
ZEROACCESS Virus


  • This topic is locked
25 replies to this topic

#1 rr1584

rr1584

  • Members
  • 12 posts

Posted 11 July 2014 - 06:11 PM

Hi,

I have tried almost all attempts to get this off. I am only in the recovery console and cannot log in to the computer. The FRST.txt is below.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-11-2013 (ATTENTION: ====> FRST version is 229 days old and could be outdated)
Ran by SYSTEM on MININT-C42KA5F on 11-07-2014 15:58:32
Running from E:\
Windows 7 Enterprise (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [ConnectionCenter] - C:\Program Files\Citrix\ICA Client\concentr.exe [304568 2010-10-12] (Citrix Systems, Inc.)
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [505720 2012-06-27] (Alps Electric Co., Ltd.)
HKLM\...\Run: [NVHotkey] - rundll32.exe C:\WINDOWS\system32\nvHotkey.dll,Start
HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [536576 2011-06-16] (IDT, Inc.)
HKLM\...\Run: [RemoteControl9] - C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997920 2011-06-15] ()
HKLM\...\Run: [RightFAX Print-to-Fax Driver] - C:\Program Files\RightFax\Client\FAXCTRL.exe [128000 2011-05-04] (Open Text Corporation)
HKLM\...\Run: [Communicator] - C:\Program Files\Microsoft Lync\communicator.exe [12117312 2014-05-01] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [SPEnroll] - C:\Windows\System32\SPEnroll.exe [2547536 2013-01-25] (Quest Software, Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-08-30] (Cisco Systems, Inc.)
HKLM\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKLM\...\Run: [LaptopBackupMonitor] - C:\Program Files\CommVault\Simpana\Base\Laptop2Taskbaricon.exe [2328528 2012-12-15] (CommVault)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Java\jre1.6.0_17\bin\jusched.exe [149280 2012-01-24] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [ 2013-04-22] (Microsoft Corporation)
HKU\Administrator\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\Administrator\...\Run: [HP Photosmart 5510d series (NET)] - C:\Program Files\HP\HP Photosmart 5510d series\Bin\ScanToPCActivationApp.exe [ 2012-10-17] (Hewlett-Packard Co.)
HKU\Administrator\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKU\Administrator\...\Run: [Google Update] - C:\Users\nick.bruecken\AppData\Local\Google\Update\GoogleUpdate.exe [ 2013-12-01] (Google Inc.)
HKU\Administrator\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [ 2013-10-02] (Fitbit, Inc.)
HKU\Administrator\...\RunOnce: [FlashPlayerUpdate] - C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activex
HKU\nick.bruecken\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [ 2013-04-22] (Microsoft Corporation)
HKU\nick.bruecken\...\Run: [HP Photosmart 5510d series (NET)] - C:\Program Files\HP\HP Photosmart 5510d series\Bin\ScanToPCActivationApp.exe [ 2012-10-17] (Hewlett-Packard Co.)
HKU\nick.bruecken\...\Run: [Google Update] - C:\Users\nick.bruecken\AppData\Local\Google\Update\GoogleUpdate.exe [ 2013-12-01] (Google Inc.)
HKU\nick.bruecken\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [ 2013-10-02] (Fitbit, Inc.)
AppInit_DLLs: C:\Windows\System32\nvinit.dll [ 2011-06-05] (NVIDIA Corporation)
Startup: C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
========================== Services (Whitelisted) =================
 
S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [15768 2010-02-02] (Microsoft Corporation)
S2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1160888 2013-09-11] (Microsoft Corporation)
S4 CmRcService; C:\WINDOWS\CCM\RemCtrl\CmRcService.exe [465592 2013-09-11] (Microsoft Corporation)
S2 CrmSqlStartupSvc; C:\Program Files\Microsoft Dynamics CRM\Client\bin\CrmSqlStartupSvc.exe [24240 2013-10-02] (Microsoft Corporation)
S2 ctfprocdca; C:\Program Files\Products\Input Processor\ctfprocdca.exe [9468208 2013-04-18] ()
S2 Fitbit Connect; C:\Program Files\Fitbit Connect\FitbitConnectService.exe [1384992 2013-10-02] (Fitbit, Inc.)
S2 FlipShare Service; C:\Program Files\Flip Video\FlipShare\FlipShareService.exe [460144 2011-05-06] ()
S2 FlipShareServer; C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [1085440 2011-05-06] ()
S2 FwcAgent; C:\Program Files\Forefront TMG Client\FwcAgent.exe [275424 2009-10-14] (Microsoft ® Corporation)
S2 GxCVD(Instance001); C:\Program Files\CommVault\Simpana\Base\cvd.exe [140752 2012-12-15] (CommVault)
S2 GxEvMgrC(Instance001); C:\Program Files\CommVault\Simpana\Base\evmgrc.exe [360912 2012-12-15] (CommVault)
S2 GXHSM Recaller(Instance001); C:\Program Files\CommVault\Simpana\Base\GXHSMService.exe [140240 2012-12-15] (CommVault)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S2 msoidsvc; C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [1577376 2011-04-28] (Microsoft Corp.)
S2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
S3 smstsmgr; C:\WINDOWS\CCM\TSManager.exe [217272 2013-09-11] (Microsoft Corporation)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [262144 2011-06-16] (IDT, Inc.)
S2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [558480 2013-08-30] (Cisco Systems, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()
S2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
S3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2011-02-21] (ST Microelectronics)
S3 acsock; C:\Windows\System32\DRIVERS\acsock.sys [92112 2013-08-30] (Cisco Systems, Inc.)
S3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [300584 2012-06-27] (Broadcom Corporation.)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2011-02-21] (Broadcom Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2011-02-21] (Intel Corporation)
S3 Mandiant_Tools; C:\ProgramData\Application Data\Input Processor\mktools.sys [21072 2013-10-21] ()
S3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2011-02-21] (Intel Corporation)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165648 2011-04-18] (Microsoft Corporation)
S3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2011-04-18] (Microsoft Corporation)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7434240 2011-02-21] (Intel Corporation)
S3 nusb3hub; C:\Windows\system32\drivers\nusb3hub.sys [62208 2011-02-21] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\system32\drivers\nusb3xhc.sys [141568 2011-02-21] (Renesas Electronics Corporation)
S0 nvpciflt; C:\Windows\System32\DRIVERS\nvpciflt.sys [20328 2011-06-05] (NVIDIA Corporation)
S3 O2MDFRDR; C:\Windows\System32\DRIVERS\O2MDFw7.sys [60904 2011-01-04] (O2Micro )
S3 O2MDRRDR; C:\Windows\system32\drivers\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
S3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
S3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2013-09-11] (Microsoft Corporation)
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-08-20] (ST Microelectronics)
S3 tcm; C:\Windows\system32\drivers\tcm.sys [12952 2011-02-21] ()
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva-6.sys [43120 2013-08-30] (Cisco Systems, Inc.)
S1 czbhvokw; \??\C:\WINDOWS\system32\drivers\czbhvokw.sys [x]
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-11 10:01 - 2014-07-11 10:01 - 00000000 ____D C:\FRST
2014-07-11 08:14 - 2014-07-11 08:14 - 00000000 __SHD C:\$$PendingFiles
2014-07-10 19:36 - 2014-07-10 19:36 - 00000000 ____D C:\f0ff4533efcc36f391
2014-07-10 08:11 - 2014-07-10 08:11 - 00000000 ____D C:\552ede25c4f9a0c81555d1f2b9bc
2014-07-10 07:09 - 2014-07-10 07:09 - 00000000 ____D C:\e1815b3be5e0d99b9c22
2014-07-09 13:16 - 2014-07-09 13:16 - 00000000 ____D C:\084ba90cff6bc19d1c
2014-07-09 11:44 - 2014-07-09 11:44 - 00000000 ____D C:\559ad6cb875f6126eb31a1c2626b
2014-07-09 09:41 - 2014-07-09 09:41 - 00762316 _____ C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final (1).xlsx
2014-07-09 09:36 - 2014-07-09 09:36 - 00762316 _____ C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final.xlsx
2014-07-09 09:27 - 2014-07-09 12:56 - 00054160 _____ C:\Users\nick.bruecken\Desktop\CORE Meeting List.xlsx
2014-07-09 08:49 - 2014-07-09 08:49 - 00000000 ____D C:\14f0685660ffc8bcbe6353e341
2014-07-09 07:31 - 2014-07-09 07:32 - 00000000 ____D C:\2acb2e967304e2f8eaa01d
2014-07-07 15:32 - 2014-07-09 14:26 - 00000000 ____D C:\Users\nick.bruecken\Desktop\Process
2014-07-07 08:29 - 2014-07-07 08:29 - 00020956 _____ C:\Users\nick.bruecken\Downloads\Marketing Daily Management.xlsx
2014-07-05 09:49 - 2014-07-05 09:49 - 00000000 ____D C:\Users\nick.bruecken\AppData\Roaming\Verizon
2014-07-05 09:48 - 2014-07-05 09:48 - 01496976 _____ C:\Users\nick.bruecken\Downloads\VzInHomeAgent.exe
2014-07-05 09:48 - 2014-07-05 09:48 - 00001601 _____ C:\Users\nick.bruecken\Install-VzInHomeAgentLog.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00001050 _____ C:\Users\nick.bruecken\request.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000491 _____ C:\Users\nick.bruecken\response.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000420 _____ C:\Users\nick.bruecken\Install-VzDownloadManager.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00000000 ____D C:\Program Files\Verizon
2014-07-05 09:47 - 2014-07-05 09:47 - 01974504 _____ C:\Users\nick.bruecken\Downloads\vzdownloadmanager.exe
2014-07-01 09:30 - 2014-07-01 09:30 - 00000000 ____D C:\Users\nick.bruecken\AppData\Local\Adobe
2014-07-01 09:09 - 2014-07-01 09:09 - 00001989 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-07-01 09:09 - 2014-07-01 09:09 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-06-30 06:26 - 2014-06-30 06:26 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-06-27 13:04 - 2014-05-23 17:27 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-06-27 13:04 - 2014-05-23 17:26 - 14365696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 01766400 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00080896 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 13731328 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 02862080 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 02050560 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 01440768 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-06-27 13:04 - 2014-05-23 17:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00357888 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00226816 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-06-27 13:04 - 2014-05-23 17:03 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-06-27 13:04 - 2014-05-23 16:06 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2014-06-27 13:04 - 2014-04-24 18:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\System32\usp10.dll
2014-06-27 13:04 - 2014-03-26 06:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2014-06-27 13:04 - 2014-03-26 06:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2014-06-27 13:04 - 2014-03-26 06:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\msxml6r.dll
2014-06-27 13:04 - 2014-03-26 06:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2014-06-27 13:03 - 2014-05-08 01:06 - 00919040 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2014-06-27 13:03 - 2014-04-04 18:16 - 01310144 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2014-06-27 13:03 - 2014-04-04 18:16 - 00240576 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2014-06-27 13:03 - 2014-04-04 18:16 - 00187840 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2014-06-27 07:54 - 2014-06-27 07:54 - 02101248 _____ C:\Users\nick.bruecken\Downloads\image.jpeg
2014-06-14 11:23 - 2014-06-14 11:23 - 00315743 ____S C:\Windows\System32\pbvmobd.ujz
2014-06-13 07:22 - 2014-06-13 12:31 - 00000165 ____H C:\Users\nick.bruecken\Desktop\~$Credit Card Details.xlsx
2014-06-13 07:22 - 2014-06-13 07:35 - 00013262 _____ C:\Users\nick.bruecken\Desktop\Credit Card Details.xlsx
2014-06-13 07:20 - 2014-06-13 07:20 - 00021616 _____ C:\Users\nick.bruecken\Downloads\Activity.CSV
2014-06-11 14:33 - 2014-06-11 14:33 - 00000000 ____D C:\Program Files\GUMD962.tmp
2014-06-11 04:07 - 2014-06-11 04:09 - 57527283 _____ C:\Users\nick.bruecken\Downloads\Insignia Lobby Video look and Feel v2.mov
 
==================== One Month Modified Files and Folders =======
 
2014-07-11 15:32 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\winevt
2014-07-11 10:01 - 2014-07-11 10:01 - 00000000 ____D C:\FRST
2014-07-11 09:28 - 2013-10-21 17:14 - 00000000 ____D C:\ProgramData\Input Processor
2014-07-11 08:14 - 2014-07-11 08:14 - 00000000 __SHD C:\$$PendingFiles
2014-07-11 08:01 - 2012-06-27 09:44 - 00000000 ____D C:\users\Administrator
2014-07-11 08:01 - 2012-06-27 09:41 - 00000000 ____D C:\Windows\wlansvc
2014-07-11 08:01 - 2009-07-13 18:37 - 00000000 ___HD C:\Windows\System32\GroupPolicy
2014-07-11 08:01 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\wfp
2014-07-11 08:00 - 2014-04-09 05:36 - 00000000 ____D C:\Windows\CCM
2014-07-11 08:00 - 2013-10-01 05:34 - 00000000 ____D C:\Users\nick.bruecken\Desktop\Ormco
2014-07-11 08:00 - 2013-02-15 07:17 - 00000000 ____D C:\Users\nick.bruecken\Desktop\Villanova
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\spool
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\registration
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\AppCompat
2014-07-11 07:58 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\LogFiles
2014-07-10 19:36 - 2014-07-10 19:36 - 00000000 ____D C:\f0ff4533efcc36f391
2014-07-10 15:24 - 2012-09-19 11:58 - 00000000 ____D C:\Users\nick.bruecken\Documents\Outlook Files
2014-07-10 13:59 - 2012-06-27 09:16 - 00000640 _____ C:\Windows\System32\config\netlogon.ftl
2014-07-10 08:11 - 2014-07-10 08:11 - 00000000 ____D C:\552ede25c4f9a0c81555d1f2b9bc
2014-07-10 07:09 - 2014-07-10 07:09 - 00000000 ____D C:\e1815b3be5e0d99b9c22
2014-07-10 07:08 - 2013-11-14 09:21 - 00000000 ____D C:\Users\nick.bruecken\AppData\Local\3976D20F-58CB-4FA3-8154-C0FE6C4C7D23.aplzod
2014-07-09 17:27 - 2014-04-02 10:07 - 00000000 ____D C:\Users\nick.bruecken\AppData\Roaming\DropboxMaster
2014-07-09 14:26 - 2014-07-07 15:32 - 00000000 ____D C:\Users\nick.bruecken\Desktop\Process
2014-07-09 13:16 - 2014-07-09 13:16 - 00000000 ____D C:\084ba90cff6bc19d1c
2014-07-09 12:56 - 2014-07-09 09:27 - 00054160 _____ C:\Users\nick.bruecken\Desktop\CORE Meeting List.xlsx
2014-07-09 11:44 - 2014-07-09 11:44 - 00000000 ____D C:\559ad6cb875f6126eb31a1c2626b
2014-07-09 09:41 - 2014-07-09 09:41 - 00762316 _____ C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final (1).xlsx
2014-07-09 09:36 - 2014-07-09 09:36 - 00762316 _____ C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final.xlsx
2014-07-09 08:49 - 2014-07-09 08:49 - 00000000 ____D C:\14f0685660ffc8bcbe6353e341
2014-07-09 08:07 - 2012-06-28 10:06 - 00000000 ____D C:\Users\nick.bruecken\Tracing
2014-07-09 07:32 - 2014-07-09 07:31 - 00000000 ____D C:\2acb2e967304e2f8eaa01d
2014-07-07 09:14 - 2012-06-27 09:16 - 01448893 _____ C:\Windows\WindowsUpdate.log
2014-07-07 08:29 - 2014-07-07 08:29 - 00020956 _____ C:\Users\nick.bruecken\Downloads\Marketing Daily Management.xlsx
2014-07-07 07:57 - 2012-01-24 12:31 - 00000000 ____D C:\ProgramData\Adobe
2014-07-07 07:45 - 2014-04-09 06:08 - 00002306 _____ C:\Windows\epplauncher.mif
2014-07-07 07:29 - 2009-07-13 20:34 - 00012064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-07 07:29 - 2009-07-13 20:34 - 00012064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-05 09:49 - 2014-07-05 09:49 - 00000000 ____D C:\Users\nick.bruecken\AppData\Roaming\Verizon
2014-07-05 09:48 - 2014-07-05 09:48 - 01496976 _____ C:\Users\nick.bruecken\Downloads\VzInHomeAgent.exe
2014-07-05 09:48 - 2014-07-05 09:48 - 00001601 _____ C:\Users\nick.bruecken\Install-VzInHomeAgentLog.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00001050 _____ C:\Users\nick.bruecken\request.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000491 _____ C:\Users\nick.bruecken\response.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000420 _____ C:\Users\nick.bruecken\Install-VzDownloadManager.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00000000 ____D C:\Program Files\Verizon
2014-07-05 09:47 - 2014-07-05 09:47 - 01974504 _____ C:\Users\nick.bruecken\Downloads\vzdownloadmanager.exe
2014-07-01 12:15 - 2012-07-14 06:33 - 00000000 ____D C:\Users\nick.bruecken\AppData\Roaming\Dropbox
2014-07-01 09:30 - 2014-07-01 09:30 - 00000000 ____D C:\Users\nick.bruecken\AppData\Local\Adobe
2014-07-01 09:09 - 2014-07-01 09:09 - 00001989 _____ C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-07-01 09:09 - 2014-07-01 09:09 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-07-01 09:09 - 2012-01-24 12:30 - 00000000 ____D C:\Program Files\Adobe
2014-07-01 07:47 - 2012-07-14 06:35 - 00000000 ___RD C:\Users\nick.bruecken\Dropbox
2014-06-30 06:52 - 2012-06-27 09:41 - 00077694 __RSH C:\ProgramData\ntuser.pol
2014-06-30 06:33 - 2012-01-24 11:51 - 00795422 _____ C:\Windows\System32\PerfStringBackup.INI
2014-06-30 06:32 - 2012-06-27 09:18 - 00000568 _____ C:\Windows\SMSCFG.INI
2014-06-30 06:30 - 2012-01-24 13:02 - 05760054 _____ C:\Windows\BGINFO.BMP
2014-06-30 06:28 - 2009-07-13 20:39 - 00088126 _____ C:\Windows\setupact.log
2014-06-30 06:26 - 2014-06-30 06:26 - 00000000 ____D C:\Program Files\Mozilla Firefox
2014-06-30 06:26 - 2012-08-07 13:44 - 00000000 ____D C:\Program Files\Microsoft Lync
2014-06-30 06:26 - 2012-01-24 12:03 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-06-30 06:24 - 2012-06-28 09:45 - 00010570 __RSH C:\Users\nick.bruecken\ntuser.pol
2014-06-27 12:57 - 2014-04-09 05:36 - 00000000 ____D C:\Windows\ccmcache
2014-06-27 12:33 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\NDF
2014-06-27 08:28 - 2013-10-16 17:45 - 00000000 ____D C:\Users\nick.bruecken\Desktop\NB
2014-06-27 07:54 - 2014-06-27 07:54 - 02101248 _____ C:\Users\nick.bruecken\Downloads\image.jpeg
2014-06-19 06:16 - 2012-01-24 12:13 - 00116538 _____ C:\Windows\PFRO.log
2014-06-14 11:23 - 2014-06-14 11:23 - 00315743 ____S C:\Windows\System32\pbvmobd.ujz
2014-06-13 12:31 - 2014-06-13 07:22 - 00000165 ____H C:\Users\nick.bruecken\Desktop\~$Credit Card Details.xlsx
2014-06-13 07:35 - 2014-06-13 07:22 - 00013262 _____ C:\Users\nick.bruecken\Desktop\Credit Card Details.xlsx
2014-06-13 07:20 - 2014-06-13 07:20 - 00021616 _____ C:\Users\nick.bruecken\Downloads\Activity.CSV
2014-06-11 19:32 - 2014-02-23 10:14 - 00002129 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-06-11 14:33 - 2014-06-11 14:33 - 00000000 ____D C:\Program Files\GUMD962.tmp
2014-06-11 04:09 - 2014-06-11 04:07 - 57527283 _____ C:\Users\nick.bruecken\Downloads\Insignia Lobby Video look and Feel v2.mov
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 01:17] - 0304128 ____A (Microsoft Corporation) 998507B046BA314CE8245364C686FA67
 
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
 
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
 
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 3977.02 MB
Available physical RAM: 3462.35 MB
Total Pagefile: 3975.29 MB
Available Pagefile: 3474.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1953.21 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:298.08 GB) (Free:209.58 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (WDO_MEDIA32) (Removable) (Total:3.8 GB) (Free:3.79 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 48BE9999)
Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 302FD142)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
 
LastRegBack: 2014-07-08 09:13
 
==================== End Of Log ============================
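The FRST.txt above is the only evidence the poster has, because the machine will not boot, so the first job for a responder is to pull the few interesting lines out of several hundred whitelisted ones. The following Python triage pass is an added example (written for this page, not code from FRST or from anyone in the thread). It parses the Run, Services and Drivers sections in FRST's layout and flags three things: images FRST could not find on disk (`[x]`), entries with an empty publisher field (`()`), and images that live in user-writable locations such as ProgramData. The sample log is cut down from the one posted above; the flagging rules are the editor's heuristics, not FRST's. On this log they surface exactly the entries a reader would want to see first: the two Microsoft Security Client services whose binaries are missing (which fits FRST's ZeroAccess junction warning for that directory) and the dangling `czbhvokw.sys` driver.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in FRST's own layout: a few lines from the FRST.txt posted
# above, one Registry/Run section plus the Services and Drivers sections.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ConnectionCenter] - C:\Program Files\Citrix\ICA Client\concentr.exe [304568 2010-10-12] (Citrix Systems, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKU\Administrator\...\Run: [swg] - "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

========================== Services (Whitelisted) =================

S2 ctfprocdca; C:\Program Files\Products\Input Processor\ctfprocdca.exe [9468208 2013-04-18] ()
S2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [558480 2013-08-30] (Cisco Systems, Inc.)
S2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 Mandiant_Tools; C:\ProgramData\Application Data\Input Processor\mktools.sys [21072 2013-10-21] ()
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva-6.sys [43120 2013-08-30] (Cisco Systems, Inc.)
S1 czbhvokw; \??\C:\WINDOWS\system32\drivers\czbhvokw.sys [x]
"""

# HK..\Run: [Name] - <command> [size date] (Publisher); bracket and publisher parts are optional
RUN_RE = re.compile(
    r'^HK(?:LM|U)\\[^:]*:\s*\[(?P<name>[^\]]+)\]\s*-\s*"?(?P<path>[^"\[]*?)"?'
    r'\s*(?:\[(?P<meta>[^\]]*)\])?\s*(?:\((?P<publisher>[^)]*)\))?\s*$')
# S2 Name; <path> [size date] (Publisher)   or   S1 Name; <path> [x]  when the file is missing
SVC_RE = re.compile(
    r'^[SR]\d\s+(?P<name>[^;]+);\s*"?(?P<path>[^"\[]*?)"?'
    r'\s*\[(?P<meta>[^\]]*)\]\s*(?:\((?P<publisher>[^)]*)\))?\s*$')

# Locations an ordinary user can write to; a service or driver image there deserves a look
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Entry:
    kind: str                  # "run", "service" or "driver"
    name: str
    path: str
    publisher: Optional[str]   # None: FRST printed nothing; "": FRST printed "()"
    missing: bool              # True when FRST printed "[x]": image not found on disk


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_frst(log_text: str) -> List[Entry]:
    """Parse Run, Services and Drivers lines; the section headers decide service vs driver."""
    entries, section = [], "run"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):
            section = "driver" if "Drivers" in line else "service" if "Services" in line else "run"
            continue
        m, kind = RUN_RE.match(line), "run"
        if not m:
            m, kind = SVC_RE.match(line), section
        if not m:
            continue
        meta = (m.group("meta") or "").strip()
        entries.append(Entry(kind, m.group("name").strip(), m.group("path").strip(),
                             m.group("publisher"), missing=(meta == "x")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the entries a responder should read first; everything else stays in the log."""
    findings = []
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("image not found on disk ([x])")
        if e.publisher == "":
            reasons.append("no publisher information")
        if any(tok in e.path.lower() for tok in USER_WRITABLE):
            reasons.append("image lives in a user-writable location")
        if reasons:
            findings.append(Finding(e.kind, e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_frst(SAMPLE_LOG)):
        print(f"{f.kind:7} {f.name:15} {f.path}\n        -> {'; '.join(f.reasons)}")
```

The rules are deliberately loose: an empty publisher field only means FRST found no version information, and a missing image can be a stale registration as easily as a hidden rootkit component. The point of the pass is ordering, so that the handful of entries worth a second look (here, the missing antimalware binaries and the nameless driver) are read before the dozens of vendor entries.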



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 July 2014 - 01:40 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Get the latest version of this tool.

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Post the logs for my review.

#3 rr1584

rr1584
  • Topic Starter

  • Members
  • 12 posts

Posted 15 July 2014 - 04:39 PM

The only problem with that is that I cannot get into Windows at all. I cannot safe mode into it either. Do you have any other suggestions?



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 July 2014 - 07:29 AM

I have reported your problem here:

Please report unbootable computers here
http://www.bleepingcomputer.com/forums/topic298500.html

An expert in that field will be with you shortly.

Stay with us.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 10,820 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 July 2014 - 10:49 AM

Run FRST as you did before.
 
Type the following in the edit box on FRST, after "Search:".
 
winlogon.exe;svchost.exe;volsnap.sys
 
It then should look like:
 
Search: winlogon.exe;svchost.exe;volsnap.sys
 
Click the Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 rr1584

rr1584
  • Topic Starter

  • Members
  • 12 posts

Posted 16 July 2014 - 12:21 PM

Hi JSntgRvr,

Here is the Search.txt log:

Farbar Recovery Scan Tool (x86) Version: 24-11-2013
Ran by SYSTEM at 2014-07-16 10:17:29
Running from E:\
Boot Mode: Recovery
 
================== Search: "winlogon.exe;svchost.exe;volsnap.sys" ===================
 
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.22137_none_1834fef773825f67\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
 
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys
[2012-01-24 13:05] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
 
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys
[2009-07-13 15:11] - [2009-07-13 17:19] - 0245328 ____A (Microsoft Corporation) 58DF9D2481A56EDDE167E51B334D44FD
 
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.22616_none_7255f1994c4f8119\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 02:39] - 0304640 ____A (Microsoft Corporation) D53972F87D850CD2EB4B29B60CAFDD77
 
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.18409_none_71da23b23327143c\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 01:17] - 0304128 ____A (Microsoft Corporation) 998507B046BA314CE8245364C686FA67
 
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2012-01-24 13:05] - [2010-11-20 04:17] - 0286720 ____A (Microsoft Corporation) 6D13E1406F50C66E2A95D97F22C47560
 
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe
[2009-07-13 15:37] - [2009-07-13 17:14] - 0285696 ____A (Microsoft Corporation) 8EC6A4AB12B8F3759E21F8E3A388F2CF
 
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
 
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 15:19] - [2009-07-13 17:14] - 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866
 
C:\Windows\System32\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
 
C:\Windows\System32\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 01:17] - 0304128 ____A (Microsoft Corporation) 998507B046BA314CE8245364C686FA67
 
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_6dee0205881d1a1d\volsnap.sys
[2012-01-24 13:05] - [2010-11-20 04:30] - 0245632 ____A (Microsoft Corporation) F497F67932C6FA693D7DE2780631CFE7
 
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_08399c421b3552fe\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
 
C:\Windows\System32\drivers\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
 
=== End Of Search ===


#7 JSntgRvr (Malware Response Team)

Posted 16 July 2014 - 03:30 PM

Download the enclosed file. [attachment=152452:fixlist.txt]

Save it in the same location FRST is saved.

Run FRST, except that this time around click on the Fix button and wait.

The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it in your reply.

If successful, attempt to boot in Normal Mode and let me know the outcome.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 rr1584 (Topic Starter)

Posted 16 July 2014 - 04:55 PM

Sorry, still no luck.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-11-2013
Ran by SYSTEM at 2014-07-16 14:54:48 Run:10
Running from E:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
Start
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
End
*****************
 
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
Error: DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client => entry should be fixed outside recovery mode.
 
==== End of Fixlog ====


#9 JSntgRvr (Malware Response Team)

Posted 16 July 2014 - 10:37 PM

Let's restore the registry from the backup.

Download the enclosed file. [attachment=152472:fixlist.txt]

Save it in the same location FRST is saved.

Run FRST, except that this time around click on the Fix button and wait.

The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it in your reply.

If successful, attempt to boot in Normal Mode and let me know the outcome.



#10 rr1584 (Topic Starter)

Posted 17 July 2014 - 12:01 PM

Still boots up to a black screen with a mouse pointer. Fixlog below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-11-2013
Ran by SYSTEM at 2014-07-17 09:57:44 Run:11
Running from E:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
Start
LastRegBack: 2014-07-08 09:13
End
*****************
 
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.
 
==== End of Fixlog ====


#11 JSntgRvr (Malware Response Team)

Posted 17 July 2014 - 12:15 PM

Please download the latest version of Farbar Recovery Scan Tool and perform another scan. Post the new FRST.txt it will produce.




#12 rr1584 (Topic Starter)

Posted 17 July 2014 - 12:19 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-07-2014 01
Ran by SYSTEM on MININT-CNCNNJ4 on 17-07-2014 10:18:11
Running from E:\
Platform: Windows 7 Enterprise (X86) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [304568 2010-10-12] (Citrix Systems, Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2012-06-27] (Alps Electric Co., Ltd.)
HKLM\...\Run: [NVHotkey] => C:\WINDOWS\system32\nvHotkey.dll [288872 2011-06-05] (NVIDIA Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [536576 2011-06-16] (IDT, Inc.)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] => C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM\...\Run: [MSC] => "c:\Program Files\Microsoft Security Client\Antimalware\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [RightFAX Print-to-Fax Driver] => C:\Program Files\RightFax\Client\faxctrl.exe [128000 2011-05-04] (Open Text Corporation)
HKLM\...\Run: [Communicator] => C:\Program Files\Microsoft Lync\communicator.exe [12117312 2014-05-01] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [SPEnroll] => C:\WINDOWS\system32\SPEnroll.exe [2547536 2013-01-25] (Quest Software, Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-01] (Apple Inc.)
HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-08-30] (Cisco Systems, Inc.)
HKLM\...\Run: [Fitbit Connect] => C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKLM\...\Run: [LaptopBackupMonitor] => C:\Program Files\CommVault\Simpana\Base\Laptop2Taskbaricon.exe [2328528 2012-12-15] (CommVault)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre1.6.0_17\bin\jusched.exe [149280 2012-01-24] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Administrator\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\Administrator\...\Run: [swg] => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
HKU\Administrator\...\Run: [HP Photosmart 5510d series (NET)] => C:\Program Files\HP\HP Photosmart 5510d series\Bin\ScanToPCActivationApp.exe [1837672 2012-10-17] (Hewlett-Packard Co.)
HKU\Administrator\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKU\Administrator\...\Run: [Google Update] => C:\Users\nick.bruecken\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-12-01] (Google Inc.)
HKU\Administrator\...\Run: [Fitbit Connect] => C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKU\Administrator\...\RunOnce: [FlashPlayerUpdate] - C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe -update activex
HKU\Administrator\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Administrator\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Administrator\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\Administrator\...\Policies\Explorer: [NoLogOff] 0
HKU\Default\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Default\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Default User\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Default User\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\nick.bruecken\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\nick.bruecken\...\Run: [HP Photosmart 5510d series (NET)] => C:\Program Files\HP\HP Photosmart 5510d series\Bin\ScanToPCActivationApp.exe [1837672 2012-10-17] (Hewlett-Packard Co.)
HKU\nick.bruecken\...\Run: [Google Update] => C:\Users\nick.bruecken\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-12-01] (Google Inc.)
HKU\nick.bruecken\...\Run: [Fitbit Connect] => C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKU\nick.bruecken\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\nick.bruecken\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\nick.bruecken\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\nick.bruecken\...\Policies\Explorer: [NoLogOff] 0
AppInit_DLLs: C:\WINDOWS\system32\nvinit.dll => C:\WINDOWS\system32\nvinit.dll [193128 2011-06-05] (NVIDIA Corporation)
Startup: C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
 
========================== Services (Whitelisted) =================
 
S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [15768 2010-02-02] (Microsoft Corporation)
S2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1160888 2013-09-11] (Microsoft Corporation)
S4 CmRcService; C:\WINDOWS\CCM\RemCtrl\CmRcService.exe [465592 2013-09-11] (Microsoft Corporation)
S2 CrmSqlStartupSvc; C:\Program Files\Microsoft Dynamics CRM\Client\bin\CrmSqlStartupSvc.exe [24240 2013-10-02] (Microsoft Corporation)
S2 ctfprocdca; C:\Program Files\Products\Input Processor\ctfprocdca.exe [9468208 2013-04-18] ()
S2 Fitbit Connect; C:\Program Files\Fitbit Connect\FitbitConnectService.exe [1384992 2013-10-02] (Fitbit, Inc.)
S2 FlipShare Service; C:\Program Files\Flip Video\FlipShare\FlipShareService.exe [460144 2011-05-06] ()
S2 FlipShareServer; C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [1085440 2011-05-06] ()
S2 FwcAgent; C:\Program Files\Forefront TMG Client\FwcAgent.exe [275424 2009-10-14] (Microsoft ® Corporation)
S2 GxCVD(Instance001); C:\Program Files\CommVault\Simpana\Base\cvd.exe [140752 2012-12-15] (CommVault)
S2 GxEvMgrC(Instance001); C:\Program Files\CommVault\Simpana\Base\evmgrc.exe [360912 2012-12-15] (CommVault)
S2 GXHSM Recaller(Instance001); C:\Program Files\CommVault\Simpana\Base\GXHSMService.exe [140240 2012-12-15] (CommVault)
S2 IHA_MessageCenter; C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [358984 2014-05-21] (Verizon)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S2 msoidsvc; C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [1577376 2011-04-28] (Microsoft Corp.)
S2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
S3 smstsmgr; C:\WINDOWS\CCM\TSManager.exe [217272 2013-09-11] (Microsoft Corporation)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [262144 2011-06-16] (IDT, Inc.)
S2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [558480 2013-08-30] (Cisco Systems, Inc.)
S2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [X]
S3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [X]
S2 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2011-02-21] (ST Microelectronics)
S3 acsock; C:\Windows\System32\DRIVERS\acsock.sys [92112 2013-08-30] (Cisco Systems, Inc.)
S3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [300584 2012-06-27] (Broadcom Corporation.)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2011-02-21] (Broadcom Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2011-02-21] (Intel Corporation)
S3 Mandiant_Tools; C:\ProgramData\Application Data\Input Processor\mktools.sys [21072 2013-10-21] ()
S3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2011-02-21] (Intel Corporation)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165648 2011-04-18] (Microsoft Corporation)
S3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2011-04-18] (Microsoft Corporation)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7434240 2011-02-21] (Intel Corporation)
S3 nusb3hub; C:\Windows\system32\drivers\nusb3hub.sys [62208 2011-02-21] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\system32\drivers\nusb3xhc.sys [141568 2011-02-21] (Renesas Electronics Corporation)
S0 nvpciflt; C:\Windows\System32\DRIVERS\nvpciflt.sys [20328 2011-06-05] (NVIDIA Corporation)
S3 O2MDFRDR; C:\Windows\System32\DRIVERS\O2MDFw7.sys [60904 2011-01-04] (O2Micro )
S3 O2MDRRDR; C:\Windows\system32\drivers\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
S3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
S3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2013-09-11] (Microsoft Corporation)
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-08-20] (ST Microelectronics)
S3 tcm; C:\Windows\system32\drivers\tcm.sys [12952 2011-02-21] ()
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva-6.sys [43120 2013-08-30] (Cisco Systems, Inc.)
S1 czbhvokw; \??\C:\WINDOWS\system32\drivers\czbhvokw.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-17 09:57 - 2014-07-17 09:57 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-07-14 16:15 - 2014-07-14 16:15 - 00000000 _____ () C:\Windows\System32\config\SOFTWARE2a987f58
2014-07-14 14:50 - 2014-07-14 14:50 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-07-11 10:01 - 2014-07-17 10:18 - 00000000 ____D () C:\FRST
2014-07-11 08:14 - 2014-07-11 08:14 - 00000000 __SHD () C:\$$PendingFiles
2014-07-10 19:36 - 2014-07-10 19:36 - 00000000 ____D () C:\f0ff4533efcc36f391
2014-07-10 08:11 - 2014-07-10 08:11 - 00000000 ____D () C:\552ede25c4f9a0c81555d1f2b9bc
2014-07-10 07:09 - 2014-07-10 07:09 - 00000000 ____D () C:\e1815b3be5e0d99b9c22
2014-07-09 13:16 - 2014-07-09 13:16 - 00000000 ____D () C:\084ba90cff6bc19d1c
2014-07-09 11:44 - 2014-07-09 11:44 - 00000000 ____D () C:\559ad6cb875f6126eb31a1c2626b
2014-07-09 09:41 - 2014-07-09 09:41 - 00762316 _____ () C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final (1).xlsx
2014-07-09 09:36 - 2014-07-09 09:36 - 00762316 _____ () C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final.xlsx
2014-07-09 09:27 - 2014-07-09 12:56 - 00054160 _____ () C:\Users\nick.bruecken\Desktop\CORE Meeting List.xlsx
2014-07-09 08:49 - 2014-07-09 08:49 - 00000000 ____D () C:\14f0685660ffc8bcbe6353e341
2014-07-09 07:31 - 2014-07-09 07:32 - 00000000 ____D () C:\2acb2e967304e2f8eaa01d
2014-07-07 15:32 - 2014-07-09 14:26 - 00000000 ____D () C:\Users\nick.bruecken\Desktop\Process
2014-07-07 08:29 - 2014-07-07 08:29 - 00020956 _____ () C:\Users\nick.bruecken\Downloads\Marketing Daily Management.xlsx
2014-07-05 09:49 - 2014-07-05 09:49 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Roaming\Verizon
2014-07-05 09:48 - 2014-07-05 09:48 - 01496976 _____ () C:\Users\nick.bruecken\Downloads\VzInHomeAgent.exe
2014-07-05 09:48 - 2014-07-05 09:48 - 00001601 _____ () C:\Users\nick.bruecken\Install-VzInHomeAgentLog.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00001050 _____ () C:\Users\nick.bruecken\request.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000491 _____ () C:\Users\nick.bruecken\response.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000420 _____ () C:\Users\nick.bruecken\Install-VzDownloadManager.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00000000 ____D () C:\Program Files\Verizon
2014-07-05 09:47 - 2014-07-05 09:47 - 01974504 _____ () C:\Users\nick.bruecken\Downloads\vzdownloadmanager.exe
2014-07-01 09:30 - 2014-07-01 09:30 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Local\Adobe
2014-07-01 09:09 - 2014-07-01 09:09 - 00001989 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-07-01 09:09 - 2014-07-01 09:09 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-06-30 06:26 - 2014-06-30 06:26 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-06-27 13:04 - 2014-05-23 17:27 - 00042496 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-06-27 13:04 - 2014-05-23 17:26 - 14365696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 01766400 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 01141248 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00493056 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00163840 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-06-27 13:04 - 2014-05-23 17:26 - 00080896 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 13731328 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 02862080 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 02050560 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 01440768 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-06-27 13:04 - 2014-05-23 17:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00391168 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00357888 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00226816 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-06-27 13:04 - 2014-05-23 17:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-06-27 13:04 - 2014-05-23 17:03 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-06-27 13:04 - 2014-05-23 16:06 - 00071680 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2014-06-27 13:04 - 2014-04-24 18:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\System32\usp10.dll
2014-06-27 13:04 - 2014-03-26 06:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2014-06-27 13:04 - 2014-03-26 06:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2014-06-27 13:04 - 2014-03-26 06:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\msxml6r.dll
2014-06-27 13:04 - 2014-03-26 06:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2014-06-27 13:03 - 2014-05-08 01:06 - 00919040 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2014-06-27 13:03 - 2014-04-04 18:16 - 01310144 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2014-06-27 13:03 - 2014-04-04 18:16 - 00240576 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2014-06-27 13:03 - 2014-04-04 18:16 - 00187840 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2014-06-27 07:54 - 2014-06-27 07:54 - 02101248 _____ () C:\Users\nick.bruecken\Downloads\image.jpeg
 
==================== One Month Modified Files and Folders =======
 
2014-07-17 10:18 - 2014-07-11 10:01 - 00000000 ____D () C:\FRST
2014-07-17 09:57 - 2014-07-17 09:57 - 00000000 ____D () C:\Windows\System32\config\HiveBackup
2014-07-17 08:59 - 2012-01-24 12:13 - 00136814 _____ () C:\Windows\PFRO.log
2014-07-14 16:15 - 2014-07-14 16:15 - 00000000 _____ () C:\Windows\System32\config\SOFTWARE2a987f58
2014-07-14 14:50 - 2014-07-14 14:50 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-07-14 12:34 - 2012-07-14 06:35 - 00000000 ___RD () C:\Users\nick.bruecken\Dropbox
2014-07-11 15:32 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\winevt
2014-07-11 09:28 - 2013-10-21 17:14 - 00000000 ____D () C:\ProgramData\Input Processor
2014-07-11 08:14 - 2014-07-11 08:14 - 00000000 __SHD () C:\$$PendingFiles
2014-07-11 08:01 - 2012-06-27 09:44 - 00000000 ____D () C:\users\Administrator
2014-07-11 08:01 - 2012-06-27 09:41 - 00000000 ____D () C:\Windows\wlansvc
2014-07-11 08:01 - 2009-07-13 18:37 - 00000000 ___HD () C:\Windows\System32\GroupPolicy
2014-07-11 08:01 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\wfp
2014-07-11 08:00 - 2014-04-09 05:36 - 00000000 ____D () C:\Windows\CCM
2014-07-11 08:00 - 2013-10-01 05:34 - 00000000 ____D () C:\Users\nick.bruecken\Desktop\Ormco
2014-07-11 08:00 - 2013-02-15 07:17 - 00000000 ____D () C:\Users\nick.bruecken\Desktop\Villanova
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\spool
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\registration
2014-07-11 08:00 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\AppCompat
2014-07-11 07:58 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\LogFiles
2014-07-10 19:36 - 2014-07-10 19:36 - 00000000 ____D () C:\f0ff4533efcc36f391
2014-07-10 15:24 - 2012-09-19 11:58 - 00000000 ____D () C:\Users\nick.bruecken\Documents\Outlook Files
2014-07-10 13:59 - 2012-06-27 09:16 - 00000640 _____ () C:\Windows\System32\config\netlogon.ftl
2014-07-10 08:11 - 2014-07-10 08:11 - 00000000 ____D () C:\552ede25c4f9a0c81555d1f2b9bc
2014-07-10 07:09 - 2014-07-10 07:09 - 00000000 ____D () C:\e1815b3be5e0d99b9c22
2014-07-10 07:08 - 2013-11-14 09:21 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Local\3976D20F-58CB-4FA3-8154-C0FE6C4C7D23.aplzod
2014-07-09 17:27 - 2014-04-02 10:07 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Roaming\DropboxMaster
2014-07-09 14:26 - 2014-07-07 15:32 - 00000000 ____D () C:\Users\nick.bruecken\Desktop\Process
2014-07-09 13:16 - 2014-07-09 13:16 - 00000000 ____D () C:\084ba90cff6bc19d1c
2014-07-09 12:56 - 2014-07-09 09:27 - 00054160 _____ () C:\Users\nick.bruecken\Desktop\CORE Meeting List.xlsx
2014-07-09 11:44 - 2014-07-09 11:44 - 00000000 ____D () C:\559ad6cb875f6126eb31a1c2626b
2014-07-09 09:41 - 2014-07-09 09:41 - 00762316 _____ () C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final (1).xlsx
2014-07-09 09:36 - 2014-07-09 09:36 - 00762316 _____ () C:\Users\nick.bruecken\Downloads\2014 Ormco Level 1 PD Final.xlsx
2014-07-09 08:49 - 2014-07-09 08:49 - 00000000 ____D () C:\14f0685660ffc8bcbe6353e341
2014-07-09 08:07 - 2012-06-28 10:06 - 00000000 ____D () C:\Users\nick.bruecken\Tracing
2014-07-09 07:32 - 2014-07-09 07:31 - 00000000 ____D () C:\2acb2e967304e2f8eaa01d
2014-07-07 09:14 - 2012-06-27 09:16 - 01448893 _____ () C:\Windows\WindowsUpdate.log
2014-07-07 08:29 - 2014-07-07 08:29 - 00020956 _____ () C:\Users\nick.bruecken\Downloads\Marketing Daily Management.xlsx
2014-07-07 07:57 - 2012-01-24 12:31 - 00000000 ____D () C:\ProgramData\Adobe
2014-07-07 07:45 - 2014-04-09 06:08 - 00002306 _____ () C:\Windows\epplauncher.mif
2014-07-07 07:29 - 2009-07-13 20:34 - 00012064 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-07 07:29 - 2009-07-13 20:34 - 00012064 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-05 09:49 - 2014-07-05 09:49 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Roaming\Verizon
2014-07-05 09:48 - 2014-07-05 09:48 - 01496976 _____ () C:\Users\nick.bruecken\Downloads\VzInHomeAgent.exe
2014-07-05 09:48 - 2014-07-05 09:48 - 00001601 _____ () C:\Users\nick.bruecken\Install-VzInHomeAgentLog.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00001050 _____ () C:\Users\nick.bruecken\request.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000491 _____ () C:\Users\nick.bruecken\response.xml
2014-07-05 09:48 - 2014-07-05 09:48 - 00000420 _____ () C:\Users\nick.bruecken\Install-VzDownloadManager.log
2014-07-05 09:48 - 2014-07-05 09:48 - 00000000 ____D () C:\Program Files\Verizon
2014-07-05 09:47 - 2014-07-05 09:47 - 01974504 _____ () C:\Users\nick.bruecken\Downloads\vzdownloadmanager.exe
2014-07-01 12:15 - 2012-07-14 06:33 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Roaming\Dropbox
2014-07-01 09:30 - 2014-07-01 09:30 - 00000000 ____D () C:\Users\nick.bruecken\AppData\Local\Adobe
2014-07-01 09:09 - 2014-07-01 09:09 - 00001989 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-07-01 09:09 - 2014-07-01 09:09 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-07-01 09:09 - 2012-01-24 12:30 - 00000000 ____D () C:\Program Files\Adobe
2014-06-30 06:52 - 2012-06-27 09:41 - 00077694 __RSH () C:\ProgramData\ntuser.pol
2014-06-30 06:33 - 2012-01-24 11:51 - 00795422 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-06-30 06:32 - 2012-06-27 09:18 - 00000568 _____ () C:\Windows\SMSCFG.INI
2014-06-30 06:30 - 2012-01-24 13:02 - 05760054 _____ () C:\Windows\BGINFO.BMP
2014-06-30 06:28 - 2009-07-13 20:39 - 00088126 _____ () C:\Windows\setupact.log
2014-06-30 06:26 - 2014-06-30 06:26 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-06-30 06:26 - 2012-08-07 13:44 - 00000000 ____D () C:\Program Files\Microsoft Lync
2014-06-30 06:26 - 2012-01-24 12:03 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-30 06:24 - 2012-06-28 09:45 - 00010570 __RSH () C:\Users\nick.bruecken\ntuser.pol
2014-06-27 12:57 - 2014-04-09 05:36 - 00000000 ____D () C:\Windows\ccmcache
2014-06-27 12:33 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\System32\NDF
2014-06-27 08:28 - 2013-10-16 17:45 - 00000000 ____D () C:\Users\nick.bruecken\Desktop\NB
2014-06-27 07:54 - 2014-06-27 07:54 - 02101248 _____ () C:\Users\nick.bruecken\Downloads\image.jpeg
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
 
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2013-05-02 06:31] - [2012-10-18 11:38] - 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
 
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 3977.02 MB
Available physical RAM: 3498 MB
Total Pagefile: 3975.29 MB
Available Pagefile: 3498.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.64 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:298.08 GB) (Free:209.41 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (WDO_MEDIA32) (Removable) (Total:3.8 GB) (Free:3.8 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 48BE9999)
Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 302FD142)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
 
 
LastRegBack: 2014-07-08 09:13
 
==================== End Of Log ============================
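
Why the helper searched for winlogon.exe, svchost.exe and volsnap.sys in post #6, and what FRST's "Google the MD5" hint in the Bamital & volsnap Check above is asking for: a live binary in System32 is trusted when its hash equals a copy Windows itself keeps of the same file, in the component store (winsxs) or the DriverStore, and a live file whose MD5 matches none of those copies has been modified in place, which is how a patched service host or driver presents. The Python below is an added worked example written for this thread; it is not FRST's code and not part of any post. It parses FRST-style Search output (a path line followed by a detail line ending in the MD5, as in the logs above) and performs that comparison offline. The first sample is copied from the Search.txt and Bamital check logs in this thread; the second is constructed, with an all-zero MD5 that belongs to no real file, to show the mismatch verdict. The version label is read from the winsxs directory name.

```python
"""Cross-check live Windows binaries against their component-store copies.

Added example for this thread (not FRST code, not from any post). FRST Search output
lists a path line followed by a detail line ending in an MD5; the live copy under
System32 is compared with every copy of the same name under winsxs or DriverStore.
"""
import re
from collections import defaultdict

DETAIL_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")  # version field of a winsxs dir name

# Records copied from the Search.txt and Bamital & volsnap Check logs in this thread.
SAMPLE_SEARCH_LOG = r"""
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.22137_none_1834fef773825f67\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.18409_none_71da23b23327143c\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 01:17] - 0304128 ____A (Microsoft Corporation) 998507B046BA314CE8245364C686FA67
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
C:\Windows\System32\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
C:\Windows\System32\winlogon.exe
[2014-06-04 07:01] - [2014-03-04 01:17] - 0304128 ____A (Microsoft Corporation) 998507B046BA314CE8245364C686FA67
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_08399c421b3552fe\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
C:\Windows\System32\drivers\volsnap.sys
[2013-05-02 06:31] - [2012-10-18 12:17] - 0246104 ____A (Microsoft Corporation) 4EDEF8AB59B089925CF9A6CFC74A4109
C:\Windows\System32\rpcss.dll
[2013-05-02 06:31] - [2012-10-18 11:38] - 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC
"""

# Constructed: the store copy of svchost.exe from above beside a live copy whose
# MD5 (all zeros, invented) matches nothing, i.e. a binary patched in place.
SAMPLE_PATCHED_LOG = r"""
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.22137_none_b839a1177cbb227f\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) FFB38D8AFD6F4FCA1D46D64F1EDE0B9F
C:\Windows\System32\svchost.exe
[2013-05-02 06:31] - [2012-10-18 09:40] - 0021504 ____A (Microsoft Corporation) 00000000000000000000000000000000
"""


def parse_search_log(text):
    """Return (path, md5, size) for every path line followed by a detail line."""
    lines = [ln.strip() for ln in text.splitlines()]
    out = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and PATH_RE.match(path):
            out.append((path, m.group("md5").upper(), int(m.group("size"))))
    return out


def classify(path):
    """'trusted' for winsxs/DriverStore copies, 'live' for the in-use copy under
    System32. Trusted is tested first: System32\\DriverStore sits under System32."""
    low = path.lower()
    if "\\winsxs\\" in low or "\\driverstore\\filerepository\\" in low:
        return "trusted"
    return "live" if "\\system32\\" in low or "\\syswow64\\" in low else None


def store_label(path):
    """Version from the winsxs directory name, or 'DriverStore' for driver copies."""
    m = VERSION_RE.search(path)
    return m.group(1) if m else "DriverStore"


def cross_check(text):
    """Map each live file name to {'status': match|mismatch|unverified, ...}."""
    trusted = defaultdict(dict)  # basename -> {md5: label of the first copy seen}
    live = {}
    for path, md5, size in parse_search_log(text):
        name = path.rsplit("\\", 1)[-1].lower()
        kind = classify(path)
        if kind == "trusted":
            trusted[name].setdefault(md5, store_label(path))
        elif kind == "live":
            live[name] = (path, md5, size)
    report = {}
    for name, (path, md5, size) in live.items():
        copies = trusted.get(name)
        verdict = {"path": path, "md5": md5, "size": size}
        if not copies:        # nothing to compare against: FRST's "Google the MD5" case
            verdict["status"] = "unverified"
        elif md5 in copies:   # identical to a store copy of a known version
            verdict.update(status="match", version=copies[md5])
        else:                 # store copies exist and none match: modified in place
            verdict.update(status="mismatch", trusted_md5s=sorted(copies))
        report[name] = verdict
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_SEARCH_LOG, SAMPLE_PATCHED_LOG):
        for name, v in cross_check(sample).items():
            print(f"{name:14} {v['status']:10} {v.get('version', '')}")
```

Run as a script it prints one verdict per live file for both samples; on a real case, feed cross_check the Search.txt FRST leaves on the USB drive. Two caveats a practitioner should keep in mind: a match only proves the live copy equals a store copy, so it says nothing if the store was replaced too, and an unverified file (rpcss.dll here, because no store copy of it was in the search) needs a search that includes its winsxs copies, or a known-good hash source, before any conclusion is drawn.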


#13 JSntgRvr (Malware Response Team)

Posted 17 July 2014 - 05:13 PM

Download the enclosed file. [attachment=152513:fixlist.txt]
 
Save it in the same location FRST is saved.
 
Run FRST, except that this time around click on the Fix button and wait.
 
The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

 
While on FRST, type the following in the edit box on FRST, after "Search:".
 
rpcss.dll
 
It then should look like:
 
Search: rpcss.dll
 
Click the Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 rr1584 (Topic Starter)

Posted 17 July 2014 - 05:26 PM

Fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:15-07-2014 01
Ran by SYSTEM at 2014-07-17 15:16:41 Run:12
Running from E:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
Start
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\Administrator\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Administrator\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Administrator\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\Administrator\...\Policies\Explorer: [NoLogOff] 0
HKU\Default\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Default\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\Default User\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\Default User\...\Policies\Explorer: [NoWindowsUpdate] 0
Startup: C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
End
*****************
 
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSMConfigurePrograms => value deleted successfully.
HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWindowsUpdate => value deleted successfully.
HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoChangeStartMenu => value deleted successfully.
HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLogOff => value deleted successfully.
HKU\Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSMConfigurePrograms => value deleted successfully.
HKU\Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWindowsUpdate => value deleted successfully.
HKU\Default User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSMConfigurePrograms => Value not found.
HKU\Default User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWindowsUpdate => Value not found.
C:\Users\nick.bruecken\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk => Moved successfully.
ShortcutTarget: Dropbox.lnk ->  (No File) not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
 
==== End of Fixlog ====
 
 
Search.txt:
 
Farbar Recovery Scan Tool (x86) Version:15-07-2014 01
Ran by SYSTEM at 2014-07-17 15:17:39
Running from E:\
Boot Mode: Recovery
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.22137_none_6c492372b54d62d6\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2012-01-24 13:05][2010-11-20 04:21] 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
 
C:\Windows\System32\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC
 
X:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
 
X:\Windows\System32\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
 
=== End Of Search ===

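The point of the rpcss.dll search above is the check FRST itself hints at in its "audio adware" warning: ZeroAccess-family infections patch a system DLL in place, keeping its name, size and Microsoft version resource, so only the hash gives it away. The Search.txt in this post already contains the reference material needed to decide without Googling anything: on Windows 7, System32 files are hard links into the WinSxS component store, so the live C:\Windows\System32\rpcss.dll (MD5 46A8388A...) should match one of the winsxs copies, and it matches the 6.1.7601.22137 one exactly. The script below is an added example, not part of this thread and not FRST's code: it parses FRST's Search.txt layout (path line followed by a [created][modified] size attrs (Company) MD5 line) and compares every System32 copy against the WinSxS copies on the same volume. SAMPLE is the Search.txt from the post above plus two constructed entries on drives D: and F: (a patched copy with a fake MD5, and a copy with no store reference) to exercise the failure cases; the function names are this example's own.

```python
import re
from collections import defaultdict

# Layout of one FRST Search.txt hit: a path line, then one metadata line
#   [created][modified] size attrs (Company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\")
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+\S+\s+"
    r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

OK, PATCHED, NO_REFERENCE = "OK", "PATCHED?", "NO_REFERENCE"

# Search.txt from the post above (drives C: and X:), plus CONSTRUCTED entries on
# D: (same size and version, fake hash) and F: (no WinSxS copy to compare with).
SAMPLE = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.22137_none_6c492372b54d62d6\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2012-01-24 13:05][2010-11-20 04:21] 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\Windows\System32\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC

X:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

X:\Windows\System32\rpcss.dll
[2009-07-13 15:45][2009-07-13 17:16] 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

D:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.22137_none_6c492372b54d62d6\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC

D:\Windows\System32\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) DEADBEEFDEADBEEFDEADBEEFDEADBEEF

F:\Windows\System32\rpcss.dll
[2013-05-02 06:31][2012-10-18 11:38] 0376832 ____A (Microsoft Corporation) 46A8388AB8ED91F1974C556AA4C27CEC

=== End Of Search ===
"""


def parse_search(text):
    """Turn FRST Search.txt output into a list of {path, size, company, md5}."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):          # a hit starts with a drive-letter path
            pending = line
            continue
        m = META_RE.match(line)
        if m and pending is not None:    # the metadata line that belongs to it
            entries.append({"path": pending, "size": int(m["size"]),
                            "company": m["company"], "md5": m["md5"].upper()})
            pending = None
    return entries


def assess(entries):
    """Verdict per <drive>:\\Windows\\System32 copy, judged against the WinSxS
    copies of the same file name on the same volume. System32 is normally a
    hard link into the component store, so a live copy whose hash matches none
    of the store copies has been replaced or patched in place."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["path"][0].upper(), e["path"].rsplit("\\", 1)[-1].lower())].append(e)

    verdicts = {}
    for (drive, _name), items in groups.items():
        sys32 = f"{drive.lower()}:\\windows\\system32\\"
        live = [e for e in items if e["path"].lower().startswith(sys32)]
        store = [e for e in items if "\\winsxs\\" in e["path"].lower()]
        for e in live:
            if any(s["md5"] == e["md5"] for s in store):
                verdicts[e["path"]] = OK
            elif store:
                verdicts[e["path"]] = PATCHED        # right name, size and version; wrong bytes
            else:
                verdicts[e["path"]] = NO_REFERENCE   # nothing local to compare against
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(assess(parse_search(SAMPLE)).items()):
        print(f"{verdict:13} {path}")
```

Only the NO_REFERENCE case still needs the external lookup the helper and FRST describe (searching the MD5, or a vendor hash catalog); a file that matches a component-store copy from the same update lineage, as C:\Windows\System32\rpcss.dll does here, is not the patched file. The check says nothing about the CLSID InprocServer32 hijack that the fixlist restored, which is a separate registry-side persistence and not a file hash question.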

#15 JSntgRvr (Malware Response Team)

Posted 17 July 2014 - 05:37 PM

Any progress?



