Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-09-2014 02
Ran by msdadmin (administrator) on SPHYRA-MX on 03-09-2014 10:54:11
Running from \\MSDFILESERVER\Installs\Utilities\FarBar Service Scanner
Platform: Windows Server 2012 Standard (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\certsrv.exe
(DameWare Development LLC) C:\Windows\dwrcs\DWRCS.EXE
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\fms.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\updateservice.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Microsoft Online Services\MSOIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL11.MSONLINE\MSSQL\Binn\sqlservr.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Microsoft Online Services\MSOIDSVCM.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\ForefrontActiveDirectoryConnector.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Search.Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\ResourceProfile\contentengine\noderunner.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.ServiceHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe
(Microsoft Corporation) C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin\miiserver.exe
() C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.ContentFilter.Wrapper.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(PC Tools) C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Store.Worker.exe
(DameWare Development) C:\Windows\dwrcs\DWRCST.EXE
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\msexchangerepl.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.RpcClientAccess.Service.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
(Microsoft Corporation) C:\Windows\System32\ServerManager.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\ParserServer\ParserServer.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16683_none_62280e15510f8e79\TiWorker.exe
(Farbar) \\MSDFILESERVER\Installs\Utilities\FarBar Service Scanner\FRST64.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [SSDMonitor] => C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [105120 2012-08-21] (PC Tools)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-3310774822-2600404569-3618726309-1535\...\Policies\system: [Wallpaper] \\MSD-DC1\Desktop Background\Sphyra.jpg
HKU\S-1-5-21-3310774822-2600404569-3618726309-1535\...\Policies\system: [WallpaperStyle] 4
HKU\S-1-5-21-3310774822-2600404569-3618726309-1535\...\Policies\Explorer: [ForceActiveDesktopOn] 1
Lsa: [Notification Packages] scecli rassfm
SecurityProviders: credssp.dll, pwdssp.dll
BootExecute: autocheck autochk /q /v *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
Tcpip\..\Interfaces\{D3D63290-9A0F-4394-8AC4-1108F09D02FA}: [NameServer] 10.0.0.4,10.0.0.9

FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
Chrome:
=======
CHR HomePage: Default -> https://sphyra-mx/ecp/
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-05]
CHR Extension: (Google Drive) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-05]
CHR Extension: (YouTube) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-05]
CHR Extension: (Google Search) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-05]
CHR Extension: (Google Wallet) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-29]
CHR Extension: (Gmail) - C:\Users\msdadmin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [5632 2012-07-25] (Microsoft Corporation)
R2 CertSvc; C:\Windows\system32\certsrv.exe [721920 2012-07-25] (Microsoft Corporation)
R2 dwmrcs; C:\Windows\dwrcs\DWRCS.EXE [701304 2011-09-06] (DameWare Development LLC)
R2 FIMSynchronizationService; C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin\miiserver.exe [3298456 2013-05-28] (Microsoft Corporation)
R2 FMS; C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\FMS.exe [1338856 2013-03-29] (Microsoft Corporation)
R2 HostControllerService; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe [24672 2013-03-29] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [16384 2012-07-25] (Microsoft Corporation)
R3 KeyIso; C:\Windows\SysWOW64\keyiso.dll [43520 2012-07-25] (Microsoft Corporation)
S3 KPSSVC; C:\Windows\system32\kpssvc.dll [171520 2012-07-25] (Microsoft Corporation)
R2 MSExchangeADTopology; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe [183016 2013-03-29] (Microsoft Corporation)
R2 MSExchangeAntispamUpdate; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe [34400 2013-03-29] (Microsoft Corporation)
R2 MSExchangeDelivery; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeDelivery.exe [36376 2013-03-29] (Microsoft Corporation)
R2 MSExchangeDiagnostics; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe [121960 2013-03-29] (Microsoft Corporation)
R2 MSExchangeEdgeSync; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.EdgeSyncSvc.exe [104600 2013-03-29] (Microsoft Corporation)
R2 MSExchangeFastSearch; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Search.Service.exe [30808 2013-03-29] (Microsoft Corporation)
R2 MSExchangeFrontEndTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe [29240 2013-03-29] (Microsoft Corporation)
R2 MSExchangeHM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMHost.exe [29200 2013-03-29] (Microsoft Corporation)
S3 MSExchangeImap4; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4Service.exe [30880 2013-03-29] (Microsoft Corporation)
S3 MSExchangeIMAP4BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Imap4Service.exe [30880 2013-03-29] (Microsoft Corporation)
R2 MSExchangeIS; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Store.Service.exe [31312 2013-03-29] (Microsoft Corporation)
R2 MSExchangeMailboxAssistants; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe [1263256 2013-03-29] (Microsoft Corporation)
R2 MSExchangeMailboxReplication; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe [27216 2013-03-29] (Microsoft Corporation)
S3 MSExchangePop3; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Pop3Service.exe [30872 2013-03-29] (Microsoft Corporation)
S3 MSExchangePOP3BE; C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\PopImap\Microsoft.Exchange.Pop3Service.exe [30872 2013-03-29] (Microsoft Corporation)
R2 MSExchangeRepl; C:\Program Files\Microsoft\Exchange Server\V15\bin\msexchangerepl.exe [70664 2013-03-29] (Microsoft Corporation)
R2 MSExchangeRPC; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.RpcClientAccess.Service.exe [36992 2013-03-29] (Microsoft Corporation)
R2 MSExchangeServiceHost; C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.ServiceHost.exe [39064 2013-03-29] (Microsoft Corporation)
R2 MSExchangeSubmission; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeSubmission.exe [60448 2013-03-29] (Microsoft Corporation)
R2 MSExchangeThrottling; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeThrottling.exe [46624 2013-03-29] (Microsoft Corporation)
R2 MSExchangeTransport; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransport.exe [79464 2013-03-29] (Microsoft Corporation)
R2 MSExchangeTransportLogSearch; C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeTransportLogSearch.exe [170048 2013-03-29] (Microsoft Corporation)
R2 MSExchangeUM; C:\Program Files\Microsoft\Exchange Server\V15\Bin\umservice.exe [106992 2013-03-29] (Microsoft Corporation)
R2 MSExchangeUMCR; C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\CallRouter\Microsoft.Exchange.UM.CallRouter.exe [30288 2013-03-29] (Microsoft Corporation)
R2 MSMQ; C:\Windows\system32\mqsvc.exe [25088 2012-07-25] (Microsoft Corporation)
R2 msoidsvc; C:\Program Files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [1380592 2013-04-29] (Microsoft Corp.)
R2 MSOnlineSyncScheduler; C:\Program Files\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe [22712 2013-06-21] ()
R2 MSSQL$MSONLINE; C:\Program Files\Microsoft SQL Server\MSSQL11.MSONLINE\MSSQL\Binn\sqlservr.exe [192000 2012-12-29] (Microsoft Corporation)
R2 Netlogon; C:\Windows\SysWOW64\netlogon.dll [634368 2012-07-25] (Microsoft Corporation)
R2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [794272 2012-08-21] (PC Tools)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [25088 2012-07-25] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [95232 2012-07-25] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\SysWOW64\RSoPProv.exe [83456 2012-07-25] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [15872 2012-07-25] (Microsoft Corporation)
R2 SearchExchangeTracing; C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Diagnostics\TraceService\sftracing.exe [116808 2013-03-29] (Microsoft Corporation)
S4 SQLAgent$MSONLINE; C:\Program Files\Microsoft SQL Server\MSSQL11.MSONLINE\MSSQL\Binn\SQLAGENT.EXE [612864 2012-12-29] (Microsoft Corporation)
R2 UALSVC; C:\Windows\System32\ualsvc.dll [241664 2012-07-25] (Microsoft Corporation)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [471552 2012-07-25] (Microsoft Corporation)
S2 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [10752 2012-07-25] (Microsoft Corporation)
S3 wsbexchange; C:\Program Files\Microsoft\Exchange Server\V15\bin\wsbexchange.exe [131576 2013-03-29] (Microsoft Corporation)
S3 MSExchangeMonitoring; "C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Monitoring.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 bfad; C:\Windows\System32\drivers\bfad.sys [1963760 2012-07-25] (Brocade Communications Systems, Inc.)
S0 bfadfcoe; C:\Windows\System32\drivers\bfadfcoe.sys [1964272 2012-07-25] (Brocade Communications Systems, Inc.)
S0 bxfcoe; C:\Windows\System32\drivers\bxfcoe.sys [186096 2012-07-25] (Broadcom Corporation)
S0 bxois; C:\Windows\System32\drivers\bxois.sys [564976 2012-07-25] (Broadcom Corporation)
R1 DwMirror; C:\Windows\system32\DRIVERS\DamewareMini.sys [5632 2008-03-13] (DameWare Development, LLC)
R1 dwvkbd; C:\Windows\system32\DRIVERS\dwvkbd64.sys [30720 2008-03-12] (DameWare)
S0 elxfcoe; C:\Windows\System32\drivers\elxfcoe.sys [699632 2012-07-25] (Emulex)
S3 fcvsc; C:\Windows\System32\drivers\fcvsc.sys [27648 2012-07-25] (Microsoft Corporation)
S0 ibbus; C:\Windows\System32\drivers\ibbus.sys [434928 2012-07-25] (Mellanox)
S0 mlx4_bus; C:\Windows\System32\drivers\mlx4_bus.sys [382704 2012-07-25] (Mellanox)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [185856 2012-07-25] (Microsoft Corporation)
S3 MsLbfoProvider; C:\Windows\system32\DRIVERS\MsLbfoProvider.sys [99840 2013-07-01] (Microsoft Corporation)
R3 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S4 RsFx0201; C:\Windows\System32\DRIVERS\RsFx0201.sys [336880 2012-10-20] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [94448 2012-07-25] (Microsoft Corporation)
S3 smbdirect; C:\Windows\System32\DRIVERS\smbdirect.sys [131072 2014-02-26] (Microsoft Corporation)
S0 WinMad; C:\Windows\System32\drivers\winmad.sys [27888 2012-07-25] (Mellanox)
S3 WinNat; C:\Windows\System32\drivers\winnat.sys [109056 2013-06-28] (Microsoft Corporation)
S0 WinVerbs; C:\Windows\System32\drivers\winverbs.sys [62192 2012-07-25] (Mellanox)
S3 wtlmdrv; C:\Windows\System32\drivers\wtlmdrv.sys [31232 2012-07-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-03 10:53 - 2014-09-03 10:54 - 00000000 ____D () C:\FRST
2014-09-03 08:53 - 2014-09-03 08:53 - 00000000 ____D () C:\Users\msdadmin\ExchangeLanguagePack
2014-08-28 08:51 - 2014-08-28 08:51 - 00000000 ____D () C:\Users\msdadmin\AppData\Roaming\Wireshark
2014-08-27 14:13 - 2014-08-27 14:13 - 00001549 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2014-08-27 14:13 - 2014-08-27 14:13 - 00001537 _____ () C:\Users\Public\Desktop\Wireshark.lnk
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\Program Files\Wireshark
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\Program Files (x86)\WinPcap
2014-08-18 10:39 - 2014-08-18 10:39 - 00001062 __RSH () C:\Users\msdadmin\ntuser.pol
2014-08-16 02:27 - 2014-08-01 17:15 - 00704480 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-08-16 02:27 - 2014-08-01 17:15 - 00105440 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-08-16 02:01 - 2014-07-15 15:51 - 00071168 _____ (Microsoft Corporation) C:\windows\system32\Drivers\hdaudbus.sys
2014-08-16 02:01 - 2014-06-10 15:44 - 00035480 _____ (Microsoft Corporation) C:\windows\system32\TsWpfWrp.exe
2014-08-16 02:01 - 2014-06-10 15:43 - 00035480 _____ (Microsoft Corporation) C:\windows\SysWOW64\TsWpfWrp.exe
2014-08-15 11:25 - 2014-06-17 16:27 - 01440256 _____ (Microsoft Corporation) C:\windows\SysWOW64\osk.exe
2014-08-15 11:25 - 2014-06-17 16:24 - 01557504 _____ (Microsoft Corporation) C:\windows\system32\osk.exe
2014-08-15 11:25 - 2014-06-06 07:06 - 00596480 _____ (Microsoft Corporation) C:\windows\system32\qedit.dll
2014-08-15 11:25 - 2014-06-06 03:17 - 00497152 _____ (Microsoft Corporation) C:\windows\SysWOW64\qedit.dll
2014-08-15 11:25 - 2014-05-29 15:24 - 00576512 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2014-08-15 11:24 - 2014-07-24 05:11 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-08-15 11:24 - 2014-07-24 05:10 - 02240000 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-08-15 11:24 - 2014-07-24 05:10 - 01407488 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-08-15 11:24 - 2014-07-24 05:10 - 00915968 _____ (Microsoft Corporation) C:\windows\system32\uxtheme.dll
2014-08-15 11:24 - 2014-07-24 05:10 - 00053760 _____ (Microsoft Corporation) C:\windows\system32\UXInit.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 19279872 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 15399936 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 02655232 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 01508864 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-08-15 11:24 - 2014-07-24 05:09 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00451584 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00281600 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00255488 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00197120 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00097280 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00053760 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-08-15 11:24 - 2014-07-24 05:09 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-08-15 11:24 - 2014-07-24 03:52 - 01766400 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-08-15 11:24 - 2014-07-24 03:52 - 01180672 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-08-15 11:24 - 2014-07-24 03:52 - 00044032 _____ (Microsoft Corporation) C:\windows\SysWOW64\UXInit.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 14371328 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 13757440 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 02861568 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 02054656 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 01440768 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-08-15 11:24 - 2014-07-24 03:51 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00357888 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00226816 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00226816 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00163840 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00080384 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00039936 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-08-15 11:24 - 2014-07-24 03:51 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-08-15 11:24 - 2014-07-24 03:33 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-08-15 11:24 - 2014-07-24 03:29 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-08-15 11:24 - 2014-07-24 01:03 - 00534528 _____ (Microsoft Corporation) C:\windows\SysWOW64\uxtheme.dll
2014-08-15 11:24 - 2014-07-15 16:03 - 01300992 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2014-08-15 11:24 - 2014-07-15 15:55 - 04035072 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-08-15 11:24 - 2014-07-11 19:36 - 01023488 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2014-08-15 11:24 - 2014-06-19 16:35 - 01312768 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2014-08-15 11:24 - 2014-06-19 15:24 - 00694272 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2014-08-15 11:24 - 2014-06-12 18:57 - 01453400 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2014-08-15 11:24 - 2014-06-12 18:55 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\cdd.dll
2014-08-15 11:24 - 2014-06-05 10:56 - 00112984 _____ (Microsoft Corporation) C:\windows\system32\consent.exe
2014-08-15 11:24 - 2014-06-05 10:30 - 10116608 _____ (Microsoft Corporation) C:\windows\system32\twinui.dll
2014-08-15 11:24 - 2014-06-05 10:29 - 02885632 _____ (Microsoft Corporation) C:\windows\system32\msi.dll
2014-08-15 11:24 - 2014-06-05 10:29 - 00393216 _____ (Microsoft Corporation) C:\windows\system32\msihnd.dll
2014-08-15 11:24 - 2014-06-05 10:28 - 02306560 _____ (Microsoft Corporation) C:\windows\system32\authui.dll
2014-08-15 11:24 - 2014-06-05 10:28 - 02146304 _____ (Microsoft Corporation) C:\windows\system32\actxprxy.dll
2014-08-15 11:24 - 2014-06-05 06:12 - 08857600 _____ (Microsoft Corporation) C:\windows\SysWOW64\twinui.dll
2014-08-15 11:24 - 2014-06-05 06:11 - 02416128 _____ (Microsoft Corporation) C:\windows\SysWOW64\msi.dll
2014-08-15 11:24 - 2014-06-05 06:11 - 00295424 _____ (Microsoft Corporation) C:\windows\SysWOW64\msihnd.dll
2014-08-15 11:24 - 2014-06-05 06:10 - 02037760 _____ (Microsoft Corporation) C:\windows\SysWOW64\authui.dll
2014-08-15 11:24 - 2014-06-05 06:10 - 00754176 _____ (Microsoft Corporation) C:\windows\SysWOW64\actxprxy.dll
2014-08-15 11:24 - 2014-06-02 15:33 - 00265216 _____ (Microsoft Corporation) C:\windows\system32\InkEd.dll
2014-08-15 11:24 - 2014-05-28 21:04 - 00094552 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mountmgr.sys
2014-08-15 11:24 - 2014-05-07 18:34 - 00328024 _____ (Microsoft Corporation) C:\windows\system32\Drivers\Classpnp.sys
2014-08-15 11:23 - 2014-05-29 16:31 - 00452608 _____ (Microsoft Corporation) C:\windows\SysWOW64\SHCore.dll
2014-08-15 11:23 - 2014-05-29 16:03 - 00588288 _____ (Microsoft Corporation) C:\windows\system32\SHCore.dll
2014-08-15 11:23 - 2014-05-29 16:02 - 01281536 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-08-15 11:23 - 2014-05-29 16:02 - 00439808 _____ (Microsoft Corporation) C:\windows\system32\lsm.dll
2014-08-06 09:09 - 2014-08-06 09:09 - 00012578 __RSH () C:\ProgramData\ntuser.pol

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-03 10:54 - 2014-09-03 10:53 - 00000000 ____D () C:\FRST
2014-09-03 10:36 - 2013-07-05 15:52 - 00000910 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-03 10:05 - 2013-06-24 11:21 - 00000152 _____ () C:\windows\system32\config\netlogon.ftl
2014-09-03 09:18 - 2013-06-21 10:22 - 01203978 _____ () C:\windows\WindowsUpdate.log
2014-09-03 08:53 - 2014-09-03 08:53 - 00000000 ____D () C:\Users\msdadmin\ExchangeLanguagePack
2014-09-03 08:53 - 2013-06-24 11:28 - 00000000 ____D () C:\Users\msdadmin
2014-09-03 07:00 - 2014-01-24 10:56 - 00000492 _____ () C:\windows\Tasks\ShadowCopyVolume{2847f04f-3537-11e3-942d-806e6f6e6963}.job
2014-09-03 07:00 - 2014-01-24 10:55 - 00000492 _____ () C:\windows\Tasks\ShadowCopyVolume{2847f051-3537-11e3-942d-806e6f6e6963}.job
2014-09-03 06:43 - 2013-07-11 09:17 - 00007635 _____ () C:\Users\msdadmin\AppData\Local\Resmon.ResmonCfg
2014-09-02 22:36 - 2013-07-05 15:52 - 00000906 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-02 18:13 - 2012-07-26 00:21 - 03347626 _____ () C:\windows\system32\PerfStringBackup.INI
2014-09-02 18:00 - 2013-07-08 06:53 - 00000000 ____D () C:\windows\system32\CertLog
2014-09-02 18:00 - 2013-06-21 10:30 - 00000000 ____D () C:\windows\system32\msmq
2014-09-02 18:00 - 2012-07-26 01:04 - 00000000 ____D () C:\windows\system32\inetsrv
2014-08-31 08:39 - 2013-07-05 15:53 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-08-28 08:51 - 2014-08-28 08:51 - 00000000 ____D () C:\Users\msdadmin\AppData\Roaming\Wireshark
2014-08-28 02:00 - 2012-07-26 00:50 - 00000000 ____D () C:\windows\CbsTemp
2014-08-27 14:13 - 2014-08-27 14:13 - 00001549 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2014-08-27 14:13 - 2014-08-27 14:13 - 00001537 _____ () C:\Users\Public\Desktop\Wireshark.lnk
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\Program Files\Wireshark
2014-08-27 14:13 - 2014-08-27 14:13 - 00000000 ____D () C:\Program Files (x86)\WinPcap
2014-08-27 14:05 - 2013-07-08 09:54 - 00000000 ____D () C:\Users\msdadmin\Desktop\Certificates
2014-08-18 10:44 - 2013-07-05 18:41 - 00003598 _____ () C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3310774822-2600404569-3618726309-1535
2014-08-18 10:39 - 2014-08-18 10:39 - 00001062 __RSH () C:\Users\msdadmin\ntuser.pol
2014-08-18 10:39 - 2013-07-14 19:34 - 00000316 _____ () C:\windows\Tasks\RMAutoUpdate.job
2014-08-18 10:39 - 2013-07-02 11:06 - 00000000 ____D () C:\ProgramData\TEMP
2014-08-16 02:51 - 2012-07-26 01:04 - 00000000 ____D () C:\windows\rescache
2014-08-16 02:25 - 2012-07-26 00:14 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-08-16 02:22 - 2012-07-26 01:04 - 00000000 ___RD () C:\windows\ToastData
2014-08-16 02:22 - 2012-07-26 01:04 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-08-16 02:22 - 2012-07-26 01:04 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-08-16 02:22 - 2012-07-25 22:26 - 00008192 ___SH () C:\windows\system32\config\BBI
2014-08-16 02:11 - 2013-07-13 13:24 - 00000000 ____D () C:\windows\system32\MRT
2014-08-06 09:09 - 2014-08-06 09:09 - 00012578 __RSH () C:\ProgramData\ntuser.pol

Some content of TEMP:
====================
C:\Users\msdadmin\AppData\Local\Temp\sfamcc00001.dll
C:\Users\msdadmin\AppData\Local\Temp\sfamcc00002.dll
C:\Users\msdadmin\AppData\Local\Temp\sfareca00001.dll
C:\Users\msdadmin\AppData\Local\Temp\sfareca00002.dll
C:\Users\msdadmin\AppData\Local\Temp\sfextra.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-08-28 03:00

==================== End Of Log ============================