Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Google Redirect Issue after removal of malware [Solved]

Started by kawasmi247 , Apr 16 2013 02:28 PM

This topic is locked

#1
kawasmi247

Posted 16 April 2013 - 02:28 PM

New Member

Member
9 posts

Howdy,

Last Friday I was browsing the internet and I end up getting infected with some fake antivirus program. Constantly running fake "scans". I have McAfee Enterprise + AntiSpyware Enterprise 8.8 installed and the on access scanner begins to go crazy stating that it found multiple files and deleted them. I immediately shut down my computer and boot into safe mode with networking, download the latest edition of malwarebytes and do a full scan. Malwarebytes came up with between 3-7 infected files, quarantined said files, and subsequently deleted them. I then run a full scan with McAfee and it yielded no threats or malicious files.

Since then, however, any search item I click through google.com gets redirected first to www.pronetfeed.com and then another randomly selected advertisment site. I've tried running kasperky's TDSS removal tool, with no results. I've tried ADWcleaner by Xplode, with no results. I've tried running malwarebytes using chameleon, with no results.

This has become really frustrating and I have yet to figure out if this Google redirect issue is the only remnant of the fake antivirus program. Any help would greatly be appreciated.

Moe

This post has been edited to include the OTL Quick Scan Log:

OTL logfile created on: 4/16/2013 3:33:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\mkawasmi\Desktop
64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.96 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 44.23% Memory free
3.91 Gb Paging File | 2.26 Gb Available in Paging File | 57.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74.24 Gb Total Space | 35.79 Gb Free Space | 48.21% Space Free | Partition Type: NTFS

Computer Name: PC048453 | User Name: MKawasmi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/04/16 15:32:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\mkawasmi\Desktop\OTL.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/02/26 16:12:56 | 001,516,496 | ---- | M] (TrueCrypt Foundation) -- C:\Program Files\TrueCrypt\TrueCrypt.exe
PRC - [2012/08/14 20:08:00 | 000,215,656 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2012/08/14 20:08:00 | 000,033,944 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/04/04 00:53:56 | 000,815,512 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
PRC - [2011/09/14 21:08:00 | 000,209,760 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
PRC - [2011/02/01 17:48:50 | 000,604,408 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2011/01/12 17:05:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
PRC - [2011/01/12 17:05:00 | 000,161,088 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
PRC - [2011/01/12 17:05:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
PRC - [2011/01/12 17:05:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
PRC - [2010/11/20 22:24:27 | 000,257,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
PRC - [2009/10/22 10:27:28 | 000,053,248 | ---- | M] (HP) -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe
PRC - [2009/09/18 05:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\CCM\CcmExec.exe
PRC - [2009/06/01 10:26:34 | 000,136,192 | ---- | M] (HP) -- C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
PRC - [2005/12/27 13:44:06 | 000,172,098 | ---- | M] () -- C:\Windows\SysWOW64\UTLite33.exe

========== Modules (No Company Name) ==========

MOD - [2013/02/26 14:00:31 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\302207b4fa3083899fd8ab4db98cecc5\System.Management.ni.dll
MOD - [2013/02/26 13:37:51 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\7ff638de44686eab4afaa8b3c8a9cfca\System.ServiceProcess.ni.dll
MOD - [2013/02/26 13:37:35 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll
MOD - [2013/02/26 13:37:24 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013/02/26 13:36:38 | 000,310,784 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\eb4fa29ea9ab56d453b36696edbe6423\System.Runtime.Serialization.Formatters.Soap.ni.dll
MOD - [2013/02/26 13:36:37 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll
MOD - [2013/02/26 13:36:28 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013/02/26 13:36:27 | 001,806,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\4976e150a5d096db3981d4d56dda5a8e\System.Deployment.ni.dll
MOD - [2013/02/26 13:36:04 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013/02/26 13:36:00 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll
MOD - [2013/02/26 13:35:59 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013/02/26 13:35:41 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2009/10/22 10:26:28 | 000,086,016 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPFaxUtilities.dll
MOD - [2009/10/22 10:26:26 | 000,835,584 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\Alerts.dll
MOD - [2009/10/22 10:26:14 | 000,840,192 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\PLSDMXMLObjects.dll
MOD - [2009/10/22 10:26:14 | 000,516,096 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPAppTools.dll
MOD - [2009/10/22 10:26:12 | 000,674,816 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\LEDMXMLObjects.dll
MOD - [2009/10/22 10:26:12 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\AppConstants.dll
MOD - [2009/10/22 10:26:10 | 000,130,560 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\DMBaseObjects.dll
MOD - [2009/10/22 10:26:08 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPToolkit.dll
MOD - [2009/10/22 10:26:08 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\HPTools.dll
MOD - [2009/10/15 09:25:30 | 000,364,544 | ---- | M] () -- C:\Program Files (x86)\HP\ToolboxFX\bin\NativeUtils.dll
MOD - [2007/04/18 20:30:46 | 000,471,040 | ---- | M] () -- C:\Program Files (x86)\McAfee\Common Framework\ccme_base.dll
MOD - [2007/04/18 20:30:46 | 000,393,216 | ---- | M] () -- C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
MOD - [2005/12/27 13:44:06 | 000,172,098 | ---- | M] () -- C:\Windows\SysWOW64\UTLite33.exe

========== Services (SafeList) ==========

SRV:64bit: - [2013/04/02 12:31:58 | 000,170,440 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\SysNative\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2013/04/02 12:31:55 | 000,201,864 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2012/07/13 17:49:04 | 002,457,728 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\noveap.dll -- (NovEAP)
SRV:64bit: - [2012/07/13 17:49:04 | 000,020,096 | ---- | M] (Novell, Inc.) [Auto | Running] -- C:\Program Files\Novell\Client\XTier\Services\xtsvcmgr.exe -- (XTSvcMgr)
SRV:64bit: - [2012/04/25 15:55:12 | 000,055,296 | ---- | M] (Novell, Inc.) [Auto | Running] -- C:\Windows\SysNative\iprntsrv.exe -- (iprntsrv)
SRV:64bit: - [2012/01/16 15:45:52 | 000,222,144 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe -- (dcevt64)
SRV:64bit: - [2012/01/16 15:45:34 | 000,293,824 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe -- (dcstor64)
SRV:64bit: - [2009/10/23 15:13:00 | 000,240,640 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\stacsv64.exe -- (STacSV)
SRV:64bit: - [2009/10/23 15:12:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013/02/22 13:45:36 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/07/27 15:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/13 17:49:06 | 001,832,576 | ---- | M] () [Auto | Running] -- C:\Windows\SysWow64\noveap.dll -- (NovEAP)
SRV - [2011/09/14 21:08:00 | 000,209,760 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2011/02/01 17:48:50 | 000,604,408 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2011/01/12 17:05:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/23 15:13:00 | 000,240,640 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\STacSV64.exe -- (STacSV)
SRV - [2009/10/23 15:12:58 | 000,089,600 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe -- (AESTFilters)
SRV - [2009/09/18 05:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 05:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/06/01 10:26:34 | 000,136,192 | ---- | M] (HP) [Auto | Running] -- C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe -- (HP LaserJet Service)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2013/04/02 12:31:58 | 000,303,464 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2013/04/02 12:31:58 | 000,101,200 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2013/04/02 12:31:57 | 000,665,768 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2013/04/02 12:31:57 | 000,274,880 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2013/04/02 12:31:56 | 000,160,952 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2013/02/26 16:12:56 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2012/07/13 17:49:04 | 000,119,936 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\ncrecognizer.sys -- (NCRecognizer)
DRV:64bit: - [2012/07/13 17:49:04 | 000,112,256 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\ncfilter.sys -- (NCFilter)
DRV:64bit: - [2012/07/13 17:49:04 | 000,108,672 | ---- | M] () [File_System | Auto | Running] -- C:\Program Files\Novell\Client\XTier\Drivers\ncfsd.sys -- (NCFSD)
DRV:64bit: - [2012/07/13 17:49:04 | 000,090,240 | ---- | M] () [Kernel | Auto | Running] -- C:\Program Files\Novell\Client\XTier\Drivers\ncioctl.sys -- (NCIOCTL)
DRV:64bit: - [2012/07/13 17:49:04 | 000,083,584 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\ndmndap.sys -- (ndmndap)
DRV:64bit: - [2012/07/13 17:49:04 | 000,080,000 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\nciom.sys -- (nciom)
DRV:64bit: - [2012/07/13 17:49:04 | 000,078,976 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\ncp.sys -- (ncp)
DRV:64bit: - [2012/07/13 17:49:04 | 000,059,520 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\xtxplat.sys -- (xtxplat)
DRV:64bit: - [2012/07/13 17:49:04 | 000,055,936 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\nipctl.sys -- (nipctl)
DRV:64bit: - [2012/07/13 17:49:04 | 000,049,280 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\ncpl.sys -- (ncpl)
DRV:64bit: - [2012/07/13 17:49:04 | 000,039,040 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\niam.sys -- (niam)
DRV:64bit: - [2012/07/13 17:49:04 | 000,036,992 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\nscm.sys -- (nscm)
DRV:64bit: - [2012/07/13 17:49:04 | 000,035,968 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\nsvccost.sys -- (nsvccost)
DRV:64bit: - [2012/07/13 17:49:04 | 000,031,360 | ---- | M] (Novell, Inc.) [Kernel | System | Running] -- C:\Program Files\Novell\Client\XTier\Drivers\nicm.sys -- (NICM)
DRV:64bit: - [2012/07/13 17:49:04 | 000,026,240 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\ncuncfilter.sys -- (NCUncFilter)
DRV:64bit: - [2012/07/13 17:49:04 | 000,025,216 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\nsns.sys -- (nsns)
DRV:64bit: - [2012/07/13 17:49:04 | 000,019,584 | ---- | M] (Novell, Inc.) [Kernel | On_Demand | Unknown] -- C:\Program Files\Novell\Client\XTier\Drivers\ndm.sys -- (ndm)
DRV:64bit: - [2012/05/15 07:55:40 | 000,398,656 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nvstusb.sys -- (NvStUSB)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/01 17:33:39 | 000,022,752 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64.sys -- (vpnva)
DRV:64bit: - [2010/11/20 22:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 22:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/21 07:33:38 | 000,038,472 | ---- | M] (Dell Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dcdbas64.sys -- (dcdbas)
DRV:64bit: - [2009/10/23 15:13:14 | 000,138,752 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV:64bit: - [2009/10/23 15:13:12 | 007,342,432 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/10/23 15:13:10 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/10/23 15:13:10 | 000,017,048 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tcm.sys -- (tcm)
DRV:64bit: - [2009/10/23 15:13:08 | 005,435,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5v64.sys -- (NETw5v64)
DRV:64bit: - [2009/10/23 15:13:06 | 000,305,192 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/10/23 15:13:06 | 000,285,240 | ---- | M] (WiQuest Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WQ_hwa.sys -- (WQ_USBHWA)
DRV:64bit: - [2009/10/23 15:13:06 | 000,186,936 | ---- | M] (WiQuest Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WQ_dwa.sys -- (WQ_USBDWA)
DRV:64bit: - [2009/10/23 15:13:06 | 000,136,248 | ---- | M] (WiQuest Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WQ_rci.sys -- (WQ_USBRCI)
DRV:64bit: - [2009/10/23 15:13:06 | 000,055,352 | ---- | M] (WiQuest Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WQ_ldr.sys -- (WQ_USBLOAD)
DRV:64bit: - [2009/10/23 15:13:06 | 000,055,352 | ---- | M] (WiQuest Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WQ_cba.sys -- (WQ_USBCBAF)
DRV:64bit: - [2009/10/23 15:13:04 | 000,250,928 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/10/23 15:13:02 | 000,080,896 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\risdpe64.sys -- (risdpcie)
DRV:64bit: - [2009/10/23 15:13:02 | 000,067,584 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2009/10/23 15:13:02 | 000,060,416 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rimspe64.sys -- (rimspci)
DRV:64bit: - [2009/10/23 15:13:02 | 000,057,856 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2009/10/23 15:13:02 | 000,055,808 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rixdpe64.sys -- (rixdpcie)
DRV:64bit: - [2009/10/23 15:13:02 | 000,055,296 | ---- | M] (REDC) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2009/10/23 15:13:00 | 000,487,936 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\stwrt64.sys -- (STHDA)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/03 22:27:26 | 000,026,112 | ---- | M] (Dell Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\omci.sys -- (omci)
DRV - [2009/09/18 05:00:00 | 000,026,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{7140B5DF-DD07-4F68-BC14-7F64F692F0F4}: "URL" = http://www.google.co...age={startPage}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{7140B5DF-DD07-4F68-BC14-7F64F692F0F4}: "URL" = http://www.google.co...age={startPage}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.tceq.state.tx.us/internal
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.tceq.state.tx.us/internal
IE - HKCU\..\SearchScopes,DefaultScope = {7140B5DF-DD07-4F68-BC14-7F64F692F0F4}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.11.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.17.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@novell.com/iPrint: C:\Windows\SysWOW64 [2013/04/16 10:05:29 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.3012: C:\Program Files (x86)\Real\RealPlayer Enterprise\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.2.3070: C:\Program Files (x86)\Real\RealPlayer Enterprise\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1830: C:\Program Files (x86)\Real\RealPlayer Enterprise\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013/02/27 09:08:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013/04/03 06:52:34 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2013/03/05 14:14:44 | 000,000,851 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 172.21.60.26 TCEQLASERJET
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130402123258.dll (McAfee, Inc.)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130402123258.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Apoint] T.EXE File not found
O4:64bit: - HKLM..\Run: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE File not found
O4:64bit: - HKLM..\Run: [HP Color LaserJet CM2320 MFP Series Fax] TERSRV.EXE "HP COLOR LASERJET CM2320 MFP SERIES FAX" File not found
O4:64bit: - HKLM..\Run: [IgfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE File not found
O4:64bit: - HKLM..\Run: [iPrint Event Monitor] .EXE File not found
O4:64bit: - HKLM..\Run: [iPrint Tray] TCTL.EXE TRAY_ICON File not found
O4:64bit: - HKLM..\Run: [NWTRAY] WTRAY.EXE File not found
O4:64bit: - HKLM..\Run: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE File not found
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Cisco User Tracking] C:\Windows\SysWOW64\UTLite33.exe ()
O4 - HKLM..\Run: [HPPQVideo] "C:\Program Files (x86)\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe" -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CM2320_MFP_Series -f PQOptimizerVideo.xml -o remindLater File not found
O4 - HKLM..\Run: [HPUsageTracking] C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ToolBoxFX] C:\Program Files (x86)\HP\ToolBoxFX\bin\HPTLBXFX.exe (HP)
O4 - HKCU..\Run: [logiosk] rundll32 "C:\Windows\regikmgr.dll",CreateProcessNotify File not found
O4 - HKCU..\Run: [MRINonce] rundll32 "C:\Windows\system32\regikmgr64.dll",CreateProcessNotify File not found
O4 - HKCU..\Run: [TrueCrypt] C:\Program Files\TrueCrypt\TrueCrypt.exe (TrueCrypt Foundation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Download present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Security present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\SQM present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Suggested Sites present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: PreXPSP2ShellProtocolBehavior = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWebServices = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoOnlinePrintsWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPublishingWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\WAU: Disabled = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ReportControllerMissing = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowCpl = 1
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKLM\..Trusted Domains: state.tx.us ([reportsprd.tceq] http in Trusted sites)
O15 - HKCU\..Trusted Domains: state.tx.us ([*.tceq] http in Trusted sites)
O15 - HKCU\..Trusted Domains: state.tx.us ([*.tnrcc] http in Trusted sites)
O15 - HKCU\..Trusted Domains: state.tx.us ([mx7prd.tceq] http in Trusted sites)
O15 - HKCU\..Trusted Domains: state.tx.us ([tceq-aav-mpegp1.tceq] * in Trusted sites)
O15 - HKCU\..Trusted Domains: texas.gov ([bodev.tceq] * in Local intranet)
O15 - HKCU\..Trusted Domains: texas.gov ([boprd.tceq] * in Local intranet)
O15 - HKCU\..Trusted Domains: texas.gov ([botst.tceq] * in Local intranet)
O15 - HKCU\..Trusted Domains: texas.gov ([tceq-aav-mpegp1.tceq] * in Trusted sites)
O15 - HKCU\..Trusted Domains: texas.gov ([vpn.tceq] https in Trusted sites)
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} http://reportsprd.tc...tiveXViewer.cab (Crystal ActiveX Report Viewer Control 11.5)
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} http://mscesys1/crys...tiveXViewer.cab (Crystal ActiveX Report Viewer Control 10.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ms.tnrcc.state.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C09ACFBD-A651-4852-86B2-593172DB76AA}: DhcpNameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EBF47AD1-D080-4114-AB83-A98F4A5752B4}: DhcpNameServer = 163.234.36.253 163.234.36.254
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\NovEapLogn: DllName - (Noveap.dll) - C:\Windows\SysNative\noveap.dll ()
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30:64bit: - LSA: Authentication Packages - (ncv1_0) - C:\Windows\SysNative\ncv1_0.dll ()
O30 - LSA: Authentication Packages - (ncv1_0) - File not found
O30:64bit: - LSA: Security Packages - (msoidssp) - C:\Windows\SysNative\msoidssp.dll (Microsoft Corp.)
O30 - LSA: Security Packages - (msoidssp) - C:\Windows\SysWow64\msoidssp.dll (Microsoft Corp.)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/04/16 15:32:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\mkawasmi\Desktop\OTL.exe
[2013/04/12 15:43:17 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Roaming\Malwarebytes
[2013/04/12 15:42:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/04/12 15:42:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/04/12 15:42:50 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/04/12 15:42:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013/04/12 14:51:37 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Local\Programs
[2013/04/12 13:28:49 | 000,000,000 | ---D | C] -- C:\Quarantine
[2013/04/12 13:28:23 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2013/04/02 16:19:32 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Local\CutePDF Writer
[2013/04/01 12:55:54 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Roaming\vlc
[2013/03/28 10:28:11 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\Desktop\Housing
[2013/03/19 16:53:46 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Roaming\HpUpdate
[2013/03/19 16:53:40 | 000,000,000 | ---D | C] -- C:\Windows\Hewlett-Packard
[2013/03/19 08:31:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
[2013/03/19 08:31:30 | 000,000,000 | ---D | C] -- C:\Users\mkawasmi\AppData\Roaming\Yahoo!

========== Files - Modified Within 30 Days ==========

[2013/04/16 15:32:07 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\mkawasmi\Desktop\OTL.exe
[2013/04/16 15:11:20 | 000,019,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/04/16 15:11:20 | 000,019,104 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/04/16 15:07:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/04/16 15:02:00 | 000,000,392 | ---- | M] () -- C:\Windows\SMSCFG.INI
[2013/04/16 14:56:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/04/16 14:56:45 | 1575,333,888 | -HS- | M] () -- C:\hiberfil.sys
[2013/04/16 10:05:29 | 000,799,444 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/04/16 10:05:29 | 000,665,218 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/04/16 10:05:29 | 000,122,908 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/04/12 17:19:25 | 000,026,683 | ---- | M] () -- C:\Users\mkawasmi\Desktop\a3.pdf
[2013/04/12 17:19:02 | 000,026,658 | ---- | M] () -- C:\Users\mkawasmi\Desktop\a2.pdf
[2013/04/12 13:29:17 | 000,071,168 | -H-- | M] () -- C:\Windows\SysNative\regikmgr64.dll
[2013/04/05 08:48:18 | 000,676,287 | ---- | M] () -- C:\Users\mkawasmi\Documents\License_R04100 Amendment 19.pdf
[2013/04/04 14:50:32 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013/04/03 14:43:15 | 000,781,858 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/04/03 11:27:52 | 000,954,444 | ---- | M] () -- C:\Users\mkawasmi\Desktop\Sample.pdf
[2013/04/02 12:31:58 | 000,303,464 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfewfpk.sys
[2013/04/02 12:31:58 | 000,170,440 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\mfevtps.exe
[2013/04/02 12:31:58 | 000,101,200 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mferkdet.sys
[2013/04/02 12:31:58 | 000,099,352 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\MfeOtlkAddin.dll
[2013/04/02 12:31:57 | 000,665,768 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfehidk.sys
[2013/04/02 12:31:57 | 000,274,880 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeavfk.sys
[2013/04/02 12:31:57 | 000,010,288 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeclnk.sys
[2013/04/02 12:31:56 | 000,160,952 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysNative\drivers\mfeapfk.sys
[2013/04/02 12:31:50 | 000,075,656 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysWow64\MfeOtlkAddin.dll
[2013/04/02 12:31:50 | 000,023,112 | ---- | M] (McAfee, Inc.) -- C:\Windows\SysWow64\MFEOtlk.dll
[2013/04/02 12:26:48 | 000,344,454 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/03/22 09:26:49 | 000,436,125 | ---- | M] () -- C:\Users\mkawasmi\Desktop\Waste Shipment RW-13-001.pdf
[2013/03/20 11:35:31 | 000,173,362 | ---- | M] () -- C:\Users\mkawasmi\Desktop\Attendance Form.pdf
[2013/03/19 10:42:24 | 000,168,791 | ---- | M] () -- C:\Users\mkawasmi\Desktop\Receipt.pdf

========== Files Created - No Company Name ==========

[2013/04/12 17:19:25 | 000,026,683 | ---- | C] () -- C:\Users\mkawasmi\Desktop\a3.pdf
[2013/04/12 17:19:02 | 000,026,658 | ---- | C] () -- C:\Users\mkawasmi\Desktop\a2.pdf
[2013/04/12 13:29:17 | 000,071,168 | -H-- | C] () -- C:\Windows\SysNative\regikmgr64.dll
[2013/04/05 08:48:18 | 000,676,287 | ---- | C] () -- C:\Users\mkawasmi\Documents\License_R04100 Amendment 19.pdf
[2013/04/03 11:28:26 | 000,954,444 | ---- | C] () -- C:\Users\mkawasmi\Desktop\Sample.pdf
[2013/03/22 09:27:13 | 000,436,125 | ---- | C] () -- C:\Users\mkawasmi\Desktop\Waste Shipment RW-13-001.pdf
[2013/03/20 11:35:44 | 000,173,362 | ---- | C] () -- C:\Users\mkawasmi\Desktop\Attendance Form.pdf
[2013/03/19 10:42:44 | 000,168,791 | ---- | C] () -- C:\Users\mkawasmi\Desktop\Receipt.pdf
[2013/03/05 15:27:47 | 000,177,010 | ---- | C] () -- C:\Windows\hppins12.dat.temp
[2013/03/05 14:13:53 | 000,000,794 | ---- | C] () -- C:\Windows\hpntwksetup.ini
[2013/03/05 14:06:48 | 000,172,379 | ---- | C] () -- C:\Windows\hppins12.dat
[2013/03/05 14:06:47 | 000,007,855 | ---- | C] () -- C:\Windows\hppmdl12.dat
[2013/02/22 14:23:35 | 000,019,732 | RHS- | C] () -- C:\Users\mkawasmi\ntuser.pol
[2013/02/22 14:22:18 | 000,344,454 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2013/02/22 13:49:56 | 000,254,352 | ---- | C] () -- C:\Windows\SysWow64\npnipp.dll
[2013/02/22 13:39:17 | 000,004,764 | ---- | C] () -- C:\Windows\SysWow64\CcmFramework.ini
[2012/10/01 20:11:52 | 001,832,576 | ---- | C] () -- C:\Windows\SysWow64\noveap.dll
[2012/10/01 20:11:52 | 000,909,440 | ---- | C] () -- C:\Windows\SysWow64\ncnetprovider.dll
[2012/10/01 20:11:52 | 000,230,528 | ---- | C] () -- C:\Windows\SysWow64\nwshlxnt.dll
[2012/10/01 20:11:52 | 000,156,800 | ---- | C] () -- C:\Windows\SysWow64\mapbase.dll
[2012/10/01 20:11:52 | 000,066,176 | ---- | C] () -- C:\Windows\SysWow64\slpinfo.exe
[2012/10/01 20:11:50 | 000,666,752 | ---- | C] () -- C:\Windows\SysWow64\ncloginui.dll
[2012/10/01 20:11:50 | 000,187,520 | ---- | C] () -- C:\Windows\SysWow64\lgnwnt32.dll
[2012/10/01 20:11:50 | 000,092,800 | ---- | C] () -- C:\Windows\SysWow64\nclangid.dll
[2012/10/01 20:11:50 | 000,026,240 | ---- | C] () -- C:\Windows\SysWow64\loginw32.exe
[2012/08/29 22:34:37 | 000,982,220 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2012/08/29 22:34:36 | 000,134,592 | ---- | C] () -- C:\Windows\SysWow64\igfcg500.bin
[2012/08/29 22:34:36 | 000,092,216 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2012/08/29 22:34:34 | 000,439,300 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2012/08/01 09:01:25 | 000,799,444 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/08/01 08:59:34 | 000,000,392 | ---- | C] () -- C:\Windows\SMSCFG.INI

========== ZeroAccess Check ==========

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
"ThreadingModel" = Both
"" = C:\$Recycle.Bin\S-1-5-21-734690479-1344892132-312552118-34155\$5315fe5ab433554d17e13e2f34f1edf9\n.

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013/02/27 11:15:13 | 000,000,000 | ---D | M] -- C:\Users\mkawasmi\AppData\Roaming\TrueCrypt

========== Purity Check ==========

< End of report >

Edited yet again to include the Extras text file:

OTL Extras logfile created on: 4/16/2013 3:33:32 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\mkawasmi\Desktop
64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.96 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 44.23% Memory free
3.91 Gb Paging File | 2.26 Gb Available in Paging File | 57.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 74.24 Gb Total Space | 35.79 Gb Free Space | 48.21% Space Free | Partition Type: NTFS

Computer Name: PC048453 | User Name: MKawasmi | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [rCmdHere] -- C:\Windows\system32\cmd.exe /k cd /d "%1" (Microsoft Corporation)
Directory [runas] -- C:\Windows\system32\cmd.exe /k cd /d "%1" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [rCmdHere] -- C:\Windows\system32\cmd.exe /k cd /d "%1" (Microsoft Corporation)
Directory [runas] -- C:\Windows\system32\cmd.exe /k cd /d "%1" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
"PolicyVersion" = 532

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"Sharp AutoConfiguration Module" = C:\Windows\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"Sharp AutoConfiguration Module M453N" = C:\Windows\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"Sharp AutoConfiguration Module M455" = C:\Windows\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"Sharp AutoConfiguration Module M550" = C:\Windows\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"Sharp AutoConfiguration Module M620" = C:\Windows\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"Sharp AutoConfiguration Module M700" = C:\Windows\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"Sharp AutoConfiguration Module M850" = C:\Windows\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module" = %windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"%windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N" = %windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"%windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455" = %windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"%windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550" = %windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"%windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620" = %windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"%windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700" = %windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"%windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850" = %windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance" = %windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance
"%ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise
"%ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:SCCM Remote Tools" = 135:TCP:*:Enabled:SCCM Remote Tools
"2701:TCP:*:Enabled:SCCM Remote Tools" = 2701:TCP:*:Enabled:SCCM Remote Tools
"2702:TCP:*:Enabled:SCCM Remote Tools" = 2702:TCP:*:Enabled:SCCM Remote Tools
"161:UDP:*:Enabled:Dell OMCI" = 161:UDP:*:Enabled:Dell OMCI
"162:UDP:*:Enabled:Dell OMCI" = 162:UDP:*:Enabled:Dell OMCI
"6389:TCP:*:Enabled:Dell OMCI" = 6389:TCP:*:Enabled:Dell OMCI
"443:TCP:*:Enabled:Dell OMCI" = 443:TCP:*:Enabled:Dell OMCI
"3389:TCP:*:Enabled:Remote Assistance" = 3389:TCP:*:Enabled:Remote Assistance
"8081:TCP:*:Enabled:McAfee Agent Logging" = 8081:TCP:*:Enabled:McAfee Agent Logging

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
"LogDroppedPackets" = 1
"LogSuccessfulConnections" = 0
"LogFilePath" = %systemroot%\system32\LogFiles\Firewall\pfirewall.log -- ()
"LogFileSize" = 16384

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"CoreNet-DHCP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25301|[email protected],-25303|[email protected],-25000|
"CoreNet-DHCPV6-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=546|RPort=547|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25304|[email protected],-25306|[email protected],-25000|
"FPS-LLMNR-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-28548|[email protected],-28549|[email protected],-28502|
"FPS-ICMP6-ERQ-In" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28545|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-In" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28543|[email protected],-28547|[email protected],-28502|
"FPS-RPCSS-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC-EPMap|RA4=LocalSubnet|RA6=LocalSubnet|Svc=Rpcss|[email protected],-28539|[email protected],-28542|[email protected],-28502|
"FPS-SpoolSvc-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|[email protected],-28535|[email protected],-28538|[email protected],-28502|
"FPS-NB_Datagram-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=138|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28527|[email protected],-28530|[email protected],-28502|
"FPS-NB_Name-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=137|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28519|[email protected],-28522|[email protected],-28502|
"FPS-SMB-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28511|[email protected],-28514|[email protected],-28502|
"FPS-NB_Session-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=139|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28503|[email protected],-28506|[email protected],-28502|
"FPS-ICMP6-ERQ-In-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Domain|ICMP6=128:*|[email protected],-28545|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-In-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Domain|ICMP4=8:*|[email protected],-28543|[email protected],-28547|[email protected],-28502|
"FPS-RPCSS-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|Svc=Rpcss|[email protected],-28539|[email protected],-28542|[email protected],-28502|
"FPS-SpoolSvc-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|[email protected],-28535|[email protected],-28538|[email protected],-28502|
"FPS-NB_Datagram-In-UDP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=138|App=System|[email protected],-28527|[email protected],-28530|[email protected],-28502|
"FPS-NB_Name-In-UDP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=137|App=System|[email protected],-28519|[email protected],-28522|[email protected],-28502|
"FPS-SMB-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|[email protected],-28511|[email protected],-28514|[email protected],-28502|
"FPS-NB_Session-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=139|App=System|[email protected],-28503|[email protected],-28506|[email protected],-28502|
"WMI-ASYNC-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\wbem\unsecapp.exe|[email protected],-34256|[email protected],-34257|[email protected],-34251|
"WMI-WINMGMT-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34254|[email protected],-34255|[email protected],-34251|
"WMI-RPCSS-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=135|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-34252|[email protected],-34253|[email protected],-34251|
"WMI-ASYNC-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%systemroot%\system32\wbem\unsecapp.exe|[email protected],-34256|[email protected],-34257|[email protected],-34251|
"WMI-WINMGMT-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34254|[email protected],-34255|[email protected],-34251|
"WMI-RPCSS-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=135|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-34252|[email protected],-34253|[email protected],-34251|
"RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=3540|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33039|[email protected],-33040|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-SSDPSrv-In-TCP-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33027|[email protected],-33030|[email protected],-33002|
"RemoteAssistance-SSDPSrv-In-UDP-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33019|[email protected],-33022|[email protected],-33002|
"RemoteAssistance-In-TCP-EdgeScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\system32\msra.exe|[email protected],-33003|[email protected],-33006|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-DCOM-In-TCP-NoScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=135|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-33035|[email protected],-33036|[email protected],-33002|
"RemoteAssistance-RAServer-In-TCP-NoScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\raserver.exe|[email protected],-33011|[email protected],-33014|[email protected],-33002|
"RemoteAssistance-PnrpSvc-UDP-In-EdgeScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=3540|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33039|[email protected],-33040|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-In-TCP-EdgeScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=%SystemRoot%\system32\msra.exe|[email protected],-33003|[email protected],-33006|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteDesktop-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|[email protected],-28753|[email protected],-28756|[email protected],-28752|
"WMI-WINMGMT-Out-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34258|[email protected],-34259|[email protected],-34251|
"WMI-WINMGMT-Out-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34258|[email protected],-34259|[email protected],-34251|
"RemoteAssistance-PnrpSvc-UDP-OUT-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33037|[email protected],-33038|[email protected],-33002|
"RemoteAssistance-SSDPSrv-Out-TCP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-33031|[email protected],-33034|[email protected],-33002|
"RemoteAssistance-SSDPSrv-Out-UDP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|RPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33023|[email protected],-33026|[email protected],-33002|
"RemoteAssistance-Out-TCP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\system32\msra.exe|[email protected],-33007|[email protected],-33010|[email protected],-33002|
"RemoteAssistance-RAServer-Out-TCP-NoScope-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\raserver.exe|[email protected],-33015|[email protected],-33018|[email protected],-33002|
"RemoteAssistance-PnrpSvc-UDP-OUT" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33037|[email protected],-33038|[email protected],-33002|
"RemoteAssistance-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|App=%SystemRoot%\system32\msra.exe|[email protected],-33007|[email protected],-33010|[email protected],-33002|
"RemoteDesktop-UserMode-In-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|[email protected],-28776|[email protected],-28777|[email protected],-28752|
"RemoteDesktop-UserMode-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|[email protected],-28775|[email protected],-28756|[email protected],-28752|
"FPS-LLMNR-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-28550|[email protected],-28551|[email protected],-28502|
"FPS-ICMP6-ERQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28546|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28544|[email protected],-28547|[email protected],-28502|
"FPS-NB_Datagram-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=138|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28531|[email protected],-28534|[email protected],-28502|
"FPS-NB_Name-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=137|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28523|[email protected],-28526|[email protected],-28502|
"FPS-SMB-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28515|[email protected],-28518|[email protected],-28502|
"FPS-NB_Session-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=139|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28507|[email protected],-28510|[email protected],-28502|
"FPS-ICMP6-ERQ-Out-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Domain|ICMP6=128:*|[email protected],-28546|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-Out-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Domain|ICMP4=8:*|[email protected],-28544|[email protected],-28547|[email protected],-28502|
"FPS-NB_Datagram-Out-UDP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=138|App=System|[email protected],-28531|[email protected],-28534|[email protected],-28502|
"FPS-NB_Name-Out-UDP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=137|App=System|[email protected],-28523|[email protected],-28526|[email protected],-28502|
"FPS-SMB-Out-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|[email protected],-28515|[email protected],-28518|[email protected],-28502|
"FPS-NB_Session-Out-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=139|App=System|[email protected],-28507|[email protected],-28510|[email protected],-28502|
"{ED2BFF76-380D-4A47-A73D-75A172E6DAD8}" = v2.20|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|App=%ProgramFiles% (x86)\Internet Explorer\iexplore.exe|Name=Internet Explorer|
"{1C5A8952-AEC5-4356-B516-B7FD6DD12E60}" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|RPort=8081|Name=McAfee Agent Logging|
"{B264B256-BCBA-4DDE-A687-C60A8101484A}" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=8081|Name=McAfee Agent Logging|
"CoreNet-IPv6-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=41|App=System|[email protected],-25351|[email protected],-25357|[email protected],-25000|
"CoreNet-IPHTTPS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=IPTLSIn|LPort2_10=IPHTTPSIn|App=System|[email protected],-25426|[email protected],-25428|[email protected],-25000|
"CoreNet-Teredo-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=Teredo|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25326|[email protected],-25332|[email protected],-25000|
"CoreNet-IGMP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=2|App=System|[email protected],-25376|[email protected],-25382|[email protected],-25000|
"CoreNet-ICMP4-DUFRAG-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=3:4|App=System|[email protected],-25251|[email protected],-25257|[email protected],-25000|
"CoreNet-ICMP6-LD-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=132:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25082|[email protected],-25088|[email protected],-25000|
"CoreNet-ICMP6-LR2-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=143:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25075|[email protected],-25081|[email protected],-25000|
"CoreNet-ICMP6-LR-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=131:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25068|[email protected],-25074|[email protected],-25000|
"CoreNet-ICMP6-LQ-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=130:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25061|[email protected],-25067|[email protected],-25000|
"CoreNet-ICMP6-RS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=133:*|App=System|[email protected],-25009|[email protected],-25011|[email protected],-25000|
"CoreNet-ICMP6-RA-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=134:*|RA6=fe80::/64|App=System|[email protected],-25012|[email protected],-25018|[email protected],-25000|
"CoreNet-ICMP6-NDA-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=136:*|App=System|[email protected],-25026|[email protected],-25032|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-NDS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=135:*|App=System|[email protected],-25019|[email protected],-25025|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-PP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=4:*|App=System|[email protected],-25116|[email protected],-25118|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-TE-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=3:*|App=System|[email protected],-25113|[email protected],-25115|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-PTB-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=2:*|[email protected],-25001|[email protected],-25007|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-DU-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=1:*|App=System|[email protected],-25110|[email protected],-25112|[email protected],-25000|Edge=TRUE|
"CoreNet-GP-LSASS-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\lsass.exe|[email protected],-25407|[email protected],-25408|[email protected],-25000|
"CoreNet-DNS-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-25405|[email protected],-25406|[email protected],-25000|
"CoreNet-GP-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|[email protected],-25403|[email protected],-25404|[email protected],-25000|
"CoreNet-GP-NP-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|[email protected],-25401|[email protected],-25401|[email protected],-25000|
"CoreNet-IPv6-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=41|App=System|[email protected],-25352|[email protected],-25358|[email protected],-25000|
"CoreNet-IPHTTPS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort2_10=IPTLSOut|RPort2_10=IPHTTPSOut|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25427|[email protected],-25429|[email protected],-25000|
"CoreNet-Teredo-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25327|[email protected],-25333|[email protected],-25000|
"CoreNet-DHCPV6-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=546|RPort=547|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25305|[email protected],-25306|[email protected],-25000|
"CoreNet-DHCP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25302|[email protected],-25303|[email protected],-25000|
"CoreNet-IGMP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=2|App=System|[email protected],-25377|[email protected],-25382|[email protected],-25000|
"CoreNet-ICMP6-LD-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=132:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25083|[email protected],-25088|[email protected],-25000|
"CoreNet-ICMP6-LR2-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=143:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25076|[email protected],-25081|[email protected],-25000|
"CoreNet-ICMP6-LR-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=131:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25069|[email protected],-25074|[email protected],-25000|
"CoreNet-ICMP6-LQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=130:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25062|[email protected],-25067|[email protected],-25000|
"CoreNet-ICMP6-RS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=133:*|RA4=LocalSubnet|RA6=LocalSubnet|RA6=ff02::2|RA6=fe80::/64|[email protected],-25008|[email protected],-25011|[email protected],-25000|
"CoreNet-ICMP6-RA-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=134:*|LA6=fe80::/64|RA4=LocalSubnet|RA6=LocalSubnet|RA6=ff02::1|RA6=fe80::/64|[email protected],-25013|[email protected],-25018|[email protected],-25000|
"CoreNet-ICMP6-NDA-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=136:*|[email protected],-25027|[email protected],-25032|[email protected],-25000|
"CoreNet-ICMP6-NDS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=135:*|[email protected],-25020|[email protected],-25025|[email protected],-25000|
"CoreNet-ICMP6-PP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=4:*|[email protected],-25117|[email protected],-25118|[email protected],-25000|
"CoreNet-ICMP6-TE-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=3:*|[email protected],-25114|[email protected],-25115|[email protected],-25000|
"CoreNet-ICMP6-PTB-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=2:*|[email protected],-25002|[email protected],-25007|[email protected],-25000|
"RemoteEventLogSvc-RPCSS-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC-EPMap|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|[email protected],-29265|[email protected],-29268|[email protected],-29252|
"RemoteEventLogSvc-NP-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-29257|[email protected],-29260|[email protected],-29252|
"RemoteEventLogSvc-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Eventlog|[email protected],-29253|[email protected],-29256|[email protected],-29252|
"RemoteEventLogSvc-RPCSS-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|[email protected],-29265|[email protected],-29268|[email protected],-29252|
"RemoteEventLogSvc-NP-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|[email protected],-29257|[email protected],-29260|[email protected],-29252|
"RemoteEventLogSvc-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=Eventlog|[email protected],-29253|[email protected],-29256|[email protected],-29252|
"WINRM-HTTP-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=5985|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-30253|[email protected],-30256|[email protected],-30267|
"WINRM-HTTP-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=5985|App=System|[email protected],-30253|[email protected],-30256|[email protected],-30267|
"WINRM-HTTP-Compat-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=80|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-35001|[email protected],-35002|[email protected],-30252|
"WINRM-HTTP-Compat-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=80|App=System|[email protected],-35001|[email protected],-35002|[email protected],-30252|

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
"LogDroppedPackets" = 1
"LogFilePath" = C:\Windows\system32\logfiles\firewall\pfirewall.log -- ()
"LogFileSize" = 16384

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
"LogDroppedPackets" = 1
"LogFilePath" = C:\Windows\system32\logfiles\firewall\pfirewall.log -- ()
"LogFileSize" = 16384

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"Enabled" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
"Sharp AutoConfiguration Module" = C:\Windows\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"Sharp AutoConfiguration Module M453N" = C:\Windows\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"Sharp AutoConfiguration Module M455" = C:\Windows\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"Sharp AutoConfiguration Module M550" = C:\Windows\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"Sharp AutoConfiguration Module M620" = C:\Windows\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"Sharp AutoConfiguration Module M700" = C:\Windows\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"Sharp AutoConfiguration Module M850" = C:\Windows\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module" = %windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"%windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N" = %windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"%windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455" = %windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"%windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550" = %windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"%windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620" = %windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"%windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700" = %windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"%windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850" = %windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance" = %windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance
"%ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise
"%ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"Enabled" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:SCCM Remote Tools" = 135:TCP:*:Enabled:SCCM Remote Tools
"2701:TCP:*:Enabled:SCCM Remote Tools" = 2701:TCP:*:Enabled:SCCM Remote Tools
"2702:TCP:*:Enabled:SCCM Remote Tools" = 2702:TCP:*:Enabled:SCCM Remote Tools
"3389:TCP:*:Enabled:Remote Assistance" = 3389:TCP:*:Enabled:Remote Assistance
"8081:TCP:*:Enabled:McAfee Agent Logging" = 8081:TCP:*:Enabled:McAfee Agent Logging

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging]
"LogDroppedPackets" = 1
"LogSuccessfulConnections" = 0
"LogFilePath" = %systemroot%\system32\LogFiles\Firewall\pfirewall.log -- ()
"LogFileSize" = 16384

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
"PolicyVersion" = 532

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List]
"Sharp AutoConfiguration Module" = C:\Windows\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"Sharp AutoConfiguration Module M453N" = C:\Windows\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"Sharp AutoConfiguration Module M455" = C:\Windows\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"Sharp AutoConfiguration Module M550" = C:\Windows\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"Sharp AutoConfiguration Module M620" = C:\Windows\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"Sharp AutoConfiguration Module M700" = C:\Windows\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"Sharp AutoConfiguration Module M850" = C:\Windows\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module" = %windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"%windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N" = %windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"%windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455" = %windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"%windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550" = %windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"%windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620" = %windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"%windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700" = %windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"%windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850" = %windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance" = %windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance
"%ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:SCCM Remote Tools" = 135:TCP:*:Enabled:SCCM Remote Tools
"2701:TCP:*:Enabled:SCCM Remote Tools" = 2701:TCP:*:Enabled:SCCM Remote Tools
"2702:TCP:*:Enabled:SCCM Remote Tools" = 2702:TCP:*:Enabled:SCCM Remote Tools
"161:UDP:*:Enabled:Dell OMCI" = 161:UDP:*:Enabled:Dell OMCI
"162:UDP:*:Enabled:Dell OMCI" = 162:UDP:*:Enabled:Dell OMCI
"6389:TCP:*:Enabled:Dell OMCI" = 6389:TCP:*:Enabled:Dell OMCI
"443:TCP:*:Enabled:Dell OMCI" = 443:TCP:*:Enabled:Dell OMCI
"3389:TCP:*:Enabled:Remote Assistance" = 3389:TCP:*:Enabled:Remote Assistance
"8081:TCP:*:Enabled:McAfee Agent Logging" = 8081:TCP:*:Enabled:McAfee Agent Logging

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging]
"LogDroppedPackets" = 1
"LogSuccessfulConnections" = 0
"LogFilePath" = %systemroot%\system32\LogFiles\Firewall\pfirewall.log
"LogFileSize" = 16384

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"CoreNet-DHCP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25301|[email protected],-25303|[email protected],-25000|
"CoreNet-DHCPV6-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=546|RPort=547|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25304|[email protected],-25306|[email protected],-25000|
"FPS-LLMNR-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-28548|[email protected],-28549|[email protected],-28502|
"FPS-ICMP6-ERQ-In" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28545|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-In" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28543|[email protected],-28547|[email protected],-28502|
"FPS-RPCSS-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC-EPMap|RA4=LocalSubnet|RA6=LocalSubnet|Svc=Rpcss|[email protected],-28539|[email protected],-28542|[email protected],-28502|
"FPS-SpoolSvc-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|[email protected],-28535|[email protected],-28538|[email protected],-28502|
"FPS-NB_Datagram-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=138|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28527|[email protected],-28530|[email protected],-28502|
"FPS-NB_Name-In-UDP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|LPort=137|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28519|[email protected],-28522|[email protected],-28502|
"FPS-SMB-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28511|[email protected],-28514|[email protected],-28502|
"FPS-NB_Session-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=139|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28503|[email protected],-28506|[email protected],-28502|
"FPS-ICMP6-ERQ-In-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|Profile=Domain|ICMP6=128:*|[email protected],-28545|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-In-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Domain|ICMP4=8:*|[email protected],-28543|[email protected],-28547|[email protected],-28502|
"FPS-RPCSS-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|Svc=Rpcss|[email protected],-28539|[email protected],-28542|[email protected],-28502|
"FPS-SpoolSvc-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|[email protected],-28535|[email protected],-28538|[email protected],-28502|
"FPS-NB_Datagram-In-UDP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=138|App=System|[email protected],-28527|[email protected],-28530|[email protected],-28502|
"FPS-NB_Name-In-UDP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|LPort=137|App=System|[email protected],-28519|[email protected],-28522|[email protected],-28502|
"FPS-SMB-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|[email protected],-28511|[email protected],-28514|[email protected],-28502|
"FPS-NB_Session-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=139|App=System|[email protected],-28503|[email protected],-28506|[email protected],-28502|
"WMI-ASYNC-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\wbem\unsecapp.exe|[email protected],-34256|[email protected],-34257|[email protected],-34251|
"WMI-WINMGMT-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34254|[email protected],-34255|[email protected],-34251|
"WMI-RPCSS-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=135|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-34252|[email protected],-34253|[email protected],-34251|
"WMI-ASYNC-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%systemroot%\system32\wbem\unsecapp.exe|[email protected],-34256|[email protected],-34257|[email protected],-34251|
"WMI-WINMGMT-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34254|[email protected],-34255|[email protected],-34251|
"WMI-RPCSS-In-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=135|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-34252|[email protected],-34253|[email protected],-34251|
"RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=3540|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33039|[email protected],-33040|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-SSDPSrv-In-TCP-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=2869|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33027|[email protected],-33030|[email protected],-33002|
"RemoteAssistance-SSDPSrv-In-UDP-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33019|[email protected],-33022|[email protected],-33002|
"RemoteAssistance-In-TCP-EdgeScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\system32\msra.exe|[email protected],-33003|[email protected],-33006|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-DCOM-In-TCP-NoScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=135|App=%SystemRoot%\system32\svchost.exe|Svc=rpcss|[email protected],-33035|[email protected],-33036|[email protected],-33002|
"RemoteAssistance-RAServer-In-TCP-NoScope-Active" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\raserver.exe|[email protected],-33011|[email protected],-33014|[email protected],-33002|
"RemoteAssistance-PnrpSvc-UDP-In-EdgeScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=3540|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33039|[email protected],-33040|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteAssistance-In-TCP-EdgeScope" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=%SystemRoot%\system32\msra.exe|[email protected],-33003|[email protected],-33006|[email protected],-33002|Edge=TRUE|Defer=App|
"RemoteDesktop-In-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|[email protected],-28753|[email protected],-28756|[email protected],-28752|
"WMI-WINMGMT-Out-TCP" = v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34258|[email protected],-34259|[email protected],-34251|
"WMI-WINMGMT-Out-TCP-NoScope" = v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|[email protected],-34258|[email protected],-34259|[email protected],-34251|
"RemoteAssistance-PnrpSvc-UDP-OUT-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33037|[email protected],-33038|[email protected],-33002|
"RemoteAssistance-SSDPSrv-Out-TCP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-33031|[email protected],-33034|[email protected],-33002|
"RemoteAssistance-SSDPSrv-Out-UDP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|Profile=Private|RPort=1900|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Ssdpsrv|[email protected],-33023|[email protected],-33026|[email protected],-33002|
"RemoteAssistance-Out-TCP-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\system32\msra.exe|[email protected],-33007|[email protected],-33010|[email protected],-33002|
"RemoteAssistance-RAServer-Out-TCP-NoScope-Active" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\raserver.exe|[email protected],-33015|[email protected],-33018|[email protected],-33002|
"RemoteAssistance-PnrpSvc-UDP-OUT" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Public|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|[email protected],-33037|[email protected],-33038|[email protected],-33002|
"RemoteAssistance-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Public|App=%SystemRoot%\system32\msra.exe|[email protected],-33007|[email protected],-33010|[email protected],-33002|
"RemoteDesktop-UserMode-In-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|[email protected],-28776|[email protected],-28777|[email protected],-28752|
"RemoteDesktop-UserMode-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=%SystemRoot%\system32\svchost.exe|Svc=termservice|[email protected],-28775|[email protected],-28756|[email protected],-28752|
"FPS-LLMNR-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=5355|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-28550|[email protected],-28551|[email protected],-28502|
"FPS-ICMP6-ERQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Private|Profile=Public|ICMP6=128:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28546|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Private|Profile=Public|ICMP4=8:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-28544|[email protected],-28547|[email protected],-28502|
"FPS-NB_Datagram-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=138|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28531|[email protected],-28534|[email protected],-28502|
"FPS-NB_Name-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|Profile=Public|RPort=137|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28523|[email protected],-28526|[email protected],-28502|
"FPS-SMB-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28515|[email protected],-28518|[email protected],-28502|
"FPS-NB_Session-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|Profile=Public|RPort=139|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-28507|[email protected],-28510|[email protected],-28502|
"FPS-ICMP6-ERQ-Out-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|Profile=Domain|ICMP6=128:*|[email protected],-28546|[email protected],-28547|[email protected],-28502|
"FPS-ICMP4-ERQ-Out-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=1|Profile=Domain|ICMP4=8:*|[email protected],-28544|[email protected],-28547|[email protected],-28502|
"FPS-NB_Datagram-Out-UDP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=138|App=System|[email protected],-28531|[email protected],-28534|[email protected],-28502|
"FPS-NB_Name-Out-UDP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Domain|RPort=137|App=System|[email protected],-28523|[email protected],-28526|[email protected],-28502|
"FPS-SMB-Out-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|[email protected],-28515|[email protected],-28518|[email protected],-28502|
"FPS-NB_Session-Out-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=139|App=System|[email protected],-28507|[email protected],-28510|[email protected],-28502|
"{ED2BFF76-380D-4A47-A73D-75A172E6DAD8}" = v2.20|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|App=%ProgramFiles% (x86)\Internet Explorer\iexplore.exe|Name=Internet Explorer|
"{1C5A8952-AEC5-4356-B516-B7FD6DD12E60}" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|Profile=Private|RPort=8081|Name=McAfee Agent Logging|
"{B264B256-BCBA-4DDE-A687-C60A8101484A}" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=8081|Name=McAfee Agent Logging|
"CoreNet-IPv6-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=41|App=System|[email protected],-25351|[email protected],-25357|[email protected],-25000|
"CoreNet-IPHTTPS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort2_10=IPTLSIn|LPort2_10=IPHTTPSIn|App=System|[email protected],-25426|[email protected],-25428|[email protected],-25000|
"CoreNet-Teredo-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=Teredo|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25326|[email protected],-25332|[email protected],-25000|
"CoreNet-IGMP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=2|App=System|[email protected],-25376|[email protected],-25382|[email protected],-25000|
"CoreNet-ICMP4-DUFRAG-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=1|ICMP4=3:4|App=System|[email protected],-25251|[email protected],-25257|[email protected],-25000|
"CoreNet-ICMP6-LD-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=132:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25082|[email protected],-25088|[email protected],-25000|
"CoreNet-ICMP6-LR2-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=143:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25075|[email protected],-25081|[email protected],-25000|
"CoreNet-ICMP6-LR-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=131:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25068|[email protected],-25074|[email protected],-25000|
"CoreNet-ICMP6-LQ-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=130:*|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-25061|[email protected],-25067|[email protected],-25000|
"CoreNet-ICMP6-RS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=133:*|App=System|[email protected],-25009|[email protected],-25011|[email protected],-25000|
"CoreNet-ICMP6-RA-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=134:*|RA6=fe80::/64|App=System|[email protected],-25012|[email protected],-25018|[email protected],-25000|
"CoreNet-ICMP6-NDA-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=136:*|App=System|[email protected],-25026|[email protected],-25032|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-NDS-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=135:*|App=System|[email protected],-25019|[email protected],-25025|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-PP-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=4:*|App=System|[email protected],-25116|[email protected],-25118|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-TE-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=3:*|App=System|[email protected],-25113|[email protected],-25115|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-PTB-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=2:*|[email protected],-25001|[email protected],-25007|[email protected],-25000|Edge=TRUE|
"CoreNet-ICMP6-DU-In" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=1:*|App=System|[email protected],-25110|[email protected],-25112|[email protected],-25000|Edge=TRUE|
"CoreNet-GP-LSASS-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\lsass.exe|[email protected],-25407|[email protected],-25408|[email protected],-25000|
"CoreNet-DNS-Out-UDP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|RPort=53|App=%SystemRoot%\system32\svchost.exe|Svc=dnscache|[email protected],-25405|[email protected],-25406|[email protected],-25000|
"CoreNet-GP-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|[email protected],-25403|[email protected],-25404|[email protected],-25000|
"CoreNet-GP-NP-Out-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Domain|RPort=445|App=System|[email protected],-25401|[email protected],-25401|[email protected],-25000|
"CoreNet-IPv6-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=41|App=System|[email protected],-25352|[email protected],-25358|[email protected],-25000|
"CoreNet-IPHTTPS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|RPort2_10=IPTLSOut|RPort2_10=IPHTTPSOut|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25427|[email protected],-25429|[email protected],-25000|
"CoreNet-Teredo-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|App=%SystemRoot%\system32\svchost.exe|Svc=iphlpsvc|[email protected],-25327|[email protected],-25333|[email protected],-25000|
"CoreNet-DHCPV6-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=546|RPort=547|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25305|[email protected],-25306|[email protected],-25000|
"CoreNet-DHCP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|[email protected],-25302|[email protected],-25303|[email protected],-25000|
"CoreNet-IGMP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=2|App=System|[email protected],-25377|[email protected],-25382|[email protected],-25000|
"CoreNet-ICMP6-LD-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=132:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25083|[email protected],-25088|[email protected],-25000|
"CoreNet-ICMP6-LR2-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=143:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25076|[email protected],-25081|[email protected],-25000|
"CoreNet-ICMP6-LR-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=131:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25069|[email protected],-25074|[email protected],-25000|
"CoreNet-ICMP6-LQ-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=130:*|RA4=LocalSubnet|RA6=LocalSubnet|[email protected],-25062|[email protected],-25067|[email protected],-25000|
"CoreNet-ICMP6-RS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=133:*|RA4=LocalSubnet|RA6=LocalSubnet|RA6=ff02::2|RA6=fe80::/64|[email protected],-25008|[email protected],-25011|[email protected],-25000|
"CoreNet-ICMP6-RA-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=134:*|LA6=fe80::/64|RA4=LocalSubnet|RA6=LocalSubnet|RA6=ff02::1|RA6=fe80::/64|[email protected],-25013|[email protected],-25018|[email protected],-25000|
"CoreNet-ICMP6-NDA-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=136:*|[email protected],-25027|[email protected],-25032|[email protected],-25000|
"CoreNet-ICMP6-NDS-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=135:*|[email protected],-25020|[email protected],-25025|[email protected],-25000|
"CoreNet-ICMP6-PP-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=4:*|[email protected],-25117|[email protected],-25118|[email protected],-25000|
"CoreNet-ICMP6-TE-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=3:*|[email protected],-25114|[email protected],-25115|[email protected],-25000|
"CoreNet-ICMP6-PTB-Out" = v2.20|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=2:*|[email protected],-25002|[email protected],-25007|[email protected],-25000|
"RemoteEventLogSvc-RPCSS-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC-EPMap|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|[email protected],-29265|[email protected],-29268|[email protected],-29252|
"RemoteEventLogSvc-NP-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=445|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-29257|[email protected],-29260|[email protected],-29252|
"RemoteEventLogSvc-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\svchost.exe|Svc=Eventlog|[email protected],-29253|[email protected],-29256|[email protected],-29252|
"RemoteEventLogSvc-RPCSS-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC-EPMap|App=%SystemRoot%\system32\svchost.exe|Svc=RPCSS|[email protected],-29265|[email protected],-29268|[email protected],-29252|
"RemoteEventLogSvc-NP-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=445|App=System|[email protected],-29257|[email protected],-29260|[email protected],-29252|
"RemoteEventLogSvc-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\svchost.exe|Svc=Eventlog|[email protected],-29253|[email protected],-29256|[email protected],-29252|
"WINRM-HTTP-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=5985|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-30253|[email protected],-30256|[email protected],-30267|
"WINRM-HTTP-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=5985|App=System|[email protected],-30253|[email protected],-30256|[email protected],-30267|
"WINRM-HTTP-Compat-In-TCP" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=80|RA4=LocalSubnet|RA6=LocalSubnet|App=System|[email protected],-35001|[email protected],-35002|[email protected],-30252|
"WINRM-HTTP-Compat-In-TCP-NoScope" = v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|LPort=80|App=System|[email protected],-35001|[email protected],-35002|[email protected],-30252|

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging]
"LogDroppedPackets" = 1
"LogFilePath" = C:\Windows\system32\logfiles\firewall\pfirewall.log
"LogFileSize" = 16384

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging]
"LogDroppedPackets" = 1
"LogFilePath" = C:\Windows\system32\logfiles\firewall\pfirewall.log
"LogFileSize" = 16384

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"DisableUnicastResponsesToMulticastBroadcast" = 1
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List]
"Sharp AutoConfiguration Module" = C:\Windows\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"Sharp AutoConfiguration Module M453N" = C:\Windows\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"Sharp AutoConfiguration Module M455" = C:\Windows\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"Sharp AutoConfiguration Module M550" = C:\Windows\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"Sharp AutoConfiguration Module M620" = C:\Windows\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"Sharp AutoConfiguration Module M700" = C:\Windows\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"Sharp AutoConfiguration Module M850" = C:\Windows\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module" = %windir%\system32\spool\drivers\w32x86\3\SH2EACFM.exe:*:Enabled:Sharp AutoConfiguration Module
"%windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N" = %windir%\system32\spool\drivers\w32x86\3\SR0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M453N
"%windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455" = %windir%\system32\spool\drivers\w32x86\3\SH5EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M455
"%windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550" = %windir%\system32\spool\drivers\w32x86\3\SJ0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M550
"%windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620" = %windir%\system32\spool\drivers\w32x86\3\SN0HACFM.exe:*:Enabled:Sharp AutoConfiguration Module M620
"%windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700" = %windir%\system32\spool\drivers\w32x86\3\SJ1EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M700
"%windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850" = %windir%\system32\spool\drivers\w32x86\3\SP0EACFM.exe:*:Enabled:Sharp AutoConfiguration Module M850
"%windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance" = %windir%\PCHealth\HelpCtr\Binaries\Helpsvc.exe:*:Enabled:Windows Remote Assistance
"%ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles(x86)%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer" = %ProgramFiles%\Configuration Manager 2007\AdminUI\bin\i386\statview.exe:*:Enabled:ConfigMgr Utility - Status Message Viewer
"%ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles(x86)%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise" = %ProgramFiles%\Real\Realplayer Enterprise\realplay.exe:*:Enabled:RealPlayer Enterprise -- (RealNetworks, Inc.)
"%ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\java.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre7\bin\javaw.exe:*:Enabled:Java Runtime Environment -- (Oracle Corporation)
"%ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles(x86)%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\java.exe:*:Enabled:Java Runtime Environment
"%ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment" = %ProgramFiles%\Java\jre6\bin\javaw.exe:*:Enabled:Java Runtime Environment

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts]
"Enabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"135:TCP:*:Enabled:SCCM Remote Tools" = 135:TCP:*:Enabled:SCCM Remote Tools
"2701:TCP:*:Enabled:SCCM Remote Tools" = 2701:TCP:*:Enabled:SCCM Remote Tools
"2702:TCP:*:Enabled:SCCM Remote Tools" = 2702:TCP:*:Enabled:SCCM Remote Tools
"3389:TCP:*:Enabled:Remote Assistance" = 3389:TCP:*:Enabled:Remote Assistance
"8081:TCP:*:Enabled:McAfee Agent Logging" = 8081:TCP:*:Enabled:McAfee Agent Logging

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings]
"AllowOutboundDestinationUnreachable" = 0
"AllowOutboundSourceQuench" = 0
"AllowRedirect" = 0
"AllowInboundEchoRequest" = 1
"AllowInboundRouterRequest" = 0
"AllowOutboundTimeExceeded" = 0
"AllowOutboundParameterProblem" = 0
"AllowInboundTimestampRequest" = 0
"AllowInboundMaskRequest" = 0
"AllowOutboundPacketTooBig" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging]
"LogDroppedPackets" = 1
"LogSuccessfulConnections" = 0
"LogFilePath" = %systemroot%\system32\LogFiles\Firewall\pfirewall.log
"LogFileSize" = 16384

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint]
"Enabled" = 1
"RemoteAddresses" = 163.234.31.1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled" = 1
"RemoteAddresses" = *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2AABB83A-C572-4FCC-A482-2BB9C322A91F}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
"{FE0E2202-6C9B-40E8-A849-8A209A6E0F66}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{06C7E377-8A36-40DF-8090-7C6B1B209259}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{1180BE89-849C-4375-93D3-09F367204D29}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe |
"{284CFFD0-30C0-4546-86F8-6F38DF9D4133}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{5B129B27-D469-4BB2-BE84-6A884C533229}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe |
"{8978D80E-547B-4F20-95A7-1EA97D1F7287}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{8FD1F39F-F6EC-4D38-AC20-671DDCEF8744}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{9564810C-44E1-418C-AD0F-D061A49D8A12}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe |
"{B302BD73-522A-4B55-9B2B-EA58CAD0D4B9}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe |
"{B4AF1D53-220A-47CD-8CE0-CD1F21F0F453}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe |
"{B9A9F625-8B4C-40D6-8926-916BEB292659}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{EA7F0A00-3015-49AA-8E40-4E7738209012}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |
"{FF4FC7AB-D416-484B-BF24-AEBFCF08A62F}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\live meeting 8\console\pwconsole.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{129C5584-DB98-4A98-B28F-299C45E1E355}" = Microsoft Camera Codec Pack
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{22859902-78CE-40B0-9429-6FE7A00BBF85}" = NMAS Client
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{26A24AE4-039D-4CA4-87B4-2F86417011FF}" = Java 7 Update 11 (64-bit)
"{54031C8D-F80D-47BB-B3CA-5E9BD7750C27}" = NMAS Challenge Response Method
"{559D2B32-5066-4762-A2F2-52831AC6F67B}" = NICI (64 bit)
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{D390C5DD-9312-4F70-B3B1-4EAE635CDA17}" = Dell OpenManage Client Instrumentation
"{E20B2752-0909-4B28-B8A9-A9BE519CA1A1}" = Microsoft Online Services Sign-in Assistant
"{ECF3E482-9188-4e29-9C31-E02FD8DC74C0}" = HP Color LaserJet CM2320 MFP Series 3.1
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{FF21C3E6-97FD-474F-9518-8DCBE94C2854}" = 64 Bit HP CIO Components Installer
"CutePDF Writer Installation" = CutePDF Writer 2.8
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Novell Client for Windows" = Novell Client for Windows
"Novell iPrint Client" = Novell iPrint Client v05.82.00
"Shop for HP Supplies" = Shop for HP Supplies
"VLC media player" = VLC media player 2.0.1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B8FA866-D2B9-45EA-928D-61CF32735427}" = hppPQVideoCM2320
"{0E218077-0341-4C54-AA23-6D06F3F6C416}" = Gen8 Runtime
"{1FC42DB5-92A2-4A9B-9A11-226F3E5AA241}" = Crystal Reports ActiveX Viewer XI
"{24495227-1B47-4D55-AC27-167B6BC3FF73}" = hppScanToCM2320
"{25F2AB39-E3DD-4CD7-8697-E98CF27BA1F1}" = Adobe Flash Player 11 ActiveX
"{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
"{26A24AE4-039D-4CA4-87B4-2F83217017FF}" = Java 7 Update 17
"{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}" = McAfee Agent
"{339A691B-3DBE-4310-B3D2-1192863CF4C4}" = Central Registry 8_0 - Prod - Main Menu - Regions
"{501E4F62-257C-4FCE-960C-ABA85DC60AB0}" = hppTLBXFXCM2320
"{511CA535-9CB1-4128-A30C-5F4C5D4AB848}" = hppFaxUtilityCM2320
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{5A2133A0-D9F3-49EA-ADB5-41634F6DB9E9}" = CCEDS 8_0 - Prod - Main Menu
"{5A6A811B-87D8-4156-B58E-25FB59587BA4}" = Crystal ActiveX Report Viewer Control
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6883DDA6-867E-4F63-9D5E-8F53FD40CDF4}" = Adobe Shockwave Player 11.6
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{77697747-7567-428D-8394-2287586F6974}" = hppusgCM2320
"{80B70B4B-C90C-4938-A956-76F5021DE412}" = Cisco DART
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{E47453AD-3CD6-40D0-A78B-AE906C8EE127}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUS_{967EF02C-5C7E-4718-8FCB-BDC050190CCF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002A-0409-1000-0000000FF1CE}_Office14.PROPLUS_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0116-0409-1000-0000000FF1CE}_Office14.PROPLUS_{D6C6B46A-6CE1-4561-84A0-EFD58B8AB979}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{97486FBE-A3FC-4783-8D55-EA37E9D171CC}" = HP Update
"{995F2783-8311-49BF-833E-DB659774B4F6}" = hppFonts
"{99EE30D2-A7EA-486C-9AD4-57C8583375BF}" = hppSendFaxCM2320
"{A7285D92-27EE-4D91-AB57-5EF326B572C6}" = hpzTLBXFX
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-1033-F400-7760-000000000005}" = Adobe Acrobat X Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AE7C40B6-9C6D-4022-B017-A41A6B7FA4D3}" = hppManualsCM2320
"{B226235F-51A4-4090-B5DB-5482A28D1B0F}" = hppFaxDrvCM2320
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}" = McAfee VirusScan Enterprise
"{CE6ED5AE-4F78-4B50-ADA5-A8F24DBDC673}" = Cisco AnyConnect VPN Client
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D32B674B-9168-47F7-814B-DD8EC52F0453}" = CID 8_0 - Prod - Main Menu
"{D371F551-0DB9-4CEC-844B-4C90CE91EA0B}" = hppLaserJetService
"{D8FA588E-7CDC-43B0-ABAC-48F0EF736734}" = UTLite33
"{DD7D788B-D6C2-4CB1-AACC-8614D6C21D7C}" = hppCLJCM2320
"{E19011A1-7833-4027-B201-EC1BD8979742}" = AllFusionGen 8_0 - Prod - Change Password
"{E30E7561-A466-4393-B8BF-FD93E733EF3C}" = Microsoft Office Live Meeting 2007
"{F02DBC5D-33E3-45E9-B0F8-B7745229ED1C}" = NICI (Shared) U.S./Worldwide (128 bit) (2.7.6-1)
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FF841249-0D6B-41D7-8013-953EE3A33263}" = hppQFolderCM2320
"FileZilla Client" = FileZilla Client 3.5.3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Picasa 3" = Picasa 3
"RealPlayer 6.0" = RealPlayer Enterprise
"TrueCrypt" = TrueCrypt
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 2/22/2013 2:38:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/22/2013 2:39:08 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/22/2013 2:43:15 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/22/2013 2:44:43 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/22/2013 2:45:02 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = MsiInstaller | ID = 1013
Description =

Error - 2/22/2013 3:18:53 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/22/2013 3:55:34 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Microsoft-Windows-CAPI2 | ID = 4101
Description = Failed auto update retrieval of third-party root certificate from:
<http://ctldl.windows...CD2EFC6666.crt>
with error: This operation returned because the timeout period expired. .

Error - 2/26/2013 12:22:53 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/26/2013 2:35:06 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

Error - 2/26/2013 2:43:45 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = WinMgmt | ID = 10
Description =

[ Cisco AnyConnect VPN Client Events ]
Error - 4/16/2013 12:09:29 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::internalCallbackHandler File: .\MainThread.cpp
Line:
5077 Invoked Function: CMainThread::noticeHandler Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 12:09:29 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::callbackHandler File: .\MainThread.cpp Line:
5003 Invoked Function: internalCallbackHandler Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:27:34 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CIPv4ChangeRouteHelper::FindBestRoute File: .\IPv4ChangeRouteHelper.cpp
Line:
2484 Invoked Function: CIPv4RouteTable::FindMatchingRoute Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:27:34 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CRouteMgr::UpdatePublicAddress File: .\RouteMgr.cpp Line:
2188 Invoked Function: CChangeRouteTable::FindBestRouteInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:27:34 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::applyHostConfigForNoVpn File: .\MainThread.cpp
Line:
7578 Invoked Function: CHostConfigMgr::DeterminePublicInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:27:34 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::MainLoop File: .\MainThread.cpp Line: 325 Invoked
Function: CMainThread::applyHostConfigForNoVpn Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:57:03 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CIPv4ChangeRouteHelper::FindBestRoute File: .\IPv4ChangeRouteHelper.cpp
Line:
2484 Invoked Function: CIPv4RouteTable::FindMatchingRoute Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:57:03 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CRouteMgr::UpdatePublicAddress File: .\RouteMgr.cpp Line:
2188 Invoked Function: CChangeRouteTable::FindBestRouteInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:57:03 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::applyHostConfigForNoVpn File: .\MainThread.cpp
Line:
7578 Invoked Function: CHostConfigMgr::DeterminePublicInterface Return Code: -33095647
(0xFE070021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED

Error - 4/16/2013 3:57:03 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = vpnagent | ID = 67108866
Description = Function: CMainThread::MainLoop File: .\MainThread.cpp Line: 325 Invoked
Function: CMainThread::applyHostConfigForNoVpn Return Code: -33095647 (0xFE070021)
Description:
ROUTETABLE_ERROR_GETBESTROUTE_FAILED

[ System Events ]
Error - 4/15/2013 5:28:05 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:28:05 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:30:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:30:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:30:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:35:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:35:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:35:13 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:37:19 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

Error - 4/15/2013 5:37:19 PM | Computer Name = PC048453.ms.tnrcc.state.tx.us | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1068

< End of report >

Edited by kawasmi247, 16 April 2013 - 03:06 PM.

#2
gringo_pr

Posted 16 April 2013 - 03:52 PM

Trusted Helper

Malware Removal
7,268 posts

Hello kawasmi247

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
Quit all programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator to start"
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop
Exit/Close RogueKiller+

Gringo

#3
kawasmi247

Posted 16 April 2013 - 04:30 PM

New Member

Topic Starter
Member
9 posts

Thank you Gringo for helping me get through this. I followed your instructions and the problem of the google redirect still persists.

Also, I want to note that during the RogueKillerX64 scan an internet explorer window popped up to downlood some rootkit and requested to download adobe flash player. Also, on the actual RogueKillerX64 program, an exclamation mark inside a red triangle followed by the word ZeroAccess kept flashing under the roguekiller triangle symbol. The RogueKillerX64 program spat out 2 reports so I included both in this reply.

Here are the logs/reports:

Results of screen317's Security Check version 0.99.62
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee VirusScan Enterprise
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise mfeann.exe
McAfee VirusScan Enterprise SHSTAT.EXE
Malwarebytes' Anti-Malware mbamscheduler.exe
Common Files Microsoft Shared Microsoft Online Services smss.exe -?-
Common Files Microsoft Shared Microsoft Online Services MSOIDSVC.EXE
Common Files Microsoft Shared Microsoft Online Services MSOIDSvcm.exe
Common Files Microsoft Shared Microsoft Online Services -?-
Common Files Microsoft Shared Microsoft Online Services audiodg.exe -?-
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 10%
````````````````````End of Log``````````````````````

# AdwCleaner v2.200 - Logfile created 04/16/2013 at 17:08:21
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (64 bits)
# User : MKawasmi - PC048453
# Boot Mode : Normal
# Running from : C:\Users\mkawasmi\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [646 octets] - [16/04/2013 17:07:33]
AdwCleaner[S1].txt - [578 octets] - [16/04/2013 17:08:21]

########## EOF - C:\AdwCleaner[S1].txt - [637 octets] ##########

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : MKawasmi [Admin rights]
Mode : Scan -- Date : 04/16/2013 17:19:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : logiosk (rundll32 "C:\Windows\regikmgr.dll",CreateProcessNotify) [x] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-734690479-1344892132-312552118-34155[...]\Run : logiosk (rundll32 "C:\Windows\regikmgr.dll",CreateProcessNotify) [x] -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-734690479-1344892132-312552118-34155\$5315fe5ab433554d17e13e2f34f1edf9\n.) [x] -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST980313AS +++++
--- User ---
[MBR] ff6c802b2b080c1f3155854f866035f4
[BSP] 4c9fd1fd61e69ec9fabbe18b82943873 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 76017 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04162013_02d1719.txt >>
RKreport[1]_S_04162013_02d1719.txt

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo...13-roguekiller/
Website : http://tigzy.geeksto...roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : MKawasmi [Admin rights]
Mode : Remove -- Date : 04/16/2013 17:21:24
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : logiosk (rundll32 "C:\Windows\regikmgr.dll",CreateProcessNotify) [x] -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-734690479-1344892132-312552118-34155\$5315fe5ab433554d17e13e2f34f1edf9\n.) [x] -> REPLACED (C:\Windows\system32\shell32.dll)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST980313AS +++++
--- User ---
[MBR] ff6c802b2b080c1f3155854f866035f4
[BSP] 4c9fd1fd61e69ec9fabbe18b82943873 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 300 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 616448 | Size: 76017 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_04162013_02d1721.txt >>
RKreport[1]_S_04162013_02d1719.txt ; RKreport[2]_D_04162013_02d1721.txt

#4
gringo_pr

Posted 16 April 2013 - 07:21 PM

Trusted Helper

Malware Removal
7,268 posts

Hello kawasmi247

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

#5
kawasmi247

Posted 17 April 2013 - 08:00 AM

New Member

Topic Starter
Member
9 posts

I am unable to disable the McAfee antivirus due to the user interface being locked down and it requires a password that I don't have to unlock it. I attempted to run combofix in safe mode thinking that the antivirus software would not load if I booted in safemode. Combofix alerted me that it was still running. Is there an alternative route we can take or a way to bypass or prevent the antivirus from loading? I'm attempting to get the password but there are no guarantees that this will happen.

Moe

#6
kawasmi247

Posted 17 April 2013 - 08:22 AM

New Member

Topic Starter
Member
9 posts

Ok I got the password and I am going to run Combofix now. I will repost with the log as soon as this task is completed.

#7
kawasmi247

Posted 17 April 2013 - 09:55 AM

New Member

Topic Starter
Member
9 posts

Gringo,

I finally got combofix to run after disabling my antivirus software. It took waaaaaay longer than the approximate 10 minutes it suggested and I had to restart because I was getting that error message of registry value marked for deletion after it completed. However, after I restarted the computer, I accessed google search and did not get redirected! So as far as I can tell, everything is now back to normal. The combofix log is provided below. I will still monitor this thread in the event you determine there is still malware present from the log results.

ComboFix 13-04-17.01 - MKawasmi 04/17/2013 9:30.1.2 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2003.1032 [GMT -5:00]
Running from: c:\users\mkawasmi\Desktop\Combofix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-03-17 to 2013-04-17 )))))))))))))))))))))))))))))))
.
.
2013-04-17 15:10 . 2013-04-17 15:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-16 21:41 . 2013-04-16 21:41 -------- d-----w- C:\_OTM
2013-04-16 21:16 . 2013-04-16 21:20 -------- d-----w- c:\windows\system32\appmgmt
2013-04-12 20:43 . 2013-04-12 20:43 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\Malwarebytes
2013-04-12 20:42 . 2013-04-12 20:42 -------- d-----w- c:\programdata\Malwarebytes
2013-04-12 20:42 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-12 20:42 . 2013-04-12 20:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-04-12 19:51 . 2013-04-12 19:51 -------- d-----w- c:\users\mkawasmi\AppData\Local\Programs
2013-04-12 18:29 . 2013-04-12 18:29 71168 ---ha-w- c:\windows\system32\regikmgr64.dll
2013-04-12 18:28 . 2013-04-16 16:14 -------- d-----w- C:\Quarantine
2013-04-12 18:28 . 2013-04-12 18:28 -------- d-----w- c:\windows\Sun
2013-04-02 21:19 . 2013-04-02 21:19 -------- d-----w- c:\users\mkawasmi\AppData\Local\CutePDF Writer
2013-04-01 17:55 . 2013-04-01 18:00 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\vlc
2013-03-19 21:53 . 2013-03-26 22:04 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\HpUpdate
2013-03-19 21:53 . 2013-03-19 21:53 -------- d-----w- c:\windows\Hewlett-Packard
2013-03-19 13:31 . 2013-03-19 13:31 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 17:31 . 2013-02-22 18:52 99352 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2013-04-02 17:31 . 2013-02-22 18:52 101200 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-02 17:31 . 2013-02-22 18:52 303464 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-04-02 17:31 . 2013-02-22 18:52 170440 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-02 17:31 . 2013-02-22 18:52 274880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-02 17:31 . 2013-02-22 18:52 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-02 17:31 . 2013-02-22 18:52 665768 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-02 17:31 . 2013-02-22 18:52 160952 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-02 17:31 . 2013-02-22 18:52 75656 ----a-w- c:\windows\SysWow64\MfeOtlkAddin.dll
2013-04-02 17:31 . 2013-02-22 18:52 23112 ----a-w- c:\windows\SysWow64\MFEOtlk.dll
2013-03-20 14:02 . 2013-02-22 18:50 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-20 14:02 . 2013-02-22 18:50 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-05 19:17 . 2013-03-05 19:17 608 --sha-w- c:\windows\system32\winzvprt5.sys
2013-02-26 21:12 . 2013-02-26 21:12 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2013-02-22 19:24 . 2011-08-01 16:58 18160 ----a-w- c:\programdata\Microsoft\MSOIdentityCRL\production\msoidconfig.dll
2013-02-22 18:50 . 2013-02-22 18:50 960416 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-22 18:50 . 2013-02-22 18:50 308640 ----a-w- c:\windows\system32\javaws.exe
2013-02-22 18:50 . 2013-02-22 18:50 1081760 ----a-w- c:\windows\system32\npDeployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2013-02-26 1516496]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Cisco User Tracking"="c:\windows\SysWOW64\UTLite33.exe" [2005-12-27 172098]
"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2013-02-22 180224]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2012-08-15 215656]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"HPUsageTracking"="c:\program files (x86)\HP\HP UT\bin\hppusg.exe" [2009-05-11 24576]
"ToolBoxFX"="c:\program files (x86)\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2009-10-22 53248]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 1 (0x1)
"ReportControllerMissing"= 1 (0x1)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli iPrntWinCredMan
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u msoidssp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-04-02 101200]
R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\drivers\nvstusb.sys [2012-05-15 398656]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [2009-10-23 60416]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys [2009-10-23 80896]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2009-10-23 55808]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 88960]
R3 tcm;tcm;c:\windows\system32\drivers\tcm.sys [2009-10-23 17048]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-01 1255736]
R3 WQ_USBCBAF;WiQuest Class Cable Association driver;c:\windows\system32\drivers\WQ_cba.sys [2009-10-23 55352]
R3 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\WQ_dwa.sys [2009-10-23 186936]
R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2009-10-23 285240]
R3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2009-10-23 55352]
R3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2009-10-23 136248]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-04-02 303464]
S0 NCFilter;Novell UNC Filter - Filter;c:\windows\system32\DRIVERS\NCFilter.sys [2012-07-13 112256]
S0 NCRecognizer;Novell UNC Filter - Recognizer;c:\windows\system32\DRIVERS\NCRecognizer.sys [2012-07-13 119936]
S0 NCUncFilter;Novell UNC Filter - UNC Filter;c:\windows\system32\DRIVERS\NCUncFilter.sys [2012-07-13 26240]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe [2009-10-23 89600]
S2 dcevt64;DSM SA Event Manager;c:\program files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe [2012-01-16 222144]
S2 dcstor64;DSM SA Data Manager;c:\program files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe [2012-01-16 293824]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2009-06-01 136192]
S2 iprntsrv;Novell iPrint Service;c:\windows\system32\iprntsrv.exe [2012-04-25 55296]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-04-02 170440]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]
S2 NCFSD;Novell Client File System Redirector;c:\program files\Novell\Client\XTier\Drivers\ncfsd.sys [2012-07-13 108672]
S2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\Novell\Client\XTier\Drivers\ncioctl.sys [2012-07-13 90240]
S2 NovEAP;NovEAP;c:\windows\System32\svchost.exe [2011-03-01 27648]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-02-01 604408]
S2 XTSvcMgr;Novell XTier Service Manager;c:\program files\Novell\Client\XTier\Services\XTSvcMgr.exe [2012-07-13 20096]
S3 dcdbas;System Management Driver;c:\windows\system32\DRIVERS\dcdbas64.sys [2010-10-21 38472]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-10-23 138752]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [2009-10-23 5435904]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - nciom
*Deregistered* - ncp
*Deregistered* - ncpl
*Deregistered* - ndm
*Deregistered* - ndmndap
*Deregistered* - niam
*Deregistered* - nipctl
*Deregistered* - nscm
*Deregistered* - nsns
*Deregistered* - nsvccost
*Deregistered* - xtxplat
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iPrint Tray"="TCTL.EXE TRAY_ICON" [X]
"HP Color LaserJet CM2320 MFP Series Fax"="TERSRV.EXE HP COLOR LASERJET CM2320 MFP SERIES FAX" [X]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-10-23 450048]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NovEAP
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://home.tceq.state.tx.us/internal
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: state.tx.us\*.tceq
Trusted Zone: state.tx.us\*.tnrcc
Trusted Zone: state.tx.us\mx7prd.tceq
Trusted Zone: state.tx.us\tceq-aav-mpegp1.tceq
Trusted Zone: texas.gov\tceq-aav-mpegp1.tceq
Trusted Zone: texas.gov\vpn.tceq
Trusted Zone: state.tx.us\reportsprd.tceq
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://reportsprd.tceq.state.tx.us/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-MRINonce - c:\windows\system32\regikmgr64.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-HPPQVideo - c:\program files (x86)\HP\ScheduledLaunch\HP Color LaserJet CM2320 MFP Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CM2320_MFP_Series -f PQOptimizerVideo.xml
SafeBoot-14545645.sys
Toolbar-Locked - (no file)
HKLM-Run-Apoint - T.EXE
HKLM-Run-IgfxTray - DOWS\SYSTEM32\IGFXTRAY.EXE
HKLM-Run-HotKeysCmds - DOWS\SYSTEM32\HKCMD.EXE
HKLM-Run-Persistence - DOWS\SYSTEM32\IGFXPERS.EXE
HKLM-Run-NWTRAY - WTRAY.EXE
HKLM-Run-iPrint Event Monitor - .EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-734690479-1344892132-312552118-34155\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*µ]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-734690479-1344892132-312552118-34155\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*µ\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\windows\SysWOW64\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2013-04-17 10:36:32 - machine was rebooted
ComboFix-quarantined-files.txt 2013-04-17 15:36
.
Pre-Run: 40,868,962,304 bytes free
Post-Run: 40,197,787,648 bytes free
.
- - End Of File - - 5B3FE3B97AC2A3F5B37FAAA6676C2AD9

#8
gringo_pr

Posted 17 April 2013 - 11:54 AM

Trusted Helper

Malware Removal
7,268 posts

Hello kawasmi247

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\regikmgr64.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

#9
kawasmi247

Posted 17 April 2013 - 04:02 PM

New Member

Topic Starter
Member
9 posts

I did not encounter any problems running combofix this time. The computer did not need to restart. I am not experiencing any of the symptoms that I have been previously since the first time combofix was successfully ran. It appears, at this time, that everything is in order and working as it has previously. Thank you for your continued efforts to resolve my google redirect issues. Below is the report:

ComboFix 13-04-17.01 - MKawasmi 04/17/2013 16:09:09.2.2 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2003.873 [GMT -5:00]
Running from: c:\users\mkawasmi\Desktop\Combofix.exe
Command switches used :: c:\users\mkawasmi\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\regikmgr64.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\regikmgr64.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-03-17 to 2013-04-17 )))))))))))))))))))))))))))))))
.
.
2013-04-17 21:53 . 2013-04-17 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-17 21:53 . 2013-04-17 21:53 -------- d-----w- c:\users\bischy\AppData\Local\temp
2013-04-17 17:33 . 2013-04-17 17:33 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-04-17 17:33 . 2013-04-17 17:33 691592 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-04-17 13:42 . 2013-04-17 13:42 -------- d-----w- C:\gfsdg
2013-04-16 21:41 . 2013-04-16 21:41 -------- d-----w- C:\_OTM
2013-04-16 21:16 . 2013-04-16 21:20 -------- d-----w- c:\windows\system32\appmgmt
2013-04-12 20:43 . 2013-04-12 20:43 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\Malwarebytes
2013-04-12 20:42 . 2013-04-12 20:42 -------- d-----w- c:\programdata\Malwarebytes
2013-04-12 20:42 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-04-12 20:42 . 2013-04-12 20:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-04-12 19:51 . 2013-04-12 19:51 -------- d-----w- c:\users\mkawasmi\AppData\Local\Programs
2013-04-12 18:28 . 2013-04-16 16:14 -------- d-----w- C:\Quarantine
2013-04-12 18:28 . 2013-04-12 18:28 -------- d-----w- c:\windows\Sun
2013-04-02 21:19 . 2013-04-02 21:19 -------- d-----w- c:\users\mkawasmi\AppData\Local\CutePDF Writer
2013-04-01 17:55 . 2013-04-01 18:00 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\vlc
2013-03-19 21:53 . 2013-03-26 22:04 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\HpUpdate
2013-03-19 21:53 . 2013-03-19 21:53 -------- d-----w- c:\windows\Hewlett-Packard
2013-03-19 13:31 . 2013-03-19 13:31 -------- d-----w- c:\users\mkawasmi\AppData\Roaming\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-02 17:31 . 2013-02-22 18:52 99352 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
2013-04-02 17:31 . 2013-02-22 18:52 101200 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2013-04-02 17:31 . 2013-02-22 18:52 303464 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2013-04-02 17:31 . 2013-02-22 18:52 170440 ----a-w- c:\windows\system32\mfevtps.exe
2013-04-02 17:31 . 2013-02-22 18:52 274880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2013-04-02 17:31 . 2013-02-22 18:52 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2013-04-02 17:31 . 2013-02-22 18:52 665768 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2013-04-02 17:31 . 2013-02-22 18:52 160952 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2013-04-02 17:31 . 2013-02-22 18:52 75656 ----a-w- c:\windows\SysWow64\MfeOtlkAddin.dll
2013-04-02 17:31 . 2013-02-22 18:52 23112 ----a-w- c:\windows\SysWow64\MFEOtlk.dll
2013-03-20 14:02 . 2013-02-22 18:50 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-20 14:02 . 2013-02-22 18:50 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-05 19:17 . 2013-03-05 19:17 608 --sha-w- c:\windows\system32\winzvprt5.sys
2013-02-26 21:12 . 2013-02-26 21:12 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2013-02-22 19:24 . 2011-08-01 16:58 18160 ----a-w- c:\programdata\Microsoft\MSOIdentityCRL\production\msoidconfig.dll
2013-02-22 18:50 . 2013-02-22 18:50 960416 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-22 18:50 . 2013-02-22 18:50 308640 ----a-w- c:\windows\system32\javaws.exe
2013-02-22 18:50 . 2013-02-22 18:50 1081760 ----a-w- c:\windows\system32\npDeployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueCrypt"="c:\program files\TrueCrypt\TrueCrypt.exe" [2013-02-26 1516496]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Cisco User Tracking"="c:\windows\SysWOW64\UTLite33.exe" [2005-12-27 172098]
"TkBellExe"="c:\program files (x86)\Common Files\Real\Update_OB\realsched.exe" [2013-02-22 180224]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2012-08-15 215656]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
"HPUsageTracking"="c:\program files (x86)\HP\HP UT\bin\hppusg.exe" [2009-05-11 24576]
"ToolBoxFX"="c:\program files (x86)\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2009-10-22 53248]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 1 (0x1)
"ReportControllerMissing"= 1 (0x1)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"DisallowCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli iPrntWinCredMan
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u msoidssp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-04-02 101200]
R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\drivers\nvstusb.sys [2012-05-15 398656]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [2009-10-23 60416]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys [2009-10-23 80896]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2009-10-23 55808]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 88960]
R3 tcm;tcm;c:\windows\system32\drivers\tcm.sys [2009-10-23 17048]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-01 1255736]
R3 WQ_USBCBAF;WiQuest Class Cable Association driver;c:\windows\system32\drivers\WQ_cba.sys [2009-10-23 55352]
R3 WQ_USBDWA;WiQuest Device Wire Adapter driver;c:\windows\system32\drivers\WQ_dwa.sys [2009-10-23 186936]
R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2009-10-23 285240]
R3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2009-10-23 55352]
R3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2009-10-23 136248]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-04-02 303464]
S0 NCFilter;Novell UNC Filter - Filter;c:\windows\system32\DRIVERS\NCFilter.sys [2012-07-13 112256]
S0 NCRecognizer;Novell UNC Filter - Recognizer;c:\windows\system32\DRIVERS\NCRecognizer.sys [2012-07-13 119936]
S0 NCUncFilter;Novell UNC Filter - UNC Filter;c:\windows\system32\DRIVERS\NCUncFilter.sys [2012-07-13 26240]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe [2009-10-23 89600]
S2 dcevt64;DSM SA Event Manager;c:\program files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe [2012-01-16 222144]
S2 dcstor64;DSM SA Data Manager;c:\program files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe [2012-01-16 293824]
S2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2009-06-01 136192]
S2 iprntsrv;Novell iPrint Service;c:\windows\system32\iprntsrv.exe [2012-04-25 55296]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-04-02 170440]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [2011-09-28 2078112]
S2 NCFSD;Novell Client File System Redirector;c:\program files\Novell\Client\XTier\Drivers\ncfsd.sys [2012-07-13 108672]
S2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\Novell\Client\XTier\Drivers\ncioctl.sys [2012-07-13 90240]
S2 NovEAP;NovEAP;c:\windows\System32\svchost.exe [2011-03-01 27648]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-02-01 604408]
S2 XTSvcMgr;Novell XTier Service Manager;c:\program files\Novell\Client\XTier\Services\XTSvcMgr.exe [2012-07-13 20096]
S3 dcdbas;System Management Driver;c:\windows\system32\DRIVERS\dcdbas64.sys [2010-10-21 38472]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-10-23 138752]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [2009-10-23 5435904]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - nciom
*Deregistered* - ncp
*Deregistered* - ncpl
*Deregistered* - ndm
*Deregistered* - ndmndap
*Deregistered* - ndslpp
*Deregistered* - niam
*Deregistered* - nipctl
*Deregistered* - nscm
*Deregistered* - nsns
*Deregistered* - nsvccost
*Deregistered* - xtxplat
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-17 17:33]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iPrint Tray"="TCTL.EXE TRAY_ICON" [X]
"HP Color LaserJet CM2320 MFP Series Fax"="TERSRV.EXE HP COLOR LASERJET CM2320 MFP SERIES FAX" [X]
"Apoint"="T.EXE" [BU]
"IgfxTray"="DOWS\SYSTEM32\IGFXTRAY.EXE" [BU]
"HotKeysCmds"="DOWS\SYSTEM32\HKCMD.EXE" [BU]
"Persistence"="DOWS\SYSTEM32\IGFXPERS.EXE" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-10-23 450048]
"NWTRAY"="WTRAY.EXE" [BU]
"iPrint Event Monitor"=".EXE" [BU]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
NovEAP
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://home.tceq.state.tx.us/internal
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: state.tx.us\*.tceq
Trusted Zone: state.tx.us\*.tnrcc
Trusted Zone: state.tx.us\mx7prd.tceq
Trusted Zone: state.tx.us\tceq-aav-mpegp1.tceq
Trusted Zone: texas.gov\tceq-aav-mpegp1.tceq
Trusted Zone: texas.gov\vpn.tceq
Trusted Zone: state.tx.us\reportsprd.tceq
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://reportsprd.tceq.state.tx.us/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-734690479-1344892132-312552118-34155\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*µ]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-734690479-1344892132-312552118-34155\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*<%*µ\OpenWithList]
@Class="Shell"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-04-17 16:57:34
ComboFix-quarantined-files.txt 2013-04-17 21:57
ComboFix2.txt 2013-04-17 15:36
.
Pre-Run: 39,880,757,248 bytes free
Post-Run: 39,590,739,968 bytes free
.
- - End Of File - - 3B3C3285ED83F64B882C2FECABF30A8B

#10
gringo_pr

Posted 17 April 2013 - 04:41 PM

Trusted Helper

Malware Removal
7,268 posts

Hello kawasmi247

I would like to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

click ok

copy and paste the report into this topic for me to review

Gringo

#11
kawasmi247

Posted 18 April 2013 - 06:40 AM

New Member

Topic Starter
Member
9 posts

Everything so far is running well and I have not encountered any issues or symptoms since combofix was executed. Here is the log you requested:

Adobe Acrobat X Pro - English, Français, Deutsch
Adobe Flash Player 11 ActiveX
AllFusionGen 8_0 - Prod - Change Password
BufferChm
CCEDS 8_0 - Prod - Main Menu
Central Registry 8_0 - Prod - Main Menu - Regions
CID 8_0 - Prod - Main Menu
Cisco AnyConnect VPN Client
Cisco DART
Configuration Manager Client
Crystal ActiveX Report Viewer Control
Crystal Reports ActiveX Viewer XI
CustomerResearchQFolder
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DeviceDiscovery
DeviceManagementQFolder
FileZilla Client 3.5.3
Gen8 Runtime
HP Update
hppCLJCM2320
hppFaxDrvCM2320
hppFaxUtilityCM2320
hppFonts
hppLaserJetService
hppManualsCM2320
hppPQVideoCM2320
hppQFolderCM2320
hppScanToCM2320
hppSendFaxCM2320
hppTLBXFXCM2320
hppusgCM2320
HPSSupply
hpzTLBXFX
Malwarebytes Anti-Malware version 1.75.0.1300
MarketResearch
McAfee Agent
McAfee VirusScan Enterprise
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
NICI (Shared) U.S./Worldwide (128 bit) (2.7.6-1)
Picasa 3
RealPlayer Enterprise
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589337) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
TrayApp
TrueCrypt
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
UTLite33
WebReg

#12
gringo_pr

Posted 18 April 2013 - 12:06 PM

Trusted Helper

Malware Removal
7,268 posts

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files

This small application you may want to keep and use once a week to keep the computer clean.

Download CCleaner from here http://www.ccleaner.com/
Run the installer to install the application.
When it gives you the option to install Yahoo toolbar uncheck the box next to it.
Run CCleaner. default settings are fine
Click Run Cleaner.
Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! and at this time I would like you to update it and run me a quick scan

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis program
Save HijackThis to your desktop.
Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
copy and paste hijackthis report into the topic

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

#13
kawasmi247

Posted 18 April 2013 - 12:32 PM

New Member

Topic Starter
Member
9 posts

Everything so far is running well and I have not encountered any issues or additional symptoms. One thing I would like to note while running HijackThis is that during the scan I received a popup saying that writing to hosts was denied and I had to manually delete them if something was found there. Here are the logs you requested:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.18.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
MKawasmi :: PC048453 [administrator]

Protection: Enabled

4/18/2013 1:17:13 PM
mbam-log-2013-04-18 (13-17-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242548
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:26:42 PM, on 4/18/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\SysWOW64\UTLite33.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\HP\ToolboxFX\bin\HPTLBXFX.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Users\mkawasmi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.tceq.state.tx.us/internal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130402123258.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Cisco User Tracking] C:\Windows\SysWOW64\UTLite33.exe -domain tceq.texas.gov -host 10.10.220.5 -port 16236 -nds
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files (x86)\HP\HP UT\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT\"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files (x86)\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a logon
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://*.tceq.state.tx.us
O15 - Trusted Zone: http://*.tnrcc.state.tx.us
O15 - Trusted Zone: http://mx7prd.tceq.state.tx.us
O15 - Trusted Zone: tceq-aav-mpegp1.tceq.state.tx.us
O15 - Trusted Zone: tceq-aav-mpegp1.tceq.texas.gov
O15 - Trusted Zone: http://reportsprd.tceq.state.tx.us (HKLM)
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reportsprd.tc...tiveXViewer.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://mscesys1/crys...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ms.tnrcc.state.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ms.tnrcc.state.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ms.tnrcc.state.tx.us
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: DSM SA Event Manager (dcevt64) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr64.exe
O23 - Service: DSM SA Data Manager (dcstor64) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr64.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP LaserJet Service - HP - C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
O23 - Service: Novell iPrint Service (iprntsrv) - Unknown owner - C:\Windows\system32\iprntsrv.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SMS Task Sequence Agent (smstsmgr) - Unknown owner - C:\Windows\SysWOW64\CCM\TSManager.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_44a8c6ff8211f2d4\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Novell XTier Service Manager (XTSvcMgr) - Unknown owner - C:\Program Files (x86)\Novell\Client\XTier\Services\XTSvcMgr.exe (file missing)

--
End of file - 12156 bytes

#14
gringo_pr

Posted 18 April 2013 - 03:17 PM

Trusted Helper

Malware Removal
7,268 posts

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis (rightclick and run as admin)
Click on the Scan button
Put a check beside all of the items listed below (if present):
- O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
  O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
  O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
  O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the add/on to be installed
- Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

When the scan is complete

If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

If threats were found
click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish
close program
copy and paste the report here

Gringo

#15
kawasmi247

Posted 18 April 2013 - 04:24 PM

New Member

Topic Starter
Member
9 posts

I removed the unnecessary startup entries. I then ran the Eset online scanner. This was probably the most nerve racking 52 minutes of my week by the way. I am elated to inform you that no threats were found!