
Infection support elevation; Rootkit problem


23 replies to this topic

#1 Hunting.Targ
Members, 50 posts. Location: California, USA.

Posted 28 June 2013 - 08:28 PM

Previous action history and logs on this issue can be found here. The MalwareBytes' Anti-Rootkit Tool log should illuminate the issue (second to last log).

 

DDS log and attach log attachment follow.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by Kari at 18:04:55 on 2013-06-28
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1918.917 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Malwarebytes\MWB\Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes\MWB\Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Malwarebytes\MWB\Anti-Malware\mbamgui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\SAMSUNG\Kies\KiesTrayAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SAMSUNG\Kies\Kies.exe
C:\Program Files\SAMSUNG\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k WindowsMobile
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - c:\program files\nuance\pdfviewerplus\bin\PlusIEContextMenu.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CatcherBHO Class: {9B4DF450-DCC7-4B07-935D-0CD757A64583} - c:\program files\moyea\youtube flv downloader pro\MoyeaCatcher.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: TSToolbarBHO: {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Transaction Protector: {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
uRun: [KiesAirMessage] c:\program files\samsung\kies\KiesAirMessage.exe -startup
uRun: [] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Conime] c:\windows\system32\conime.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Open with PDF Viewer Plus - c:\program files\nuance\pdfviewerplus\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{51528C4F-16C1-4022-82DB-286A6F480975} : DHCPNameServer = 192.168.1.254
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\27.0.1453.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kari\appdata\roaming\mozilla\firefox\profiles\atszm9jw.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.startpage.com/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\0\NP_wtapp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2013-06-19 19:00; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
FF - ExtSQL: !HIDDEN! 2009-07-01 08:50; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-6-19 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-6-19 175176]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-6-19 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-6-19 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-6-19 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-6-19 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-6-19 46808]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes\mwb\anti-malware\mbamscheduler.exe [2013-6-27 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes\mwb\anti-malware\mbamservice.exe [2013-6-27 701512]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-3-10 37344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-6-27 22856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-3-10 233472]
S2 gupdate1c9dd772928b470;Google Update Service (gupdate1c9dd772928b470);c:\program files\google\update\GoogleUpdate.exe [2009-5-25 133104]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-5-21 83864]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-30 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\futuremark\futuremark systeminfo\FMSISvc.exe [2013-6-13 137488]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 massfilter_hs;HS HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2013-4-24 15896]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-12-11 21280]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-5-21 181912]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 zghsdiag;ZTE General Handset Diagnostic Port;c:\windows\system32\drivers\zghsdiag.sys [2013-4-24 113688]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;c:\windows\system32\drivers\zghsmdm.sys [2013-4-24 113688]
S3 zghsnmea;ZTE General Handset NMEA Port;c:\windows\system32\drivers\zghsnmea.sys [2013-4-24 113688]
S4 g7bs_device;g7bs_device;c:\windows\system32\g7bscoms.exe -service --> c:\windows\system32\g7bscoms.exe -service [?]
S4 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2009-8-27 144672]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-06-28 04:01:34    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-06-28 03:56:09    7068072    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{ba92e5aa-d018-4585-ba9c-90cd9816791b}\mpengine.dll
2013-06-28 03:18:00    --------    d-----w-    c:\users\kari\appdata\roaming\Malwarebytes
2013-06-28 03:17:24    --------    d-----w-    c:\programdata\Malwarebytes
2013-06-28 03:17:23    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-06-28 03:17:23    --------    d-----w-    c:\program files\Malwarebytes
2013-06-27 03:50:44    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-27 03:11:34    7068072    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-26 22:03:20    263576    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-06-20 02:01:17    770344    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-06-20 02:01:17    49376    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-06-20 02:01:17    175176    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-06-20 02:01:14    66336    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-06-20 02:00:09    41664    ----a-w-    c:\windows\avastSS.scr
2013-06-20 01:58:49    --------    d-----w-    c:\program files\AVAST Software
2013-06-20 01:57:25    --------    d-----w-    c:\programdata\AVAST Software
2013-06-18 23:28:20    3603832    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-06-18 23:28:18    3551096    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-06-16 06:21:20    914792    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-06-16 06:21:19    31232    ----a-w-    c:\windows\system32\drivers\tcpipreg.sys
2013-06-16 06:21:13    985600    ----a-w-    c:\windows\system32\crypt32.dll
2013-06-16 06:21:13    98304    ----a-w-    c:\windows\system32\cryptnet.dll
2013-06-16 06:21:13    812544    ----a-w-    c:\windows\system32\certutil.exe
2013-06-16 06:21:13    133120    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-06-16 06:21:12    41984    ----a-w-    c:\windows\system32\certenc.dll
2013-06-16 06:21:05    443904    ----a-w-    c:\windows\system32\win32spl.dll
2013-06-16 06:21:05    37376    ----a-w-    c:\windows\system32\printcom.dll
2013-06-16 06:20:58    24576    ----a-w-    c:\windows\system32\cryptdlg.dll
2013-06-15 02:54:21    26840    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2013-06-15 02:53:09    --------    d-----w-    c:\program files\iPod
2013-06-15 02:53:05    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-15 02:53:05    --------    d-----w-    c:\program files\iTunes
2013-06-15 01:58:50    724464    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{0cd90168-2321-4d4e-b16a-a6fa7a0290b9}\gapaengine.dll
2013-06-13 19:29:39    --------    d-----w-    c:\programdata\Futuremark
2013-06-13 19:27:44    --------    d-----w-    c:\program files\Futuremark
2013-06-13 09:10:58    --------    d-----w-    c:\users\kari\appdata\local\Proxure
2013-06-13 09:08:51    --------    d-----w-    c:\programdata\ClubSanDisk
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-06-06 02:07:58    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin.dll
2013-06-01 22:58:25    0    ----a-w-    c:\windows\system32\RENB30A.tmp
2013-06-01 22:58:25    0    ----a-w-    c:\windows\system32\RENB309.tmp
2013-06-01 22:58:25    0    ----a-w-    c:\windows\system32\RENB308.tmp
.
==================== Find3M  ====================
.
2013-06-27 03:50:32    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-27 03:50:32    789416    ----a-w-    c:\windows\system32\deployJava1.dll
2013-06-15 01:54:13    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-15 01:54:13    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-16 22:39:39    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-05-16 22:28:26    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-05-16 22:27:30    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-05-16 22:21:37    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-05-16 22:20:30    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-05-16 22:16:57    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-05-02 09:06:08    238872    ------w-    c:\windows\system32\MpSigStub.exe
2013-05-01 10:59:12    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59:12    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2013-04-15 14:20:04    638328    ----a-w-    c:\windows\system32\drivers\dxgkrnl.sys
2013-04-13 10:56:44    37376    ----a-w-    c:\windows\system32\cdd.dll
2013-04-09 01:36:18    2049024    ----a-w-    c:\windows\system32\win32k.sys
2013-04-03 07:58:16    83864    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-04-03 07:58:16    181912    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
.
============= FINISH: 18:06:16.90 ===============
 

Attached File: attach.txt (28.53KB)

 

Machine has been on (no restarts, sleeps, or shutdowns) since Rkill was run.  In the event that it spontaneously shuts off (which has happened occasionally; it gets hot out here in the CA valley) I will post from my phone.  Thank you in advance for your time and attention.


Furious activity is no substitute for understanding.

-H.H. Williams

 

In a networked world, trust is the most important currency.
    -Eric Schmidt, University of Pennsylvania Commencement Address, 2009

 




#2 JSntgRvr
Master Surgeon General, Malware Response Team, 11,305 posts. Location: Puerto Rico.

Posted 28 June 2013 - 08:31 PM

Hi and welcome.

 

rkill.log was created in the root directory, usually C:\, when the tool was run. Post that report in your next reply.

 

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
  • If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
      • Restart the computer.
      • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
      • Use the arrow keys to select the Repair your computer menu item.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using a Windows installation disc:
      • Insert the installation disc.
      • Restart your computer.
      • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
      • Click Repair your computer.
      • Select US as the keyboard language settings, and then click Next.
      • Select the operating system you want to repair, and then click Next.
      • Select your user account and click Next.
      • On the System Recovery Options menu you will get the following options:
          • Startup Repair
          • System Restore
          • Windows Complete PC Restore
          • Windows Memory Diagnostic Tool
          • Command Prompt
      • Select Command Prompt

    Once in the Command Prompt:
      • In the command window type in notepad and press Enter.
      • The notepad opens. Under the File menu select Open.
      • Select "Computer" and find your flash drive letter and close the notepad.
      • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
        Note: Replace letter e with the drive letter of your flash drive.
      • The tool will start to run.
      • When the tool opens click Yes to the disclaimer.
      • Press the Scan button.
      • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Hunting.Targ (Topic Starter)
Members, 50 posts. Location: California, USA.

Posted 01 July 2013 - 12:01 PM

Important question; if I cannot enter the recovery boot environment, and the system boots up normally, should I run Rkill again?



 


#4 Hunting.Targ (Topic Starter)
Members, 50 posts. Location: California, USA.

Posted 01 July 2013 - 01:15 PM

Sorry, I'll start with this:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.27.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kari :: STEVESPC1 [administrator]

6/27/2013 9:01:45 PM
mbar-log-2013-06-27 (21-01-45).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 290421
Time elapsed: 32 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 7
c:\windows\$ntuninstallkb44918$\2009715026 (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884 (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\l (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u (Backdoor.0Access) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\U (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\L (Trojan.Siredef.C) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66 (Trojan.Siredef.C) -> No action taken.

Files Detected: 14
c:\windows\$ntuninstallkb44918$\2117783884\l\qnbwvoto (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\00000001.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\00000002.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\00000004.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\80000000.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\80000004.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\u\80000032.@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\@ (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\bckfg.tmp (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\cfg.ini (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\desktop.ini (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\keywords (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\kwrd.dll (Backdoor.0Access) -> No action taken.
c:\windows\$ntuninstallkb44918$\2117783884\lsflt7.ver (Backdoor.0Access) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

---

 

Rkill Log 1

Rkill Run per support instructions from Broni

 

---

Rkill 2.5.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/27/2013 09:37:50 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\system32\FsUsbExService.Exe (PID: 1696) [WD-HEUR]
 * C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (PID: 2972) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\Windows\$NtUninstallKB44918$ => <Unknown Target> [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\Application Data => C:\Windows\system32\config\systemprofile\AppData\Local [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\History => C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files => C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files [Dir]
     * C:\Windows\System32\config\systemprofile\Application Data => C:\Windows\system32\config\systemprofile\AppData\Roaming [Dir]
     * C:\Windows\System32\config\systemprofile\Cookies => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Music => C:\Windows\system32\config\systemprofile\Music [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Pictures => C:\Windows\system32\config\systemprofile\Pictures [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Videos => C:\Windows\system32\config\systemprofile\Videos [Dir]
     * C:\Windows\System32\config\systemprofile\Local Settings => C:\Windows\system32\config\systemprofile\AppData\Local [Dir]
     * C:\Windows\System32\config\systemprofile\My Documents => C:\Windows\system32\config\systemprofile\Documents [Dir]
     * C:\Windows\System32\config\systemprofile\NetHood => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts [Dir]
     * C:\Windows\System32\config\systemprofile\PrintHood => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts [Dir]
     * C:\Windows\System32\config\systemprofile\Recent => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent [Dir]
     * C:\Windows\System32\config\systemprofile\SendTo => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo [Dir]
     * C:\Windows\System32\config\systemprofile\Start Menu => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu [Dir]
     * C:\Windows\System32\config\systemprofile\Templates => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 06/27/2013 09:41:17 PM
Execution time: 0 hours(s), 3 minute(s), and 26 seconds(s)

---

Rkill Log 2

Rkill run by user after symptoms returned while browsing.

---

Rkill 2.5.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/28/2013 07:32:38 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\Windows\$NtUninstallKB44918$ => <Unknown Target> [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\Application Data => C:\Windows\system32\config\systemprofile\AppData\Local [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\History => C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History [Dir]
     * C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files => C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files [Dir]
     * C:\Windows\System32\config\systemprofile\Application Data => C:\Windows\system32\config\systemprofile\AppData\Roaming [Dir]
     * C:\Windows\System32\config\systemprofile\Cookies => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Music => C:\Windows\system32\config\systemprofile\Music [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Pictures => C:\Windows\system32\config\systemprofile\Pictures [Dir]
     * C:\Windows\System32\config\systemprofile\Documents\My Videos => C:\Windows\system32\config\systemprofile\Videos [Dir]
     * C:\Windows\System32\config\systemprofile\Local Settings => C:\Windows\system32\config\systemprofile\AppData\Local [Dir]
     * C:\Windows\System32\config\systemprofile\My Documents => C:\Windows\system32\config\systemprofile\Documents [Dir]
     * C:\Windows\System32\config\systemprofile\NetHood => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts [Dir]
     * C:\Windows\System32\config\systemprofile\PrintHood => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts [Dir]
     * C:\Windows\System32\config\systemprofile\Recent => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent [Dir]
     * C:\Windows\System32\config\systemprofile\SendTo => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo [Dir]
     * C:\Windows\System32\config\systemprofile\Start Menu => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu [Dir]
     * C:\Windows\System32\config\systemprofile\Templates => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 06/28/2013 07:33:50 PM
Execution time: 0 hours(s), 1 minute(s), and 11 seconds(s)


Furious activity is no substitute for understanding.

-H.H. Williams

In a networked world, trust is the most important currency.
    -Eric Schmidt, University of Pennsylvania Commencement Address, 2009


#5 JSntgRvr

JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 July 2013 - 04:04 PM

You can run Farbar Recovery Scan Tool in Normal Mode and post its report.


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Hunting.Targ

Hunting.Targ
  • Topic Starter
  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA

Posted 01 July 2013 - 05:12 PM

Recovery mode scan successful.  I couldn't get to this interface previously because the silly FunctionLock key was off!  (As John Wooden would say, the difference is in the details.)

Anyway, here is the log.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 02
Ran by SYSTEM on 01-07-2013 14:50:23
Running from G:\
Windows Vista ™ Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: []  [x]
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe" [29984 2009-08-27] (Nuance Communications, Inc.)
HKLM\...\Run: [IndexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe" [46368 2009-08-27] (Nuance Communications, Inc.)
HKLM\...\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [1638400 2010-09-02] (Eastman Kodak Company)
HKLM\...\Run: [Conime] %windir%\system32\conime.exe [69120 2009-04-10] (Microsoft Corporation)
HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)
HKLM\...\Run: [KiesTrayAgent] C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-04-22] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [13539872 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4858968 2013-05-09] (AVAST Software)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
HKU\Guest\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [ 2009-08-05] (Hewlett-Packard)
HKU\Kari\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Kari\...\Run: [KiesPreload] C:\Program Files\Samsung\Kies\Kies.exe /preload [ 2013-04-22] (Samsung)
HKU\Kari\...\Run: [KiesAirMessage] C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup [x]
HKU\Kari\...\Run: [] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [ 2013-05-21] (Samsung)
HKU\Kari\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)
HKU\STEVE1\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [ 2009-08-05] (Hewlett-Packard)
HKU\STEVE1\...\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2009-04-20] (Google Inc.)
HKU\STEVE1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2008-01-20] (Microsoft Corporation)
HKU\STEVE1\...\Run: [LMab1err] C:\Program Files\Lexmark\ErrorApp\LMab1err.EXE [ 2008-06-05] ( )
HKU\STEVE1\...\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler [ 2009-05-05] (Acresso Corporation)
HKU\STEVE1\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-20] (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-05-09] (AVAST Software)
S3 Futuremark SystemInfo Service; C:\Program Files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [137488 2012-12-17] (Futuremark Corporation)
S4 g7bs_device; C:\Windows\system32\g7bscoms.exe [491520 2005-12-05] ( )
S2 gupdate1c9dd772928b470; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-05-25] (Google Inc.)
S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [65536 2007-09-19] (Hewlett-Packard)
S4 lmab_device; C:\Windows\system32\LMabcoms.exe [590504 2008-04-01] ( )
S2 MBAMScheduler; C:\Program Files\Malwarebytes\MWB\Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\MWB\Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)
S4 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2009-08-27] (Nuance Communications, Inc.)

==================== Drivers (Whitelisted) ====================

S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-05-09] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [66336 2013-05-09] (AVAST Software)
S1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-05-09] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-05-09] ()
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-06-27] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-06-27] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-05-09] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [175176 2013-06-27] ()
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [37344 2013-02-05] ()
S3 massfilter_hs; C:\Windows\System32\DRIVERS\massfilter_hs.sys [15896 2011-08-22] (HandSet Incorporated)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S0 SI3132; C:\Windows\System32\DRIVERS\SI3132.sys [80424 2007-10-03] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [19240 2007-10-03] (Silicon Image, Inc)
S0 SiRemFil; C:\Windows\System32\DRIVERS\SiRemFil.sys [15400 2007-10-03] (Silicon Image, Inc)
S3 zghsdiag; C:\Windows\System32\DRIVERS\zghsdiag.sys [113688 2011-08-22] (ZTE Incorporated)
S3 zghsmdm; C:\Windows\System32\DRIVERS\zghsmdm.sys [113688 2011-08-22] (ZTE Incorporated)
S3 zghsnmea; C:\Windows\System32\DRIVERS\zghsnmea.sys [113688 2011-08-22] (ZTE Incorporated)
S3 HTCAND32; System32\Drivers\ANDROIDUSB.sys [x]
S3 HtcVCom32; system32\DRIVERS\HtcVComV32.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 SymIM; system32\DRIVERS\SymIM.sys [x]
S3 SymIMMP; system32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-01 14:49 - 2013-07-01 14:49 - 00000000 ____D C:\FRST
2013-07-01 08:36 - 2013-07-01 08:36 - 00000000 ____D C:\Users\Kari\My Documents\FileCase
2013-07-01 08:36 - 2013-07-01 08:36 - 00000000 ____D C:\Users\Kari\Documents\FileCase
2013-07-01 08:03 - 2013-07-01 08:03 - 00244094 ____A C:\Users\Kari\Desktop\Compaq Monthly Hardware Test 6`30`13.html
2013-06-28 17:57 - 2013-06-28 17:57 - 00019180 ____A C:\Users\Kari\Desktop\Anonymous releases private NSA documents regarding spying - Pastebin.com.htm
2013-06-28 17:06 - 2013-06-28 17:06 - 00029219 ____A C:\Users\Kari\Desktop\attach.txt
2013-06-28 17:06 - 2013-06-28 17:06 - 00019897 ____A C:\Users\Kari\Desktop\dds.txt
2013-06-28 17:01 - 2013-06-28 17:01 - 00688992 ____R (Swearware) C:\Users\Kari\Desktop\dds.com
2013-06-28 16:50 - 2013-06-28 16:50 - 00000131 ____A C:\Users\Kari\Desktop\BP Support Stage 2 scratchpad.txt
2013-06-28 16:47 - 2013-06-28 18:34 - 00000000 ____D C:\Users\Kari\Desktop\BP Support Stage 1
2013-06-27 20:01 - 2013-06-27 20:34 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-27 20:01 - 2013-06-27 20:34 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-27 19:18 - 2013-06-27 19:18 - 00000000 ____D C:\Users\Kari\Application Data\Malwarebytes
2013-06-27 19:18 - 2013-06-27 19:18 - 00000000 ____D C:\Users\Kari\AppData\Roaming\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\Program Files\Malwarebytes
2013-06-27 19:17 - 2013-04-04 13:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-06-27 18:07 - 2013-06-27 18:07 - 00000175 ____A C:\Windows\System32\Drivers\aswVmm.sys.sum
2013-06-26 19:50 - 2013-06-26 19:50 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-26 14:01 - 2013-06-26 14:01 - 00000000 ____D C:\Users\Kari\Downloads\Mozilla
2013-06-26 13:55 - 2013-06-27 18:07 - 00000175 ____A C:\Windows\System32\Drivers\aswSP.sys.sum
2013-06-26 13:55 - 2013-06-27 18:07 - 00000175 ____A C:\Windows\System32\Drivers\aswSnx.sys.sum
2013-06-19 18:01 - 2013-06-27 18:07 - 00770344 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2013-06-19 18:01 - 2013-06-27 18:07 - 00369584 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2013-06-19 18:01 - 2013-06-27 18:07 - 00175176 ____A C:\Windows\System32\Drivers\aswVmm.sys
2013-06-19 18:01 - 2013-06-19 18:01 - 00001795 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-06-19 18:01 - 2013-06-19 18:01 - 00001795 ____A C:\ProgramData\Desktop\avast! Free Antivirus.lnk
2013-06-19 18:01 - 2013-06-19 18:01 - 00000000 ____A C:\Windows\setuperr.log
2013-06-19 18:01 - 2013-06-19 18:01 - 00000000 ____A C:\Windows\setupact.log
2013-06-19 18:01 - 2013-05-09 00:59 - 00066336 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2013-06-19 18:01 - 2013-05-09 00:59 - 00056080 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2013-06-19 18:01 - 2013-05-09 00:59 - 00049760 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2013-06-19 18:01 - 2013-05-09 00:59 - 00049376 ____A C:\Windows\System32\Drivers\aswRvrt.sys
2013-06-19 18:01 - 2013-05-09 00:59 - 00029816 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2013-06-19 18:01 - 2013-05-09 00:58 - 00229648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2013-06-19 18:00 - 2013-05-09 00:58 - 00041664 ____A (AVAST Software) C:\Windows\avastSS.scr
2013-06-19 17:58 - 2013-06-19 17:58 - 00000000 ____D C:\Program Files\AVAST Software
2013-06-19 17:57 - 2013-06-19 17:58 - 00000000 ____D C:\ProgramData\AVAST Software
2013-06-19 17:57 - 2013-06-19 17:58 - 00000000 ____D C:\ProgramData\Application Data\AVAST Software
2013-06-18 15:28 - 2013-05-02 14:03 - 03603832 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-18 15:28 - 2013-05-02 14:03 - 03551096 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-17 21:30 - 2013-06-17 21:29 - 290012084 ____A C:\Users\Kari\My Documents\FileCase.rar
2013-06-17 21:30 - 2013-06-17 21:29 - 290012084 ____A C:\Users\Kari\Documents\FileCase.rar
2013-06-17 21:20 - 2013-06-27 19:03 - 00000000 ____D C:\Users\Kari\Downloads\Security
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Local Settings\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Application Data\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\AppData\Local\Hewlett-Packard
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\Local Settings\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Application Data\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Application Data\Apple Computer
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Local\Mozilla
2013-06-16 20:49 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\VirtualStore
2013-06-16 20:49 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\VirtualStore
2013-06-16 20:49 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2013-06-16 20:49 - 2013-06-16 20:49 - 00000020 __ASH C:\Users\Guest\ntuser.ini
2013-06-16 20:49 - 2013-06-16 20:49 - 00000000 ____D C:\users\Guest
2013-06-16 20:49 - 2009-12-02 17:39 - 00000000 ____D C:\Users\Guest\Application Data\Macromedia
2013-06-16 20:49 - 2009-12-02 17:39 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Macromedia
2013-06-16 20:49 - 2008-10-23 08:26 - 00000000 ____D C:\Users\Guest\Local Settings\Microsoft Help
2013-06-16 20:49 - 2008-10-23 08:26 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\Microsoft Help
2013-06-16 20:49 - 2008-10-23 08:26 - 00000000 ____D C:\Users\Guest\AppData\Local\Microsoft Help
2013-06-16 01:52 - 2013-06-16 01:52 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-06-16 01:52 - 2013-06-16 01:52 - 00000000 ____D C:\ProgramData\Documents\CrashDump
2013-06-15 22:27 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-15 22:27 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-15 22:27 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-15 22:27 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-15 22:27 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-15 22:27 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-15 22:27 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-15 22:27 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-15 22:27 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-15 22:27 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-15 22:27 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-15 22:27 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-15 22:27 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-15 22:27 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-15 22:27 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-15 22:27 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-15 22:21 - 2013-05-07 19:40 - 00914792 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-15 22:21 - 2013-05-07 17:58 - 00031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2013-06-15 22:21 - 2013-05-01 20:04 - 00443904 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-15 22:21 - 2013-05-01 20:03 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\printcom.dll
2013-06-15 22:21 - 2013-04-23 20:00 - 00985600 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-15 22:21 - 2013-04-23 20:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-15 22:21 - 2013-04-23 20:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-15 22:21 - 2013-04-23 20:00 - 00041984 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-15 22:21 - 2013-04-23 17:46 - 00812544 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-15 22:20 - 2013-04-17 04:30 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-14 18:54 - 2013-06-14 18:54 - 00001630 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-14 18:54 - 2013-06-14 18:54 - 00001630 ____A C:\ProgramData\Desktop\iTunes.lnk
2013-06-14 18:54 - 2012-08-21 12:01 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2013-06-14 18:53 - 2013-06-14 18:54 - 00000000 ____D C:\ProgramData\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-14 18:53 - 2013-06-14 18:54 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-14 18:53 - 2013-06-14 18:54 - 00000000 ____D C:\Program Files\iTunes
2013-06-14 18:53 - 2013-06-14 18:53 - 00000000 ____D C:\Program Files\iPod
2013-06-13 11:30 - 2013-06-13 11:30 - 00000933 ____A C:\Users\Public\Desktop\PCMark Vantage.lnk
2013-06-13 11:30 - 2013-06-13 11:30 - 00000933 ____A C:\ProgramData\Desktop\PCMark Vantage.lnk
2013-06-13 11:29 - 2013-06-13 11:29 - 00000000 ____D C:\ProgramData\Futuremark
2013-06-13 11:29 - 2013-06-13 11:29 - 00000000 ____D C:\ProgramData\Application Data\Futuremark
2013-06-13 11:27 - 2013-06-13 11:29 - 00000000 ____D C:\Program Files\Futuremark
2013-06-13 11:24 - 2013-06-13 11:24 - 00052553 ____A C:\Users\Kari\My Documents\DxDiag_6`13`2013.txt
2013-06-13 11:24 - 2013-06-13 11:24 - 00052553 ____A C:\Users\Kari\Documents\DxDiag_6`13`2013.txt
2013-06-13 03:30 - 2013-06-13 03:30 - 00001186 ____A C:\Users\Kari\Desktop\PCMark_Vantage_v120_installer - Shortcut.lnk
2013-06-13 01:12 - 2013-06-13 01:12 - 00000288 ____A C:\Users\Kari\Application Data\.backup.dm
2013-06-13 01:12 - 2013-06-13 01:12 - 00000288 ____A C:\Users\Kari\AppData\Roaming\.backup.dm
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\Local Settings\Proxure
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\Local Settings\Application Data\Proxure
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\AppData\Local\Proxure
2013-06-13 01:08 - 2013-06-13 01:08 - 00000000 ____D C:\ProgramData\ClubSanDisk
2013-06-13 01:08 - 2013-06-13 01:08 - 00000000 ____D C:\ProgramData\Application Data\ClubSanDisk
2013-06-06 19:06 - 2013-06-06 19:06 - 00000000 ____D C:\Users\Kari\Desktop\Steve
2013-06-05 18:07 - 2013-06-05 18:07 - 00001692 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2013-06-05 18:07 - 2013-06-05 18:07 - 00001692 ____A C:\ProgramData\Desktop\QuickTime Player.lnk
2013-06-05 18:07 - 2013-06-05 18:07 - 00000000 ____D C:\Program Files\QuickTime
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB30A.tmp
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB309.tmp
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB308.tmp
2013-06-01 14:55 - 2013-06-01 14:55 - 00000000 ____D C:\Users\Kari\Application Data\Oracle
2013-06-01 14:55 - 2013-06-01 14:55 - 00000000 ____D C:\Users\Kari\AppData\Roaming\Oracle
2013-06-01 14:14 - 2013-06-01 14:30 - 31666592 ____A (Oracle Corporation) C:\Users\Kari\Downloads\Java Offline Installer re-7u21-windows-i586.exe

==================== One Month Modified Files and Folders ========

2013-07-01 14:49 - 2013-07-01 14:49 - 00000000 ____D C:\FRST
2013-07-01 13:42 - 2009-05-26 07:47 - 00000012 ____A C:\Windows\bthservsdp.dat
2013-07-01 13:42 - 2008-10-21 17:42 - 01154454 ____A C:\Windows\WindowsUpdate.log
2013-07-01 13:42 - 2007-11-03 08:34 - 00189600 ____A C:\g7bs.log
2013-07-01 13:42 - 2006-11-02 05:01 - 00032534 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-01 13:42 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-01 13:40 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-01 13:40 - 2006-11-02 04:47 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-01 08:36 - 2013-07-01 08:36 - 00000000 ____D C:\Users\Kari\My Documents\FileCase
2013-07-01 08:36 - 2013-07-01 08:36 - 00000000 ____D C:\Users\Kari\Documents\FileCase
2013-07-01 08:03 - 2013-07-01 08:03 - 00244094 ____A C:\Users\Kari\Desktop\Compaq Monthly Hardware Test 6`30`13.html
2013-06-30 18:23 - 2009-06-29 16:27 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-29 21:30 - 2009-06-29 16:27 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-28 18:34 - 2013-06-28 16:47 - 00000000 ____D C:\Users\Kari\Desktop\BP Support Stage 1
2013-06-28 17:57 - 2013-06-28 17:57 - 00019180 ____A C:\Users\Kari\Desktop\Anonymous releases private NSA documents regarding spying - Pastebin.com.htm
2013-06-28 17:06 - 2013-06-28 17:06 - 00029219 ____A C:\Users\Kari\Desktop\attach.txt
2013-06-28 17:06 - 2013-06-28 17:06 - 00019897 ____A C:\Users\Kari\Desktop\dds.txt
2013-06-28 17:01 - 2013-06-28 17:01 - 00688992 ____R (Swearware) C:\Users\Kari\Desktop\dds.com
2013-06-28 16:50 - 2013-06-28 16:50 - 00000131 ____A C:\Users\Kari\Desktop\BP Support Stage 2 scratchpad.txt
2013-06-27 20:34 - 2013-06-27 20:01 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-06-27 20:34 - 2013-06-27 20:01 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-27 19:18 - 2013-06-27 19:18 - 00000000 ____D C:\Users\Kari\Application Data\Malwarebytes
2013-06-27 19:18 - 2013-06-27 19:18 - 00000000 ____D C:\Users\Kari\AppData\Roaming\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\ProgramData\Application Data\Malwarebytes
2013-06-27 19:17 - 2013-06-27 19:17 - 00000000 ____D C:\Program Files\Malwarebytes
2013-06-27 19:03 - 2013-06-17 21:20 - 00000000 ____D C:\Users\Kari\Downloads\Security
2013-06-27 18:07 - 2013-06-27 18:07 - 00000175 ____A C:\Windows\System32\Drivers\aswVmm.sys.sum
2013-06-27 18:07 - 2013-06-26 13:55 - 00000175 ____A C:\Windows\System32\Drivers\aswSP.sys.sum
2013-06-27 18:07 - 2013-06-26 13:55 - 00000175 ____A C:\Windows\System32\Drivers\aswSnx.sys.sum
2013-06-27 18:07 - 2013-06-19 18:01 - 00770344 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2013-06-27 18:07 - 2013-06-19 18:01 - 00369584 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2013-06-27 18:07 - 2013-06-19 18:01 - 00175176 ____A C:\Windows\System32\Drivers\aswVmm.sys
2013-06-26 22:31 - 2013-05-04 17:05 - 00001007 ____A C:\Users\Kari\Desktop\homeworld - Shortcut.lnk
2013-06-26 19:50 - 2013-06-26 19:50 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-26 19:50 - 2013-06-26 19:50 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-26 19:50 - 2012-06-30 13:11 - 00867240 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2013-06-26 19:50 - 2010-06-08 07:08 - 00789416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-06-26 19:32 - 2009-05-25 12:28 - 00001937 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-06-26 19:32 - 2009-05-25 12:28 - 00001937 ____A C:\ProgramData\Desktop\Google Chrome.lnk
2013-06-26 14:12 - 2012-05-25 23:58 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-06-26 14:03 - 2012-10-22 04:52 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-26 14:03 - 2009-04-20 09:33 - 00000812 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-06-26 14:03 - 2009-04-20 09:33 - 00000812 ____A C:\ProgramData\Desktop\Mozilla Firefox.lnk
2013-06-26 14:01 - 2013-06-26 14:01 - 00000000 ____D C:\Users\Kari\Downloads\Mozilla
2013-06-19 18:13 - 2010-06-01 08:43 - 00000000 ____D C:\Program Files\Common Files\Adobe AIR
2013-06-19 18:01 - 2013-06-19 18:01 - 00001795 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-06-19 18:01 - 2013-06-19 18:01 - 00001795 ____A C:\ProgramData\Desktop\avast! Free Antivirus.lnk
2013-06-19 18:01 - 2013-06-19 18:01 - 00000000 ____A C:\Windows\setuperr.log
2013-06-19 18:01 - 2013-06-19 18:01 - 00000000 ____A C:\Windows\setupact.log
2013-06-19 18:01 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
2013-06-19 17:58 - 2013-06-19 17:58 - 00000000 ____D C:\Program Files\AVAST Software
2013-06-19 17:58 - 2013-06-19 17:57 - 00000000 ____D C:\ProgramData\AVAST Software
2013-06-19 17:58 - 2013-06-19 17:57 - 00000000 ____D C:\ProgramData\Application Data\AVAST Software
2013-06-19 16:57 - 2008-03-19 23:23 - 00000000 ____D C:\Program Files\Adobe
2013-06-19 16:52 - 2010-06-29 18:09 - 00000000 ____D C:\Program Files\HTC
2013-06-19 16:52 - 2009-11-17 16:24 - 00111966 ____A C:\Windows\DPINST.LOG
2013-06-19 16:42 - 2011-12-14 19:03 - 00000000 ____D C:\Users\Kari\Local Settings\Downloaded Installations
2013-06-19 16:42 - 2011-12-14 19:03 - 00000000 ____D C:\Users\Kari\Local Settings\Application Data\Downloaded Installations
2013-06-19 16:42 - 2011-12-14 19:03 - 00000000 ____D C:\Users\Kari\AppData\Local\Downloaded Installations
2013-06-19 16:39 - 2012-02-03 23:40 - 00000000 ____D C:\Users\Kari\Application Data\SanDisk
2013-06-19 16:39 - 2012-02-03 23:40 - 00000000 ____D C:\Users\Kari\AppData\Roaming\SanDisk
2013-06-19 16:35 - 2008-03-19 23:37 - 00000000 ____D C:\Program Files\Yahoo!
2013-06-18 16:40 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-18 16:33 - 2006-11-02 02:33 - 00778770 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-17 22:26 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\LogFiles
2013-06-17 21:29 - 2013-06-17 21:30 - 290012084 ____A C:\Users\Kari\My Documents\FileCase.rar
2013-06-17 21:29 - 2013-06-17 21:30 - 290012084 ____A C:\Users\Kari\Documents\FileCase.rar
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Local Settings\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\Application Data\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Hewlett-Packard
2013-06-16 20:51 - 2013-06-16 20:51 - 00000000 ____D C:\Users\Guest\AppData\Local\Hewlett-Packard
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\Local Settings\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00239616 ____A C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Application Data\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\Application Data\Apple Computer
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Mozilla
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-06-16 20:50 - 2013-06-16 20:50 - 00000000 ____D C:\Users\Guest\AppData\Local\Mozilla
2013-06-16 20:50 - 2013-06-16 20:49 - 00000000 ____D C:\Users\Guest\Local Settings\VirtualStore
2013-06-16 20:50 - 2013-06-16 20:49 - 00000000 ____D C:\Users\Guest\Local Settings\Application Data\VirtualStore
2013-06-16 20:50 - 2013-06-16 20:49 - 00000000 ____D C:\Users\Guest\AppData\Local\VirtualStore
2013-06-16 20:49 - 2013-06-16 20:49 - 00000020 __ASH C:\Users\Guest\ntuser.ini
2013-06-16 20:49 - 2013-06-16 20:49 - 00000000 ____D C:\users\Guest
2013-06-16 01:57 - 2009-04-19 10:14 - 00000000 ____A C:\Users\Public\Documents\{499663EE-202C-4468-874C-198A9E0BC058}
2013-06-16 01:57 - 2009-04-19 10:14 - 00000000 ____A C:\ProgramData\Documents\{499663EE-202C-4468-874C-198A9E0BC058}
2013-06-16 01:52 - 2013-06-16 01:52 - 00000000 ____D C:\Users\Public\Documents\CrashDump
2013-06-16 01:52 - 2013-06-16 01:52 - 00000000 ____D C:\ProgramData\Documents\CrashDump
2013-06-15 23:07 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2013-06-15 22:29 - 2008-10-22 20:21 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-06-15 22:29 - 2008-10-22 20:21 - 00000000 ____D C:\ProgramData\Application Data\Microsoft Help
2013-06-15 22:23 - 2006-11-02 02:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-14 18:54 - 2013-06-14 18:54 - 00001630 ____A C:\Users\Public\Desktop\iTunes.lnk
2013-06-14 18:54 - 2013-06-14 18:54 - 00001630 ____A C:\ProgramData\Desktop\iTunes.lnk
2013-06-14 18:54 - 2013-06-14 18:53 - 00000000 ____D C:\ProgramData\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-14 18:54 - 2013-06-14 18:53 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-14 18:54 - 2013-06-14 18:53 - 00000000 ____D C:\Program Files\iTunes
2013-06-14 18:53 - 2013-06-14 18:53 - 00000000 ____D C:\Program Files\iPod
2013-06-14 18:53 - 2009-12-06 15:48 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-06-14 18:53 - 2008-10-23 19:37 - 00000000 ____D C:\ProgramData\Application Data\Apple Computer
2013-06-14 18:53 - 2008-10-23 19:37 - 00000000 ____D C:\ProgramData\Apple Computer
2013-06-14 18:48 - 2011-11-07 15:19 - 00000000 ____D C:\users\Kari
2013-06-14 17:54 - 2013-01-20 15:58 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-14 17:54 - 2013-01-20 15:58 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-13 14:04 - 2011-12-22 17:11 - 00000000 ____D C:\Users\Kari\Local Settings\Application Data\Akamai
2013-06-13 14:04 - 2011-12-22 17:11 - 00000000 ____D C:\Users\Kari\Local Settings\Akamai
2013-06-13 14:04 - 2011-12-22 17:11 - 00000000 ____D C:\Users\Kari\AppData\Local\Akamai
2013-06-13 11:30 - 2013-06-13 11:30 - 00000933 ____A C:\Users\Public\Desktop\PCMark Vantage.lnk
2013-06-13 11:30 - 2013-06-13 11:30 - 00000933 ____A C:\ProgramData\Desktop\PCMark Vantage.lnk
2013-06-13 11:29 - 2013-06-13 11:29 - 00000000 ____D C:\ProgramData\Futuremark
2013-06-13 11:29 - 2013-06-13 11:29 - 00000000 ____D C:\ProgramData\Application Data\Futuremark
2013-06-13 11:29 - 2013-06-13 11:27 - 00000000 ____D C:\Program Files\Futuremark
2013-06-13 11:29 - 2008-03-19 23:13 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-06-13 11:24 - 2013-06-13 11:24 - 00052553 ____A C:\Users\Kari\My Documents\DxDiag_6`13`2013.txt
2013-06-13 11:24 - 2013-06-13 11:24 - 00052553 ____A C:\Users\Kari\Documents\DxDiag_6`13`2013.txt
2013-06-13 03:30 - 2013-06-13 03:30 - 00001186 ____A C:\Users\Kari\Desktop\PCMark_Vantage_v120_installer - Shortcut.lnk
2013-06-13 01:12 - 2013-06-13 01:12 - 00000288 ____A C:\Users\Kari\Application Data\.backup.dm
2013-06-13 01:12 - 2013-06-13 01:12 - 00000288 ____A C:\Users\Kari\AppData\Roaming\.backup.dm
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\Local Settings\Proxure
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\Local Settings\Application Data\Proxure
2013-06-13 01:10 - 2013-06-13 01:10 - 00000000 ____D C:\Users\Kari\AppData\Local\Proxure
2013-06-13 01:08 - 2013-06-13 01:08 - 00000000 ____D C:\ProgramData\ClubSanDisk
2013-06-13 01:08 - 2013-06-13 01:08 - 00000000 ____D C:\ProgramData\Application Data\ClubSanDisk
2013-06-06 19:06 - 2013-06-06 19:06 - 00000000 ____D C:\Users\Kari\Desktop\Steve
2013-06-05 18:07 - 2013-06-05 18:07 - 00001692 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2013-06-05 18:07 - 2013-06-05 18:07 - 00001692 ____A C:\ProgramData\Desktop\QuickTime Player.lnk
2013-06-05 18:07 - 2013-06-05 18:07 - 00000000 ____D C:\Program Files\QuickTime
2013-06-01 17:48 - 2011-11-07 15:21 - 00000000 ____D C:\Users\Kari\Local Settings\Application Data\Adobe
2013-06-01 17:48 - 2011-11-07 15:21 - 00000000 ____D C:\Users\Kari\Local Settings\Adobe
2013-06-01 17:48 - 2011-11-07 15:21 - 00000000 ____D C:\Users\Kari\AppData\Local\Adobe
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB30A.tmp
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB309.tmp
2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB308.tmp
2013-06-01 14:58 - 2008-03-19 23:25 - 00000000 ____D C:\Program Files\Java
2013-06-01 14:58 - 2008-03-19 23:25 - 00000000 ____D C:\Program Files\Common Files\Java
2013-06-01 14:55 - 2013-06-01 14:55 - 00000000 ____D C:\Users\Kari\Application Data\Oracle
2013-06-01 14:55 - 2013-06-01 14:55 - 00000000 ____D C:\Users\Kari\AppData\Roaming\Oracle
2013-06-01 14:30 - 2013-06-01 14:14 - 31666592 ____A (Oracle Corporation) C:\Users\Kari\Downloads\Java Offline Installer re-7u21-windows-i586.exe

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\L
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\U

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-06-13 11:27:38
Restore point made on: 2013-06-14 18:47:55
Restore point made on: 2013-06-14 18:48:47
Restore point made on: 2013-06-15 22:22:14
Restore point made on: 2013-06-18 15:29:18
Restore point made on: 2013-06-18 16:29:15
Restore point made on: 2013-06-19 16:39:31
Restore point made on: 2013-06-19 16:50:27
Restore point made on: 2013-06-19 16:51:18
Restore point made on: 2013-06-19 16:53:34
Restore point made on: 2013-06-19 16:57:22
Restore point made on: 2013-06-19 17:58:46
Restore point made on: 2013-06-25 19:53:54
Restore point made on: 2013-06-26 19:11:28
Restore point made on: 2013-06-26 19:49:13
Restore point made on: 2013-06-28 01:27:32
Restore point made on: 2013-06-29 01:35:42
Restore point made on: 2013-06-29 23:00:20

==================== Memory info ===========================

Percentage of memory in use: 25%
Total physical RAM: 1917.76 MB
Available physical RAM: 1422.31 MB
Total Pagefile: 1644.56 MB
Available Pagefile: 1499.66 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.1 MB

==================== Drives ================================

Drive c: (COMPAQ) (Fixed) (Total:223.59 GB) (Free:66.3 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:9.29 GB) (Free:0.9 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HOMEWORLD) (CDROM) (Total:0.66 GB) (Free:0 GB) CDFS
Drive g: (WDO_Media32) (Removable) (Total:3.73 GB) (Free:3.39 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=224 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: 00000000)
Partition 1: (Active) - (Size=4 GB) - (Type=07 NTFS)


LastRegBack: 2013-07-01 08:07

==================== End Of Log ============================

 

 

Items I found of note:

 

...

==================== Registry (Whitelisted) ==================

HKLM\...\Run: []  [x]

...

==================== One Month Modified Files and Folders ========

...

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\L
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\U

...

==================== Drives ================================

Drive c: (COMPAQ) (Fixed) (Total:223.59 GB) (Free:66.3 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:9.29 GB) (Free:0.9 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HOMEWORLD) (CDROM) (Total:0.66 GB) (Free:0 GB) CDFS
Drive g: (WDO_Media32) (Removable) (Total:3.73 GB) (Free:3.39 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

 

I could speculate and ask a bunch of questions, but I'm here to fix my problem.  I await your reply.

 

My symptoms seem to have returned, so I will run Rkill again and keep the log in case it is needed.


Furious activity is no substitute for understanding.

-H.H. Williams

 

In a networked world, trust is the most important currency.
    -Eric Schmidt, University of Pennsylvania Commencement Address, 2009
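As an added example, not code from this thread or from FRST's author: a small Python parser for the FRST log format quoted above. It reads the "One Month Modified Files and Folders" entries and flags the ZeroAccess-style hiding place FRST reported, a directory under the user's $Recycle.Bin SID folder named "$" plus 32 hex characters with "L" and "U" subfolders; the SID part of the pattern is generalized beyond the one SID on this page (an assumption), and the sample log is constructed from lines in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of FRST's "One Month Modified Files and Folders" section, in the
# shape seen in the log above:
#   <modified> - <created> - <size> <attrs> [(<company>)] <path>
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)

# ZeroAccess hiding place as FRST listed it above: "$" + 32 hex characters under a
# per-user $Recycle.Bin SID folder, with L and U subfolders. SID generalized (assumption).
ZEROACCESS_DIR_RE = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-[\d-]+\\(?P<base>\$[0-9a-f]{32})(?:\\[LU])?$",
    re.IGNORECASE,
)

@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_directory(self) -> bool:
        # FRST marks directories with a trailing D in the attribute column (____D, ___HD).
        return self.attrs.endswith("D")

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one modified-files line; None for section headers and other output."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["modified"], m["created"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])

def zeroaccess_base_dir(path: str) -> Optional[str]:
    """Return the $<hex> directory if path (or its L/U child) fits the pattern, else None."""
    path = path.strip()
    m = ZEROACCESS_DIR_RE.match(path)
    return None if m is None else path[: m.end("base")]

def parse_log(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (modified-file entries, ZeroAccess base directories) from an FRST log."""
    entries: List[Entry] = []
    suspects = set()
    in_zeroaccess_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ZeroAccess:":          # FRST's own verdict block starts here
            in_zeroaccess_block = True
            continue
        if not line:                       # a blank line ends that block
            in_zeroaccess_block = False
            continue
        if in_zeroaccess_block:
            base = zeroaccess_base_dir(line)
            if base:
                suspects.add(base)
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        entries.append(entry)
        base = zeroaccess_base_dir(entry.path)   # the pattern may also show up as a plain entry
        if base:
            suspects.add(base)
    return entries, sorted(suspects)

# Constructed sample: a few lines copied from the FRST log quoted in this thread.
SAMPLE_LOG = r"""
==================== One Month Modified Files and Folders ========

2013-06-01 14:58 - 2013-06-01 14:58 - 00000000 ____A C:\Windows\System32\RENB30A.tmp
2013-06-15 22:23 - 2006-11-02 02:24 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-06-16 20:49 - 2013-06-16 20:49 - 00000020 __ASH C:\Users\Guest\ntuser.ini
2013-06-19 17:58 - 2013-06-19 17:58 - 00000000 ____D C:\Program Files\AVAST Software

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\L
C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66\U

==================== Known DLLs (Whitelisted) ============
"""

if __name__ == "__main__":
    found, dirs = parse_log(SAMPLE_LOG)
    print(f"{len(found)} entries parsed, {len(dirs)} ZeroAccess-style directory(ies)")
    for d in dirs:
        print("  ", d)
```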

 


#7 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:30 PM

Posted 01 July 2013 - 07:22 PM

Download the enclosed file.

 

Save it next to FRST.

 

Run FRST as you did before, except that this time around, click on the Fix button and wait.

 

The tool will make a log next to FRST (Fixlog.txt); please post it in your reply.

 

Restart in Normal Mode.

 

Please download Junkware Removal Tool to your Desktop.
 

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

 

 

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done, it will ask to reboot; allow this.
On reboot, a log will be produced at C:\ADWCleaner[XX].txt; please post it in your next reply.

 

 

  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 

 

 

 

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#8 Hunting.Targ

  • Topic Starter
  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA
  • Local time:11:30 AM

Posted 01 July 2013 - 08:48 PM

All items completed; I think something may have gone amiss.  The Farbar Recovery Tool did not seem to be completely successful, and Malwarebytes' Anti-Malware did not find anything to clean up.  I set all Avast services to be disabled until next restart, so they were enabled when I restarted the computer after running AdwCleaner.

 

Here are the logs:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-07-2013 02
Ran by SYSTEM at 2013-07-01 17:47:37 Run:1
Running from G:\
Boot Mode: Recovery

==============================================

C:\$Recycle.Bin\S-1-5-21-43477858-2351918740-2162271900-1009\$15211f5ad641c7709d0451caca1c3a66 => Moved successfully.
permissions for "C:\Windows\$NtUninstallKB44918$" were reset successfully

=========  fsutil reparsepoint delete "C:\Windows\$NtUninstallKB44918$" =========

'fsutil' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

C:\Windows\$NtUninstallKB44918$ => Moved successfully.
c:\windows\$ntuninstallkb44918$\2117783884 => File/Directory not found.
c:\windows\$ntuninstallkb44918$\2009715026 => File/Directory not found.
c:\windows\$ntuninstallkb44918$\2117783884 => File/Directory not found.
c:\windows\system32\RENB30A.tmp => Moved successfully.
c:\windows\system32\RENB309.tmp => Moved successfully.
c:\windows\system32\RENB308.tmp => Moved successfully.

==== End of Fixlog ====

 

---

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Kari on Mon 07/01/2013 at 18:02:00.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-43477858-2351918740-2162271900-1009\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{4AD5529A-AF85-4E49-86EF-0A9DE468FB75}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}



~~~ Files

Successfully deleted: [File] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ebay.lnk"



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files\registry mechanic"



~~~ FireFox

Successfully deleted: [File] C:\Users\Kari\AppData\Roaming\mozilla\firefox\profiles\atszm9jw.default\user.js
Emptied folder: C:\Users\Kari\AppData\Roaming\mozilla\firefox\profiles\atszm9jw.default\minidumps [92 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/01/2013 at 18:05:26.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

---

 

# AdwCleaner v2.303 - Logfile created 07/01/2013 at 18:07:44
# Updated 08/06/2013 by Xplode
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# User : Kari - STEVESPC1
# Boot Mode : Normal
# Running from : C:\Users\Kari\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\registry mechanic

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\STEVE1\AppData\Roaming\Mozilla\Firefox\Profiles\s939v3aj.default\prefs.js

[OK] File is clean.

File : C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\atszm9jw.default\prefs.js

Deleted : user_pref("browser.newtabpage.pinned", "[{\"url\":\"hxxp://mail.google.com/\",\"title\":null},{\"url[...]

-\\ Google Chrome v27.0.1453.116

File : C:\Users\STEVE1\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Kari\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2446 octets] - [01/07/2013 18:07:44]

########## EOF - C:\AdwCleaner[S1].txt - [2506 octets] ##########

 

---

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.01.08

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Kari :: STEVESPC1 [administrator]

Protection: Enabled

7/1/2013 6:20:23 PM
mbam-log-2013-07-01 (18-20-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 285904
Time elapsed: 12 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

---

 

Again, I could speculate, but I am here because I am NOT a security or system-level expert.  I gratefully and patiently await your reply.



 


#9 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:30 PM

Posted 01 July 2013 - 08:56 PM

I believe we got them all. Let's check for remnants:

 

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla FireFox.

If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
     then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close; make sure you copy the logfile first!
  • Then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

 




#10 Hunting.Targ

  • Topic Starter
  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA
  • Local time:11:30 AM

Posted 01 July 2013 - 09:36 PM

I am being notified in the scanner dialog box that Avast may affect the speed and "quality" of the scan.  Since this is an online tool, and I will (presumably) need to keep an active internet connection, which, if any, Avast services should be disabled?



 


#11 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:30 PM

Posted 01 July 2013 - 09:53 PM

Yes. As long as you let the scan run unhindered and do no browsing, it should be safe.




#12 Hunting.Targ

  • Topic Starter
  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA
  • Local time:11:30 AM

Posted 02 July 2013 - 05:22 PM

Scan complete.  It quarantined a mod program that I never use anymore; the game's been revived in a recode so I don't care if it stays or goes.

Here's the log:

 

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1d3dc4f01cbf3247b9670bf08f3ac294
# engine=14228
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-07-02 06:16:10
# local_time=2013-07-01 11:16:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=774 16777213 85 91 0 148534042 0 0
# compatibility_mode=5892 16776574 100 100 99959784 209353298 0 0
# scanned=313627
# found=2
# cleaned=2
# scan_time=11068
sh=D07CA232A228FD9D53B832B65EDC91CCB8608BC5 ft=0 fh=0000000000000000 vn="JS/SecurityDisabler.A.Gen application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Kari\AppData\Roaming\Mozilla\Firefox\Profiles\atszm9jw.default\prefs.js"
sh=1AE2ED7579E07E8A2B2F79AA7E51918742125B00 ft=1 fh=a44eae8475cce810 vn="Win32/Toolbar.Babylon application (cleaned by deleting - quarantined)" ac=C fn="C:\Users\Kari\Downloads\installer_x-com_hack_English.exe"
 

--- End log ---

 

I'm still on step 4 on the ESET scanner, awaiting your reply.



 


#13 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:30 PM

Posted 02 July 2013 - 07:31 PM

Read here for instructions on how to handle ESET's quarantine.

 

 

How is the computer doing?




#14 Hunting.Targ

  • Topic Starter
  • Members
  • 50 posts
  • Gender:Male
  • Location:California, USA
  • Local time:11:30 AM

Posted 02 July 2013 - 07:58 PM

While my user experience symptoms have not returned, the I/O read and I/O write stats in Task Manager are still raising my eyebrows (that is how I determined something was amiss in the first place).  I have one SYSTEM process listed in first place for reads (csrss.exe), one in first place for writes and second place for reads (lsass.exe), and the kernel process in second place for writes.  I do not know whether this is typical (they are not stats I normally look at), but these indications, associated with continuous hard drive activity and system sluggishness, are what led me to suspect a more serious problem.

Thus far, the computer has not spontaneously shut down, about which I am happy, and I have received more extensive assistance than I hoped for, about which I am ecstatic.

 

For some background, while I initially ran an Avast boot scan and found some illicit browser objects (java and Iframe exploits, I believe), I think the initial infection came from the other machine I was trying to diagnose, via a flash drive.  After the holiday I hope to get assistance with the other machine.  Since it exhibited the same symptoms as this machine and before it, it probably has a rootkit as well.



 


#15 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,305 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:30 PM

Posted 02 July 2013 - 08:27 PM

The files you mention above are legit files of the Windows system.

 

Your computer was infected with a backdoor Trojan, ZeroAccess. That sometimes also affects the services. Let's take a look at them:

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

Download and run Security Check by screen317 and post its report.

 






