Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Previous Zero Access Infection but still with problems


  • This topic is locked This topic is locked
6 replies to this topic

#1 HydroLar

HydroLar

  • Members
  • 454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Storrs, Connecticut USA
  • Local time:06:59 AM

Posted 06 October 2013 - 10:39 AM

Hello everyone

I have a work computer that previously was infected with Zero Access. It was cleaned by IT and I have no information how they cleaned it but I do believe they ran ComboFix. When it was returned I ran Rogue Killer to check for Zero Access traces as a learning tool and I find strange named drivers still being downloaded which to me means it may still be infected.

This is a Windows 7 Professional, 32 bit computer with 2 Gb RAM and running Service Pack 1. As a sidenote, you will notice Java 6 on this computer which we cannot update to Java 7 because our time management software will only work with Java 6 for the time being.

We run MSE with real-time protection turned on as well as on demand ESET, MBAM, SAS and various other utilities. Here are the DDS and Rogue Killer logs along with Attach.txt


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16686
Run by bridge at 11:28:51 on 2013-10-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1791.991 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\explorer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.reliancehouse.org/rhhome.html
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\HPNetworkCheckPlugin.dll
mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP KEYBOARDx] "c:\program files\hewlett-packard\hp desktop keyboard\HPKEYBOARDx.EXE"
mRun: [HP Remote Solution] c:\program files\hewlett-packard\hp remote solution\HP_Remote_Solution.exe
mRun: [BATINDICATOR] c:\program files\hewlett-packard\hp mainstream keyboard\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] c:\program files\hewlett-packard\hp mainstream keyboard\LaunchApp.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoAutoUpdate = dword:0
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.10 192.168.1.11 68.94.156.1
TCP: Interfaces\{0CE4D098-D4A8-4C9C-A122-0F6191D8275D} : DHCPNameServer = 192.168.1.10 192.168.1.11 68.94.156.1
TCP: Interfaces\{0CE4D098-D4A8-4C9C-A122-0F6191D8275D}\25840275962756C6563737 : DHCPNameServer = 192.168.1.10 192.168.1.7
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.69\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 MpKsl1a11f14f;MpKsl1a11f14f;c:\programdata\microsoft\microsoft antimalware\definition updates\{4b7ca3c9-9905-4ee4-9e6d-8fc2387292f9}\MpKsl1a11f14f.sys [2013-10-6 40392]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 cpextender;Check Point SSL Network Extender;c:\program files\checkpoint\ssl network extender\slimsvc.exe [2009-11-2 353672]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2012-9-27 86528]
R2 HPAuto;HP Auto;c:\program files\hewlett-packard\hp auto\HPAuto.exe [2011-2-17 579640]
R2 HPClientSvc;HP Client Services;c:\program files\hewlett-packard\hp client services\HPClientServices.exe [2010-10-11 246840]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
R3 netr28u;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\netr28u.sys [2012-11-12 1322784]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2009-11-2 129304]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 OxPPort;OxPPort;c:\windows\system32\drivers\OxPPort.sys [2011-5-18 82048]
S3 OxSer;OxSer;c:\windows\system32\drivers\OxSer.sys [2011-5-18 83888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-7-10 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-7-10 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-7-10 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-7-10 1343400]
.
=============== Created Last 30 ================
.
2013-10-06 12:07:45 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4b7ca3c9-9905-4ee4-9e6d-8fc2387292f9}\offreg.dll
2013-10-06 12:07:44 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4b7ca3c9-9905-4ee4-9e6d-8fc2387292f9}\MpKsl1a11f14f.sys
2013-10-06 12:06:15 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4b7ca3c9-9905-4ee4-9e6d-8fc2387292f9}\mpengine.dll
2013-10-05 21:40:41 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-05 21:10:43 7328304 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-10-05 15:08:32 -------- d-sh--w- C:\$RECYCLE.BIN
2013-10-05 15:08:28 -------- d-----w- c:\users\bridge\appdata\local\temp
2013-10-05 15:00:42 98816 ----a-w- c:\windows\sed.exe
2013-10-05 15:00:42 256000 ----a-w- c:\windows\PEV.exe
2013-10-05 15:00:42 208896 ----a-w- c:\windows\MBR.exe
2013-09-16 18:24:13 -------- d-----w- C:\AdwCleaner
.
==================== Find3M ====================
.
2013-09-20 17:09:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-20 17:09:20 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-10 03:59:10 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- c:\windows\system32\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-08-10 03:07:50 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-08-10 02:17:19 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-08-08 01:03:07 2348544 ----a-w- c:\windows\system32\win32k.sys
2013-08-05 01:56:47 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-18 23:43:49 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-07-18 23:43:49 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-11 07:02:26 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-07-09 05:03:34 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52:10 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50:42 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
============= FINISH: 11:29:20.18 ===============




RogueKiller V8.7.1 [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : bridge [Admin rights]
Mode : Scan -- Date : 10/06/2013 11:12:31
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?s_pClassInfo@AccessibleButton@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0x6CCB8E52)
[Inline] EAT @explorer.exe (?s_pClassInfo@CCBase@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0x6CCB8E73)
[Inline] EAT @explorer.exe (?s_pClassInfo@Expandable@DirectUI@@0PAUIClassInfo@2@A) : DUI70.dll -> HOOKED (Unknown @ 0xFCCB8998)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD25 00AAJS-60Z0A SCSI Disk Device +++++
--- User ---
[MBR] e72c4fba943b4d29fceb10b8c468919d
[BSP] fcee75efa92b8d8030c2fca8c535960b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 228878 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 468948992 | Size: 9495 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10062013_111231.txt >>
Posted Image
 
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." - Marcus Aurelius

BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:59 AM

Posted 07 October 2013 - 10:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found on your logs.

Lets see what we can find.

Download correct tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

#3 HydroLar

HydroLar
  • Topic Starter

  • Members
  • 454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Storrs, Connecticut USA
  • Local time:06:59 AM

Posted 07 October 2013 - 04:50 PM

Hi nasdaq,

 

Thanks for replying.

 

I was mostly concerned with the weird named drivers RogueKiller found more than anything else, other than that I have no other concerns with this PC:

 

Anyway, here is the FRST report:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by bridge (administrator) on RH-0146 on 07-10-2013 17:30:56
Running from C:\Users\bridge\Desktop\Larry
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Check Point Software Technologies) C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
() C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
() C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [hpsysdrv] - c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [HP KEYBOARDx] - C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE [710656 2010-02-11] (Hewlett-Packard)
HKLM\...\Run: [HP Remote Solution] - C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM\...\Run: [BATINDICATOR] - C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)
HKLM\...\Run: [LaunchHPOSIAPP] - C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKCU\...\Policies\Explorer: [NoAutoUpdate] 0
HKU\splum\...\Policies\system: [NoDispScrSavPage] 1

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reliancehouse.org/rhhome.html
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MIF5BA~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.10 192.168.1.11 68.94.156.1

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\30.0.1599.69\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\30.0.1599.69\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\30.0.1599.69\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U37) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.370.6) - C:\Windows\system32\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
CHR Extension: (Google Docs) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\bridge\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)
R2 cpextender; C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe [353672 2009-11-02] (Check Point Software Technologies)
R2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [370792 2010-03-04] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-06-20] (Microsoft Corporation)
R2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [167528 2010-03-04] ()

==================== Drivers (Whitelisted) ====================

R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R1 MpKsl50001fe0; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BF09B734-B804-452D-A824-F26DAE4DF242}\MpKsl50001fe0.sys [40392 2013-10-07] (Microsoft Corporation)
R3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1322784 2012-11-12] (Ralink Technology Corp.)
S3 OxPPort; C:\Windows\system32\drivers\OxPPort.sys [82048 2008-07-31] (OEM)
S3 OxSer; C:\Windows\system32\drivers\OxSer.sys [83888 2009-09-16] (OEM)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 VNA; C:\Windows\System32\DRIVERS\vna.sys [129304 2009-11-02] (Check Point Software Technologies)
R3 vpcbus; C:\Windows\system32\drivers\vpchbus.sys [165376 2011-05-19] (Microsoft Corporation)
R1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [55040 2011-05-19] (Microsoft Corporation)
R3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2011-05-19] (Microsoft Corporation)
R1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [295128 2011-05-19] (Microsoft Corporation)
U3 catchme; \??\C:\Users\bridge\AppData\Local\Temp\catchme.sys [x]
U3 mbr; \??\C:\Users\bridge\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-07 17:30 - 2013-10-07 17:30 - 00000000 ____D C:\FRST
2013-10-06 17:47 - 2013-10-06 17:47 - 00000000 ____D C:\Users\bridge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Avatar 2011
2013-10-05 17:40 - 2013-10-05 17:49 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-05 11:08 - 2013-10-05 11:08 - 00014774 _____ C:\ComboFix.txt
2013-10-05 11:00 - 2013-10-05 11:08 - 00000000 ____D C:\Qoobox
2013-10-05 11:00 - 2013-10-05 11:07 - 00000000 ____D C:\Windows\erdnt
2013-10-05 11:00 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2013-10-05 11:00 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2013-10-05 11:00 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-10-05 11:00 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-10-05 11:00 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-10-05 11:00 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2013-10-05 11:00 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2013-10-05 11:00 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2013-09-16 14:24 - 2013-09-19 18:44 - 00000000 ____D C:\AdwCleaner
2013-09-13 03:04 - 2013-08-09 23:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-13 03:04 - 2013-08-09 23:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-13 03:04 - 2013-08-09 23:59 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-13 03:04 - 2013-08-09 23:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-13 03:04 - 2013-08-09 23:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-13 03:04 - 2013-08-09 23:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-13 03:04 - 2013-08-09 22:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-12 14:07 - 2013-08-07 21:03 - 02348544 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-12 14:07 - 2013-08-04 21:56 - 00133056 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys
2013-09-12 14:07 - 2013-08-01 21:50 - 00169984 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-12 14:07 - 2013-08-01 21:49 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-12 14:07 - 2013-08-01 21:49 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 20:52 - 00271360 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-12 14:07 - 2013-08-01 20:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 20:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 20:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-12 14:07 - 2013-08-01 20:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-12 14:07 - 2013-07-25 21:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-12 14:07 - 2013-07-25 21:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll

==================== One Month Modified Files and Folders =======

2013-10-07 17:30 - 2013-10-07 17:30 - 00000000 ____D C:\FRST
2013-10-07 17:29 - 2013-07-18 16:26 - 00000000 ___HD C:\Users\bridge\Desktop\Larry
2013-10-07 17:27 - 2013-07-18 16:22 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-07 17:27 - 2013-07-18 16:22 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-07 17:27 - 2013-07-11 09:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-07 17:27 - 2013-07-10 12:42 - 01741956 _____ C:\Windows\WindowsUpdate.log
2013-10-07 15:42 - 2013-07-11 09:19 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2013-10-06 18:09 - 2013-07-11 14:31 - 00000000 ____D C:\Users\bridge\RADplus
2013-10-06 18:09 - 2013-07-11 12:00 - 00000000 ____D C:\Users\bridge
2013-10-06 17:48 - 2013-07-11 14:31 - 00000622 _____ C:\Users\bridge\rp.pk
2013-10-06 17:47 - 2013-10-06 17:47 - 00000000 ____D C:\Users\bridge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Avatar 2011
2013-10-06 17:47 - 2013-07-11 14:31 - 00002077 _____ C:\Users\bridge\Desktop\Avatar 2011.lnk
2013-10-06 17:47 - 2013-07-11 14:20 - 00001832 _____ C:\Users\bridge\AppData\Local\SLC_bridge.prx
2013-10-06 11:29 - 2009-07-14 00:34 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-06 11:29 - 2009-07-14 00:34 - 00027568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-05 17:49 - 2013-10-05 17:40 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-05 11:08 - 2013-10-05 11:08 - 00014774 _____ C:\ComboFix.txt
2013-10-05 11:08 - 2013-10-05 11:00 - 00000000 ____D C:\Qoobox
2013-10-05 11:08 - 2009-07-13 22:37 - 00000000 __RHD C:\Users\Default
2013-10-05 11:08 - 2009-07-13 22:37 - 00000000 ___RD C:\Users\Public
2013-10-05 11:07 - 2013-10-05 11:00 - 00000000 ____D C:\Windows\erdnt
2013-10-05 11:07 - 2009-07-13 22:04 - 00000215 _____ C:\Windows\system.ini
2013-10-05 07:37 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\NDF
2013-10-04 13:19 - 2010-11-20 17:01 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-04 13:14 - 2013-07-19 18:39 - 00000000 ____D C:\Windows\Sun
2013-10-04 13:14 - 2010-11-20 17:48 - 00274800 _____ C:\Windows\PFRO.log
2013-10-04 13:14 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-04 13:14 - 2009-07-14 00:39 - 00041242 _____ C:\Windows\setupact.log
2013-10-03 19:34 - 2013-07-18 19:59 - 00000324 _____ C:\Windows\Tasks\HPCeeScheduleForbridge.job
2013-10-03 19:31 - 2013-07-18 16:22 - 00000000 ____D C:\Users\bridge\AppData\Local\Google
2013-10-03 18:39 - 2013-07-25 20:05 - 00000000 _____ C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-10-03 18:39 - 2013-07-18 19:34 - 00000052 _____ C:\Windows\system32\DOErrors.log
2013-10-03 15:15 - 2013-07-18 16:22 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-09-20 13:09 - 2013-07-11 09:00 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-09-20 13:09 - 2013-07-11 09:00 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-09-19 18:44 - 2013-09-16 14:24 - 00000000 ____D C:\AdwCleaner
2013-09-13 08:10 - 2013-07-11 12:01 - 00000000 ___RD C:\Users\bridge\Virtual Machines
2013-09-13 08:10 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2013-09-13 03:34 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-13 03:26 - 2009-07-14 00:33 - 00412784 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-13 03:09 - 2013-07-11 09:46 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-13 03:02 - 2013-07-10 15:22 - 00000000 ____D C:\Windows\system32\MRT
2013-09-13 03:00 - 2013-07-10 14:30 - 76725432 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-11 23:16 - 2013-08-27 20:09 - 00000000 ____D C:\Users\bridge\AppData\Local\Microsoft Games

Some content of TEMP:
====================
C:\Users\bridge\AppData\Local\temp\ntdll_dump.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-01 06:57

==================== End Of Log ============================


Posted Image
 
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." - Marcus Aurelius

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:59 AM

Posted 08 October 2013 - 08:26 AM

Looking good.

DUI70.dll belongs to Windows DirectUI Engine. Nothing to worry about.

#5 HydroLar

HydroLar
  • Topic Starter

  • Members
  • 454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Storrs, Connecticut USA
  • Local time:06:59 AM

Posted 10 October 2013 - 02:21 PM

Then we all set and can close this, thanks nasdaq!
Posted Image
 
"The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." - Marcus Aurelius

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:59 AM

Posted 11 October 2013 - 08:15 AM

If all is well:

Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:
  • Click Start > Run and copy/paste the following bold text into the Run box and click OK:
  • ComboFix /Uninstall
===

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:Please note: Many installer offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful addons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help blocking many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon,
  • ScriptNo a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:59 AM

Posted 17 October 2013 - 09:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users