
TNRC51

Members
Posts: 10
Reputation: 0 Neutral
  1. Well here is the postmortem. We found that the original "Administrator" account was both enabled and still using the default Dell password. I saw that account RDP into the machine from a PC I certainly did not know. Whereupon I terminated the session and closed the firewall. I believe that when I enabled the RDP port originally last week, the public IP was spotted and exploited. I'll be using a nonstandard port from here on. The admin password is changed and I am restoring the VMware image from before the attack. I tried many tools over the last few days to remove the code but nothing worked. The good news is that the MBEE was at least controlling the obvious part of our issue. Other than time I have not lost anything that I am aware of. There were obvious ties to Chinese servers, which does not help my paranoid mind at all. I will also be searching our other machines for any evidence that it was spread. I hope there is a special place in the afterlife for these scumbags. Hope this helps someone avoid our mistakes.
  2. Here is the log from yesterday's MBEE: protection-log-2015-02-25.txt
  3. Here is a log file from RogueKiller: RKreport_SCN_02262015_095912.log
  4. Update.... As I reviewed the logs I saw references to Yandex browser. It was hidden from my system uninstall search. From what little I know about it, this is a Russian product not used in my part of the world. I was able to find the .exe for it and tried running it to see if there was an uninstaller option. There wasn't but that did register it for the system uninstall. After then running that uninstall, I did a complete registry search and deleted all references to Yandex. I'm not sure if this is part of the Bitcoin miner infection for sure but it is unwanted nonetheless.
  5. I killed the process for nvnc.exe and it stopped. But whatever it was was trying IP addresses one after another to try and connect.
  6. Also, a new issue for this morning. Here is the log from Malwarebytes.

     2015/02/25 00:29:16 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 01:27:17 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 02:24:27 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 03:24:32 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 04:22:13 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 05:20:29 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 06:16:50 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 07:12:01 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 08:06:31 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 09:01:14 -0500 SERVER02 (null) IP-BLOCK 222.84.227.72 (Type: outgoing, Port: 63921, Process: nvnc.exe)
     2015/02/25 09:01:14 -0500 SERVER02 (null) IP-BLOCK 60.173.11.13 (Type: outgoing, Port: 64089, Process: nvnc.exe)
     2015/02/25 09:01:14 -0500 SERVER02 (null) IP-BLOCK 117.21.225.78 (Type: outgoing, Port: 64174, Process: nvnc.exe)
     2015/02/25 09:01:21 -0500 SERVER02 (null) DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 09:01:22 -0500 SERVER02 tc-admin IP-BLOCK 91.217.91.102 (Type: outgoing, Port: 64889, Process: nvnc.exe)
     2015/02/25 09:01:30 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.44 (Type: outgoing, Port: 50454, Process: nvnc.exe)
     2015/02/25 09:01:30 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.61 (Type: outgoing, Port: 51679, Process: nvnc.exe)
     2015/02/25 09:01:46 -0500 SERVER02 tc-admin IP-BLOCK 222.84.227.54 (Type: outgoing, Port: 56352, Process: nvnc.exe)
     2015/02/25 09:01:54 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.5 (Type: outgoing, Port: 56874, Process: nvnc.exe)
     2015/02/25 09:01:54 -0500 SERVER02 tc-admin IP-BLOCK 60.173.11.114 (Type: outgoing, Port: 57692, Process: nvnc.exe)
     2015/02/25 09:01:54 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.51 (Type: outgoing, Port: 57748, Process: nvnc.exe)
     2015/02/25 09:02:02 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.27 (Type: outgoing, Port: 58712, Process: nvnc.exe)
     2015/02/25 09:02:02 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.75 (Type: outgoing, Port: 59818, Process: nvnc.exe)
     2015/02/25 09:02:02 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.84 (Type: outgoing, Port: 59961, Process: nvnc.exe)
     2015/02/25 09:02:10 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.120 (Type: outgoing, Port: 60847, Process: nvnc.exe)
     2015/02/25 09:02:10 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.44 (Type: outgoing, Port: 61962, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 115.239.229.83 (Type: outgoing, Port: 62552, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 121.10.142.108 (Type: outgoing, Port: 62708, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.119 (Type: outgoing, Port: 63007, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 77.222.132.41 (Type: outgoing, Port: 63034, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 61.134.65.55 (Type: outgoing, Port: 63041, Process: nvnc.exe)
     2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.86 (Type: outgoing, Port: 63611, Process: nvnc.exe)
     2015/02/25 09:02:26 -0500 SERVER02 tc-admin IP-BLOCK 213.226.192.28 (Type: outgoing, Port: 64813, Process: nvnc.exe)
     2015/02/25 09:02:26 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.3 (Type: outgoing, Port: 49774, Process: nvnc.exe)
     2015/02/25 09:02:34 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.11 (Type: outgoing, Port: 51944, Process: nvnc.exe)
     2015/02/25 09:02:34 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.42 (Type: outgoing, Port: 52098, Process: nvnc.exe)
     2015/02/25 09:02:34 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.8 (Type: outgoing, Port: 52193, Process: nvnc.exe)
     2015/02/25 09:02:42 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.46 (Type: outgoing, Port: 52862, Process: nvnc.exe)
     2015/02/25 09:02:42 -0500 SERVER02 tc-admin IP-BLOCK 218.93.210.10 (Type: outgoing, Port: 53853, Process: nvnc.exe)
     2015/02/25 09:02:42 -0500 SERVER02 tc-admin IP-BLOCK 46.182.27.93 (Type: outgoing, Port: 54825, Process: nvnc.exe)
     2015/02/25 09:02:50 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.28 (Type: outgoing, Port: 55752, Process: nvnc.exe)
     2015/02/25 09:02:50 -0500 SERVER02 tc-admin IP-BLOCK 109.235.48.47 (Type: outgoing, Port: 55810, Process: nvnc.exe)
     2015/02/25 09:02:50 -0500 SERVER02 tc-admin IP-BLOCK 61.158.219.7 (Type: outgoing, Port: 56887, Process: nvnc.exe)
     2015/02/25 09:02:51 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.32 (Type: outgoing, Port: 56960, Process: nvnc.exe)
     2015/02/25 09:03:15 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.88 (Type: outgoing, Port: 62953, Process: nvnc.exe)
     2015/02/25 09:03:15 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.8 (Type: outgoing, Port: 64194, Process: nvnc.exe)
     2015/02/25 09:03:15 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.51 (Type: outgoing, Port: 64422, Process: nvnc.exe)
     2015/02/25 09:03:15 -0500 SERVER02 tc-admin IP-BLOCK 211.71.102.5 (Type: outgoing, Port: 64870, Process: nvnc.exe)
     2015/02/25 09:03:23 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.61 (Type: outgoing, Port: 65119, Process: nvnc.exe)
     2015/02/25 09:03:23 -0500 SERVER02 tc-admin IP-BLOCK 88.85.80.102 (Type: outgoing, Port: 49408, Process: nvnc.exe)
     2015/02/25 09:03:23 -0500 SERVER02 tc-admin IP-BLOCK 82.208.40.33 (Type: outgoing, Port: 50063, Process: nvnc.exe)
     2015/02/25 09:03:31 -0500 SERVER02 tc-admin IP-BLOCK 121.10.68.67 (Type: outgoing, Port: 52201, Process: nvnc.exe)
     2015/02/25 09:03:31 -0500 SERVER02 tc-admin IP-BLOCK 91.209.12.19 (Type: outgoing, Port: 53082, Process: nvnc.exe)
     2015/02/25 09:03:31 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.37 (Type: outgoing, Port: 54008, Process: nvnc.exe)
     2015/02/25 09:03:31 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.119 (Type: outgoing, Port: 54277, Process: nvnc.exe)
     2015/02/25 09:03:39 -0500 SERVER02 tc-admin IP-BLOCK 222.216.28.24 (Type: outgoing, Port: 55851, Process: nvnc.exe)
     2015/02/25 09:03:47 -0500 SERVER02 tc-admin IP-BLOCK 66.85.151.50 (Type: outgoing, Port: 57552, Process: nvnc.exe)
     2015/02/25 09:03:47 -0500 SERVER02 tc-admin IP-BLOCK 222.216.28.26 (Type: outgoing, Port: 58048, Process: nvnc.exe)
     2015/02/25 09:03:47 -0500 SERVER02 tc-admin IP-BLOCK 193.169.244.75 (Type: outgoing, Port: 58389, Process: nvnc.exe)
     2015/02/25 09:04:03 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.94 (Type: outgoing, Port: 63784, Process: nvnc.exe)
     2015/02/25 09:04:03 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.63 (Type: outgoing, Port: 64870, Process: nvnc.exe)
     2015/02/25 09:04:03 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.115 (Type: outgoing, Port: 49721, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.0 (Type: outgoing, Port: 50987, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.27 (Type: outgoing, Port: 51123, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.9 (Type: outgoing, Port: 51137, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.105 (Type: outgoing, Port: 52239, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.55 (Type: outgoing, Port: 52598, Process: nvnc.exe)
     2015/02/25 09:04:11 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.77 (Type: outgoing, Port: 52705, Process: nvnc.exe)
     2015/02/25 09:04:19 -0500 SERVER02 tc-admin IP-BLOCK 122.224.9.26 (Type: outgoing, Port: 53487, Process: nvnc.exe)
     2015/02/25 09:04:19 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.119 (Type: outgoing, Port: 54887, Process: nvnc.exe)
     2015/02/25 09:04:19 -0500 SERVER02 tc-admin IP-BLOCK 121.10.68.67 (Type: outgoing, Port: 55194, Process: nvnc.exe)
     2015/02/25 09:04:27 -0500 SERVER02 tc-admin IP-BLOCK 121.10.172.87 (Type: outgoing, Port: 55982, Process: nvnc.exe)
     2015/02/25 09:04:27 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.46 (Type: outgoing, Port: 56816, Process: nvnc.exe)
     2015/02/25 09:04:27 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.23 (Type: outgoing, Port: 56884, Process: nvnc.exe)
     2015/02/25 09:04:27 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.47 (Type: outgoing, Port: 57536, Process: nvnc.exe)
     2015/02/25 09:04:27 -0500 SERVER02 tc-admin IP-BLOCK 122.224.8.88 (Type: outgoing, Port: 57610, Process: nvnc.exe)
     2015/02/25 09:04:35 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.120 (Type: outgoing, Port: 60029, Process: nvnc.exe)
     2015/02/25 09:04:35 -0500 SERVER02 tc-admin IP-BLOCK 46.21.148.108 (Type: outgoing, Port: 60496, Process: nvnc.exe)
     2015/02/25 09:04:35 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.72 (Type: outgoing, Port: 61347, Process: nvnc.exe)
     2015/02/25 09:04:43 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.65 (Type: outgoing, Port: 61704, Process: nvnc.exe)
     2015/02/25 09:04:43 -0500 SERVER02 tc-admin IP-BLOCK 146.0.72.114 (Type: outgoing, Port: 62015, Process: nvnc.exe)
     2015/02/25 09:04:51 -0500 SERVER02 tc-admin IP-BLOCK 218.93.202.121 (Type: outgoing, Port: 64860, Process: nvnc.exe)
     2015/02/25 09:04:51 -0500 SERVER02 tc-admin IP-BLOCK 88.85.80.104 (Type: outgoing, Port: 49707, Process: nvnc.exe)
     2015/02/25 09:05:07 -0500 SERVER02 tc-admin IP-BLOCK 121.10.142.1 (Type: outgoing, Port: 55815, Process: nvnc.exe)
     2015/02/25 09:05:15 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.57 (Type: outgoing, Port: 58621, Process: nvnc.exe)
     2015/02/25 09:05:23 -0500 SERVER02 tc-admin IP-BLOCK 60.173.12.75 (Type: outgoing, Port: 59971, Process: nvnc.exe)
     2015/02/25 09:05:40 -0500 SERVER02 tc-admin IP-BLOCK 195.234.4.39 (Type: outgoing, Port: 64831, Process: nvnc.exe)
     2015/02/25 09:05:40 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.3 (Type: outgoing, Port: 64842, Process: nvnc.exe)
     2015/02/25 09:05:40 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.33 (Type: outgoing, Port: 65118, Process: nvnc.exe)
     2015/02/25 09:05:40 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.57 (Type: outgoing, Port: 65428, Process: nvnc.exe)
     2015/02/25 09:05:40 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.50 (Type: outgoing, Port: 49176, Process: nvnc.exe)
     2015/02/25 09:05:48 -0500 SERVER02 tc-admin IP-BLOCK 218.93.210.12 (Type: outgoing, Port: 50616, Process: nvnc.exe)
     2015/02/25 09:05:48 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.27 (Type: outgoing, Port: 51180, Process: nvnc.exe)
     2015/02/25 09:05:48 -0500 SERVER02 tc-admin IP-BLOCK 174.139.244.86 (Type: outgoing, Port: 52538, Process: nvnc.exe)
     2015/02/25 09:05:48 -0500 SERVER02 tc-admin IP-BLOCK 122.226.240.50 (Type: outgoing, Port: 52807, Process: nvnc.exe)
     2015/02/25 09:05:48 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.69 (Type: outgoing, Port: 52840, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 61.134.65.49 (Type: outgoing, Port: 53458, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 61.134.65.49 (Type: outgoing, Port: 53636, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.64 (Type: outgoing, Port: 54481, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 121.10.21.71 (Type: outgoing, Port: 54877, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.64 (Type: outgoing, Port: 55706, Process: nvnc.exe)
     2015/02/25 09:05:56 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.104 (Type: outgoing, Port: 56180, Process: nvnc.exe)
     2015/02/25 09:06:04 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.26 (Type: outgoing, Port: 58214, Process: nvnc.exe)
     2015/02/25 09:06:12 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.19 (Type: outgoing, Port: 59145, Process: nvnc.exe)
     2015/02/25 09:06:12 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.14 (Type: outgoing, Port: 59848, Process: nvnc.exe)
     2015/02/25 09:06:12 -0500 SERVER02 tc-admin IP-BLOCK 46.161.41.27 (Type: outgoing, Port: 61880, Process: nvnc.exe)
     2015/02/25 09:06:20 -0500 SERVER02 tc-admin IP-BLOCK 121.10.172.34 (Type: outgoing, Port: 62618, Process: nvnc.exe)
     2015/02/25 09:06:20 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.23 (Type: outgoing, Port: 62747, Process: nvnc.exe)
     2015/02/25 09:06:28 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.122 (Type: outgoing, Port: 65056, Process: nvnc.exe)
     2015/02/25 09:06:28 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.87 (Type: outgoing, Port: 49911, Process: nvnc.exe)
     2015/02/25 09:06:36 -0500 SERVER02 tc-admin IP-BLOCK 195.191.24.20 (Type: outgoing, Port: 51372, Process: nvnc.exe)
     2015/02/25 09:06:36 -0500 SERVER02 tc-admin IP-BLOCK 121.10.172.90 (Type: outgoing, Port: 52575, Process: nvnc.exe)
     2015/02/25 09:06:36 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.3 (Type: outgoing, Port: 52678, Process: nvnc.exe)
     2015/02/25 09:06:36 -0500 SERVER02 tc-admin IP-BLOCK 60.173.12.93 (Type: outgoing, Port: 53464, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 193.169.244.10 (Type: outgoing, Port: 55428, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 193.169.244.44 (Type: outgoing, Port: 55485, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.106 (Type: outgoing, Port: 55900, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.105 (Type: outgoing, Port: 56287, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.73 (Type: outgoing, Port: 56697, Process: nvnc.exe)
     2015/02/25 09:06:44 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.66 (Type: outgoing, Port: 56838, Process: nvnc.exe)
     2015/02/25 09:06:52 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.49 (Type: outgoing, Port: 57631, Process: nvnc.exe)
     2015/02/25 09:06:52 -0500 SERVER02 tc-admin IP-BLOCK 222.216.28.12 (Type: outgoing, Port: 58857, Process: nvnc.exe)
     2015/02/25 09:07:08 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.73 (Type: outgoing, Port: 63637, Process: nvnc.exe)
     2015/02/25 09:07:08 -0500 SERVER02 tc-admin IP-BLOCK 91.209.12.19 (Type: outgoing, Port: 63831, Process: nvnc.exe)
     2015/02/25 09:07:08 -0500 SERVER02 tc-admin IP-BLOCK 46.21.148.99 (Type: outgoing, Port: 63978, Process: nvnc.exe)
     2015/02/25 09:07:08 -0500 SERVER02 tc-admin IP-BLOCK 46.16.170.5 (Type: outgoing, Port: 64528, Process: nvnc.exe)
     2015/02/25 09:07:16 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.13 (Type: outgoing, Port: 49937, Process: nvnc.exe)
     2015/02/25 09:07:16 -0500 SERVER02 tc-admin IP-BLOCK 194.28.112.13 (Type: outgoing, Port: 50441, Process: nvnc.exe)
     2015/02/25 09:07:16 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.85 (Type: outgoing, Port: 50971, Process: nvnc.exe)
     2015/02/25 09:07:16 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.28 (Type: outgoing, Port: 51398, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.75 (Type: outgoing, Port: 52102, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 185.11.145.95 (Type: outgoing, Port: 52565, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 122.226.240.56 (Type: outgoing, Port: 52953, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.125 (Type: outgoing, Port: 53435, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 218.93.210.9 (Type: outgoing, Port: 54084, Process: nvnc.exe)
     2015/02/25 09:07:24 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.75 (Type: outgoing, Port: 54813, Process: nvnc.exe)
     2015/02/25 09:07:57 -0500 SERVER02 tc-admin IP-BLOCK 117.21.225.34 (Type: outgoing, Port: 63905, Process: nvnc.exe)
     2015/02/25 09:07:57 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.24 (Type: outgoing, Port: 63991, Process: nvnc.exe)
     2015/02/25 09:07:57 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.83 (Type: outgoing, Port: 64900, Process: nvnc.exe)
     2015/02/25 09:08:05 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.16 (Type: outgoing, Port: 53070, Process: nvnc.exe)
     2015/02/25 09:08:13 -0500 SERVER02 tc-admin IP-BLOCK 222.84.227.18 (Type: outgoing, Port: 55782, Process: nvnc.exe)
     2015/02/25 09:08:21 -0500 SERVER02 tc-admin IP-BLOCK 46.4.238.45 (Type: outgoing, Port: 57231, Process: nvnc.exe)
     2015/02/25 09:08:21 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.38 (Type: outgoing, Port: 57923, Process: nvnc.exe)
     2015/02/25 09:08:21 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.89 (Type: outgoing, Port: 58427, Process: nvnc.exe)
     2015/02/25 09:08:21 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.3 (Type: outgoing, Port: 58820, Process: nvnc.exe)
     2015/02/25 09:08:29 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.34 (Type: outgoing, Port: 59208, Process: nvnc.exe)
     2015/02/25 09:08:29 -0500 SERVER02 tc-admin IP-BLOCK 195.234.4.33 (Type: outgoing, Port: 60677, Process: nvnc.exe)
     2015/02/25 09:08:29 -0500 SERVER02 tc-admin IP-BLOCK 61.152.108.58 (Type: outgoing, Port: 61665, Process: nvnc.exe)
     2015/02/25 09:08:37 -0500 SERVER02 tc-admin IP-BLOCK 61.152.108.58 (Type: outgoing, Port: 61709, Process: nvnc.exe)
     2015/02/25 09:08:37 -0500 SERVER02 tc-admin IP-BLOCK 109.235.48.21 (Type: outgoing, Port: 63194, Process: nvnc.exe)
     2015/02/25 09:08:45 -0500 SERVER02 tc-admin IP-BLOCK 60.173.12.93 (Type: outgoing, Port: 49420, Process: nvnc.exe)
     2015/02/25 09:08:53 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.56 (Type: outgoing, Port: 52042, Process: nvnc.exe)
     2015/02/25 09:08:53 -0500 SERVER02 tc-admin IP-BLOCK 121.10.172.86 (Type: outgoing, Port: 53137, Process: nvnc.exe)
     2015/02/25 09:08:53 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.21 (Type: outgoing, Port: 53633, Process: nvnc.exe)
     2015/02/25 09:09:01 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.35 (Type: outgoing, Port: 54895, Process: nvnc.exe)
     2015/02/25 09:09:01 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.115 (Type: outgoing, Port: 55322, Process: nvnc.exe)
     2015/02/25 09:09:01 -0500 SERVER02 tc-admin IP-BLOCK 146.0.72.96 (Type: outgoing, Port: 56745, Process: nvnc.exe)
     2015/02/25 09:09:09 -0500 SERVER02 tc-admin IP-BLOCK 122.226.240.46 (Type: outgoing, Port: 57584, Process: nvnc.exe)
     2015/02/25 09:09:09 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.60 (Type: outgoing, Port: 58089, Process: nvnc.exe)
     2015/02/25 09:09:09 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.95 (Type: outgoing, Port: 58560, Process: nvnc.exe)
     2015/02/25 09:09:09 -0500 SERVER02 tc-admin IP-BLOCK 121.10.142.11 (Type: outgoing, Port: 59213, Process: nvnc.exe)
     2015/02/25 09:09:09 -0500 SERVER02 tc-admin IP-BLOCK 121.101.216.50 (Type: outgoing, Port: 59218, Process: nvnc.exe)
     2015/02/25 09:09:17 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.63 (Type: outgoing, Port: 60358, Process: nvnc.exe)
     2015/02/25 09:09:17 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.105 (Type: outgoing, Port: 60448, Process: nvnc.exe)
     2015/02/25 09:09:17 -0500 SERVER02 tc-admin IP-BLOCK 80.93.57.27 (Type: outgoing, Port: 62417, Process: nvnc.exe)
     2015/02/25 09:09:17 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.106 (Type: outgoing, Port: 62599, Process: nvnc.exe)
     2015/02/25 09:09:33 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.103 (Type: outgoing, Port: 51664, Process: nvnc.exe)
     2015/02/25 09:09:33 -0500 SERVER02 tc-admin IP-BLOCK 106.3.45.81 (Type: outgoing, Port: 51668, Process: nvnc.exe)
     2015/02/25 09:09:49 -0500 SERVER02 tc-admin IP-BLOCK 121.10.250.97 (Type: outgoing, Port: 56744, Process: nvnc.exe)
     2015/02/25 09:09:49 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.86 (Type: outgoing, Port: 57047, Process: nvnc.exe)
     2015/02/25 09:09:49 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.89 (Type: outgoing, Port: 57646, Process: nvnc.exe)
     2015/02/25 09:09:57 -0500 SERVER02 tc-admin IP-BLOCK 92.63.88.56 (Type: outgoing, Port: 58760, Process: nvnc.exe)
     2015/02/25 09:09:57 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.100 (Type: outgoing, Port: 58935, Process: nvnc.exe)
     2015/02/25 09:09:57 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.93 (Type: outgoing, Port: 59990, Process: nvnc.exe)
     2015/02/25 09:10:05 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.119 (Type: outgoing, Port: 61113, Process: nvnc.exe)
     2015/02/25 09:10:05 -0500 SERVER02 tc-admin IP-BLOCK 106.3.45.23 (Type: outgoing, Port: 61545, Process: nvnc.exe)
     2015/02/25 09:10:05 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.11 (Type: outgoing, Port: 61857, Process: nvnc.exe)
     2015/02/25 09:10:05 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.75 (Type: outgoing, Port: 62480, Process: nvnc.exe)
     2015/02/25 09:10:05 -0500 SERVER02 tc-admin IP-BLOCK 109.235.48.47 (Type: outgoing, Port: 62599, Process: nvnc.exe)
     2015/02/25 09:10:13 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.35 (Type: outgoing, Port: 65250, Process: nvnc.exe)
     2015/02/25 09:10:21 -0500 SERVER02 tc-admin IP-BLOCK 106.3.45.53 (Type: outgoing, Port: 50739, Process: nvnc.exe)
     2015/02/25 09:10:22 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.31 (Type: outgoing, Port: 52180, Process: nvnc.exe)
     2015/02/25 09:10:30 -0500 SERVER02 tc-admin IP-BLOCK 195.191.24.82 (Type: outgoing, Port: 55085, Process: nvnc.exe)
     2015/02/25 09:10:30 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.86 (Type: outgoing, Port: 55383, Process: nvnc.exe)
     2015/02/25 09:10:38 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.57 (Type: outgoing, Port: 57589, Process: nvnc.exe)
     2015/02/25 09:10:38 -0500 SERVER02 tc-admin IP-BLOCK 122.228.200.83 (Type: outgoing, Port: 58083, Process: nvnc.exe)
     2015/02/25 09:10:46 -0500 SERVER02 tc-admin IP-BLOCK 88.85.80.113 (Type: outgoing, Port: 59030, Process: nvnc.exe)
     2015/02/25 09:10:46 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.75 (Type: outgoing, Port: 59317, Process: nvnc.exe)
     2015/02/25 09:10:46 -0500 SERVER02 tc-admin IP-BLOCK 222.216.28.39 (Type: outgoing, Port: 59868, Process: nvnc.exe)
     2015/02/25 09:10:46 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.18 (Type: outgoing, Port: 60994, Process: nvnc.exe)
     2015/02/25 09:10:46 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.113 (Type: outgoing, Port: 61457, Process: nvnc.exe)
     2015/02/25 09:10:54 -0500 SERVER02 tc-admin IP-BLOCK 193.169.244.50 (Type: outgoing, Port: 61714, Process: nvnc.exe)
     2015/02/25 09:10:54 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.116 (Type: outgoing, Port: 61971, Process: nvnc.exe)
     2015/02/25 09:10:54 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.115 (Type: outgoing, Port: 62946, Process: nvnc.exe)
     2015/02/25 09:10:54 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.117 (Type: outgoing, Port: 63060, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 195.234.4.35 (Type: outgoing, Port: 64910, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.15 (Type: outgoing, Port: 49554, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 193.104.41.27 (Type: outgoing, Port: 49829, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 122.228.198.79 (Type: outgoing, Port: 49954, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 60.173.11.122 (Type: outgoing, Port: 50087, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.4 (Type: outgoing, Port: 50501, Process: nvnc.exe)
     2015/02/25 09:11:02 -0500 SERVER02 tc-admin IP-BLOCK 117.21.225.42 (Type: outgoing, Port: 51037, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.14 (Type: outgoing, Port: 51809, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 125.65.111.51 (Type: outgoing, Port: 52986, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 106.3.45.125 (Type: outgoing, Port: 53570, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 118.244.171.126 (Type: outgoing, Port: 53754, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.53 (Type: outgoing, Port: 54037, Process: nvnc.exe)
     2015/02/25 09:11:10 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.65 (Type: outgoing, Port: 54044, Process: nvnc.exe)
     2015/02/25 09:11:18 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.10 (Type: outgoing, Port: 55646, Process: nvnc.exe)
     2015/02/25 09:11:18 -0500 SERVER02 tc-admin IP-BLOCK 61.158.219.89 (Type: outgoing, Port: 56064, Process: nvnc.exe)
     2015/02/25 09:11:18 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.74 (Type: outgoing, Port: 56634, Process: nvnc.exe)
     2015/02/25 09:11:18 -0500 SERVER02 tc-admin IP-BLOCK 121.10.142.10 (Type: outgoing, Port: 56643, Process: nvnc.exe)
     2015/02/25 09:11:26 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.42 (Type: outgoing, Port: 58005, Process: nvnc.exe)
     2015/02/25 09:11:26 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.81 (Type: outgoing, Port: 58132, Process: nvnc.exe)
     2015/02/25 09:11:26 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.17 (Type: outgoing, Port: 58796, Process: nvnc.exe)
     2015/02/25 09:11:34 -0500 SERVER02 tc-admin IP-BLOCK 195.2.252.96 (Type: outgoing, Port: 60156, Process: nvnc.exe)
     2015/02/25 09:11:34 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.97 (Type: outgoing, Port: 60379, Process: nvnc.exe)
     2015/02/25 09:11:34 -0500 SERVER02 tc-admin IP-BLOCK 115.230.126.91 (Type: outgoing, Port: 60955, Process: nvnc.exe)
     2015/02/25 09:11:50 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.96 (Type: outgoing, Port: 49563, Process: nvnc.exe)
     2015/02/25 09:11:50 -0500 SERVER02 tc-admin IP-BLOCK 195.234.4.36 (Type: outgoing, Port: 49611, Process: nvnc.exe)
     2015/02/25 09:11:58 -0500 SERVER02 tc-admin IP-BLOCK 60.173.11.15 (Type: outgoing, Port: 52474, Process: nvnc.exe)
     2015/02/25 09:11:58 -0500 SERVER02 tc-admin IP-BLOCK 121.10.172.23 (Type: outgoing, Port: 53083, Process: nvnc.exe)
     2015/02/25 09:11:58 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.43 (Type: outgoing, Port: 53123, Process: nvnc.exe)
     2015/02/25 09:11:58 -0500 SERVER02 tc-admin IP-BLOCK 210.83.80.21 (Type: outgoing, Port: 54771, Process: nvnc.exe)
     2015/02/25 09:11:58 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.11 (Type: outgoing, Port: 54870, Process: nvnc.exe)
     2015/02/25 09:12:06 -0500 SERVER02 tc-admin IP-BLOCK 106.3.45.80 (Type: outgoing, Port: 55238, Process: nvnc.exe)
     2015/02/25 09:12:06 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.29 (Type: outgoing, Port: 55754, Process: nvnc.exe)
     2015/02/25 09:12:06 -0500 SERVER02 tc-admin IP-BLOCK 46.21.148.108 (Type: outgoing, Port: 56478, Process: nvnc.exe)
     2015/02/25 09:12:06 -0500 SERVER02 tc-admin IP-BLOCK 114.80.67.92 (Type: outgoing, Port: 56492, Process: nvnc.exe)
     2015/02/25 09:12:06 -0500 SERVER02 tc-admin IP-BLOCK 61.158.219.21 (Type: outgoing, Port: 56782, Process: nvnc.exe)
     2015/02/25 09:12:14 -0500 SERVER02 tc-admin IP-BLOCK 37.1.192.32 (Type: outgoing, Port: 59002, Process: nvnc.exe)
     2015/02/25 09:12:14 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.62 (Type: outgoing, Port: 60646, Process: nvnc.exe)
     2015/02/25 09:12:22 -0500 SERVER02 tc-admin IP-BLOCK 117.21.173.106 (Type: outgoing, Port: 61403, Process: nvnc.exe)
     2015/02/25 09:12:22 -0500 SERVER02 tc-admin IP-BLOCK 46.21.148.75 (Type: outgoing, Port: 62974, Process: nvnc.exe)
     2015/02/25 09:12:22 -0500 SERVER02 tc-admin IP-BLOCK 125.65.112.98 (Type: outgoing, Port: 62983, Process: nvnc.exe)
     2015/02/25 09:12:22 -0500 SERVER02 tc-admin IP-BLOCK 58.218.200.79 (Type: outgoing, Port: 63461, Process: nvnc.exe)
     2015/02/25 09:12:31 -0500 SERVER02 tc-admin IP-BLOCK 61.152.108.111 (Type: outgoing, Port: 64434, Process: nvnc.exe)
     2015/02/25 09:12:31 -0500 SERVER02 tc-admin IP-BLOCK 89.248.174.54 (Type: outgoing, Port: 65186, Process: nvnc.exe)
     2015/02/25 09:12:31 -0500 SERVER02 tc-admin IP-BLOCK 122.226.240.40 (Type: outgoing, Port: 49996, Process: nvnc.exe)
     2015/02/25 09:12:39 -0500 SERVER02 tc-admin IP-BLOCK 117.21.225.11 (Type: outgoing, Port: 50338, Process: nvnc.exe)
     2015/02/25 09:12:39 -0500 SERVER02 tc-admin IP-BLOCK 91.209.12.31 (Type: outgoing, Port: 50429, Process: nvnc.exe)
     2015/02/25 09:12:39 -0500 SERVER02 tc-admin IP-BLOCK 58.221.28.109 (Type: outgoing, Port: 51360, Process: nvnc.exe)
     2015/02/25 09:12:39 -0500 SERVER02 tc-admin IP-BLOCK 117.21.225.11 (Type: outgoing, Port: 51555, Process: nvnc.exe)
     2015/02/25 09:13:03 -0500 SERVER02 tc-admin IP-BLOCK 60.173.8.89 (Type: outgoing, Port: 59642, Process: nvnc.exe)
     2015/02/25 09:13:03 -0500 SERVER02 tc-admin IP-BLOCK 195.234.4.30 (Type: outgoing, Port: 59878, Process: nvnc.exe)
     2015/02/25 09:13:03 -0500 SERVER02 tc-admin IP-BLOCK 117.21.224.99 (Type: outgoing, Port: 60417, Process: nvnc.exe)
     2015/02/25 09:58:57 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
     2015/02/25 10:37:08 -0500 SERVER02 tc-admin MESSAGE Executing scheduled update: Daily
     2015/02/25 10:37:34 -0500 SERVER02 tc-admin MESSAGE Scheduled update executed successfully: database updated from version v2015.02.24.04 to version v2015.02.25.05
     2015/02/25 10:37:34 -0500 SERVER02 tc-admin MESSAGE Starting database refresh
     2015/02/25 10:37:35 -0500 SERVER02 tc-admin MESSAGE Stopping IP protection
     2015/02/25 10:37:38 -0500 SERVER02 tc-admin MESSAGE IP Protection stopped successfully
     2015/02/25 10:37:51 -0500 SERVER02 tc-admin MESSAGE Database refreshed successfully
     2015/02/25 10:37:51 -0500 SERVER02 tc-admin MESSAGE Starting IP protection
     2015/02/25 10:37:58 -0500 SERVER02 tc-admin MESSAGE IP Protection started successfully
     2015/02/25 10:52:46 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
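A detection pass over a log in that format, added here as an example; it is not part of the post and not Malwarebytes code. It parses the protection-log lines shown above and applies the two checks a responder would want from this thread: a per-process count of distinct outgoing destinations blocked inside a short window (the "trying IP addresses one after another" behaviour of nvnc.exe from the earlier post), and a check on quarantined files whose name belongs to a well-known Windows binary but whose directory is not where that binary lives (LogonUI.exe ships in C:\Windows\System32, not C:\Windows\Logs), together with a repeat-quarantine count, which is what a file being recreated between scans looks like. The sample lines are a handful copied from the post's log; the 5-minute window and the expected-directory table are assumptions for the demo.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a few entries copied from the Malwarebytes protection log
# in the post above, one entry per line as the tool writes them (not the full file).
SAMPLE_LOG = r"""
2015/02/25 00:29:16 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/25 01:27:17 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/25 09:01:14 -0500 SERVER02 (null) IP-BLOCK 222.84.227.72 (Type: outgoing, Port: 63921, Process: nvnc.exe)
2015/02/25 09:01:14 -0500 SERVER02 (null) IP-BLOCK 60.173.11.13 (Type: outgoing, Port: 64089, Process: nvnc.exe)
2015/02/25 09:01:22 -0500 SERVER02 tc-admin IP-BLOCK 91.217.91.102 (Type: outgoing, Port: 64889, Process: nvnc.exe)
2015/02/25 09:01:30 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.44 (Type: outgoing, Port: 50454, Process: nvnc.exe)
2015/02/25 09:02:18 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.119 (Type: outgoing, Port: 63007, Process: nvnc.exe)
2015/02/25 09:03:31 -0500 SERVER02 tc-admin IP-BLOCK 61.139.126.119 (Type: outgoing, Port: 54277, Process: nvnc.exe)
2015/02/25 10:37:08 -0500 SERVER02 tc-admin MESSAGE Executing scheduled update: Daily
"""

# One log line: timestamp, UTC offset, host, user, record kind, kind-specific rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>DETECTION|IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
IPBLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>.+)\)$"
)
DETECTION_RE = re.compile(r"^(?P<path>\S+) (?P<threat>\S+) (?P<action>\S+)$")

# Assumed allow-list of where named Windows binaries live (lower-cased).
# LogonUI.exe ships in System32, so a copy under C:\Windows\Logs is a masquerade.
EXPECTED_DIRS = {"logonui.exe": {r"c:\windows\system32"}}


def parse_log(text):
    """Turn protection-log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y/%m/%d %H:%M:%S")
        rest = ev.pop("rest")
        if ev["kind"] == "IP-BLOCK" and (b := IPBLOCK_RE.match(rest)):
            ev.update(b.groupdict())
            ev["port"] = int(ev["port"])
        elif ev["kind"] == "DETECTION" and (d := DETECTION_RE.match(rest)):
            ev.update(d.groupdict())
        else:
            ev["message"] = rest
        events.append(ev)
    return events


def outbound_fanout(events, window=timedelta(minutes=5)):
    """Per process: the most distinct blocked outgoing destinations inside any window.
    A miner or scanner cycling through peers scores high; normal software does not."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["kind"] == "IP-BLOCK" and ev.get("direction") == "outgoing":
            by_proc[ev["process"]].append((ev["ts"], ev["ip"]))
    peaks = {}
    for proc, hits in by_proc.items():
        hits.sort()
        best = 0
        for i, (start, _) in enumerate(hits):  # O(n^2) is fine for one day's log
            best = max(best, len({ip for ts, ip in hits[i:] if ts - start <= window}))
        peaks[proc] = best
    return peaks


def suspicious_detections(events):
    """Quarantined files that sit outside their binary's expected directory, or that
    keep coming back (the dropper or persistence mechanism is still in place)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["kind"] == "DETECTION" and "path" in ev:
            counts[ev["path"]] += 1
    findings = []
    for path, n in counts.items():
        directory, name = ntpath.split(path)  # ntpath handles Windows paths on any OS
        reasons = []
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and directory.lower() not in expected:
            reasons.append(f"{name} expected in {sorted(expected)[0]}, found in {directory}")
        if n > 1:
            reasons.append(f"quarantined {n} times: something is recreating it")
        if reasons:
            findings.append((path, n, reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("events:", len(evs))
    print("fan-out per process:", outbound_fanout(evs))
    for path, n, reasons in suspicious_detections(evs):
        print(path, n, "; ".join(reasons))
```

Run against the full protection-log file instead of the sample by reading it into `parse_log`; the fan-out number for nvnc.exe will be far higher than in the sample, which is the point: it separates a process walking a peer list from one that happened to hit a single blocked address.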
  7. OK, here are the files....

     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-02-2015 01
     Ran by tc-admin (administrator) on SERVER02 on 25-02-2015 11:11:45
     Running from C:\Users\tc-admin\Desktop
     Loaded Profiles: scriptlogic & tc-admin & Administrator (Available profiles: scriptlogic & Mark Mealey & kfields & tc-admin & cquick & dhampton & khackney & mvaught & tmeyers & sql & Administrator & Classic .NET AppPool)
     Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) OS Language: English (United States)
     Internet Explorer Version 11 (Default browser: IE)
     Boot Mode: Normal
     Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

     ==================== Processes (Whitelisted) =================

     (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

     (HP) C:\Windows\AppCompat\hpagent.exe
     (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Central\Control\jfservic.exe
     (KYOCERA Document Solutions Inc.) C:\Program Files\KDService\bin\KDService.exe
     (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Central\Bin\JfServer.exe
     (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Central\Bin\PipeMgr.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\NTRTScan.exe
     (ScriptLogic Software Corporation) C:\Windows\System32\slClient.exe
     (StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe
     () C:\Program Files (x86)\StorageCraft\ShadowProtect\ImageReady.exe
     (StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe
     () C:\Program Files (x86)\StorageCraft\ShadowProtect\ImageReady.exe
     (Microsoft Corporation) C:\Windows\System32\vds.exe
     (VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
     (VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
     (VMware, Inc.) C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
     (StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowProtectSvc.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmListen.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
     (StorageCraft Technology Corporation) C:\Program Files (x86)\StorageCraft\ShadowProtect\vsnapvss.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
     (Microsoft Corporation) C:\Windows\System32\rdpclip.exe
     () C:\Windows\System32\MtxHotPlugService.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
     (Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
     (Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\PccNTMon.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
     (Shahrabani & Assoc., LLC) C:\Program Files (x86)\rePORTAL\bin\rePORTALServices.exe
     (Microsoft Corporation) C:\Windows\System32\rdpclip.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
     () C:\Windows\System32\MtxHotPlugService.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware Tools\VMwareTray.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
     (Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
     (Dell Inc.) C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
     (Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
     (Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\PccNTMon.exe
     (Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
     (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

     ==================== Registry (Whitelisted) ==================

     (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [MtxHotPlugService] => C:\Windows\system32\MtxHotPlugService.exe [38656 2011-01-11] ()HKLM\...\Run: [VMware Tools] => C:\Program Files\VMware\VMware Tools\VMwareTray.exe [60016 2012-02-15] (VMware, Inc.)HKLM\...\Run: [VMware User Process] => C:\Program Files\VMware\VMware Tools\vmtoolsd.exe [65648 2012-02-15] (VMware, Inc.)HKLM\...\Run: [DLPSP] => C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE [942952 2012-09-26] (Dell Inc.)HKLM\...\Run: [DLUPDR] => C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE [1604456 2012-09-26] (Dell Inc.)HKLM\...\Run: [DLQLU] => C:\Program Files\Dell Printers\Additional Color Laser Software\Launcher\DLQLU.EXE [1241408 2012-04-11] (Dell Inc.)HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)HKLM-x32\...\Run: [] => [X]HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe [1989040 2014-02-17] (Trend Micro Inc.)HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2552632 2014-11-24] (Malwarebytes Corporation)HKLM\...\Policies\Explorer: [showSuperHidden] 1HKU\S-1-5-21-1919044603-303022522-201583920-1604\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [37152 2014-12-08] (Glarysoft Ltd)HKU\S-1-5-21-1919044603-303022522-201583920-1604\...\MountPoints2: D - D:\setup64.exeIFEO\sethc.exe: [Debugger] C:\windows\system32\cmd.exeLsa: [Notification Packages] scecli rassfmBootExecute: autocheck autochk * 
==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankHKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blankHKU\S-1-5-21-1919044603-303022522-201583920-1604\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankHKU\S-1-5-21-4043360042-4227766030-1340141203-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankBHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmIEPlg.dll (Trend Micro Inc.)BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmIEPlg32.dll (Trend Micro Inc.)BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmIEPlg.dll (Trend Micro Inc.)Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmIEPlg32.dll (Trend Micro Inc.)Winsock: Catalog9 11 C:\Program Files\VMware\VMware 
Tools\VSock SDK\bin\win32\vsocklib.dll [63088] (VMware, Inc.)Winsock: Catalog9 12 C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win32\vsocklib.dll [63088] (VMware, Inc.)Winsock: Catalog9-x64 11 C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win64\vsocklib.dll [66672] (VMware, Inc.)Winsock: Catalog9-x64 12 C:\Program Files\VMware\VMware Tools\VSock SDK\bin\win64\vsocklib.dll [66672] (VMware, Inc.)Tcpip\..\Interfaces\{251CE3A9-D4F4-49AF-9AAE-50E2C2D8E281}: [NameServer] 192.168.100.10,192.168.100.11 FireFox:========FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\FirefoxExtensionFF Extension: Trend Micro NSC Firefox Extension - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\FirefoxExtension [2014-10-23] ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 CqLMgServ; C:\Windows\AppCompat\hpagent.exe [888832 2015-01-23] (HP) [File not signed]S4 DLPWD; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE [155496 2012-09-26] (Dell Inc.)S4 DLSDB; C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [343400 2012-09-26] (Dell Inc.)S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2011-01-31] (Macrovision Europe Ltd.) 
[File not signed]S2 helpsvc; C:\Program Files (x86)\Windows Defender\MSASCui.ini [634880 2015-02-21] (Opera Software) [File not signed]R2 JetFormCentral; C:\Program Files (x86)\Adobe\Central\Control\jfservic.exe [24576 2002-11-04] (Adobe Systems Incorporated) [File not signed]R2 KDService; C:\Program Files\KDService\bin\KDService.exe [441856 2013-10-24] (KYOCERA Document Solutions Inc.) [File not signed]R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [537400 2014-11-24] (Malwarebytes Corporation)R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)R2 ntrtscan; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [3747816 2014-02-17] (Trend Micro Inc.)R2 rePORTALServices; C:\Program Files (x86)\rePORTAL\bin\reportalservices.exe [18944 2014-03-27] (Shahrabani & Assoc., LLC) [File not signed]S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)R2 ShadowProtectSvc; C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4701448 2013-12-30] (StorageCraft Technology Corporation)R2 SLClient; C:\Windows\system32\slClient.exe [534528 2006-09-12] (ScriptLogic Software Corporation) [File not signed]R2 stc_raw_agent; C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\raw_agent_svc.exe [4072464 2013-10-01] (StorageCraft Technology Corporation)R2 StorageCraft ImageReady; C:\Program Files (x86)\StorageCraft\ShadowProtect\ImageReady.exe [4408008 2013-12-30] ()R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)R3 TMBMServer; C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [573488 2014-01-23] (Trend Micro Inc.)R3 TmCCSF; C:\Program Files 
(x86)\Trend Micro\Client Server Security Agent\CCSF\TmCCSF.exe [661912 2014-02-17] (Trend Micro Inc.)R2 tmlisten; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [4041088 2014-02-17] (Trend Micro Inc.)R3 TmProxy; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [929328 2014-01-22] (Trend Micro Inc.)R2 vmware-converter-agent; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [423536 2011-08-19] (VMware, Inc.)R2 vmware-converter-server; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [423536 2011-08-19] (VMware, Inc.)R2 vmware-converter-worker; C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [423536 2011-08-19] (VMware, Inc.)R2 VSNAPVSS; C:\Program Files (x86)\StorageCraft\ShadowProtect\vsnapvss.exe [94984 2013-12-30] (StorageCraft Technology Corporation)R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) 
S3 b06diag; C:\Windows\system32\DRIVERS\bxdiaga.sys [88104 2011-01-11] (Broadcom Corporation)S3 bccfg; C:\Windows\System32\DRIVERS\bccfg.sys [20488 2009-10-27] (Dell Inc.)R0 bcraid; C:\Windows\System32\DRIVERS\bcraid.sys [547336 2009-10-27] (Dell Inc.)S3 bmdrvr; C:\Windows\SysWow64\drivers\bmdrvr.sys [74352 2011-03-15] (VMware, Inc.)R0 BXOIS; C:\Windows\System32\DRIVERS\bxois.sys [533544 2011-01-11] (Broadcom Corporation)R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63064 2014-11-24] ()S3 G200ew; C:\Windows\System32\DRIVERS\g200ewm.sys [242176 2011-01-11] (Matrox Graphics Inc.)S1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2015-02-24] (Glarysoft Ltd)S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)S3 l2nd; C:\Windows\System32\DRIVERS\bxnd60a.sys [103464 2011-01-11] (Broadcom Corporation)R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)S3 percsas2; C:\Windows\system32\DRIVERS\percsas2.sys [51280 2011-01-11] (LSI Corporation)S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)R1 sbmount; C:\Windows\System32\Drivers\sbmount.sys [117000 2013-12-30] (StorageCraft Technology Corporation)R0 stcvsm; C:\Windows\System32\DRIVERS\stcvsm.sys [283400 2013-12-30] (StorageCraft Technology Corporation)R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [85912 2014-01-23] (Trend Micro Inc.)R1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [286232 2013-10-31] (Trend Micro Inc.)R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [66896 2014-01-23] (Trend Micro Inc.)R2 TmFilter; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [351032 2014-08-30] (Trend Micro Inc.)R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [44856 2014-08-30] (Trend Micro Inc.)R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108624 2013-09-26] 
(Trend Micro Inc.)R2 VSApiNt; C:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [2316600 2014-08-30] (Trend Micro Inc.)U3 tmpfw; No ImagePath ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2015-02-25 11:11 - 2015-02-25 11:12 - 00016582 _____ () C:\Users\tc-admin\Desktop\FRST.txt2015-02-25 11:11 - 2015-02-25 11:11 - 00000000 ____D () C:\FRST2015-02-25 11:11 - 2015-02-25 11:09 - 02087936 _____ (Farbar) C:\Users\tc-admin\Desktop\FRST64.exe2015-02-25 09:15 - 2015-02-25 09:16 - 00000017 _____ () C:\Users\tc-admin\AppData\Roaming\mbam.context.scan2015-02-24 15:49 - 2015-02-23 11:24 - 18687064 _____ () C:\Users\tc-admin\Desktop\RogueKillerX64.exe2015-02-24 13:54 - 2015-02-24 13:54 - 00000020 ___SH () C:\Users\sql\ntuser.ini2015-02-24 13:54 - 2015-02-24 13:54 - 00000000 ____D () C:\Users\sql2015-02-24 13:54 - 2009-07-13 23:58 - 00000000 ___RD () C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories2015-02-24 13:54 - 2009-07-13 23:53 - 00000000 ___RD () C:\Users\sql\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance2015-02-24 11:18 - 2015-02-24 11:18 - 00000020 ___SH () C:\Users\Classic .NET AppPool\ntuser.ini2015-02-24 11:18 - 2015-02-24 11:18 - 00000000 ____D () C:\Users\Classic .NET AppPool2015-02-24 11:18 - 2009-07-13 23:58 - 00000000 ___RD () C:\Users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories2015-02-24 11:18 - 2009-07-13 23:53 - 00000000 ___RD () C:\Users\Classic .NET AppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance2015-02-24 11:17 - 2015-02-24 11:18 - 00041150 _____ () 
C:\Windows\iis7.log2015-02-24 11:17 - 2015-02-24 11:17 - 00000000 ____D () C:\Windows\SysWOW64\BestPractices2015-02-24 11:06 - 2015-02-24 11:38 - 00000000 ____D () C:\Reportal Reports2015-02-24 11:02 - 2015-02-24 11:17 - 00000000 ____D () C:\inetpub2015-02-24 11:02 - 2015-02-24 11:02 - 00000000 ____D () C:\Program Files (x86)\SAP BusinessObjects2015-02-24 11:01 - 2015-02-24 11:01 - 00000000 ____D () C:\Users\tc-admin\Desktop\CRforVS_redist_install_32bit_13_0_132015-02-24 11:01 - 2015-02-24 11:00 - 74689311 _____ () C:\Users\tc-admin\Desktop\CRforVS_redist_install_32bit_13_0_13.zip2015-02-24 10:57 - 2015-02-24 10:57 - 00000036 _____ () C:\Users\tc-admin\Desktop\rePORTAL.ProductKey.txt2015-02-24 10:53 - 2015-02-24 10:53 - 00000000 ____D () C:\Users\tc-admin\AppData\Roaming\rePORTAL Software2015-02-24 10:31 - 2015-02-24 11:13 - 00003636 _____ () C:\Windows\SysWOW64\InstallUtil.InstallLog2015-02-24 10:30 - 2015-02-24 11:13 - 00000000 ____D () C:\Program Files (x86)\rePORTAL2015-02-24 10:28 - 2015-02-24 10:29 - 00000000 ____D () C:\Users\tc-admin\Desktop\reportal2015-02-24 08:29 - 2015-02-24 10:02 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit2015-02-24 08:29 - 2015-02-24 09:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit2015-02-24 08:29 - 2015-02-24 09:50 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Exploit2015-02-24 08:14 - 2015-02-24 08:14 - 00000000 ____D () C:\Users\tc-admin\AppData\Roaming\Malwarebytes2015-02-24 08:14 - 2015-02-24 08:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware2015-02-24 08:13 - 2015-02-24 08:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware2015-02-24 08:12 - 2015-02-24 08:28 - 00000000 ____D () C:\Malwarebytes2015-02-24 07:40 - 2015-02-24 09:54 - 00000000 ____D () C:\Program Files (x86)\Glary Utilities 52015-02-24 07:40 - 2015-02-24 07:43 - 00000334 _____ () 
C:\Windows\Tasks\GlaryInitialize 5.job2015-02-24 07:40 - 2015-02-24 07:40 - 00020160 _____ (Glarysoft Ltd) C:\Windows\system32\Drivers\GUBootStartup.sys2015-02-24 07:40 - 2015-02-24 07:40 - 00002978 _____ () C:\Windows\System32\Tasks\GU5SkipUAC2015-02-24 07:40 - 2015-02-24 07:40 - 00001092 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5.lnk2015-02-24 07:40 - 2015-02-24 07:40 - 00001080 _____ () C:\Users\Public\Desktop\Glary Utilities 5.lnk2015-02-24 07:40 - 2015-02-24 07:40 - 00000000 ____D () C:\Users\tc-admin\AppData\Roaming\GlarySoft2015-02-24 07:40 - 2015-02-24 07:40 - 00000000 ____D () C:\Users\tc-admin\AppData\Roaming\DiskDefrag2015-02-24 07:40 - 2015-02-24 07:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 52015-02-24 07:36 - 2015-02-24 07:36 - 00000000 ____D () C:\Users\tc-admin\AppData\Roaming\WinRAR2015-02-23 18:51 - 2015-02-23 18:51 - 00000000 ____D () C:\Users\Administrator\Downloads\fresh leads2015-02-23 18:44 - 2015-02-23 18:44 - 00000000 ____D () C:\Users\Administrator\Downloads\flw2015-02-23 18:40 - 2015-02-23 18:41 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Mozilla2015-02-23 18:40 - 2015-02-23 18:41 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Mozilla2015-02-23 18:40 - 2015-02-23 18:40 - 00001159 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk2015-02-23 18:40 - 2015-02-23 18:40 - 00001147 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk2015-02-23 18:40 - 2015-02-23 18:40 - 00000000 ____D () C:\ProgramData\Mozilla2015-02-23 18:40 - 2015-02-23 18:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service2015-02-23 18:40 - 2015-02-23 18:40 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox2015-02-23 18:38 - 2015-02-23 18:38 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieBrowserModeList2015-02-23 15:29 - 2015-01-22 23:42 - 00814080 _____ (Microsoft Corporation) 
C:\Windows\system32\jscript9diag.dll2015-02-23 15:29 - 2015-01-22 23:41 - 06041600 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll2015-02-23 15:29 - 2015-01-22 22:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll2015-02-23 15:29 - 2015-01-22 22:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2015-02-23 13:07 - 2015-02-23 15:27 - 00052374 _____ () C:\Users\tc-admin\Desktop\Nmc_2015-02-23_13-07-15.log2015-02-23 12:53 - 2015-02-23 12:58 - 00000000 ____D () C:\ProgramData\HitmanPro2015-02-23 11:23 - 2015-02-23 11:23 - 00000000 __SHD () C:\Users\tc-admin\AppData\Local\EmieBrowserModeList2015-02-23 11:21 - 2015-02-24 15:49 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys2015-02-23 11:21 - 2015-02-23 11:21 - 00000000 ____D () C:\ProgramData\RogueKiller2015-02-23 10:10 - 2014-06-26 21:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll2015-02-23 10:10 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll2015-02-23 09:46 - 2015-01-06 22:15 - 00104896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mup.sys2015-02-23 09:46 - 2015-01-06 22:10 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll2015-02-23 09:46 - 2015-01-06 21:44 - 00079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpapi.dll2015-02-23 09:46 - 2015-01-06 20:49 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys2015-02-23 09:46 - 2015-01-06 20:49 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys2015-02-23 09:46 - 2015-01-06 20:48 - 00290816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys2015-02-23 09:46 - 2015-01-06 20:48 - 00129024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys2015-02-23 09:46 - 2015-01-06 20:48 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys2015-02-23 09:46 - 2014-10-24 
20:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll2015-02-23 09:46 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll2015-02-23 09:46 - 2014-06-23 22:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll2015-02-23 09:46 - 2014-06-23 21:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll2015-02-23 09:45 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll2015-02-23 09:45 - 2014-11-07 22:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll2015-02-23 09:45 - 2014-11-07 21:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll2015-02-23 09:45 - 2014-10-02 21:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll2015-02-23 09:45 - 2014-10-02 21:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll2015-02-23 09:45 - 2014-10-02 21:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll2015-02-23 09:45 - 2014-10-02 21:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll2015-02-23 09:45 - 2014-10-02 21:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll2015-02-23 09:45 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll2015-02-23 09:45 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll2015-02-23 09:45 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll2015-02-23 09:45 - 2014-06-18 17:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll2015-02-23 09:45 - 2014-06-18 17:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll2015-02-23 09:45 - 2014-06-18 17:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll2015-02-23 09:45 - 2014-06-18 17:23 - 00156312 _____ (Microsoft Corporation) 
C:\Windows\system32\mscorier.dll2015-02-23 09:45 - 2014-06-18 17:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll2015-02-23 09:45 - 2014-06-18 17:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll2015-02-23 09:44 - 2015-01-15 03:14 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys2015-02-23 09:44 - 2015-01-15 03:14 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys2015-02-23 09:44 - 2015-01-15 03:09 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll2015-02-23 09:44 - 2015-01-15 03:09 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll2015-02-23 09:44 - 2015-01-15 03:09 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe2015-02-23 09:44 - 2015-01-15 03:09 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll2015-02-23 09:44 - 2015-01-15 03:09 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll2015-02-23 09:44 - 2015-01-15 03:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe2015-02-23 09:44 - 2015-01-15 03:06 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll2015-02-23 09:44 - 2015-01-15 03:06 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll2015-02-23 09:44 - 2015-01-15 03:04 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll2015-02-23 09:44 - 2015-01-15 02:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe2015-02-23 09:44 - 2015-01-15 02:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll2015-02-23 09:44 - 2015-01-15 02:41 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll2015-02-23 09:44 - 2015-01-15 02:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll2015-02-23 09:44 - 2015-01-15 02:39 - 00060416 _____ (Microsoft Corporation) 
C:\Windows\SysWOW64\msobjs.dll2015-02-23 09:44 - 2015-01-15 02:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll2015-02-23 09:44 - 2015-01-14 23:22 - 00458824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys2015-02-23 09:44 - 2015-01-12 22:10 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll2015-02-23 09:44 - 2015-01-12 21:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll2015-02-23 09:44 - 2014-12-07 22:09 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll2015-02-23 09:44 - 2014-12-07 21:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scesrv.dll2015-02-23 09:44 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll2015-02-23 09:44 - 2014-12-05 23:17 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\iassam.dll2015-02-23 09:44 - 2014-12-05 22:50 - 00193024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iassam.dll2015-02-23 09:44 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll2015-02-23 09:44 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll2015-02-23 09:44 - 2014-11-25 22:53 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll2015-02-23 09:44 - 2014-11-25 22:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll2015-02-23 09:44 - 2014-11-10 20:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys2015-02-23 09:44 - 2014-09-04 00:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll2015-02-23 09:44 - 2014-09-04 00:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll2015-02-23 09:44 - 2014-08-22 21:07 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll2015-02-23 09:44 - 2014-08-22 20:45 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll2015-02-23 09:43 
- 2014-12-12 00:31 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll2015-02-23 09:43 - 2014-12-12 00:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll2015-02-23 09:43 - 2014-11-10 22:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll2015-02-23 09:43 - 2014-11-10 21:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll2015-02-23 09:43 - 2014-10-13 21:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll2015-02-23 09:43 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll2015-02-23 09:43 - 2014-10-02 21:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll2015-02-23 09:43 - 2014-10-02 21:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll2015-02-23 09:43 - 2014-10-02 21:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll2015-02-23 09:43 - 2014-10-02 21:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll2015-02-23 09:43 - 2014-10-02 21:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe2015-02-23 09:43 - 2014-10-02 20:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll2015-02-23 09:43 - 2014-10-02 20:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll2015-02-23 09:43 - 2014-10-02 20:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll2015-02-23 09:43 - 2014-10-02 20:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll2015-02-23 09:43 - 2014-10-02 20:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe2015-02-23 09:43 - 2014-08-11 21:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL2015-02-23 09:43 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL2015-02-23 09:43 - 2014-07-16 21:07 - 
00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2015-02-23 09:43 - 2014-07-16 21:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2015-02-23 09:43 - 2014-07-16 21:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2015-02-23 09:43 - 2014-07-16 20:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2015-02-23 09:43 - 2014-07-16 20:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2015-02-23 09:43 - 2014-07-16 20:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2015-02-23 09:43 - 2014-07-06 21:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-23 09:43 - 2014-07-06 21:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-23 09:43 - 2014-07-06 20:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-02-23 09:43 - 2014-07-06 20:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-02-23 09:42 - 2015-01-14 01:09 - 05554112 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-23 09:42 - 2015-01-14 00:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-02-23 09:42 - 2015-01-14 00:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-02-23 09:42 - 2015-01-10 01:48 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-23 09:42 - 2015-01-10 01:48 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-02-23 09:42 - 2015-01-10 01:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-02-23 09:41 - 2015-01-14 00:47 - 00389808 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-23 09:41 - 2015-01-14 00:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-02-23 09:41 - 2015-01-11 22:09 - 25056256 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-23 09:41 - 2015-01-11 22:05 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-23 09:41 - 2015-01-11 22:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-23 09:41 - 2015-01-11 21:49 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-23 09:41 - 2015-01-11 21:48 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-23 09:41 - 2015-01-11 21:48 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-23 09:41 - 2015-01-11 21:48 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-23 09:41 - 2015-01-11 21:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-23 09:41 - 2015-01-11 21:40 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-23 09:41 - 2015-01-11 21:39 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-23 09:41 - 2015-01-11 21:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-23 09:41 - 2015-01-11 21:34 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-23 09:41 - 2015-01-11 21:34 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-23 09:41 - 2015-01-11 21:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-02-23 09:41 - 2015-01-11 21:25 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-23 09:41 - 2015-01-11 21:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-02-23 09:41 - 2015-01-11 21:21 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-23 09:41 - 2015-01-11 21:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-23 09:41 - 2015-01-11 21:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-02-23 09:41 - 2015-01-11 21:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-23 09:41 - 2015-01-11 21:07 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-23 09:41 - 2015-01-11 21:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-02-23 09:41 - 2015-01-11 21:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-02-23 09:41 - 2015-01-11 21:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-02-23 09:41 - 2015-01-11 21:04 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-23 09:41 - 2015-01-11 21:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-02-23 09:41 - 2015-01-11 21:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-02-23 09:41 - 2015-01-11 20:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-02-23 09:41 - 2015-01-11 20:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-02-23 09:41 - 2015-01-11 20:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-02-23 09:41 - 2015-01-11 20:48 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-23 09:41 - 2015-01-11 20:48 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-23 09:41 - 2015-01-11 20:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-23 09:41 - 2015-01-11 20:46 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-23 09:41 - 2015-01-11 20:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-02-23 09:41 - 2015-01-11 20:43 - 14401024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-23 09:41 - 2015-01-11 20:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-23 09:41 - 2015-01-11 20:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-02-23 09:41 - 2015-01-11 20:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-02-23 09:41 - 2015-01-11 20:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-02-23 09:41 - 2015-01-11 20:27 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-23 09:41 - 2015-01-11 20:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-02-23 09:41 - 2015-01-11 20:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-02-23 09:41 - 2015-01-11 20:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-02-23 09:41 - 2015-01-11 20:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-02-23 09:41 - 2015-01-11 20:14 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-23 09:41 - 2015-01-11 20:02 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-23 09:41 - 2015-01-11 20:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-02-23 09:41 - 2015-01-11 19:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-02-23 09:41 - 2015-01-11 19:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-02-23 09:40 - 2015-01-08 21:03 - 03201536 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-23 09:40 - 2014-12-11 12:47 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-02-23 09:40 - 2014-08-28 21:07 - 05780480 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-23 09:40 - 2014-08-28 21:07 - 00322560 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2015-02-23 09:40 - 2014-08-28 21:07 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2015-02-23 09:40 - 2014-08-28 21:06 - 01125888 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-02-23 09:40 - 2014-08-28 20:44 - 04922368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-02-23 09:40 - 2014-08-28 20:44 - 01050112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2015-02-23 09:40 - 2014-08-28 20:44 - 00269312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2015-02-23 09:40 - 2014-08-28 20:44 - 00037376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2015-02-23 09:40 - 2014-08-01 06:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2015-02-23 09:40 - 2014-08-01 06:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2015-02-23 09:39 - 2014-10-13 21:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2015-02-23 09:39 - 2014-08-21 01:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-02-23 09:39 - 2014-08-21 01:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-02-23 09:39 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2015-02-23 09:39 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2015-02-23 09:33 - 2015-02-24 08:14 - 00001037 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-23 09:33 - 2015-02-24 08:13 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-23 09:33 - 2015-02-23 09:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-23 09:33 - 2015-02-23 09:33 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-23 09:33 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-23 09:33 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-23 09:33 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-23 09:27 - 2015-02-23 09:27 - 00000000 __SHD () C:\Users\tc-admin\AppData\Local\EmieUserList
2015-02-23 09:27 - 2015-02-23 09:27 - 00000000 __SHD () C:\Users\tc-admin\AppData\Local\EmieSiteList
2015-02-21 20:05 - 2015-02-21 20:05 - 00000000 ____D () C:\hp
2015-02-21 20:01 - 2015-02-21 20:01 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-02-21 20:00 - 2015-02-23 18:51 - 00240176 _____ (Trend Micro Inc.) C:\Windows\RegBootClean64.exe
2015-02-18 18:28 - 2015-02-18 18:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\WinRAR
2015-02-18 18:28 - 2015-02-18 18:28 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-18 18:28 - 2015-02-18 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-18 18:28 - 2015-02-18 18:28 - 00000000 ____D () C:\Program Files (x86)\WinRAR
2015-02-17 08:31 - 2015-02-17 08:43 - 00002450 _____ () C:\Users\Administrator\Desktop\Yandex.lnk
2015-02-17 08:31 - 2015-02-17 08:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Yandex
2015-02-17 08:31 - 2015-02-17 08:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yandex
2015-02-17 08:31 - 2015-02-17 08:31 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Macromedia
2015-02-17 08:31 - 2015-02-17 08:31 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Yandex
2015-02-17 08:21 - 2015-02-17 08:21 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieUserList
2015-02-17 08:21 - 2015-02-17 08:21 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieSiteList
2015-02-17 08:21 - 2015-02-17 08:21 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Adobe
2015-02-17 08:20 - 2015-02-17 08:21 - 00000000 ____D () C:\Users\Administrator\WINDOWS
2015-02-17 08:20 - 2015-02-17 08:21 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-01-30 16:06 - 2015-01-30 16:06 - 00000000 ____D () C:\P21Logos

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-25 11:08 - 2011-03-22 14:17 - 00000000 ____D () C:\jfsrvr
2015-02-25 09:58 - 2011-01-14 10:51 - 00000128 _____ () C:\Windows\system32\config\netlogon.ftl
2015-02-25 09:46 - 2009-07-13 23:49 - 00022112 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-25 09:46 - 2009-07-13 23:49 - 00022112 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-25 09:18 - 2011-01-14 14:06 - 00011834 _____ () C:\Windows\cfgall.ini
2015-02-25 06:16 - 2011-01-12 11:33 - 01355293 _____ () C:\Windows\WindowsUpdate.log
2015-02-25 05:51 - 2011-01-12 11:44 - 00000000 ____D () C:\Users\Administrator
2015-02-24 22:00 - 2011-01-14 11:02 - 00000000 ____D () C:\Windows\system32\lserver
2015-02-24 13:38 - 2011-01-12 11:45 - 00142744 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-24 11:20 - 2011-04-26 15:33 - 00894226 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-02-24 11:19 - 2011-01-14 10:57 - 00142744 _____ () C:\Users\tc-admin\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-24 11:19 - 2009-07-14 00:07 - 00000000 ____D () C:\Windows\system32\ServerManager
2015-02-24 11:18 - 2009-07-14 00:10 - 00918278 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-24 11:17 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\SysWOW64\inetsrv
2015-02-24 11:17 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\inetsrv
2015-02-24 11:13 - 2011-01-14 10:56 - 00000000 ____D () C:\Users\tc-admin
2015-02-24 10:50 - 2011-03-21 14:19 - 00001186 _____ () C:\Windows\ODBC.INI
2015-02-24 10:30 - 2011-01-14 14:03 - 00000000 ____D () C:\Users\tc-admin\WINDOWS
2015-02-24 07:26 - 2015-01-21 15:49 - 00000000 ____D () C:\ProgramData\KDService
2015-02-23 16:51 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2015-02-23 15:36 - 2013-04-17 16:05 - 00366374 _____ () C:\Windows\SysWOW64\TmInstall.log
2015-02-23 15:34 - 2011-01-14 14:05 - 00233776 _____ () C:\Windows\system32\TmInstall.log
2015-02-23 15:32 - 2009-07-14 00:06 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-23 10:46 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-23 10:45 - 2009-07-13 23:49 - 00524992 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-23 10:42 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2015-02-23 10:21 - 2014-10-23 16:27 - 00000000 ____D () C:\ProgramData\Package Cache
2015-02-23 10:09 - 2013-12-13 09:03 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-23 08:54 - 2011-01-26 08:08 - 00000000 ____D () C:\Users\scriptlogic
2015-02-21 09:28 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\AppCompat
2015-02-17 08:20 - 2011-01-12 11:44 - 00001413 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-12 15:04 - 2011-01-26 08:23 - 00142744 _____ () C:\Users\mvaught\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-05 15:00 - 2011-01-26 08:22 - 00142744 _____ () C:\Users\khackney\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-29 17:49 - 2011-01-12 12:04 - 116773704 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-02-25 09:15 - 2015-02-25 09:16 - 0000017 _____ () C:\Users\tc-admin\AppData\Roaming\mbam.context.scan
2013-07-11 12:57 - 2013-07-11 12:57 - 0425508 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistMSI18D8.txt
2013-07-11 12:57 - 2013-07-11 12:58 - 0438414 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistMSI191C.txt
2012-06-28 12:51 - 2012-06-28 12:51 - 0409996 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistMSI3602.txt
2012-06-28 12:51 - 2012-06-28 12:51 - 0396706 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistMSI3660.txt
2013-07-11 12:57 - 2013-07-11 12:57 - 0011706 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistUI18D8.txt
2013-07-11 12:57 - 2013-07-11 12:58 - 0011722 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistUI191C.txt
2012-06-28 12:51 - 2012-06-28 12:51 - 0011722 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistUI3602.txt
2012-06-28 12:51 - 2012-06-28 12:51 - 0011690 _____ () C:\Users\tc-admin\AppData\Local\dd_vcredistUI3660.txt
2012-07-27 14:44 - 2003-10-17 13:44 - 0499712 ____R (Microsoft Corporation) C:\Users\tc-admin\AppData\Local\msvcp71.dll
2011-04-26 15:08 - 2014-08-14 10:30 - 0007627 _____ () C:\Users\tc-admin\AppData\Local\resmon.resmoncfg
2013-12-30 11:55 - 2013-12-30 11:55 - 0005091 _____ () C:\ProgramData\hthunbrl.six

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\Setup-yabrowser.exe
C:\Users\Administrator\AppData\Local\Temp\yupdate-exec-yabrowser.exe
C:\Users\khackney\AppData\Local\Temp\H2Reg.exe
C:\Users\mvaught\AppData\Local\Temp\H2Reg.exe
C:\Users\tc-admin\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-23 00:24

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2015 01
Ran by tc-admin at 2015-02-25 11:12:45
Running from C:\Users\tc-admin\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Activant Prophet 21 12.1 (HKLM-x32\...\InstallShield_{FFA7FFAB-EEFA-4FA3-BDE9-28A478ED027C}) (Version: 12.1.261.0 - Activant)
Adobe Acrobat 9 Pro (HKLM-x32\...\{AC76BA86-1033-0000-7760-000000000004}{AC76BA86-1033-0000-7760-000000000004}) (Version: 9.5.5 - Adobe Systems)
Adobe Acrobat 9.5.5 - CPSID_83708 (HKLM-x32\...\{AC76BA86-1033-0000-7760-000000000004}_955) (Version: - Adobe Systems Incorporated)
Crystal Reports 2008 (HKLM-x32\...\{068857D8-FDD1-4F29-8F74-E9DE91E8A587}) (Version: 12.0.0.683 - Business Objects)
Dell Printer Software (HKLM-x32\...\{105F3CE5-FE55-408E-BF30-E78F85BA0B12}) (Version: 1.00.000 - Dell Inc.)
Glary Utilities 5.14 (HKLM-x32\...\Glary Utilities 5) (Version: 5.14.0.27 - Glarysoft Ltd)
InfoMaker (x32 Version: 11.5 - Sybase) Hidden
Kyocera Product Library (HKLM\...\Kyocera Product Library) (Version: 4.2.1909 - KYOCERA Document Solutions Inc.)
Malwarebytes Anti-Exploit (HKLM-x32\...\{9F3C1CCE-056F-40AB-999D-46139C4CE9F3}) (Version: 1.5.2.1014 - Malwarebytes Corp.)
Malwarebytes Anti-Exploit version 1.05.2.1014 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.05.2.1014 - Malwarebytes)
Malwarebytes Anti-Malware MSI (HKLM-x32\...\{FBC350D5-10D0-4B9B-A9AC-5F2EA07770D5}) (Version: 1.60.2 - Malwarebytes Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Matrox Graphics Software (remove only) (HKLM-x32\...\Matrox Graphics Uninstaller) (Version: - )
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 36.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 36.0 (x86 en-US)) (Version: 36.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 36.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Prophet 21 (x32 Version: 12.1.261.0 - Activant) Hidden
Prophet 21 Forms Package (HKLM-x32\...\{6A07134C-B9B6-4509-ABBD-CA832D906869}) (Version: 11.0.000 - Activant)
Prophet 21 Portal Designer (HKLM-x32\...\{5E807A79-C90D-4D8E-85A5-4C104C2D6389}) (Version: 1.0.1 - Activant)
rePORTAL CR v5.8 32-bit (HKLM-x32\...\{62324F4A-CBDA-44D9-9370-25E15A58028F}) (Version: 5.8.0 - rePORTAL Software)
SAP Crystal Reports runtime engine for .NET Framework (32-bit) (HKLM-x32\...\{8810BCB0-A5AD-4C32-83DB-50CAFCC78F70}) (Version: 13.0.13.1597 - SAP)
ShadowSnap (HKLM\...\ShadowSnap) (Version: 1.1..17 - )
SQL Anywhere 11 (HKLM\...\{ECE263B0-6C8B-404C-B4AC-8FAB1C87AB4A}) (Version: 11.0.1264 - iAnywhere Solutions, Inc.)
StorageCraft ShadowProtect (HKLM-x32\...\ShadowProtect) (Version: 5.0.1.23057 - StorageCraft Technology Corporation (STC))
Sybase InfoMaker 11.5 (HKLM-x32\...\{7555CD94-285C-4618-AAAC-95F7772DBFE0}) (Version: 11.5.0.2506 - Sybase)
Trend Micro Worry-Free Business Security Agent (HKLM\...\Wofie) (Version: 19.0.1240 - Trend Micro Inc.)
Trend Micro Worry-Free Business Security Agent (Version: 7.0 - Trend Micro Incorporated) Hidden
Trend Micro Worry-Free Business Security Agent (Version: 9.0 - Trend Micro Inc.) Hidden
VMware Tools (HKLM\...\{A2CC6F0B-E888-4485-82F5-587699B3CDB7}) (Version: 8.6.5.11214 - VMware, Inc.)
VMware vCenter Converter Standalone (HKLM-x32\...\{EDF0C1D5-D980-48F9-BA19-0ECEDEF8C5D4}) (Version: 5.0.0.470252 - VMware, Inc.)
WinRAR 5.21 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
Yandex (HKU\S-1-5-21-4043360042-4227766030-1340141203-500\...\YandexBrowser) (Version: 38.0.2125.10034 - YANDEX)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{02A5BF86-9650-4AE5-902D-02C0DA7E231D}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{0C0BF373-1C15-4114-88DD-68E01A068FF2}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{285304D0-C66D-40EC-9F19-6D76AAEDEB12}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{345BA14E-E677-4798-AFF7-DCD7EEDFA262}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{37D5F329-6613-4A7F-A1B0-5BAA8EF16C0E}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{3D8274EF-8505-45D3-8043-ACE071F9BFE1}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{540A4B10-81A1-441F-8D12-34D414124945}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{70B3E473-918D-4E39-BADE-F68FC49AD533}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{8C17862A-623C-4DEA-B129-38B3431EBBF5}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{923A69CE-B9ED-4975-B56A-FC5B29AAE2DB}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{92E7AD0F-5626-4FDA-AE10-5C44F88D9E33}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{933CE806-3D35-4491-930F-A242CB3D4775}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{AD3F5B33-65A8-4C16-9805-03BB7615BBDF}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{BBCF2B9A-2398-41CE-9B71-734477065ADA}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1919044603-303022522-201583920-1604_Classes\CLSID\{EA803008-A64B-441D-8E80-F2C1D179F0A4}\InprocServer32 -> C:\Windows\system32\shdocvw.dll (Microsoft Corporation)

==================== Restore Points =========================

ATTENTION: System Restore is disabled.
Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2011-01-15 06:58 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {290D9A59-C54F-4876-9A95-A31359796532} - System32\Tasks\GU5SkipUAC => C:\Program Files (x86)\Glary Utilities 5\Integrator.exe [2014-12-08] (Glarysoft Ltd)
Task: {464BE01D-B2F2-4B56-A312-CD703EB86F39} - System32\Tasks\Microsoft\Windows\termsrv\licensing\TlsWarning => C:\Windows\system32\tlsbln.exe [2010-11-20] (Microsoft Corporation)
Task: {63EE8552-A444-4BA2-8E1E-C8350D6D412A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2009-07-13] (Microsoft Corporation)
Task: {69110D7B-41DC-4E9D-BDD3-C826C7DB613B} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleUsageCollector => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: {AFECE848-8DA2-461B-B5E6-CBEF57A4DF7D} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2010-11-20] (Microsoft Corporation)
Task: {D49A10DA-0F70-4779-BD96-B2D976A4F2E3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2010-11-20] (Microsoft Corporation)
Task: C:\Windows\Tasks\GlaryInitialize 5.job => C:\Program Files (x86)\Glary Utilities 5\Initialize.exe

==================== Loaded Modules (whitelisted) ==============

2014-01-02 08:05 - 2012-09-18 15:27 - 00192512 _____ () C:\Windows\System32\zlhp1020.dll
2014-01-02 08:07 - 2012-09-18 15:27 - 00065024 _____ () C:\Windows\system32\spool\PRTPROCS\x64\pphp1020.dll
2013-07-11 15:04 - 2012-12-04 19:33 - 00065024 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP2030PP.DLL
2013-07-11 14:42 - 2012-12-04 19:33 - 02672128 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\HP2030SU.DLL
2013-07-11 14:42 - 2012-12-04 19:33 - 01236992 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\HP2030GC.dll
2014-01-02 08:05 - 2012-09-18 15:27 - 03162624 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\suhp1020.dll
2014-01-02 08:05 - 2012-09-18 15:27 - 01236992 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\gchp1020.dll
2011-08-31 12:55 - 2011-08-31 12:55 - 00801792 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\sqlite3.dll
2013-12-30 11:55 - 2013-12-30 11:55 - 04408008 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ImageReady.exe
2009-07-02 15:32 - 2009-07-02 15:32 - 00089088 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\zlibwapi.dll
2013-01-16 09:19 - 2013-01-16 09:19 - 00048128 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CCSF\boost_date_time-vc110-mt-1_49.dll
2013-04-02 11:25 - 2013-04-02 11:25 - 00675840 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CCSF\sqlite3.dll
2013-01-16 09:23 - 2013-01-16 09:23 - 00058368 _____ () C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CCSF\boost_thread-vc110-mt-1_49.dll
2011-01-11 20:05 - 2011-01-11 19:59 - 00038656 _____ () C:\Windows\System32\MtxHotPlugService.exe
2012-02-15 08:05 - 2012-02-15 08:05 - 00077824 _____ () C:\Program Files\VMware\VMware Tools\sigc-2.0.dll
2012-02-15 08:05 - 2012-02-15 08:05 - 00780400 _____ () C:\Program Files\VMware\VMware Tools\glibmm-2.4.dll
2013-10-01 11:44 - 2013-10-01 11:44 - 00098816 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32api.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00110080 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\pywintypes27.dll
2013-10-01 11:44 - 2013-10-01 11:44 - 00358912 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\pythoncom27.dll
2013-10-01 11:44 - 2013-10-01 11:44 - 00042496 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32service.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00027648 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\servicemanager.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00040960 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_socket.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00721920 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_ssl.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00285184 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_hashlib.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00031232 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_psutil_mswindows.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00074240 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_ctypes.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00103424 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\pyexpat.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00033792 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32evtlog.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00108544 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32security.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00018432 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32event.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00023552 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_multiprocessing.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00010240 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\sqlalchemy.cprocessors.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00011776 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\sqlalchemy.cresultproxy.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00041984 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\_sqlite3.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00337920 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\sqlite3.dll
2013-10-01 11:44 - 2013-10-01 11:44 - 00111616 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\win32file.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00009728 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\select.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00056320 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\OpenSSL.crypto.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00010752 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\OpenSSL.rand.pyd
2013-10-01 11:44 - 2013-10-01 11:44 - 00043520 _____ () C:\Program Files (x86)\StorageCraft\ShadowProtect\ShadowSnap\OpenSSL.SSL.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00098816 _____ () C:\Windows\TEMP\_MEI25882\win32api.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00110080 _____ () C:\Windows\TEMP\_MEI25882\pywintypes27.dll
2015-02-23 15:33 - 2015-02-23 15:33 - 00358912 _____ () C:\Windows\TEMP\_MEI25882\pythoncom27.dll
2015-02-23 15:33 - 2015-02-23 15:33 - 00042496 _____ () C:\Windows\TEMP\_MEI25882\win32service.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00027648 _____ () C:\Windows\TEMP\_MEI25882\servicemanager.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00018432 _____ () C:\Windows\TEMP\_MEI25882\win32event.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00040960 _____ () C:\Windows\TEMP\_MEI25882\_socket.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00721920 _____ () C:\Windows\TEMP\_MEI25882\_ssl.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00009728 _____ () C:\Windows\TEMP\_MEI25882\select.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00074240 _____ () C:\Windows\TEMP\_MEI25882\_ctypes.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00285184 _____ () C:\Windows\TEMP\_MEI25882\_hashlib.pyd
2015-02-23 15:33 - 2015-02-23 15:33 - 00103424 _____ () C:\Windows\TEMP\_MEI25882\pyexpat.pyd
2011-08-19 19:53 - 2011-08-19 19:53 - 00085616 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\mspack.dll
2011-08-19 19:52 - 2011-08-19 19:52 - 01234544 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\libxml2.dll
2011-08-19 19:51 - 2011-08-19 19:51 - 00541808 _____ () C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\sqlite3.dll
2014-03-27 13:11 - 2014-03-27 13:11 - 00371200 _____ () C:\Program Files (x86)\rePORTAL\bin\rePORTALLibC.dll
2015-01-27 07:21 - 2015-01-27 07:21 - 00782336 _____ () C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\fssl-1-2-1-6.dll
2015-01-27 07:21 - 2015-01-27 07:21 - 01617920 _____ () C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\ebus-3-3-2-7.dll
2015-01-27 07:21 - 2015-01-27 07:21 - 00098304 _____ () C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\etc-1-0-12-6.dll
2015-01-27 07:21 - 2015-01-27 07:21 - 00083968 _____ () C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\boezlib.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1919044603-303022522-201583920-1604\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-4043360042-4227766030-1340141203-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.100.10 - 192.168.100.11

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== Accounts: =============================

Administrator (S-1-5-21-4043360042-4227766030-1340141203-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-4043360042-4227766030-1340141203-501 - Limited - Disabled)
sql (S-1-5-21-4043360042-4227766030-1340141203-1004 - Administrator - Enabled) => C:\Users\sql
sys (S-1-5-21-4043360042-4227766030-1340141203-1003 - Administrator - Enabled)
___VMware_Conv_SA___ (S-1-5-21-4043360042-4227766030-1340141203-1002 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/25/2015 00:38:30 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

System errors:
=============
Error: (02/25/2015 07:47:05 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver RICOH Aficio MP C2051 PCL 6 required for printer RICOH Aficio MP C2051 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
Error: (02/25/2015 07:47:04 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver RICOH MP C401 PCL 6 required for printer RICOH MP C401 PCL 6 is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:47:02 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:46:57 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver RICOH Aficio MP C2051 PCL 5c required for printer PABLITO ALBORAN is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:46:55 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver HP Universal Printing PCL 6 required for printer HP Universal Printing PCL 6 is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:46:54 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver HP LJ300-400 color M351-M451 PCL 6 required for printer HP LJ 400 Maria is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:46:52 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver RICOH Aficio MP C2051 PCL 6 required for printer Folios is unknown. Contact the administrator to install the driver before you log in again. Error: (02/25/2015 07:46:43 AM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver RICOH Aficio MP C2051 PCL 6 required for printer Carpeta is unknown. Contact the administrator to install the driver before you log in again. Error: (02/24/2015 03:03:12 PM) (Source: UmrdpService) (EventID: 1111) (User: )Description: Driver TP Output Gateway required for printer Fax#:1 is unknown. Contact the administrator to install the driver before you log in again. 
Microsoft Office Sessions:=========================Error: (02/25/2015 00:38:30 AM) (Source: SideBySide) (EventID: 80) (User: )Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Program Files (x86)\Adobe\Acrobat 9.0\Designer 8.2\FormDesigner.exe ==================== Memory info =========================== Processor: Intel® Xeon® CPU X5660 @ 2.80GHzPercentage of memory in use: 24%Total physical RAM: 29999.49 MBAvailable physical RAM: 22635.48 MBTotal Pagefile: 59997.17 MBAvailable Pagefile: 53060.78 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.84 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:136.02 GB) (Free:72.81 GB) NTFS ==================== MBR & Partition Table ================== ========================================================Disk: 0 (MBR Code: Windows XP) (Size: 136.1 GB) (Disk ID: 00000080)Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)Partition 2: (Not Active) - (Size=136 GB) - (Type=07 NTFS) ==================== End Of Log ============================
  8. I have an application server running Server 2008 R2. Beginning last Saturday the CPU utilization began going to 90-100% and choking the machine. After investigating the processes running I found that loginUI.exe was the culprit. It appears to be a part of RDP that offers the users the login screen but was not terminating normally. But after digging I found a Bitcoin Miner malware present that points to that executable. Oddly, that was also the day that a support consultant for our ERP logged in for the first time using our public IP address mapped to that machine. The result is that I've installed Malwarebytes Enterprise along with Anti-Exploit. The server is now usable and stable, but every 50 minutes it intercepts an attempt by the bitcoin miner to launch. I've run RogueKiller but it didn't find anything. I'm happy that Malwarebytes is killing it but would feel better if I could get it off the machine. I'm not sure if this is a fake loginui file on the machine or what to try next. Any help would be appreciated. Here is the log.
15/02/24 08:19:21 -0500 SERVER02 tc-admin MESSAGE Starting protection
2015/02/24 08:19:21 -0500 SERVER02 tc-admin MESSAGE Protection started successfully
2015/02/24 08:19:21 -0500 SERVER02 tc-admin MESSAGE Starting IP protection
2015/02/24 08:19:28 -0500 SERVER02 tc-admin MESSAGE IP Protection started successfully
2015/02/24 08:22:25 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 09:18:34 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 10:17:06 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 10:37:08 -0500 SERVER02 tc-admin MESSAGE Executing scheduled update: Daily
2015/02/24 10:37:21 -0500 SERVER02 tc-admin MESSAGE Scheduled update executed successfully: database updated from version v2015.02.24.03 to version v2015.02.24.04
2015/02/24 10:37:21 -0500 SERVER02 tc-admin MESSAGE Starting database refresh
2015/02/24 10:37:22 -0500 SERVER02 tc-admin MESSAGE Stopping IP protection
2015/02/24 10:37:24 -0500 SERVER02 tc-admin MESSAGE IP Protection stopped successfully
2015/02/24 10:37:38 -0500 SERVER02 tc-admin MESSAGE Database refreshed successfully
2015/02/24 10:37:38 -0500 SERVER02 tc-admin MESSAGE Starting IP protection
2015/02/24 10:37:45 -0500 SERVER02 tc-admin MESSAGE IP Protection started successfully
2015/02/24 11:15:15 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 12:12:16 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 13:10:14 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 14:05:05 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 15:00:07 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 15:57:15 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
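The post above reports the miner being intercepted "every 50 minutes", and the log it quotes lets that be checked: a quarantined file reappearing at the same path on a near-fixed cadence is the signature of a persistence mechanism (a scheduled task, service or similar) re-dropping it, which is why quarantine alone never cleared the machine. The following is an added example, not code from the original post or from Malwarebytes; it parses the Malwarebytes Enterprise log format shown above (the sample lines are copied from that log, including the truncated first line, to show malformed entries being skipped) and measures the interval between repeat detections of each path. The regularity threshold and the line layout it assumes are the example's own choices.

```python
import re
import statistics
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Sample input: lines copied from the Malwarebytes Enterprise log quoted in the
# post. The first line is truncated exactly as it appears there.
SAMPLE_LOG = r"""
15/02/24 08:19:21 -0500 SERVER02 tc-admin MESSAGE Starting protection
2015/02/24 08:19:21 -0500 SERVER02 tc-admin MESSAGE Protection started successfully
2015/02/24 08:22:25 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 09:18:34 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 10:17:06 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 10:37:08 -0500 SERVER02 tc-admin MESSAGE Executing scheduled update: Daily
2015/02/24 11:15:15 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 12:12:16 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 13:10:14 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 14:05:05 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 15:00:07 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
2015/02/24 15:57:15 -0500 SERVER02 tc-admin DETECTION C:\Windows\Logs\LogonUI.exe Riskware.BitCoinMiner QUARANTINE
"""

# Assumed line layout (matches the log above): timestamp with UTC offset,
# host, user, kind (MESSAGE or DETECTION), then free-form detail.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>MESSAGE|DETECTION) (?P<detail>.*)$"
)


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    kind: str
    path: Optional[str]    # quarantined file (DETECTION lines only)
    threat: Optional[str]  # detection name  (DETECTION lines only)
    action: Optional[str]  # e.g. QUARANTINE (DETECTION lines only)
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for truncated or foreign lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z")
    path = threat = action = None
    if m["kind"] == "DETECTION":
        # Detail is "<path> <threat> <action>". The path may contain spaces
        # (C:\Program Files\...), so peel the two trailing fields off the right.
        parts = m["detail"].rsplit(None, 2)
        if len(parts) == 3:
            path, threat, action = parts
    return Event(ts, m["host"], m["user"], m["kind"], path, threat, action, m["detail"])


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def detection_intervals(events: List[Event]) -> Dict[str, List[int]]:
    """Seconds between consecutive detections, grouped by quarantined path."""
    stamps: Dict[str, List[datetime]] = {}
    for e in events:
        if e.kind == "DETECTION" and e.path:
            stamps.setdefault(e.path, []).append(e.ts)
    out: Dict[str, List[int]] = {}
    for path, ts in stamps.items():
        ts.sort()
        out[path] = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return out


def is_periodic(intervals: List[int], tolerance: float = 0.25) -> bool:
    """True when the gaps cluster within `tolerance` of their median.

    A tight cluster means something is re-launching the file on a timer,
    which points at a persistence mechanism still on the host.
    """
    if len(intervals) < 2:
        return False
    med = statistics.median(intervals)
    return med > 0 and (max(intervals) - min(intervals)) / med <= tolerance


def summarize(text: str) -> Dict[str, dict]:
    """Per quarantined path: hit count, median gap in minutes, periodic flag."""
    report = {}
    for path, gaps in detection_intervals(parse_log(text)).items():
        report[path] = {
            "detections": len(gaps) + 1,
            "median_minutes": round(statistics.median(gaps) / 60, 1) if gaps else None,
            "periodic": is_periodic(gaps),
        }
    return report


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG).items():
        flag = "RECURRING ON A TIMER" if info["periodic"] else "irregular"
        print(f"{path}: {info['detections']} detections, "
              f"median gap {info['median_minutes']} min, {flag}")
```

On the quoted log the gaps run from about 55 to 58.5 minutes with a median just over 57, so the re-launch is flagged as periodic. That is the cue to look for what fires on that schedule (scheduled tasks, services, run keys) rather than to keep relying on quarantine of the dropped file.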