Windows Malware Removal Help & Support
MoneyPak Virus
BrianS6565 wrote (post 183616):

Thanks for the prompt response. Here is the copy of the log.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2014 01
Ran by SYSTEM on MININT-MUOKFIB on 13-04-2014 17:06:32
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [170264 2012-01-29] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [398616 2012-01-29] (Intel Corporation)
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [440600 2012-01-29] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-13] (Synaptics Incorporated)
HKLM\...\Run: [SetDefault] => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-19] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2013-03-01] (IDT, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291096 2011-12-05] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPOSD] => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295072 2013-03-10] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1801168 2014-04-10] (APN)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Default\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\Sidebar.exe [1475584 2010-11-20] (Microsoft Corporation)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffifr29.lnk
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
Startup: C:\Users\Brian Sager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NexDef Plug-in.lnk
ShortcutTarget: NexDef Plug-in.lnk -> (No File)
==================== Services (Whitelisted) =================
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-04-10] (APN LLC.)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1363584 2014-03-03] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1748608 2014-03-03] (Microsoft Corporation)
S2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-06-07] (HP)
S2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-05-12] ()
S2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
S2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-05-12] ()
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
S2 Winmgmt; C:\ProgramData\2992199F9A\ffifr29.faa [332036 2014-04-10] (Microsoft Corporation)
==================== Drivers (Whitelisted) ====================
S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20130322.001\BHDrvx64.sys [1387608 2013-03-21] (Symantec Corporation)
S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-02-07] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-02-07] (Symantec Corporation)
S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20130405.001\IDSvia64.sys [513184 2013-02-07] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130408.016\ENG64.SYS [126192 2013-02-07] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\VirusDefs\20130408.016\EX64.SYS [2087664 2013-02-07] (Symantec Corporation)
S3 RSP2STOR; C:\Windows\System32\DRIVERS\RtsP2Stor.sys [259688 2011-10-27] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [20016 2011-10-13] (Synaptics Incorporated)
S3 SRTSP; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSP64.SYS [729720 2011-08-02] (Symantec Corporation)
S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1301000.01C\SRTSPX64.SYS [37496 2011-08-02] (Symantec Corporation)
S3 SymDS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [451192 2011-07-25] (Symantec Corporation)
S3 SymEFA; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [1084536 2011-07-28] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2013-02-05] (Symantec Corporation)
S3 SymIRON; C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [189560 2011-07-25] (Symantec Corporation)
S3 SymNetS; C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [401016 2011-07-25] (Symantec Corporation)
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-04-13 17:06 - 2014-04-13 17:06 - 00000000 ____D () C:\FRST
2014-04-10 11:30 - 2014-04-13 13:43 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-09 10:59 - 2014-03-12 22:33 - 02238976 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-04-09 10:59 - 2014-03-12 22:33 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-04-09 10:59 - 2014-03-12 22:33 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-04-09 10:59 - 2014-03-12 22:32 - 19273728 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 03959808 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-04-09 10:59 - 2014-03-12 22:32 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-04-09 10:59 - 2014-03-12 22:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-04-09 10:59 - 2014-03-12 21:10 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-09 10:59 - 2014-03-12 21:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 14358016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 02049536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-09 10:59 - 2014-03-12 21:09 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-09 10:59 - 2014-03-12 20:57 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-04-09 10:59 - 2014-03-12 20:47 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-09 10:59 - 2014-03-12 19:59 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2014-04-09 10:59 - 2014-03-12 19:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-04-09 10:58 - 2014-03-04 01:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2014-04-09 10:58 - 2014-03-04 01:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2014-04-09 10:58 - 2014-03-04 01:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2014-04-09 10:58 - 2014-03-04 01:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-04-09 10:58 - 2014-03-04 01:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2014-04-09 10:58 - 2014-03-04 01:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2014-04-09 10:58 - 2014-03-04 00:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2014-04-09 10:58 - 2014-03-04 00:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2014-04-09 10:58 - 2014-02-03 18:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\msiscsi.sys
2014-04-09 10:58 - 2014-02-03 18:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys
2014-04-09 10:58 - 2014-02-03 18:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Diskdump.sys
2014-04-09 10:58 - 2014-02-03 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\iologmsg.dll
2014-04-09 10:58 - 2014-02-03 18:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll
2014-04-09 10:58 - 2014-01-23 18:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys
2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx
2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx
2014-04-06 20:13 - 2014-04-13 13:43 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job
2014-04-06 20:13 - 2014-04-13 08:42 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager
2014-04-06 20:13 - 2014-04-13 08:42 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job
2014-04-06 20:13 - 2014-04-12 10:42 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager
2014-04-06 20:13 - 2014-04-12 10:42 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job
2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager
2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager
2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx
2014-03-30 08:12 - 2014-03-30 15:07 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx
2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx
2014-03-16 20:07 - 2014-04-13 08:00 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-03-14 16:43 - 2014-04-12 12:59 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job
2014-03-14 16:43 - 2014-04-12 08:42 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager
==================== One Month Modified Files and Folders =======
2014-04-13 17:06 - 2014-04-13 17:06 - 00000000 ____D () C:\FRST
2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-13 13:46 - 2013-02-07 15:10 - 00003970 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{88F222FE-40D9-4533-9708-FEFB116E7767}
2014-04-13 13:43 - 2014-04-10 11:30 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-13 13:43 - 2014-04-06 20:13 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job
2014-04-13 13:43 - 2013-03-10 15:24 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-13 13:42 - 2013-11-04 12:35 - 00003628 _____ () C:\Windows\setupact.log
2014-04-13 13:42 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-13 13:41 - 2013-03-10 15:24 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-13 13:41 - 2012-10-22 16:22 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-13 11:57 - 2013-02-06 14:24 - 01796070 _____ () C:\Windows\WindowsUpdate.log
2014-04-13 09:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-04-13 08:42 - 2014-04-06 20:13 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager
2014-04-13 08:42 - 2014-04-06 20:13 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job
2014-04-13 08:16 - 2013-12-25 19:00 - 00113260 _____ () C:\Windows\IE11_main.log
2014-04-13 08:00 - 2014-03-16 20:07 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-13 08:00 - 2013-11-04 12:37 - 00003240 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 13:44 - 2013-10-10 07:28 - 00003384 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 13:44 - 2013-10-10 07:28 - 00003262 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001
2014-04-12 12:59 - 2014-03-14 16:43 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job
2014-04-12 10:42 - 2014-04-06 20:13 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager
2014-04-12 10:42 - 2014-04-06 20:13 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job
2014-04-12 08:42 - 2014-03-14 16:43 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager
2014-04-12 08:42 - 2013-04-05 13:52 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-04-12 08:42 - 2013-02-13 05:08 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-04-10 11:19 - 2013-02-16 18:17 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 16:00 - 2013-03-10 15:24 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-04-09 15:54 - 2013-07-27 17:04 - 00000000 ____D () C:\Users\Brian Sager\Citrix
2014-04-09 00:57 - 2013-02-17 08:05 - 00000000 ____D () C:\Users\Brian Sager\AppData\Local\CrashDumps
2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx
2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx
2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager
2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager
2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx
2014-03-30 15:07 - 2014-03-30 08:12 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx
2014-03-30 07:21 - 2013-03-10 15:24 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-30 07:21 - 2013-03-10 15:24 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-28 11:31 - 2014-03-01 20:44 - 00000000 ____D () C:\Bovada
2014-03-26 16:08 - 2009-07-13 21:13 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx
2014-03-16 20:06 - 2009-07-13 20:45 - 00414704 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-16 19:49 - 2013-03-10 11:27 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-16 19:49 - 2012-10-22 16:34 - 00000000 ____D () C:\ProgramData\Skype
2014-03-14 16:38 - 2013-02-06 14:24 - 00000000 ____D () C:\users\Brian Sager
ZeroAccess:
C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install
Some content of TEMP:
====================
C:\Users\Brian Sager\AppData\Local\Temp\setup.exe
C:\Users\Brian Sager\AppData\Local\Temp\sp64126.exe
C:\Users\Brian Sager\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Brian Sager\AppData\Local\Temp\~+JF8179645312642104323.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2014-03-21 13:50:15
Restore point made on: 2014-03-22 06:15:19
Restore point made on: 2014-03-25 19:06:46
Restore point made on: 2014-03-27 13:33:51
Restore point made on: 2014-03-28 10:53:43
Restore point made on: 2014-03-31 12:58:44
Restore point made on: 2014-04-03 06:05:41
Restore point made on: 2014-04-04 06:14:45
Restore point made on: 2014-04-05 06:42:31
Restore point made on: 2014-04-06 08:14:40
Restore point made on: 2014-04-09 10:54:21
Restore point made on: 2014-04-10 11:16:51
Restore point made on: 2014-04-12 13:40:24
Restore point made on: 2014-04-13 08:12:51
Restore point made on: 2014-04-13 09:37:14
Restore point made on: 2014-04-13 09:37:18
Restore point made on: 2014-04-13 09:37:19
Restore point made on: 2014-04-13 09:37:20
Restore point made on: 2014-04-13 09:37:25
Restore point made on: 2014-04-13 09:37:27
Restore point made on: 2014-04-13 09:37:27
==================== Memory info ===========================
Percentage of memory in use: 11%
Total physical RAM: 8087.31 MB
Available physical RAM: 7143.91 MB
Total Pagefile: 8085.46 MB
Available Pagefile: 7137.81 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:910.28 GB) (Free:823.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (Recovery) (Fixed) (Total:20.94 GB) (Free:2.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.07 GB) FAT32
Drive h: () (Removable) (Total:0.98 GB) (Free:0.97 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 8A469346)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=910 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=21 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=102 MB) - (Type=0C)
========================================================
Disk: 1 (Size: 1003 MB) (Disk ID: 003068C2)
Partition 1: (Active) - (Size=1003 MB) - (Type=06)

LastRegBack: 2014-04-13 09:23
==================== End Of Log ============================
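The entries worth pulling out of the log above can be found mechanically before anyone reads the rest of it: the Run value FRST itself marks with `<===== ATTENTION`, the `Winmgmt` service whose image is `C:\ProgramData\2992199F9A\ffifr29.faa`, the startup shortcut `ffifr29.lnk` whose target is a `.cpp` file in that same hex-named folder, and the `hpsrv` and `Spooler` services reported with a size of 0 and an empty publisher field. The script below is an added example, not part of the original post and not FRST's own whitelisting logic: it parses FRST-style Run, service and ShortcutTarget lines with a handful of triage heuristics of my own, using sample lines copied from the log above as its input. The expected image paths for `Spooler` and `Winmgmt` are the stock Windows 7 x64 locations; every other flag is a prompt to inspect the file rather than a verdict, since a size of 0 with no publisher can also mean the file could not be read when the log was taken.

```python
"""Triage FRST log lines for the persistence patterns visible in the post above.

Added example: this is not FRST's own logic. The heuristics are the editor's,
the sample lines are copied from the log in the post, and the expected image
paths for Spooler and Winmgmt are the stock Windows 7 x64 locations.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Sample input: lines copied verbatim from the FRST log above. Two are benign
# controls (IgfxTray, NIS); the rest are the entries a responder should flag.
SAMPLE_LOG = r"""
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [170264 2012-01-29] (Intel Corporation)
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
S2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-05-12] ()
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
S2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-05-12] ()
S2 Winmgmt; C:\ProgramData\2992199F9A\ffifr29.faa [332036 2014-04-10] (Microsoft Corporation)
"""

# "path [size yyyy-mm-dd] (publisher)" trailer shared by Run and service lines.
TRAILER = re.compile(r"^(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d\d-\d\d)\] \((?P<publisher>[^)]*)\)$")
SERVICE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.+)$")
RUNKEY = re.compile(r"^(?P<hive>HK.*?)\\\.\.\.\\Run: \[(?P<value>[^\]]+)\] => (?P<rest>.+)$")
SHORTCUT = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?)(?: \((?P<publisher>[^)]*)\))?$")

# A directory directly under ProgramData whose name is just hex digits, like the
# C:\ProgramData\2992199F9A folder in the log.
HEX_DIR = re.compile(r"^c:\\programdata\\[0-9a-f]{8,}\\", re.IGNORECASE)
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf", ".msi"}
# Stock Windows 7 x64 image paths for two core services that appear in the log.
EXPECTED_IMAGE = {
    "spooler": r"c:\windows\system32\spoolsv.exe",
    "winmgmt": r"c:\windows\system32\svchost.exe",
}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _check_image(path, size, publisher, reasons):
    """Heuristics applied to any image FRST reports with a size and publisher."""
    if HEX_DIR.match(path):
        reasons.append("image lives in a random hex-named folder under ProgramData")
    if size == 0 and not publisher:
        reasons.append("zero-byte image with no publisher string")


def triage(log_text):
    """Return a Finding for every line at least one heuristic fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if "<===== ATTENTION" in line:
            reasons.append("flagged by FRST itself")
        if (m := SERVICE.match(line)):
            t = TRAILER.match(m["rest"])
            if t:
                _check_image(t["path"], int(t["size"]), t["publisher"], reasons)
                expected = EXPECTED_IMAGE.get(m["name"].lower())
                if expected and t["path"].lower() != expected:
                    reasons.append(f"core service {m['name']} runs from {t['path']} instead of {expected}")
        elif (m := RUNKEY.match(line)):
            t = TRAILER.match(m["rest"])
            if t:
                _check_image(t["path"], int(t["size"]), t["publisher"], reasons)
        elif (m := SHORTCUT.match(line)):
            target = m["target"]
            ext = ntpath.splitext(target)[1].lower()  # ntpath handles backslashes on any host
            if HEX_DIR.match(target):
                reasons.append("startup shortcut points into a random hex-named folder under ProgramData")
            if ext not in EXEC_EXT:
                reasons.append(f"startup shortcut targets a non-executable extension {ext or '(none)'}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it flags five of the seven lines and leaves the Intel Run entry and the Norton service alone. Two things the script cannot tell you but a responder should keep in mind: FRST's "(Whitelisted)" sections only list entries it did not recognise as standard, so `Spooler` and `Winmgmt` appearing there at all is itself notable, and the `[X]` Run value FRST attributes to a ZeroAccess hidden path will not show up as a file on disk at all, which is why the FRST marker is treated as a reason on its own.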
C:\Windows\System32\msrating.dll 2014-04-09 10:59 - 2014-03-12 22:32 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 15404544 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll 2014-04-09 10:59 - 2014-03-12 22:31 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll 2014-04-09 10:59 - 2014-03-12 21:10 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2014-04-09 10:59 - 2014-03-12 21:10 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 14358016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 02049536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll 
2014-04-09 10:59 - 2014-03-12 21:09 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2014-04-09 10:59 - 2014-03-12 21:09 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll 2014-04-09 10:59 - 2014-03-12 20:57 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2014-04-09 10:59 - 2014-03-12 20:47 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2014-04-09 10:59 - 2014-03-12 19:59 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe 2014-04-09 10:59 - 2014-03-12 19:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe 2014-04-09 10:58 - 2014-03-04 01:44 - 01163264 _____ (Microsoft Corporation) C:\Windows\System32\kernel32.dll 2014-04-09 10:58 - 2014-03-04 01:44 - 00362496 _____ (Microsoft Corporation) C:\Windows\System32\wow64win.dll 2014-04-09 10:58 - 2014-03-04 01:44 - 00243712 _____ (Microsoft Corporation) C:\Windows\System32\wow64.dll 2014-04-09 10:58 - 2014-03-04 01:44 - 00016384 _____ (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll 2014-04-09 10:58 - 2014-03-04 01:44 - 00013312 _____ (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll 2014-04-09 10:58 - 2014-03-04 01:17 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll 2014-04-09 10:58 - 2014-03-04 01:16 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll 2014-04-09 10:58 - 2014-03-04 01:16 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe 2014-04-09 10:58 - 2014-03-04 01:16 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll 2014-04-09 10:58 - 2014-03-04 00:09 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe 2014-04-09 10:58 - 2014-03-04 00:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe 2014-04-09 10:58 - 
2014-02-03 18:35 - 00274880 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\msiscsi.sys 2014-04-09 10:58 - 2014-02-03 18:35 - 00190912 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\storport.sys 2014-04-09 10:58 - 2014-02-03 18:35 - 00027584 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Diskdump.sys 2014-04-09 10:58 - 2014-02-03 18:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\iologmsg.dll 2014-04-09 10:58 - 2014-02-03 18:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iologmsg.dll 2014-04-09 10:58 - 2014-01-23 18:37 - 01684928 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys 2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx 2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx 2014-04-06 20:13 - 2014-04-13 13:43 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job 2014-04-06 20:13 - 2014-04-13 08:42 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager 2014-04-06 20:13 - 2014-04-13 08:42 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job 2014-04-06 20:13 - 2014-04-12 10:42 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager 2014-04-06 20:13 - 2014-04-12 10:42 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job 2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager 2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager 2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx 2014-03-30 08:12 - 2014-03-30 15:07 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx 2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian 
Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx 2014-03-16 20:07 - 2014-04-13 08:00 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001 2014-03-14 16:43 - 2014-04-12 12:59 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job 2014-03-14 16:43 - 2014-04-12 08:42 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager ==================== One Month Modified Files and Folders ======= 2014-04-13 17:06 - 2014-04-13 17:06 - 00000000 ____D () C:\FRST 2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-04-13 13:47 - 2009-07-13 20:45 - 00031472 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-04-13 13:46 - 2013-02-07 15:10 - 00003970 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{88F222FE-40D9-4533-9708-FEFB116E7767} 2014-04-13 13:43 - 2014-04-10 11:30 - 00000000 ____D () C:\ProgramData\2992199F9A 2014-04-13 13:43 - 2014-04-06 20:13 - 00000400 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager.job 2014-04-13 13:43 - 2013-03-10 15:24 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-04-13 13:42 - 2013-11-04 12:35 - 00003628 _____ () C:\Windows\setupact.log 2014-04-13 13:42 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-04-13 13:41 - 2013-03-10 15:24 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-04-13 13:41 - 2012-10-22 16:22 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job 2014-04-13 11:57 - 2013-02-06 14:24 - 01796070 _____ () C:\Windows\WindowsUpdate.log 2014-04-13 09:34 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache 2014-04-13 08:42 - 2014-04-06 20:13 - 00003002 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Brian Sager 2014-04-13 08:42 - 
2014-04-06 20:13 - 00000390 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Brian Sager.job 2014-04-13 08:16 - 2013-12-25 19:00 - 00113260 _____ () C:\Windows\IE11_main.log 2014-04-13 08:00 - 2014-03-16 20:07 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001 2014-04-13 08:00 - 2013-11-04 12:37 - 00003240 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001 2014-04-12 13:44 - 2013-10-10 07:28 - 00003384 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1596818072-1018057494-116439080-1001 2014-04-12 13:44 - 2013-10-10 07:28 - 00003262 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1596818072-1018057494-116439080-1001 2014-04-12 12:59 - 2014-03-14 16:43 - 00000356 _____ () C:\Windows\Tasks\HPCeeScheduleForBrian Sager.job 2014-04-12 10:42 - 2014-04-06 20:13 - 00003006 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Brian Sager 2014-04-12 10:42 - 2014-04-06 20:13 - 00000394 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Brian Sager.job 2014-04-12 08:42 - 2014-03-14 16:43 - 00003222 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBrian Sager 2014-04-12 08:42 - 2013-04-05 13:52 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt 2014-04-12 08:42 - 2013-02-13 05:08 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log 2014-04-10 11:19 - 2013-02-16 18:17 - 00000000 ____D () C:\ProgramData\Microsoft Help 2014-04-09 16:00 - 2013-03-10 15:24 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk 2014-04-09 15:54 - 2013-07-27 17:04 - 00000000 ____D () C:\Users\Brian Sager\Citrix 2014-04-09 00:57 - 2013-02-17 08:05 - 00000000 ____D () C:\Users\Brian Sager\AppData\Local\CrashDumps 2014-04-06 20:17 - 2014-04-06 20:17 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (2).xlsx 2014-04-06 20:16 - 2014-04-06 20:16 - 00014053 _____ () 
C:\Users\Brian Sager\Downloads\Call Schedule 4-2014 (1).xlsx 2014-04-06 20:13 - 2014-04-06 20:13 - 00003646 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Brian Sager 2014-04-06 20:13 - 2014-04-06 20:13 - 00002710 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Brian Sager 2014-04-04 14:23 - 2014-04-04 14:23 - 00014053 _____ () C:\Users\Brian Sager\Downloads\Call Schedule 4-2014.xlsx 2014-03-30 15:07 - 2014-03-30 08:12 - 00153162 _____ () C:\Users\Brian Sager\Documents\e2list3.30.xlsx 2014-03-30 07:21 - 2013-03-10 15:24 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA 2014-03-30 07:21 - 2013-03-10 15:24 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore 2014-03-28 11:31 - 2014-03-01 20:44 - 00000000 ____D () C:\Bovada 2014-03-26 16:08 - 2009-07-13 21:13 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI 2014-03-24 13:57 - 2014-03-24 13:57 - 00014058 _____ () C:\Users\Brian Sager\Downloads\Children%27s House Staff Schedule April 2014.xlsx 2014-03-16 20:06 - 2009-07-13 20:45 - 00414704 _____ () C:\Windows\System32\FNTCACHE.DAT 2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files\Microsoft Silverlight 2014-03-16 20:05 - 2013-03-18 12:24 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight 2014-03-16 19:49 - 2013-03-10 11:27 - 00000000 ___RD () C:\Program Files (x86)\Skype 2014-03-16 19:49 - 2012-10-22 16:34 - 00000000 ____D () C:\ProgramData\Skype 2014-03-14 16:38 - 2013-02-06 14:24 - 00000000 ____D () C:\users\Brian Sager ZeroAccess: C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install Some content of TEMP: ==================== C:\Users\Brian Sager\AppData\Local\Temp\setup.exe C:\Users\Brian Sager\AppData\Local\Temp\sp64126.exe C:\Users\Brian Sager\AppData\Local\Temp\UninstallHPSA.exe C:\Users\Brian Sager\AppData\Local\Temp\~+JF8179645312642104323.dll ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & 
volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== EXE ASSOCIATION ===================== HKLM\...\.exe: exefile => OK HKLM\...\exefile\DefaultIcon: %1 => OK HKLM\...\exefile\open\command: "%1" %* => OK ==================== Restore Points ========================= Restore point made on: 2014-03-21 13:50:15 Restore point made on: 2014-03-22 06:15:19 Restore point made on: 2014-03-25 19:06:46 Restore point made on: 2014-03-27 13:33:51 Restore point made on: 2014-03-28 10:53:43 Restore point made on: 2014-03-31 12:58:44 Restore point made on: 2014-04-03 06:05:41 Restore point made on: 2014-04-04 06:14:45 Restore point made on: 2014-04-05 06:42:31 Restore point made on: 2014-04-06 08:14:40 Restore point made on: 2014-04-09 10:54:21 Restore point made on: 2014-04-10 11:16:51 Restore point made on: 2014-04-12 13:40:24 Restore point made on: 2014-04-13 08:12:51 Restore point made on: 2014-04-13 09:37:14 Restore point made on: 2014-04-13 09:37:18 Restore point made on: 2014-04-13 09:37:19 Restore point made on: 2014-04-13 09:37:20 Restore point made on: 2014-04-13 09:37:25 Restore point made on: 2014-04-13 09:37:27 Restore point made on: 2014-04-13 09:37:27 ==================== Memory info =========================== Percentage of memory in use: 11% Total physical RAM: 8087.31 MB Available physical RAM: 7143.91 
MB Total Pagefile: 8085.46 MB Available Pagefile: 7137.81 MB Total Virtual: 8192 MB Available Virtual: 8191.88 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:910.28 GB) (Free:823.93 GB) NTFS ==>[System with boot components (obtained from reading drive)] Drive e: (Recovery) (Fixed) (Total:20.94 GB) (Free:2.26 GB) NTFS ==>[System with boot components (obtained from reading drive)] Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.07 GB) FAT32 Drive h: () (Removable) (Total:0.98 GB) (Free:0.97 GB) FAT Drive x: (Boot) (Fixed) (Total:0.25 GB) (Free:0.25 GB) NTFS Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 8A469346) Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=910 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=21 GB) - (Type=07 NTFS) Partition 4: (Not Active) - (Size=102 MB) - (Type=0C) ======================================================== Disk: 1 (Size: 1003 MB) (Disk ID: 003068C2) Partition 1: (Active) - (Size=1003 MB) - (Type=06) LastRegBack: 2014-04-13 09:23 ==================== End Of Log ============================ [/QUOTE]
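Added example (editor's addition, not part of BrianS6565's post and not FRST's own logic): a small triage script that parses the Run, ShortcutTarget and Services lines FRST writes and applies the checks a helper applies by eye when reading a log like the one above. The sample lines are copied from the log; the trusted-directory list, the table of svchost-hosted services and the "unusual extension" rule are this example's own assumptions. On this input it flags the Winmgmt service (a Windows 7 service that is normally hosted by svchost.exe, here pointing at a .faa file under C:\ProgramData), the Startup shortcut whose target is a .cpp file claiming to be from Microsoft, the Run value FRST itself marked, and the ZeroAccess hit, while leaving the Skype, Synaptics and Ask toolbar entries alone.

```python
"""Triage FRST autostart entries for hijacked or out-of-place images (example, not FRST code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Service/driver lines: "S2 Winmgmt; C:\path\file [size date] (Company)"
SERVICE_RE = re.compile(
    r"^[SR]\d\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[\d+\s+[\d-]+\]\s+\((?P<company>[^)]*)\)\s*$")
# Registry Run values: "HKLM-x32\...\Run: [Name] => target"
RUN_RE = re.compile(r"^(?P<hive>HK.*?)\\\.\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+=>\s+(?P<target>.+)$")
# Startup-folder shortcuts: "ShortcutTarget: x.lnk -> C:\path\file (Company)"
LNK_RE = re.compile(r"^ShortcutTarget:\s+(?P<name>.+?)\s+->\s+(?P<path>.+?)(?:\s+\((?P<company>[^)]*)\))?\s*$")

# Assumption: directories where service and autostart images normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: Windows 7 services always hosted by svchost.exe; any other image is a hijack.
SVCHOST_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog"}
NORMAL_EXTENSIONS = {"exe", "sys", "dll"}

# Sample lines copied from the FRST log in the post above; the Skype, Synaptics
# and Ask entries are kept as benign controls.
SAMPLE = r"""HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1801168 2014-04-10] (APN)
HKU\Brian Sager\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
ShortcutTarget: ffifr29.lnk -> C:\ProgramData\2992199F9A\92rfiff.cpp (Microsoft Corporation)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1363584 2014-03-03] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\2992199F9A\ffifr29.faa [332036 2014-04-10] (Microsoft Corporation)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [20016 2011-10-13] (Synaptics Incorporated)
ZeroAccess: C:\Users\Brian Sager\AppData\Local\Google\Desktop\Install
"""


@dataclass
class Finding:
    kind: str          # "service", "run", "startup" or "rootkit"
    name: str
    path: str
    reasons: List[str]


def path_findings(path: str, company: Optional[str]) -> List[str]:
    """Heuristics on one image path; returns [] for non-paths such as '[X]' or '(No File)'."""
    low = path.lower()
    if not re.match(r"^[a-z]:\\", low):
        return []
    reasons = []
    in_trusted = low.startswith(TRUSTED_ROOTS)
    if not in_trusted:
        reasons.append(f"image outside Windows/Program Files: {path}")
    filename = low.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in NORMAL_EXTENSIONS:
        reasons.append(f"unusual executable extension '.{ext}'")
    if company and "microsoft" in company.lower() and not in_trusted:
        reasons.append("claims Microsoft Corporation but is not in a Microsoft directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk FRST log lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, path, company = m["name"], m["path"], m["company"]
            reasons = path_findings(path, company)
            if name.lower() in SVCHOST_SERVICES and not path.lower().endswith("\\svchost.exe"):
                reasons.append(f"{name} must run inside svchost.exe, not {path}")
            if reasons:
                findings.append(Finding("service", name, path, reasons))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m["name"], m["target"]
            reasons = []
            if target.startswith("[X]") or "ATTENTION" in target:
                reasons.append("FRST flagged the value (missing file or hidden path)")
            path = target.split(" [", 1)[0]                  # drop "[size date] (Company)"
            cm = re.search(r"\(([^)]*)\)\s*$", target)
            reasons += path_findings(path, cm.group(1) if cm else None)
            if reasons:
                findings.append(Finding("run", name, path, reasons))
            continue
        m = LNK_RE.match(line)
        if m:
            reasons = path_findings(m["path"], m["company"])
            if reasons:
                findings.append(Finding("startup", m["name"], m["path"], reasons))
            continue
        if line.startswith("ZeroAccess:"):
            path = line.split(":", 1)[1].strip()
            findings.append(Finding("rootkit", "ZeroAccess", path, ["FRST ZeroAccess heuristic hit"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.name}: {f.path}")
        for r in f.reasons:
            print("    -", r)
```

The "outside Windows/Program Files" rule is deliberately crude: run it over the full log above and it will also hit the Norton definition drivers under C:\ProgramData\Norton, so a real tool needs a vendor allowlist on top of it. The svchost check is the one that matters most here, because a service named Winmgmt with an image that is not svchost.exe cannot be explained by an odd install path.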