF8C664}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1DADDDC6-F8BB-46D5-8C81-2FFC093E0563}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1E645E91-3369-4A73-BA3A-E5C65C8698BB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1E64A43E-BD7D-42EA-9AE1-4B60A404AC8B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1ED10A20-688C-41E4-BCAD-290F9B3AA294}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1EE68F66-B584-4D6B-805D-E533FA3E086E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{1FA9E574-D8D2-4FED-9D2C-072764C18B5F}" = protocol=17 | dir=in | app=c:\windows\system32\msgsys.exe | 
"{203EC748-1439-4E72-9319-9988100E5DF3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{222A146C-9E37-4F5D-BE31-16EC7BD810E7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{22928DAB-9D96-421C-8DE2-697CC23A0330}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{236B7502-9E4A-4556-90CF-AA710AC2D1E8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{23917408-B06E-45FC-93E5-15697EF2296A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2411EF18-D2EF-456D-BC45-49670B7507AD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{243EB383-1E2D-4371-BA21-1AF2C74C3138}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{25576CEA-5711-44A9-9792-426F21026966}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2576CACB-0537-47B9-AB1E-6435236120A1}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe | 
"{259B1CB2-75C8-4F34-A9D9-B8445B0711C7}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe | 
"{2681000B-CA32-4CE2-A1CD-BC28FE331B31}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{273D6B8A-FE12-4544-8F4E-2FD1946FBC0C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2816A314-EDF6-474F-A55A-74032B4B1943}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{28B2CFFE-BE3C-45D4-9278-2C40A10AED44}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{298C3505-312A-4DEE-BC57-A52F1F4D107A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2A90316E-2827-42F1-A113-A96A05803315}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2B7036D2-8D12-49CF-95FF-0FBD2BC8392E}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe | 
"{2BE87CAC-7A30-4295-ACB1-A38AB7176E3F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2CD94AAE-FDAF-45FE-AFBA-EBF994865A03}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2D0026F7-B773-4587-B519-D15EFB575AF7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2DD053F9-C2CC-412F-8C3F-2FEA095A055C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{2E3B3226-F7D2-4EDA-B019-C0360148F3DC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{302B2C73-5051-4710-B7D3-EAFB62E3F87A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3046FC95-C155-4BF9-980A-874BADC5AC06}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{31033A34-D6FD-48B2-B597-911EF7F998CA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{31A21A92-A2F2-4640-985D-3CC29BF820F6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{31D8AEC1-49D4-40CA-B641-DFCECFC83DDB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{323363EC-98E1-4D0C-A1D4-D7E2F478901C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{324ABA80-47E5-4A32-A70E-BF5256891B0C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{32BDE517-CD2A-4FAB-A444-FD1DB58A19C5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{32C9F9A4-19F1-4463-9DE1-DD6ACDF5361C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{342144D2-9B56-44A3-8B91-3E4B4EE48C33}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{34B941D0-29B8-4D01-9336-3041293E1AB7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{34BC581F-0C28-4594-83C0-011AA505070B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3573E6A8-9244-4DDA-B596-292A3A6560C8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{36089193-15E1-4FB6-814C-DB857D544E64}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3651D324-4194-4E28-AE67-7F2C1F29D14B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3663F82B-1C17-436D-8D45-439303B5C25B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{36703031-6799-40E6-844E-B7AEEA3E578A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{372E794E-555A-40EA-BD65-0BEEC913BBB0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{385D179F-BC50-4680-8E15-A24821E171EC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{385E317C-6890-4F73-B3C7-351E81A73266}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{391644BF-003D-413A-A50A-315C9894C85C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{391CCA34-77AC-4A2F-8A7C-1717634E51A6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{39DC77BC-FA39-40C9-8095-09C5E4775089}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3A006B37-C580-4254-AB5C-32DE3FEFEC4E}" = protocol=6 | dir=in | app=c:\program files\landesk\ldclient\tmcsvc.exe | 
"{3A050BFF-3F43-4792-BC75-97F799F3A91D}" = protocol=6 | dir=in | app=c:\program files\landesk\shared files\residentagent.exe | 
"{3B250D1B-F785-4FD6-B50A-1694CC264A3E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3BA3A810-1742-4C41-8136-BA3E21F104F8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3C39450F-BD2D-4465-B074-7374C0294ABA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3E37DC28-071F-4782-8D7F-2555CCA1AB7A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3EE8FE1D-41EF-418C-A578-9D9311D12F70}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{3FBD40F4-D5CE-458C-9CB4-2FBBA8E50BE8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{407E7C8E-9094-475D-83C1-3ECC8AF32664}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{40FB1E66-FA06-4E3D-B96A-AFF6C9F3D180}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4128BAB1-C536-4C66-A950-63187620A356}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{414D3BD2-F486-47A7-8F53-C0436E3972AA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{42074181-AF9B-4C02-AC2B-28A57E9B054D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{421F0C56-F7EC-460A-AA56-582F6DD96172}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{432A8198-E41A-46C2-997B-F6EDCA228688}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{433E1A4C-2ACC-4BDE-B00D-A4D088EC7514}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4370759A-1DA0-426C-A536-2F09A5DF496E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{44535615-0097-44B0-933F-4699F3AFA7F4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{46A24E88-DE53-4100-9F44-D0985A322764}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{46EDB4B9-CF98-48A5-8795-3DA9B93EF9C8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4708CB53-42AF-4473-B3F6-766272462C4D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{47D26B16-B080-49C8-9758-7EFE69E88151}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{484FEB38-C3FD-4051-9C63-FD4CB761DADA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{48A53C61-9D8D-4355-9768-AF201B956296}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{49B237C3-0692-4F8E-93EF-4DDC6177147B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4AC213AF-B2EF-4795-8A6C-A91F0CB73267}" = protocol=6 | dir=in | app=c:\windows\system32\cba\pds.exe | 
"{4AC61F87-240F-468E-858E-C0C3E9E25B11}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4AC63256-D679-4D2A-988C-5331655DC547}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4ADE98B7-36D2-4253-B35C-48008987E188}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4B1DC7F8-41EC-4825-8ACA-65A307EE05BA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4CCB4125-CAC6-4901-BA49-3183A2559EC9}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4D06076B-EA2C-4132-ACE6-8B46E18F5722}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{4DB8274D-F2D1-4B97-AE3D-BC8BC70B1E0C}" = protocol=6 | dir=in | app=c:\windows\system32\msgsys.exe | 
"{4F058045-7172-4A12-AA82-4C0B9AF54A5D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe | 
"{4FB23A22-374C-49FE-B172-EC220020296E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5021819F-CAA9-48F1-8BC6-795E2A867679}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | 
"{5171E725-0C6C-4462-B194-BA88E9B8EF9B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{52047BFD-8EBF-46AD-9983-35FF45B00E27}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{527E2D3E-93A4-46F4-92B4-CD67201851FF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{53D44585-0457-4B93-A071-4F8CE8D7954B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{53E90769-9DE5-4158-900F-5F9F8621F319}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5406F03D-5F4E-4401-9D95-3E31E1878308}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{555F0E87-36F2-49D2-9108-01174A0AB715}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{56444E1A-BD7A-4390-BA8E-79D471F8825D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5693F038-CF89-41EE-BF69-2CFD56778397}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{57209553-13D1-43A8-BBE1-C0915D552149}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{578E132E-A5CF-4247-98F9-774BECF233C7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5824C284-246C-4642-8798-DADDEEFA022C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5939E220-A70B-4B08-8C56-31B65BE3CAAA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5B8CA405-B8F6-49A0-8251-D2F9F518B506}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5DBA7EB5-4826-427A-8658-32032454EF47}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5E9494FC-C8B0-45AA-82E8-0B23CA39CF60}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5EFBA0E1-0D77-4E7E-A00B-86BD37FED16D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{5F8A3FDF-09B5-4898-BA31-9440198B4CA7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{600FD429-47AB-4FA5-AA27-4A2F734139A3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6014F392-CF8B-4D52-957E-52B424605075}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{60544D6E-56FD-4E89-9D12-8E5CDA9888E6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6131B2DF-F8B6-4E57-8BD3-29360B9E028E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{61D173AC-C0A1-40C4-B7CC-475BB4CF8752}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe | 
"{620C52CA-265B-4702-B9CB-E8D31A285CC0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{624E075C-C35D-4003-ADF1-92CB5124CBA5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{626D7E23-857B-46F5-845E-AD88E667E5A6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{62A723F5-C92D-4FCA-8C22-E68D22890911}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{632EB03B-ABF8-4DE3-ACF7-FB5D08001F8C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{635EB91B-9555-4AFC-8CBF-02EB5D970ABA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{64C4E59F-4AAB-424D-B5D9-CC07EAC15DC6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{64D13915-0721-4C22-B9F7-8A0E9D762DEA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{64E91B32-368F-429A-BED0-06686EA24319}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{65597E87-1304-4350-B328-7DDBA2940995}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{657357C3-839D-4654-B2EA-09E1F9FBD44E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{65D6E6D8-3410-414A-AE4E-89294B947442}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{67341DE7-010C-4878-A8E8-5FAD6F4AED1A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6755BD26-588B-4CE0-B285-5C680AF886F7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{695F49F9-107F-41E9-9D22-2954C230543E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6987998F-4C06-48C0-96B2-5860ED31F81E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6998E659-1C24-408F-8CEA-6E3C0D99C078}" = protocol=6 | dir=in | app=c:\windows\system32\msgsys.exe | 
"{69E460B0-3469-41C4-9195-2F2B0D6AADEF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{69F0F088-30C4-433D-B2C5-0DC4E8DA1380}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{69FA7A80-F9FA-4C09-B9C4-B99CD9E179DF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6A59F132-359D-405C-B7D5-8045757C1988}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6AA26F87-E902-4738-BD72-4E8F517D2ABD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6B638D4A-19F6-4B77-9F10-AB9F544FFF44}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6B7D6030-94D5-4AA0-90E1-7C9BD2043FF0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6BE25A95-E0C6-445E-8E46-BA6956E7043D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6C599704-91F4-468D-8C74-6BAB979F5054}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6CE810A9-51AE-4E84-ACB9-2CB93F124F31}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6E39AA87-33F7-4DDD-8109-8020322D7188}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6E78BDE8-A3C1-44CB-9039-273D7692C2D6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6EAF004D-BBD8-4ABA-B750-87245A81B4CB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6F235C6A-F41B-4943-A16C-968B75A23E70}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6F509C56-76CC-4604-9419-25CBB92F9D15}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{6FE7E978-9882-4C39-A79D-DAEC57C87736}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{70E9527D-D838-491A-B52B-AE0342A2FE6F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{712E60BA-7A2B-4304-BC4B-9F462C06E359}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{74805F4B-E3A0-41D2-9A67-09A60F87201C}" = protocol=6 | dir=in | app=c:\windows\system32\cba\pds.exe | 
"{74CCE1A0-3CFE-4485-AF17-52BB3E57F0C7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{757B56CB-1C8E-454F-B52D-C6685F291BB5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{76F2A84A-B4D4-41A4-88E6-8B893D20172F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{770373BD-7488-49B1-BF4D-F21289C1D579}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{77199567-ADD1-4CE4-934C-4C982FB41C83}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{773D8D0E-9773-42F4-B3BC-1F2F08A4D0F6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{774B44D3-09DA-46B4-A0DE-AD3C6CCD430A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{777773B1-CEEC-4460-9C96-DFD80954DA8C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{77AAAEEB-DC13-4AD6-B513-A95D5A2C6EF3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{78199E43-19A8-4368-B06B-2C8E36499BA2}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | 
"{7948E235-0CD4-4143-8274-7D7E7B5985B7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7AC27FA8-C36F-43F2-9AFE-C594E0C31551}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7B240ACC-4AC3-4814-8E97-7EC2494BC705}" = protocol=17 | dir=in | app=c:\program files\landesk\ldclient\issuser.exe | 
"{7CAFFE7F-6112-46A8-B74B-DA74309AF341}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7CB630AE-1693-426B-A046-42D0196FC3CB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7D13A7E1-EBED-467B-AE86-2CA534BFF81D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7D14F6C2-0A1A-4224-9225-2394000521C2}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7D3E26AC-674C-4968-A7A1-BC4954BD5E27}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7D706A1A-9D16-4683-B502-659A91EF151A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7D9D9641-49BC-4BC8-9695-6324EA4A3B10}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7E65E41F-5FF3-41ED-BC03-6DA9651BA734}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{7FCA139E-38F2-4DF9-B880-09D0BAA51F5E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{802B27EC-E428-46BD-8AF4-052A75CF8BDD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{807119CE-282F-4102-B196-80297BF3B456}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{80D39B9D-AA25-4785-AF7A-FF05A6C3F063}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8146CCA0-B091-41E5-8BD7-98A96F8B2AD1}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{81953DCD-B4C9-4400-A806-DFA3A52C2232}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{81BCBB00-31B4-4146-A119-569C33AF00ED}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe | 
"{81BFBAFB-10DC-4B20-84B0-A9C4787FDC5C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{820C0FB6-A4BF-427B-8962-261E17415F70}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8227E9A4-0840-4258-9EF6-F4B9F7DB5B98}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{82474D09-4EBD-468B-A250-B41D26BBD17C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8281EEB1-C70D-4E6E-B5F3-48EC859D4541}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{829DCCC4-1ED8-4804-9603-F7FCCFB558F6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{830F9BA3-63EF-4AFE-9889-4BE36800CB6D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8353C738-C3C3-43C5-8C0E-ABA352208053}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{83CDB63C-22AF-447D-B837-8B655DB1A9B4}" = protocol=17 | dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{852298C9-C701-45BD-99F7-8BF58F7D0EC6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{85E97207-FCF0-489D-B77C-0DAE8B5EECBB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8601EE85-39D2-4308-9353-F6810A2455EB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{860931FA-9F32-48B7-B3C2-CB416C55FB8A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{87D7C2B8-D73B-4E68-A65B-F1B1E6D364DB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{88483B4C-5DD4-429B-90C7-DC5424C1A218}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{886CFAE2-4525-4B51-A346-814957C02174}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{887591DC-8177-46BD-BB9E-DF6D8F140547}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe |


----------



## pjoseph

"{89683D50-01B5-4FC8-A7F0-203518DD5772}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{89CDFE1A-3A5F-4834-AEC0-7AE367DB6BE1}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8A23B706-D0A8-47B2-B0CB-D916EC4DAA73}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8A5A16D0-37B6-4521-97BE-238F4BDE6D94}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8A6253BE-4E41-4749-AE92-9F0C881D2AD7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8A7FCDA4-B72A-4ED3-81F7-CCC6FFDCB072}" = protocol=17 | dir=in | app=c:\program files\landesk\ldclient\tmcsvc.exe | 
"{8ADDBD49-F1FC-41D8-B409-D3C69A27EF3C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8B67F362-AC5B-4E56-9E5D-4E2248244A4E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8BAD463B-5A1B-4ECB-B1EB-70804630CD1B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8BAE3830-02D2-43AB-AF5E-4B2239744253}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8BE49284-2E3A-4D2B-A9E8-D187DE20374E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8C1DF1FC-12B2-49E6-9D3D-E773630C295D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8C374EBE-D2E6-44F7-A500-DFAA3F1CAF5B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8C7B55D2-20A4-4F64-9465-58EEFF201D42}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8CC11961-04E0-47B4-87ED-7A0CA4F2A324}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8DB9E59E-5456-448F-AE96-F9B8C812CDA1}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8DBA2B59-50A8-4AD1-9024-719ED6BFB7A0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8DCF4509-7EF9-4351-85EA-01DCE6746B7F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8DDA5BB6-5039-4A1C-95E5-2B6AF3738CBD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8E696B0D-7ED4-4F6D-8DAB-54C4AB53AC74}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{8E6C93FB-0DDD-4867-B177-D9FB16EDA1CC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{90AF31F2-A205-4858-98B7-F2D7C4C6535E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{90CCBA6D-F1BE-4CFE-B994-B182CEA69774}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{90E40ABF-76ED-4138-9835-30F407BEA4FE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{91F3399E-12A7-4EE0-AE1B-53CD42ECC119}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{92A8A811-98A5-4168-B03B-B1C0AACF6BC2}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{930EC1D1-68A1-434C-8FCF-CD9C73785D0D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{93458E25-F57D-4ECE-8E6E-E309218F9CFF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{93C0EFB7-388C-4F3A-B2B8-BE8ABF754D0B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{94130B0E-1618-44BF-A5B9-264EF8DEBEE4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{942BDFB8-98A4-43F2-B895-A68CBECA3FB1}" = protocol=6 | dir=in | app=c:\program files\landesk\ldclient\issuser.exe | 
"{9462FF36-82B7-4022-8085-3E86D02FD601}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{949CE9EA-211E-4697-A791-19973F7A30A1}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{94B9D449-D1F2-44EA-A3F0-AC82B555CB9D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{94CF61B9-1778-456E-9417-03763392DD66}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9610BF29-16EB-4102-A73C-788824F51C52}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{961AB7D4-3217-457B-91F1-D94E4137D81A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9629EEE5-49B8-425F-BEBF-534B2DD5D408}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9761DC5B-0171-402B-89A4-CCC9B32BF79B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{97FFC9AD-A033-4434-A996-A7C9C4E593ED}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{981B89EB-B33A-49AC-BEC0-38123EBA369E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{993398D2-746C-4985-BFB1-58477D976AEB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{99AA6265-DC75-4A5F-B481-94F5E5C41791}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9ABAB18C-BE00-427A-9D7D-4E7A5A456D5B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9AE273FB-F322-4B19-8392-5C8EA38726FE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9B371E2F-BEDF-4DE7-96A0-0DD7D9083865}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9B42C3E8-7DA4-42AB-B363-AA66C5BFB7DF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9B606B4C-F770-4F8B-BFDF-8640EFFFEA3D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9BF13A90-A16F-44F5-8B5D-0B42BD128E3D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9C0FB3B6-BD8A-4E50-9E3C-8679072E5F4A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{9C874F97-7668-4580-BEB7-D970E5A1FA46}" = protocol=17 | dir=in | app=c:\program files\landesk\shared files\residentagent.exe | 
"{9DEE79AF-A3DA-4318-B10A-EAB72BA97FE3}" = protocol=17 | dir=in | app=c:\program files\landesk\shared files\residentagent.exe | 
"{9FA539E7-DD43-4AD1-BFB7-37E4EF43D0DB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A0CA18C7-02EC-4EE1-89F8-5AFCDB15A898}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A0CD777B-63A3-40C2-BB0C-3D757425A907}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A13B8025-16F1-41B0-828C-51917C0DD446}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A2CC60DE-9045-4BF0-9902-9E8C35777440}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A3B6CF9F-E8F0-4EA7-9E0B-58C9DED3F291}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A40CE7D8-9447-446B-B461-7E0EFB259E38}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A438D6E2-EBA1-40C9-8C34-31FB77AA4D11}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A453D269-1A72-49E3-B551-C76B9E3E8470}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A67F707C-B6E9-43BE-AB98-79005C1C31E4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A691667B-D1F1-4E1E-A8D9-64EE34B31E80}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A8CCA27C-7ECD-402D-AE8D-0603F4FA8BEB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{A8E458E8-21B3-4431-8093-4F5DCB655B32}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AAF36821-7889-4549-95DE-9ECF371409D5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AB9AF333-F395-4A8C-84E0-DC8B870A4AFD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AC6A4045-7CEF-4E13-A96C-40EBED150B13}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{ACC5FF04-73B0-4CCB-BCB2-4D3BF0BC26A3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AD81B575-4C77-4BA1-9850-7118257D35E2}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AE4F958E-28D4-470C-93EE-EE9F1124949E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AE80E7B8-A095-45F3-9E52-B01C897C118B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AE8E9D89-1A08-4CA6-BB2B-AE997ECEA5CC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{AE927CBA-243C-4446-A06B-8C4936E43803}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B0B81B11-F831-4DE6-9580-546A41681AEF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B0F645BA-D524-470C-B3EF-6194C1AA50F7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B1CD5204-BF6C-46AD-A859-C5FF65391AB3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B24CF060-08C7-4723-82C0-1B57818DDFF0}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B34ACB97-9071-4E66-8009-A97FFDC0D596}" = protocol=6 | dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B3DB6F80-1AE1-4B40-B0F3-62B12E3698E5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B419F1E8-CD44-4B96-925E-A850D6CD58F4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B4414C2E-316A-4C74-BDE0-44091907A7B9}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B4CE53E6-A80C-4115-A4B1-9B95586A42C7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B559281A-0A95-4BD3-9EC8-90F83DDB86B4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B58808EF-E854-472C-A45A-21D7DD7E9796}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B5C3D4DF-F453-4784-BEEA-B059D53862CC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B74E7C50-B780-4870-988D-FA1EC04D1151}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B86617E2-BE30-427D-BAB8-96C1F3A75BD7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B8EC37F3-3EBA-4015-B2CE-E35325A6F1F2}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B9CFC2E5-9A5C-4CAF-BCB7-83DBC2C484AC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B9D2C737-CAEA-4F86-A775-DC38CD8400C3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{B9D635E9-B79F-4F5B-AC56-B3A5E4E5F9C5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BA42C20B-7B1B-4757-BB04-28236018054B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BA8A467C-1A63-4FE9-AACF-935842389B6F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BB145C99-2285-4FED-A3A6-33E7F5CAC365}" = protocol=6 | dir=in | app=c:\program files\microsoft office\live meeting 8\console\pwconsole.exe | 
"{BB73182F-5689-403F-9D9A-59C5E48DB33F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BB8748D1-4CEE-4850-8E5B-122F0FD66520}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BB934299-F504-471D-8C95-D151F63B6653}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BBDEB19D-121D-4CC9-9B09-9AFD3073538A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BC2BC886-B27A-48E1-88B2-AA02029AF299}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BCFD4DCF-A7A0-49B5-A44B-69AC41EF1157}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BDD29D8F-4C4B-46EC-A74B-6E226CAF2CEA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BE37322F-7BE2-4A0C-BDDC-F664FD362186}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BEE72BB1-322F-473D-B70E-C303837601C4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{BF49403C-E227-4CD1-82A7-E1066C45FE68}" = protocol=17 | dir=in | app=c:\windows\system32\cba\pds.exe | 
"{C003FD06-148B-4682-AFD5-D3DD43BC1853}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C033FDFD-0C6C-4E36-88A2-3EB76A942470}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C207033C-52CA-4AB3-825B-278823A2D6DC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C2296429-44BE-4EE4-B002-C06088712CF7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C22D1637-FD30-4AC1-9F76-220842B4C636}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C316696F-678B-42EB-9E17-FC01020BDDC9}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C35C4E62-EBC9-4A03-B9DB-2B8DF53B1C24}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C3672D3D-7C64-4ECE-B2C9-4D0B8467BC9E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C48423A4-4687-4B38-890B-D9BC12F7B6E6}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C49A035A-026B-437E-9D7B-92361464E60B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C4FCBF96-1895-45CE-853F-0C9E423E690A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C5911570-6375-4835-975B-5BE583C8C6BE}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe | 
"{C5F7BA32-A43D-4ECB-A5BF-7F53625593E4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C5F93183-4CFC-43D4-9074-41492BF80F3C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C644E8DF-0A93-47ED-B57F-FC1CC21C423D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C65B95B3-3085-49F4-9E52-97AAE1AF63F4}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C688E02F-15D9-4C28-A6F2-69E79F2AD6A7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C6E90432-B88C-4B08-A884-F2422342AB68}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C6EEEE89-45FE-4C05-A9C2-B493462FA6D7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C7B09878-7B1E-4315-9E96-DF05DC70B33B}" = protocol=6 | dir=in | app=%windir%\system32\msgsys.exe | 
"{C86B1424-E968-4DFA-802B-7E7910907AEA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C9406863-5113-4980-B17B-BF52A5A92E1F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C9555B6D-B4C8-40AA-B214-89529619C1C8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C977F309-F252-44AA-9397-0703FCCF6D3A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{C9A5BF5C-4D71-4530-9639-4F58B13DBEE5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CA17DF26-D3D2-4FB8-9EE7-5949DEF3932C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CA2E89B4-5C5B-42F9-AE50-F6C9AA9EAED8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CA416FA4-5C60-4BC3-BE0C-1DE59ECA2660}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CA4DA257-6873-457F-895E-EAFBBB160F22}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CACBDECB-3729-416F-84CE-DF250C3C8903}" = protocol=1 | dir=in | name=icmp echo request | 
"{CBA76533-CDD6-4CD9-961E-69AF2EAC8AE3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CCC87E54-980D-40EE-A1D9-4E64DF8445BE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CDF398BD-37C0-4CE9-AFF5-D35482F470E8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CE257A63-8845-47E6-B150-5126D2C2508B}" = protocol=6 | dir=in | app=c:\program files\landesk\ldclient\tmcsvc.exe | 
"{CEA6767B-5C89-46F9-BD87-F54848C32DF9}" = protocol=17 | dir=in | app=c:\program files\landesk\ldclient\tmcsvc.exe | 
"{CF599B9D-71E6-49CF-BD84-09122A9679A2}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CF71772C-9F64-403A-B4FC-086B9455C1D7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{CFFCA174-5FD7-4C7F-9B58-41B788E828D8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D01F15AF-64D6-447F-AFB9-DE782EDC480A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D02C207D-F452-4867-B3E7-0D6521D29692}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D0F1322C-C1CA-4B0F-8D1D-794FE4FA2A9F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D179A736-8925-4DC6-8E27-0821FCFEFE9E}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D1B2CB97-521C-4FAF-AABC-7D9BFA643FCD}" = protocol=6 | dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D30B980F-5068-4C08-8782-BF29BFA3AF8F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D3C4DCCD-ED95-4F0F-8278-6DF84ADAF1D3}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D44CB58E-F11B-4290-914B-D5954950C1FC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D523574D-50DC-4A9D-9D34-A323968F0F4C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D76B1D81-0401-4A63-91D5-D1FE52CC8190}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D7F2AA57-DDAB-4C93-8583-2F298FBBA023}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{D8A121F0-ED33-4D94-AFA1-6461BBB26510}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DB1B3CE5-15D1-411C-B1F3-EC575B00F0F7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DBB6EDC6-A44D-4CA1-B1AC-5FF96D9629B8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DD97F9CE-4062-4A4D-809B-86FC64801DCA}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DEAECCC4-72F4-4575-8FA1-85CEFD656B41}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DEB0F798-0494-4568-B41B-2EA2E7EC09BE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{DEF60C17-EF03-46A7-8348-E9B51E9CE192}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E2D4D387-1730-4FB2-B476-BE3554416A24}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E31A1187-7DED-4FD8-B440-624F5B303488}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E3DA1C61-A643-4DF2-9C0F-29B9B6BB8B1C}" = protocol=6 | dir=in | app=c:\program files\landesk\shared files\residentagent.exe | 
"{E3F75B6E-DEED-49F0-AEDC-9F634E1A1ABE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E41D766A-9EAF-49EE-ACFC-C46612F6288F}" = protocol=17 | dir=in | app=c:\program files\landesk\ldclient\issuser.exe | 
"{E424D753-60AA-4D9B-9FDC-71F02E7A892C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E461790A-3802-4850-B4C9-B8BA6F396872}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E4FA25A9-AC55-4ADC-8F7C-279BEE4B7267}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E577512A-B004-4121-9E33-E3E165C9974C}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E63BE4D4-FBBC-416D-88A8-0AC7727C4299}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E6B5B714-E756-46E1-9460-7CC6DC0978AC}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E6D963AF-F15D-4500-AF26-F5DB19F175DB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E6F6F28F-5511-411D-B98C-204C92109D89}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E7227DBC-EB00-4912-8453-B42D56BC38D7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E8D60069-9F9C-4A47-8520-85148221CFA5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E9A55880-7235-476A-A96F-AF0CC1A59B97}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{E9F87649-7774-4DDA-9F6C-C3F1AB076EEE}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe | 
"{EA823494-FC3B-459A-A95E-70B6E619E5D7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EB6B4300-7710-46CF-81B4-842DA209C53A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EC01DEA2-ACF9-49BE-B071-DBDA66DC1731}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{ECD4EACD-6056-44AC-98FE-DF454E90D20E}" = protocol=6 | dir=in | app=c:\windows\system32\cba\pds.exe | 
"{ECE8E0CA-E30F-4F68-9EDE-693F958630CD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{ED629F5E-CC40-4B1D-9B84-C7EDDC5FBD81}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EDABC246-A740-45F3-A7F6-5E7A6C5100CB}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EDC3E70F-3E83-4C62-9CE6-AC04A0DFA59F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EE8BB662-5A80-4503-8E92-82E057ABDB2D}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EEA38EE0-B71C-45E7-9022-801AF4C47C0D}" = protocol=6 | dir=in | app=c:\program files\landesk\shared files\residentagent.exe | 
"{EEC2E2AE-9B41-4C0C-BE39-CDB735DD200F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{EF18F855-EC93-42E3-88BD-B6E5A1E509EF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F00E8A0D-742C-4D78-AB78-3C53478D61AE}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F0A2501F-D947-4EF0-8EEC-2BCF2EE3E2BD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F0B0B034-9A2B-47F3-93F2-03ABF9211619}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F29FD20F-4F4D-4C08-9C91-91171EDB791B}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F2A95492-E44D-4884-B727-519FE2718162}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F4C5D60B-5D41-4D7C-AF99-3E0AF479284A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F4D2484F-3134-43FF-A055-FC9669E38DCF}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F5ED899B-CBA7-4C05-9053-736FEC936916}" = protocol=17 | dir=in | app=c:\windows\system32\msgsys.exe | 
"{F5FF6E5D-DF38-421F-B172-04386C13EF0A}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F7CAB5DB-95B1-46D2-AA08-03442881B626}" = protocol=17 | dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F8168023-8816-493C-909E-AF0E2B2D599F}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F8ADE412-87E9-40BD-9A28-37308496CEC5}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F933E038-F6F7-4B8F-B14B-D3B6E07842E7}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{F954A079-3DA1-4483-9A4E-B34FEA600E96}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FAE2F2F2-26D7-4161-874F-4791D4060091}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FB96F776-E070-4BAC-8040-77BAFB962E21}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FC2FB216-6426-4AE2-A018-07C89A277554}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FE0292AB-25C5-4718-96E4-69DE928464BD}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FE6C2B83-48E2-443B-A5D3-D235373049EB}" = protocol=6 | dir=in | app=c:\program files\landesk\ldclient\tmcsvc.exe | 
"{FF7ADD4C-477B-48F2-9046-59B8306F26D9}" = dir=in | app=e:\itunes.exe | 
"{FF7B0AD3-D367-4766-B5BA-6108F4D573E8}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 
"{FFA470F2-749F-44C9-9B6B-4862D04D1835}" = dir=in | app=c:\program files\mandiant\mandiant intelligent response agent\miragent.exe | 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{068724F8-D8BE-4B43-8DDD-B9FE9E49FD76}" = Scansoft PDF Professional
"{086F9A69-CD39-4893-A9FB-D3A0634CE3F7}" = Autodesk Content Service
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0F6F6876-6334-4977-B5DD-CFC12E193420}" = iTunes
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{2B2B45B1-3CA0-4F8D-BBB3-AC77ED46A0FE}" = Dell Client System Update
"{2D2675BF-358D-44B3-AAB6-72D069B305B9}" = LANDesk Advance Agent
"{31B33270-24D7-4307-84F2-A3288636B83A}" = Check Point Endpoint Security - Full Disk Encryption
"{35CC2635-60EB-451F-BECB-4F5B25FABE6D}" = Nuance PDF Converter Professional 7
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}" = WIDCOMM Bluetooth Software
"{45734758-4041-4EA8-8E62-DE661FC3879C}" = LANDesk(R) Common Base Agent 8
"{54EB8041-1115-4406-AA4B-44D236E84B3B}" = Intel® PROSet/Wireless WiFi Software
"{5783F2D7-A009-0409-0002-0060B0CE6BBA}" = AutoCAD LT 2012 - English
"{5783F2D7-A009-0409-1002-0060B0CE6BBA}" = AutoCAD LT 2012 Language Pack - English
"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support
"{65420DC9-306E-4371-905F-F4DC3B418E52}" = Autodesk Material Library Base Resolution Image Library 2012
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{7E8833A1-AF24-4CAE-82DF-CFE14C14B94D}" = LANDesk Advance Agent
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8F0837C2-EE09-4903-88F3-1976FE7FFF4E}" = Autodesk Material Library 2012
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90510409-6D54-11D4-BEE3-00C04F990354}" = Microsoft Visio Professional 2002 [English]
"{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2
"{945F844A-769E-37E3-A945-FEF421298C60}" = Multi-Targeting Pack for the Microsoft .NET Framework 4.0.2
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A0087DDE-69D0-11E2-AD57-43CA6188709B}" = Adobe AIR
"{AC76BA86-1033-0000-BA7E-000000000005}" = Adobe Acrobat X Standard
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.03)
"{ADB1DE83-FC42-4C3F-B64B-2AF2215EF88B}" = Cisco AnyConnect Secure Mobility Client
"{B1A9CD45-A702-4E3B-91ED-8CD562869901}" = DWG TrueView 2008
"{B700113B-24A8-4D4C-8484-0CC944F764C8}" = Google SketchUp 8
"{C5DA59CF-2BB8-48D5-8E5B-17F2E0F0FEE4}" = System Requirements Lab for Intel
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240C0}" = WinZip 15.0
"{D36B4583-E804-406B-9D56-F97931286C5B}" = 32 Bit HP CIO Components Installer
"{D4DDFAA1-EC37-4529-AD5B-A433ADE68662}" = Apple Mobile Device Support
"{DE889CC8-F305-4C4C-BAE0-EF626E45CB9D}" = Symantec Endpoint Protection
"{E30E7561-A466-4393-B8BF-FD93E733EF3C}" = Microsoft Office Live Meeting 2007
"{EBDEC0A3-B98A-4BBE-96F4-6669869E66DC}" = MANDIANT Intelligent Response Agent
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Processor Graphics
"{F7D011B7-EF6B-4FCF-9571-44D60282329A}" = Microsoft AntiXSS v4.2.1
"{FA8FCCB3-0BFC-4730-9C7F-68270287C968}" = Cisco AnyConnect Diagnostics and Reporting Tool
"{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel(R) SDK for OpenCL - CPU Only Runtime Package
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Audacity_is1" = Audacity 2.0
"AutoCAD LT 2012 - English" = AutoCAD LT 2012 - English
"CameraUserGuide-PSELPH100HS_IXUS115HS" = Canon PowerShot ELPH 100 HS_IXUS 115 HS Camera User Guide
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow Launcher
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CCleaner" = CCleaner
"Cisco AnyConnect Secure Mobility Client" = Cisco AnyConnect Secure Mobility Client 
"Digital Editions" = Adobe Digital Editions
"DWG TrueView 2008" = DWG TrueView 2008
"ENP messaging screen saver" = ENP messaging screen saver
"EPSON Printer and Utilities" = EPSON Printer Software
"ESET Online Scanner" = ESET Online Scanner v3
"foobar2000" = foobar2000 v1.1.15
"GoToAssist" = GoToAssist Corporate
"IrfanView" = IrfanView (remove only)
"LAME_is1" = LAME v3.99.3 (for Windows)
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"MyCamera" = Canon Utilities MyCamera
"MyCamera Download Plugin" = CANON iMAGE GATEWAY MyCamera Download Plugin
"PhotoStitch" = Canon Utilities PhotoStitch
"ProInst" = Intel PROSet Wireless
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROSet" = Intel(R) Network Connections Drivers
"RUMBA 95 NT DeinstKey" = RUMBA 2000
"Software Guide" = Canon DIGITAL CAMERA Solution Disk Software Guide
"sp6" = Logitech SetPoint 6.52
"VLC media player" = VLC media player 1.1.11
"X10Hardware" = X10 Hardware(TM)
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/4/2013 2:28:41 PM | Computer Name = enpusreml0278.emrsn.org | Source = SceCli | ID = 1001
Description = Security policy cannot be propagated.  Cannot access the template. Error
 code = 3.   \\emrsn.org\SysVol\emrsn.org\Policies\{CAC32F26-2360-4B1C-802D-20F0D835C771}\Machine\Microsoft\Windows
 NT\SecEdit\GptTmpl.inf.

Error - 6/4/2013 2:28:41 PM | Computer Name = enpusreml0278.emrsn.org | Source = SceCli | ID = 1001
Description = Security policy cannot be propagated.  Cannot access the template. Error
 code = 3.   \\emrsn.org\sysvol\emrsn.org\Policies\{A851EDAB-8798-4358-A4DB-9BF020E1CF6F}\Machine\Microsoft\Windows
 NT\SecEdit\GptTmpl.inf.

Error - 6/4/2013 2:28:41 PM | Computer Name = enpusreml0278.emrsn.org | Source = Group Policy Registry | ID = 100737026
Description = The client-side extension could not apply computer policy settings
 for 'NPAMRAP_Workstation General Settings {CAC32F26-2360-4B1C-802D-20F0D835C771}'
 because it failed with error code '0x80070035 The network path was not found.'%100790275

Error - 6/4/2013 5:24:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/4/2013 5:24:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 2370888

Error - 6/4/2013 5:24:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2370888

Error - 6/4/2013 9:39:11 PM | Computer Name = enpusreml0278.emrsn.org | Source = Application Error | ID = 1000
Description = Faulting application name: ZeroConfigService.exe, version: 15.1.1.2,
 time stamp: 0x4f7468fc  Faulting module name: PfMgrApi.dll, version: 15.1.1.0, time
 stamp: 0x4f7467bf  Exception code: 0xc0000005  Fault offset: 0x000709a4  Faulting process
 id: 0x25cc  Faulting application start time: 0x01ce614e87a82b56  Faulting application
 path: C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe  Faulting module path:
 C:\Program Files\Intel\WiFi\bin\PfMgrApi.dll  Report Id: b8233334-cd80-11e2-901b-5c260a8047d6

Error - 6/4/2013 9:53:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/4/2013 9:53:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 76503

Error - 6/4/2013 9:53:10 PM | Computer Name = enpusreml0278.emrsn.org | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 76503

[ Cisco AnyConnect Secure Mobility Client Events ]
Error - 6/4/2013 2:09:27 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CHttpProbeAsync::OnOpenRequestComplete File: .\IP\HttpProbeAsync.cpp
Line:
 254 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:09:27 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CSocketTransport::OnTimerExpired File: .\IPC\SocketTransport.cpp
Line:
 1194 Invoked Function: CSocketTransport::PostConnectProcessing Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:30 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CTlsTransport::OnTransportInitiateComplete File: .\IP\TlsTransport.cpp
Line:
 357 Invoked Function: ISocketTransportCB::OnTransportInitiateComplete Return Code:
 -31522780 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:30 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CHttpProbeAsync::OnOpenRequestComplete File: .\IP\HttpProbeAsync.cpp
Line:
 254 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:30 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CSocketTransport::OnTimerExpired File: .\IPC\SocketTransport.cpp
Line:
 1194 Invoked Function: CSocketTransport::PostConnectProcessing Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:38 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CHttpProbeAsync::OnOpenRequestComplete File: .\IP\HttpProbeAsync.cpp
Line:
 254 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:38 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CSocketTransport::OnTimerExpired File: .\IPC\SocketTransport.cpp
Line:
 1194 Invoked Function: CSocketTransport::PostConnectProcessing Return Code: -31522780
 (0xFE1F0024) Description: SOCKETTRANSPORT_ERROR_CONNECT_TIMEOUT 

Error - 6/4/2013 2:28:38 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CNetEnvironment::TestAccessToSG File: .\NetEnvironment.cpp
Line:
 1023 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28901363
 (0xFE47000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could
 not contact target 

Error - 6/4/2013 2:28:38 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CNetEnvironment::testNetwork File: .\NetEnvironment.cpp Line:
 859 Invoked Function: CNetEnvironment::TestAccessToSG Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 

Error - 6/4/2013 2:28:38 PM | Computer Name = enpusreml0278.emrsn.org | Source = acvpnagent | ID = 67108866
Description = Function: CNetEnvironment::TestNetEnv File: .\NetEnvironment.cpp Line:
 192 Invoked Function: CNetEnvironment::testNetwork Return Code: -28901363 (0xFE47000D)
Description:
 NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target 

[ Media Center Events ]
Error - 11/23/2011 11:47:42 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 7:47:42 AM - Error connecting to the internet.  7:47:42 AM -     Unable
 to contact server..  

Error - 11/23/2011 11:48:03 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 7:47:47 AM - Error connecting to the internet.  7:47:47 AM -     Unable
 to contact server..  

Error - 12/23/2011 1:41:01 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 9:40:49 PM - Error connecting to the internet.  9:40:49 PM -     Unable
 to contact server..  

Error - 1/4/2012 12:47:59 PM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 8:47:59 AM - Error connecting to the internet.  8:47:59 AM -     Unable
 to contact server..  

Error - 1/4/2012 12:48:08 PM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 8:48:04 AM - Error connecting to the internet.  8:48:04 AM -     Unable
 to contact server..  

Error - 1/13/2012 4:17:16 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 12:17:16 AM - Error connecting to the internet.  12:17:16 AM -     Unable
 to contact server..  

Error - 1/13/2012 4:17:26 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 12:17:21 AM - Error connecting to the internet.  12:17:21 AM -     Unable
 to contact server..  

Error - 1/16/2012 3:02:24 PM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 11:02:24 AM - Failed to retrieve MCEClientUX (Error: Unable to connect
 to the remote server)  

Error - 1/17/2012 11:27:37 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 7:27:37 AM - Error connecting to the internet.  7:27:37 AM -     Unable
 to contact server..  

Error - 1/17/2012 11:27:47 AM | Computer Name = enpusreml0278.emrsn.org | Source = MCUpdate | ID = 0
Description = 7:27:42 AM - Error connecting to the internet.  7:27:42 AM -     Unable
 to contact server..  

[ OSession Events ]
Error - 5/3/2012 10:20:59 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6611.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 9
 seconds with 0 seconds of active time.  This session ended with a crash.

Error - 5/3/2012 10:21:12 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6611.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 5
 seconds with 0 seconds of active time.  This session ended with a crash.

Error - 5/3/2012 10:21:31 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6611.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 5
 seconds with 0 seconds of active time.  This session ended with a crash.

Error - 7/13/2012 10:59:00 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2549
 seconds with 420 seconds of active time.  This session ended with a crash.

Error - 8/11/2012 4:49:17 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 84909
 seconds with 840 seconds of active time.  This session ended with a crash.

Error - 11/10/2012 4:45:47 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6662.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 23592
 seconds with 9480 seconds of active time.  This session ended with a crash.

Error - 4/30/2013 10:54:24 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 286
 seconds with 180 seconds of active time.  This session ended with a crash.

Error - 5/1/2013 12:14:26 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 2452
 seconds with 300 seconds of active time.  This session ended with a crash.

Error - 5/6/2013 12:43:34 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 238
 seconds with 180 seconds of active time.  This session ended with a crash.

Error - 5/7/2013 12:05:29 AM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40898
 seconds with 10680 seconds of active time.  This session ended with a crash.

[ System Events ]
Error - 6/4/2013 4:31:15 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   b) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).

Error - 6/4/2013 5:25:46 PM | Computer Name = enpusreml0278.emrsn.org | Source = TermService | ID = 1067
Description = 

Error - 6/4/2013 5:28:08 PM | Computer Name = enpusreml0278.emrsn.org | Source = TermService | ID = 1067
Description = 

Error - 6/4/2013 6:06:17 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   b) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).

Error - 6/4/2013 7:42:19 PM | Computer Name = enpusreml0278.emrsn.org | Source = NETLOGON | ID = 5719
Description = This computer was not able to set up a secure session with a domain
controller
 in domain EMRSN due to the following:   %%1311    This may lead to authentication problems.
 Make sure that this  computer is connected to the network. If the problem persists,
please
 contact your domain administrator.        ADDITIONAL INFO    If this computer is a domain controller
 for the specified domain, it  sets up the secure session to the primary domain controller
 emulator in the specified  domain. Otherwise, this computer sets up the secure session
 to any domain controller  in the specified domain.

Error - 6/4/2013 7:42:20 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   b) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).

Error - 6/4/2013 9:29:20 PM | Computer Name = enpusreml0278.emrsn.org | Source = Microsoft-Windows-GroupPolicy | ID = 1055
Description = The processing of Group Policy failed. Windows could not resolve the
 computer name. This could be caused by one of more of the following:   a) Name Resolution
 failure on the current domain controller.   b) Active Directory Replication Latency
 (an account created on another domain controller has not replicated to the current
 domain controller).

Error - 6/4/2013 9:39:15 PM | Computer Name = enpusreml0278.emrsn.org | Source = Service Control Manager | ID = 7034
Description = The Intel(R) PROSet/Wireless Zero Configuration Service service terminated
 unexpectedly.  It has done this 1 time(s).

Error - 6/4/2013 9:55:02 PM | Computer Name = enpusreml0278.emrsn.org | Source = TermService | ID = 1067
Description = 

Error - 6/4/2013 9:57:37 PM | Computer Name = enpusreml0278.emrsn.org | Source = TermService | ID = 1067
Description = 


< End of report >


----------



## pjoseph

No idea, I did do a complete shutdown when you previously told me to.
Should I remove any of the 5 threats the program found?

thanks again


----------



## johnb35

Wait, according to this entry you have installed malwarebytes with a keygen...

[2013/06/04 08:23:51 | 000,000,000 | ---D | C] -- C:\Users\pamato\Desktop\Malwarebytes Anti-Malware Pro v1.75.0.1300 Incl Keygen-BRD [TorDigger]

That's a no-no, big time.

Please download and run *RogueKiller*.
Click Scan to scan the system (don't run any other options)

Post the log that it gives you.


----------



## pjoseph

My mistake, my buddy gave me that today, which was the first time I ran it.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : pamato [Admin rights]
Mode : Scan -- Date : 06/04/2013 21:58:38
| ARK || FAK || MBR |

¤¤¤ Bad processes : 3 ¤¤¤
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll [x] -> UNLOADED
[SUSP PATH] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe [7] -> KILLED [TermProc]
[DLL] explorer.exe -- C:\Windows\explorer.exe : C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Widcomm (REGSVR32.EXE C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1417001333-1682526488-839522115-249927[...]\Run : Widcomm (REGSVR32.EXE C:\Users\pamato\AppData\Local\Widcomm\vwhsfohz.dll) [-] -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (enpusfpkinf01:8080) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C} : NameServer (10.16.64.11,10.20.64.11) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{F39B21CE-17BD-4563-BC8F-26C93DDA032C} : NameServer (10.16.64.11,10.20.64.11) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x82333DA5 -> HOOKED (Unknown @ 0x875EB9D8)
SSDT[14] : NtAlertThread @ 0x82286CC7 -> HOOKED (Unknown @ 0x875E96C0)
SSDT[19] : NtAllocateVirtualMemory @ 0x8227FCBC -> HOOKED (Unknown @ 0x875E7828)
SSDT[74] : NtCreateMutant @ 0x8226634C -> HOOKED (Unknown @ 0x875EB728)
SSDT[87] : NtCreateThread @ 0x82331FE2 -> HOOKED (Unknown @ 0x875E79B8)
SSDT[131] : NtFreeVirtualMemory @ 0x8210E81C -> HOOKED (Unknown @ 0x875E7688)
SSDT[145] : NtImpersonateAnonymousToken @ 0x8224B962 -> HOOKED (Unknown @ 0x875EB818)
SSDT[147] : NtImpersonateThread @ 0x822CF962 -> HOOKED (Unknown @ 0x875EB8F8)
SSDT[168] : NtMapViewOfSection @ 0x8229C5F1 -> HOOKED (Unknown @ 0x875E89B8)
SSDT[177] : NtOpenEvent @ 0x82265D48 -> HOOKED (Unknown @ 0x875EB648)
SSDT[191] : NtOpenProcessToken @ 0x822BA36F -> HOOKED (Unknown @ 0x875E78F8)
SSDT[199] : NtOpenThreadToken @ 0x822CE64B -> HOOKED (Unknown @ 0x875E8758)
SSDT[304] : NtResumeThread @ 0x822C66C2 -> HOOKED (Unknown @ 0x872C9B38)
SSDT[316] : NtSetContextThread @ 0x82333851 -> HOOKED (Unknown @ 0x875E8698)
SSDT[333] : NtSetInformationProcess @ 0x8228E875 -> HOOKED (Unknown @ 0x875E8828)
SSDT[335] : NtSetInformationThread @ 0x822BFE26 -> HOOKED (Unknown @ 0x875E99C8)
SSDT[366] : NtSuspendProcess @ 0x82333CDF -> HOOKED (Unknown @ 0x875ED978)
SSDT[367] : NtSuspendThread @ 0x822EB19B -> HOOKED (Unknown @ 0x875E9808)
SSDT[370] : NtTerminateProcess @ 0x822B0D86 -> HOOKED (Unknown @ 0x875EA6B8)
SSDT[371] : NtTerminateThread @ 0x822CE69B -> HOOKED (Unknown @ 0x875E98E8)
SSDT[385] : NtUnmapViewOfSection @ 0x822BA9AA -> HOOKED (Unknown @ 0x875E88F8)
SSDT[399] : NtWriteVirtualMemory @ 0x822B5A83 -> HOOKED (Unknown @ 0x875E7758)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEKT-75PVMT0 +++++
--- User ---
[MBR] 4cd91750ce87a9415415c8b7bc2671ad
[BSP] 942f3df21fcddc7c67a0dc58e20f1548 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 119999 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 245760000 | Size: 118473 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_06042013_02d2158.txt >>
RKreport[1]_S_06042013_02d2158.txt

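A read-only PowerShell triage script, added here as an example and not part of the thread or of RogueKiller's own code, that re-checks on a Windows host the three classes of finding in the log above: Run-key entries that start regsvr32/rundll32 with a DLL from a user-writable path (the "Widcomm" entry), the UAC and registry-tool policy values (EnableLUA, ConsentPromptBehaviorAdmin, DisableRegistryTools), and modules loaded into explorer.exe from the user profile. It assumes Windows PowerShell 5.1 and the standard registry locations; the loader and path patterns are my own choices, not RogueKiller's.

```powershell
# Added triage script (example only; not from the thread or RogueKiller).
# Read-only: it reports, it does not delete or change anything.
# Assumes Windows PowerShell 5.1 on Windows 7 or later.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Legitimate Windows loaders that are suspicious when a Run entry uses them to
# load a DLL sitting in the user profile (as with REGSVR32.EXE ...\AppData\Local\Widcomm\*.dll).
$loaderPattern   = '\b(regsvr32|rundll32)(\.exe)?\b'
# User-writable locations (pattern is an assumption; extend for your environment).
$userPathPattern = '\\(AppData|Users\\[^\\]+\\(AppData|Desktop|Downloads))\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%'

function Get-SuspiciousRunEntries {
    # Flags Run/RunOnce values that combine a loader binary with a user-profile path.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match $loaderPattern -and $cmd -match $userPathPattern) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

function Get-UacPolicyState {
    # Expected on a healthy host: EnableLUA = 1, ConsentPromptBehaviorAdmin non-zero
    # (0 = elevate silently), DisableRegistryTools absent or 0.
    $policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        DisableRegistryTools       = $p.DisableRegistryTools
        UacEffectivelyOff          = (($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0))
    }
}

function Get-UserPathModulesInExplorer {
    # Lists DLLs mapped into explorer.exe from user-writable paths, the same
    # condition RogueKiller reported for vwhsfohz.dll above.
    foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        try {
            foreach ($m in $proc.Modules) {
                if ($m.FileName -match $userPathPattern) {
                    [pscustomobject]@{ ProcessId = $proc.Id; Module = $m.FileName }
                }
            }
        } catch {
            # Module enumeration can fail across bitness or without sufficient rights.
            Write-Warning ("Could not enumerate modules of explorer.exe PID {0}: {1}" -f $proc.Id, $_)
        }
    }
}

'== Run-key entries launching a DLL from a user-writable path =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
'== UAC / registry-tool policy values =='
Get-UacPolicyState | Format-List
'== Modules loaded into explorer.exe from user-writable paths =='
Get-UserPathModulesInExplorer | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell prompt; an empty first and third table together with EnableLUA = 1 is the clean result, and anything it lists should be compared against the RogueKiller report before deciding what to remove.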

----------



## johnb35

Are you still getting the popups?


----------



## johnb35

Please do a full scan with your Symantec Endpoint software to see if it detects anything.


----------



## pjoseph

Actually no, no more popup.

I still have RogueKiller open because when I close it, it asks me if I want to delete what it found. Should I delete them?


----------



## johnb35

Yes delete.


----------



## pjoseph

Ok, thanks again

Would you say I'm good now? Just realized you said to scan with Symantec; I will start that tonight since it takes a while.

Also, what about the items ESET found which I never deleted?


----------



## johnb35

Yes, I would say you are good now.  You can delete this one. 

C:\Users\pamato\AppData\Roaming\wabEventSupport16\ {9a0cc1ab-a1bd-57af-3bb1-96043bca195a}.exe	

The other items are in quarantine and can't harm you.

Now uninstall ComboFix by typing this in the search box in the Start menu.

Combofix /uninstall and press Enter.  There is a space between the x and the /.

Let me know if Symantec finds anything.


----------



## pjoseph

Got it, I will follow up in the morning; will run Symantec overnight.

Thanks again for all your help thus far, appreciate it!


----------



## pjoseph

Symantec found one tracking cookie

Cookie[email protected]/	Tracking Cookies


----------



## johnb35

Good to know.  It seems you are ready to roll.  Let me know if you have any more issues.


----------



## pjoseph

Thanks again for all your help, I really appreciate it!

Have a great weekend


----------

