Services.exe shows infected by ComboFix


This topic is locked.
12 replies to this topic

#1 george_d

  • Members
  • 31 posts

Posted 25 June 2012 - 11:55 PM

Lenovo Laptop running Windows 7 Home Premium.

DHCP services were disabled because of missing dependencies. Worked through blogs to correct that problem. DHCP services now working. In running ComboFix, services.exe shows infected. ComboFix shows that it's restored. But running ComboFix again shows it as infected, restored, etc.

Any assistance would be appreciated.

George_d



#2 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Location:The Netherlands

Posted 29 June 2012 - 04:18 AM

Hello George_d,

Welcome to the forum.

Please let me know if you still need assistance. In that case please give me a short description of the current condition of your computer.

#3 george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 01 July 2012 - 08:34 AM

Yes, I do need assistance.

After multiple bouts with infections, which included a virus that corrupted and turned off the DHCP client, the laptop now boots, leases an IP address, and appears to operate OK.

However, after I thought everything was OK, I decided to run ComboFix one last time to ensure that everything reported clean. When I ran ComboFix it showed that services.exe continued to be infected and that it had successfully replaced it. I decided to run it again to get a clean report. The next time I ran ComboFix it said a different component was infected (userinit?) and that it had been successfully replaced. The third time I ran ComboFix (hoping again for a clean scan) it said that services.exe was infected (again) and that it had corrected that (again). It appears that the laptop is infected at a level beyond what ComboFix can resolve. What should I do next to ensure that my machine is clean?

Thanks for your help.

George_d

Edited by george_d, 01 July 2012 - 08:42 AM.


#4 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Location:The Netherlands

Posted 01 July 2012 - 11:01 AM

Good description.

Please refrain from running any tool or making any change to the system from now on unless you decide you can do it on your own. I will inform you when we are done.

For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

#5 george_d
  • Topic Starter

  • Members
  • 31 posts

Posted 01 July 2012 - 03:08 PM

Here is the frst.txt...

Scan result of Farbar Recovery Scan Tool Version: 01-07-2012
Ran by SYSTEM at 01-07-2012 15:02:46
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet003

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11772520 2011-01-04] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2538280 2010-12-22] (Synaptics Incorporated)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [9769888 2011-09-15] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [5908928 2011-09-15] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo EE Boot Optimizer] C:\Program Files (x86)\Lenovo\Boot Optimizer\PopWnd.exe [114688 2011-09-15] (Lenovo)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [170264 2012-03-19] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [398616 2012-03-19] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [439064 2012-03-19] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [332BigDog] C:\Program Files (x86)\USB Camera2\VM332_STI.EXE [536576 2010-01-19] (Vimicro)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [407920 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [202096 2010-11-05] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\EgisTec BioExcess\EgisTSR.exe /run [383344 2010-12-13] (Egis Technology Inc. )
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35760 2010-09-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [932288 2010-09-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PLTSR] "C:\Program Files (x86)\EgisTec Port Locker\EgisPLTSR.exe" [364400 2010-10-22] (Egis Technology Inc. )
HKLM-x32\...\Run: [VeriFaceManager] C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [329056 2011-09-15] (Lenovo)
HKLM-x32\...\Run: [YouCam Mirage] "C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe" [136488 2010-12-24] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] "C:\Program Files (x86)\Lenovo\YouCam\YouCam.exe" /s [224352 2010-12-24] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\5.0" [222504 2010-07-26] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\OneKey Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\OneKey Recovery" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery" [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [495616 2011-03-08] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [856064 2011-03-08] (SEIKO EPSON CORPORATION)
HKU\Ken Fischer\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-09-15] (Google Inc.)
HKU\Ken Fischer\...\Run: [EPLTarget\P0000000000000000] C:\windows\system32\spool\DRIVERS\x64\3\E_YATIHWA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 545" [239488 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\Ken Fischer\...\Run: [EPLTarget\P0000000000000001] C:\windows\system32\spool\DRIVERS\x64\3\E_YATIHWA.EXE /EPT "EPLTarget\P0000000000000001" /M "WorkForce 545" [239488 2011-04-24] (SEIKO EPSON CORPORATION)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Ken Fischer\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk
ShortcutTarget: Epson all-in-one Registration.lnk -> (No File)

==================== Services (Whitelisted) ======

3 cphs; C:\Windows\SysWow64\IntelCpHeciSvc.exe [276248 2012-03-19] (Intel Corporation)
2 EgisTec Service; "C:\Program Files (x86)\EgisTec BioExcess\EgisService.exe" [703856 2010-12-13] (Egis Technology Inc. )
2 EgisTec Service Help; "C:\Program Files (x86)\EgisTec Port Locker\Egishlpsvc.exe" [327024 2010-10-22] (Egis Technology Inc. )
2 EgisTec Ticket Service; "C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe" [650096 2010-12-13] (Egis Technology Inc. )
2 EpsonCustomerParticipation; "C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe" [555392 2011-06-09] (SEIKO EPSON CORPORATION)
2 EPSON_PM_RPCV4_05; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE [136576 2011-04-24] (SEIKO EPSON CORPORATION)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 ACPIVPC; C:\Windows\System32\Drivers\ACPIVPC.sys [29792 2011-09-15] (Lenovo Corporation)
1 BPntDrv; C:\Windows\System32\Drivers\BPntDrv.sys [13408 2011-09-15] (Lenovo)
3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [31088 2010-12-24] (CyberLink Corporation)
1 EgisTecFF; C:\Windows\System32\Drivers\EgisTecFF.sys [55880 2011-09-15] (Egis Technology Inc.)
0 fbfmon; C:\Windows\System32\Drivers\fbfmon.sys [57952 2011-09-15] (Lenovo)
2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [35952 2010-10-31] (Egis Technology Inc.)
0 LHDmgr; C:\Windows\System32\DRIVERS\LhdX64.sys [39008 2011-09-15] (Lenovo.)
3 RSUSBVSTOR; C:\Windows\System32\Drivers\RtsUVStor.sys [307304 2010-11-29] (Realtek Semiconductor Corp.)
3 vm2uvcflt; C:\Windows\System32\Drivers\vm2uvcflt.sys [15056 2010-09-21] (Vimicro Corporation)
3 vm332avs; C:\Windows\System32\Drivers\vm332avs.sys [234960 2011-02-14] (Vimicro Corporation)
3 wsvd; C:\Windows\System32\Drivers\wsvd.sys [121840 2009-07-21] (CyberLink)
3 BcmSqlStartupSvc; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
2 CLKMSVC10_3A60B698; [x]
2 CLKMSVC10_C3B3B687; [x]
2 DriverService; [x]
2 IAStorDataMgrSvc; [x]
2 iATAgentService; [x]
2 idealife Update Service; [x]
3 IGRS; [x]
2 IviRegMgr; [x]
2 nvUpdatusService; [x]
2 Oasis2Service; [x]
2 PCCarerService; [x]
2 ReadyComm.DirectRouter; [x]
2 RichVideo; [x]
2 RtLedService; [x]
2 SeaPort; [x]
2 SoftwareService; [x]
3 SQLWriter; [x]
2 Stereo Service; [x]

========================== NetSvcs (Whitelisted) ===========


2012-04-23 21:37 - 2012-06-18 17:09 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 21:37 - 2012-06-18 17:09 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 21:37 - 2012-06-18 17:09 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 20:36 - 2012-06-18 17:09 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 20:36 - 2012-06-18 17:09 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 20:36 - 2012-06-18 17:09 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-23 08:24 - 2012-04-23 08:19 - 00020480 ____A C:\Users\Ken Fischer\Documents\New Leaf Expense Report Robert Garcia.xls
2012-04-07 04:31 - 2012-06-18 17:09 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-04-07 03:26 - 2012-06-18 17:09 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-04-05 05:50 - 2012-04-05 05:14 - 00013275 ____A C:\Users\Ken Fischer\Documents\Legacy Village Wish List.xlsx
2012-04-04 12:56 - 2012-06-18 18:08 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 4010.14 MB
Available physical RAM: 3395.56 MB
Total Pagefile: 4008.34 MB
Available Pagefile: 3393.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:421.81 GB) (Free:389.24 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:29 GB) (Free:26.8 GB) NTFS
4 Drive g: () (Removable) (Total:0.95 GB) (Free:0.95 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 977 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 1024 KB
Partition 2 Primary 421 GB 201 MB
Partition 0 Extended 28 GB 422 GB
Partition 4 Logical 28 GB 422 GB
Partition 3 OEM 14 GB 451 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y NTFS Partition 200 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 421 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D LENOVO NTFS Partition 28 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 LENOVO_PART NTFS Partition 14 GB Healthy Hidden

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 976 MB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 976 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-01 11:54

======================= End Of Log ==========================
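
The "Bamital & volsnap Check" above compares the MD5 of a handful of boot-critical binaries with known-good values. The following script is an added example, not part of the original post and not FRST's own code: it repeats the same idea on a Windows 7 x64 machine without a hash database, by looking for a byte-identical copy of each file among the component-store copies Windows keeps under WinSxS. System32 files are normally hard links into that store, so a live file that matches none of the copies there has been altered in place (which is exactly what a patched services.exe would look like). It assumes an elevated PowerShell 2.0 or later prompt, the standard `%SystemRoot%\winsxs` layout, and the file list is copied from the FRST section above.

```powershell
# Added example, not part of the original post and not FRST's own code.
# Hash each critical binary and look for a byte-identical copy among the
# component-store copies Windows keeps under WinSxS. Assumes an elevated
# PowerShell (2.0 or later) prompt on Windows 7 x64; the file list mirrors
# the files FRST hashed in the "Bamital & volsnap Check" section.
$files = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

$md5 = [System.Security.Cryptography.MD5]::Create()

function Get-Md5Hex([string]$Path) {
    # Stream the file rather than reading it into memory. MD5 is used only
    # because that is what the FRST log reports, not as a security primitive.
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

# Walk WinSxS once and collect the hashes of every copy of the names we care about.
$known = @{}
foreach ($f in $files) { $known[[System.IO.Path]::GetFileName($f).ToLower()] = @() }

Get-ChildItem -Path "$env:SystemRoot\winsxs" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $known.ContainsKey($_.Name.ToLower()) } |
    ForEach-Object { $known[$_.Name.ToLower()] += Get-Md5Hex $_.FullName }

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        "{0,-48} MISSING" -f $f
        continue
    }
    $live = Get-Md5Hex $f
    $name = [System.IO.Path]::GetFileName($f).ToLower()
    if ($known[$name] -contains $live) {
        $verdict = "matches a WinSxS copy"
    } else {
        # No shipped version of this file has these bytes: inspect it before
        # trusting the machine (compare with a clean install, check the
        # Authenticode signature, or run sfc /verifyonly).
        $verdict = "NO WinSxS MATCH - inspect this file"
    }
    "{0,-48} {1}  {2}" -f $f, $live, $verdict
}
```

A match only says "this is a version Microsoft shipped to this machine", which is the same statement FRST's "MD5 is legit" makes; it does not prove the running process is clean if something injects into it later. The built-in `sfc /verifyonly` performs a broader version of the same check against the component store, and is the natural follow-up when a file is reported with no match.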

#6 Farbar

Posted 01 July 2012 - 03:44 PM

Both userinit.exe and services.exe are legit.

There is no sign of any malware on the computer.

I suggest downloading the latest ComboFix, renaming combofix.exe to uninstall.exe, then double-clicking it to run it. It will uninstall ComboFix.

Please tell me when you have done so, and then we will run another scanner to make sure nothing is left behind.

#7 george_d

Posted 01 July 2012 - 09:20 PM

Combofix shows as uninstalled.

#8 Farbar

Posted 02 July 2012 - 03:13 AM

Good. We now run a scanner to check the whole system and make sure nothing is left behind.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista and Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here, then click on the scan button shown on the page.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use, then click on the button to continue.
  • When prompted, allow the Add-On/ActiveX to install.
  • Make sure that the options Remove found threats and Scan archives are checked.
  • Now click on Advanced Settings and select the following:
  • Enable Anti-Stealth Technology
  • Now click on the button to start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on the button to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your anti-virus application after running the above scan!


#9 george_d

Posted 02 July 2012 - 03:01 PM

Here is the Eset log which shows clean.

That kind of begs the question: was ComboFix reporting a false positive before when it twice told me that services.exe was infected?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Anything else to do except put this laptop back into service? BTW, is there a PayPal account to which I can give you a contribution?

Your help is very much appreciated.

George_d

#10 Farbar

Posted 02 July 2012 - 03:28 PM

This is good, as we expected. :thumbup2:

was ComboFix reporting a false positive before when it twice told me that services.exe was infected?

This question probably could only be answered by the developer of ComboFix, as nobody else knows the internal workings of ComboFix as well as the developer does. So anything from my part would be speculation.

In any case, when we ran FRST, services.exe and userinit.exe were both clean. They could have been infected before. If you had asked this question before, I could have taken a look at the ComboFix Quarantine folder to see if anything was removed.

is there a paypal account that I can give you a contribution?

Please see here: http://www.bleepingcomputer.com/download/publisher/farbar/

Anything else to do except to put this laptop back into service?

You have already run Malwarebytes. Let's take a look at the installed programs for possible vulnerabilities.

Please download MiniToolBox and save it to your desktop and run it.

Check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List Winsock Entries
  • List installed programs.
  • List Devices (only check the box and leave the default radio button as it is).
Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.


#11 george_d

Posted 02 July 2012 - 08:28 PM

Here are the results from MiniToolBox...

MiniToolBox by Farbar Version: 25-06-2012
Ran by Ken Fischer (administrator) on 02-07-2012 at 20:26:13
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Reader 9.4.0 (Version: 9.4.0)
Best Buy pc app (Version: 3.2.0.0)
Best Buy pc app (Version: 3.2.420.5)
BioExcess (Version: 7.0.67.0)
CCleaner (Version: 3.20)
CyberLink YouCam (Version: 3.1.3623)
D3DX10 (Version: 15.4.2368.0902)
EgisTec ES603 WDM Driver (Version: 3.0.10.4)
Energy Management (Version: 6.0.2.1)
Epson Connect
Epson Customer Participation (Version: 1.0.0.0)
Epson Download Navigator (Version: 1.0.1)
Epson Event Manager (Version: 2.50.0001)
Epson FAX Utility (Version: 1.20.00)
EPSON Scan
EPSON WorkForce 545 Series Printer Uninstall
EpsonNet Print (Version: 2.4j)
ESET Online Scanner v3
Google Chrome (Version: 19.0.1084.56)
Google Earth Plug-in (Version: 6.2.2.6613)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.3.2710.138)
Google Update Helper (Version: 1.3.21.111)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Management Engine Components (Version: 7.0.0.1144)
Intel® Processor Graphics (Version: 8.15.10.2342)
Intel® Rapid Storage Technology (Version: 10.1.5.1001)
Junk Mail filter update (Version: 15.4.3502.0922)
Lenovo EasyCamera (Version: 1.11.0209.1)
Lenovo EE Boot Optimizer (Version: 0.0.1.6)
Lenovo OneKey Recovery (Version: 7.0.1628)
Lenovo Security Suite (Version: 2.0.11.0)
Lenovo_Wireless_Driver (Version: 1.02.01)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Security Client (Version: 4.0.1526.0)
Microsoft Security Essentials (Version: 4.0.1526.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
Port Locker (Version: 1.0.5.24)
Power2Go (Version: 5.6.0.7303)
Realtek Ethernet Controller Driver For Windows 7 (Version: 7.21.531.2010)
Realtek High Definition Audio Driver (Version: 6.0.1.6282)
Realtek USB 2.0 Reader Driver (Version: 6.1.7600.10008)
Synaptics Pointing Device Driver (Version: 15.2.7.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687267) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VeriFace (Version: 4.0.0.1224)
Windows Driver Package - Lenovo (ACPIVPC) System (12/02/2010 6.1.0.1) (Version: 12/02/2010 6.1.0.1)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3538.0513)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3538.0513)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)

========================= Devices: ================================


**** End of log ****
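
The MiniToolBox report above is read by hand: the hosts file should contain nothing beyond localhost, the proxy should be off, and every Winsock provider should be a Microsoft file. The script below is an added example, not part of the original thread and not MiniToolBox's own code. It splits a report into its `==== Section ====` blocks and returns the entries a helper would look at twice. `SAMPLE_REPORT` is constructed for this example: it takes a few lines from the report posted above and adds one hosts entry and one Winsock entry that are NOT in the real report, so that a hit is visible. The line layout it parses (`CatalogN index path [size] (publisher)`) is taken from the report above and assumed to be stable.

```python
"""Triage the network-related sections of a MiniToolBox report.

Added example, not part of the original thread and not MiniToolBox's own
code. It returns hosts entries that point anywhere other than the local
names, whether a proxy is switched on, and Winsock (LSP/namespace) providers
whose file carries no Microsoft publisher string. SAMPLE_REPORT is
constructed: a few lines are copied from the posted report and one hosts
entry plus one Winsock entry that are NOT in the real report are added.
"""
import re

SAMPLE_REPORT = r"""
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 www.example-av-vendor.test

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Users\Public\lsphelper.dll [18944] ()

=========================== Installed Programs ============================
"""

# "====== Title: ======" section headers; the colon is optional in the report.
HEADER = re.compile(r"^=+\s*(.*?):?\s*=+$")
# e.g. "x64-Catalog5 08 C:\path\file.dll [171392] (Microsoft Corp.)"
WINSOCK = re.compile(r"^(x64-)?(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(\d+)\]\s+\((.*)\)$")
MS_PUBLISHERS = {"microsoft corporation", "microsoft corp."}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def split_sections(report):
    """Map lower-cased section title -> list of its non-blank lines."""
    sections, current = {}, None
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def suspicious_hosts(lines):
    """Hosts entries that map something other than the local names."""
    hits = []
    for line in lines:
        body = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        hits.extend((ip, n) for n in names if n.lower() not in LOCAL_NAMES)
    return hits


def proxy_enabled(lines):
    """True unless the report states outright that no proxy is enabled."""
    return "proxy is not enabled" not in " ".join(lines).lower()


def suspicious_winsock(lines):
    """Winsock providers whose file has no Microsoft publisher string."""
    hits = []
    for line in lines:
        m = WINSOCK.match(line)
        if not m:
            hits.append((line, "unparsed entry"))   # never silently skip
            continue
        path, publisher = m.group(4), m.group(6).strip()
        if publisher.lower() not in MS_PUBLISHERS:
            hits.append((path, publisher or "no publisher"))
    return hits


def triage(report):
    s = split_sections(report)
    return {
        "hosts": suspicious_hosts(s.get("hosts content", [])),
        "proxy_enabled": proxy_enabled(s.get("ie proxy settings", [])),
        "winsock": suspicious_winsock(s.get("winsock entries", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, "->", value)
```

Run against the report posted above, the script returns no hosts hits, `proxy_enabled` False and no Winsock hits, which is the same conclusion the thread reached. A third-party LSP with a real publisher string will be flagged too; that is a review item, not proof of infection. When a provider does turn out to be hostile, `netsh winsock reset` rebuilds the catalog rather than editing it by hand.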

#12 Farbar

Posted 03 July 2012 - 02:29 AM

Everything looks good and you are good to go. :thumbup2:

  • Please delete FRST tool as we don't need it any more. Also go to C:\FRST and delete the entire FRST folder.
  • You may delete any tool or log we used from your computer.
  • Remove the old restore points and create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Setting a new restore point AFTER cleaning your system will enable your computer to "roll back" to a clean working state if needed:
  • Go to Start => Right-click "Computer" and select "Properties".
  • In the left pane select "System Protection".
  • Press "Configure".
  • Select "Delete". Then press "Continue" close and "OK".
  • Select your drive (drive C) and press "Create".
    Fill in a name for the restore point and press "Create".
    After finished press "Close".
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.
Happy surfing george_d :)

#13 Farbar

Posted 09 July 2012 - 03:07 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a Private Message and I will reopen it for you.

If you should have a new issue, please start a new topic.

Everyone else should start a new topic.



