spyware / monitoring web activity reported to 3rd party



#1 clabrown

Posted 28 September 2015 - 12:39 PM

Here's a link to the original topic in the Am I Infected forum


http://www.bleepingcomputer.com/forums/t/591162/spyware-monitoring-web-activity-reported-to-3rd-party/#entry3824595


Basically the problem is there seems to be a program that is reporting his activity on his work PC to his live-in girlfriend, including screenshots, at least from web browsing. If he looks at a questionable image, she seems to know almost in real time, and will later ream him out and describe the image. Obviously he's concerned that she may get other screenshots, like business account info, bank accounts, etc. There is no obvious problem with the PC; it seems to respond normally. It's a Windows 7 Pro 32-bit on a very small family business network with Windows Server 2012 Essentials as the server.


From my point of view, I'll eventually save his data, nuke and rebuild that PC. But if possible I'd like to know what she installed on his PC, how it probably got there once it's identified, and ensure it doesn't happen again. It's probably just a physical access problem because they do have a garage on site, car lifts, etc., and she may have had to use the bathroom in the office if she were with him one weekend or evening when he was working on his car in the garage.


The steps I took were to have him update his Malwarebytes and run a scan, which also should have processed everything through his AVG CloudCare Antivirus real-time protection. Quite a few trojan objects were found and removed. I will paste the FRST.TXT log below and attach the ADDITION.TXT file. I will also attach the Malwarebytes log and AVG Resident Shield logs as well, which include the info on what was removed.


Thanks for your help.


START PASTE SECTION ....


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-09-2015
Ran by mgerber (administrator) on MGERBER02 (28-09-2015 11:22:10)
Running from E:\
Loaded Profiles: Administrator & mgerber (Available Profiles: Administrator & mgerber)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgApiWrapper.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgRemote\AvgRemote.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgUpgrade.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(PDF Complete Inc) C:\Program Files\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgRemote\raserver.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(Microsoft Corporation) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\XmppAuth.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Windows\System32\Essentials\EssentialsTrayApp.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgTrayApp.exe
(AVG Technologies, Inc.) C:\Program Files\AVG\CloudCare\AvgRemote\raserver.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\2.0.181\mcuicnt.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [8555040 2010-03-31] (Realtek Semiconductor)
HKLM\...\Run: [hpsysdrv] => c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [IMSS] => C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112152 2011-02-01] (Intel Corporation)
HKLM\...\Run: [Microsoft Default Manager] => C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [PDF Complete] => C:\Program Files\PDF Complete\pdfsty.exe [658424 2011-05-06] (PDF Complete Inc)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [EssentialsTrayApp] => C:\Windows\System32\Essentials\EssentialsTrayApp.exe [257024 2013-08-21] (Microsoft Corporation)
HKLM\...\Run: [AVG CloudCare] => C:\Program Files\AVG\CloudCare\AvgTrayApp.exe [116504 2015-03-30] (AVG Technologies, Inc.)
HKLM\...\Run: [racontrol] => C:\Program Files\AVG\CloudCare\AvgRemote\raserver.exe [1401712 2015-03-19] (AVG Technologies, Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3745744 2015-05-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\runonceex: [ContentMerger] => C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\ContentMerger10.exe [19952 2010-03-19] (Sonic Solutions)
HKU\S-1-5-21-1542939376-976841989-3569917708-1143\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\S-1-5-21-2118722120-3392476721-2803926804-1001\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\S-1-5-21-2118722120-3392476721-2803926804-1001\...\RunOnce: [spchecker] => "C:\Program Files\AVG\AVG10\Notification\SPCheckerTE.exe"
HKU\S-1-5-21-2118722120-3392476721-2803926804-500\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\S-1-5-21-3116539935-2131418972-497152321-1001\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\S-1-5-21-3116539935-2131418972-497152321-1117\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2009-05-18] (Hewlett-Packard Company)
HKU\S-1-5-21-3116539935-2131418972-497152321-1117\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [10240 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-06-26] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2011-11-30]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{B0FD0DDA-CEE0-450F-ADF1-88EDEF0B1AB2}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKU\S-1-5-21-1542939376-976841989-3569917708-1143\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-1542939376-976841989-3569917708-1143\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-1542939376-976841989-3569917708-1143\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-2118722120-3392476721-2803926804-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-2118722120-3392476721-2803926804-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-2118722120-3392476721-2803926804-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-2118722120-3392476721-2803926804-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-2118722120-3392476721-2803926804-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-3116539935-2131418972-497152321-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-3116539935-2131418972-497152321-1001\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-3116539935-2131418972-497152321-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-3116539935-2131418972-497152321-1117\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPCOM/1
HKU\S-1-5-21-3116539935-2131418972-497152321-1117\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPCOM/1
SearchScopes: HKLM -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=CMDTDF
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKLM -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2118722120-3392476721-2803926804-500 -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
SearchScopes: HKU\S-1-5-21-3116539935-2131418972-497152321-1117 -> DefaultScope {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
SearchScopes: HKU\S-1-5-21-3116539935-2131418972-497152321-1117 -> {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-07-27] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll [2010-08-13] (Microsoft Corporation)
Toolbar: HKLM - @C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll [2010-08-13] (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_60-windows-i586.cab
DPF: {917458B4-57C3-4A76-AE30-1B634F52210B} hxxp://192.168.1.10:7000/DVRWebViewer.cab
DPF: {CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_60-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_60-windows-i586.cab

FireFox:
========
FF ProfilePath: C:\Users\mgerber\AppData\Roaming\Mozilla\Firefox\Profiles\2vsvqrgx.default-1413812855842
FF Homepage: hxxps://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-12] ()
FF Plugin: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-15] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-07-15] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll [2010-08-13] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @vmware.com/vmrc,version=5.5.0.00000 -> C:\Program Files\Common Files\VMware\VMware Remote Console Plug-in 5.5\Firefox\np-vmware-vmrc.dll [2014-06-12] (VMware, Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-05-10] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\Firefox
FF Extension: Bing Bar - C:\Program Files\MSN Toolbar\Platform\6.0.2282.0\Firefox [2011-06-09]
FF HKLM\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2011-06-09]
FF HKLM\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2011-06-09]

Chrome:
=======
CHR Profile: C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-06-26]
CHR Extension: (Google Drive) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-06-26]
CHR Extension: (YouTube) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-06-26]
CHR Extension: (Google Search) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-06-26]
CHR Extension: (Google Docs Offline) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-11]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-07-27]
CHR Extension: (Google Wallet) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-11]
CHR Extension: (Gmail) - C:\Users\mgerber\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-06-26]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AvgApiWrapper; C:\Program Files\AVG\CloudCare\AvgApiWrapper.exe [156952 2015-03-30] (AVG Technologies, Inc.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3438544 2015-05-18] (AVG Technologies CZ, s.r.o.)
R2 AvgRemote; C:\Program Files\AVG\CloudCare\AvgRemote\AvgRemote.exe [252784 2015-03-19] (AVG Technologies, Inc.)
R2 AvgUpgrade; C:\Program Files\AVG\CloudCare\AvgUpgrade.exe [59160 2015-03-30] (AVG Technologies, Inc.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [311792 2015-05-18] (AVG Technologies CZ, s.r.o.)
R2 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [126520 2010-11-15] (Hewlett-Packard Company)
S3 HP Port Resolver; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE [81920 2005-05-03] (Hewlett-Packard Company) [File not signed]
S3 HP Status Server; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE [73728 2004-06-10] (Hewlett-Packard Company) [File not signed]
R2 Intel® PROSet Monitoring Service; C:\Windows\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
S3 KIIFAGUOSZF; C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe [482176 2011-11-11] (Sysinternals - www.sysinternals.com) [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-05-18] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [227232 2010-01-15] (McAfee, Inc.)
R2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [1128952 2011-05-06] (PDF Complete Inc)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [52736 2006-05-11] (Hewlett-Packard) [File not signed]
R2 raserver; C:\Program Files\AVG\CloudCare\AvgRemote\raserver.exe [1401712 2015-03-19] (AVG Technologies, Inc.)
S3 ServiceProviderRegistry; C:\Windows\System32\Essentials\ProviderRegistryService.exe [34816 2013-08-22] (Microsoft Corporation)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [714832 2013-08-05] (VMware, Inc.)
S3 WCEQSP; C:\Users\a\AppData\Local\Temp\WCEQSP.exe [465792 2011-11-11] (Sysinternals - www.sysinternals.com) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S3 WseClientMgmtSvc; C:\Windows\System32\Essentials\SharedServiceHost.exe [24576 2013-08-22] (Microsoft Corporation)
S3 WseClientMonitorSvc; C:\Windows\System32\Essentials\WseClientMonitorSvc.exe [39936 2013-08-22] (Microsoft Corporation)
S3 WseHealthSvc; C:\Windows\System32\Essentials\SharedServiceHost.exe [24576 2013-08-22] (Microsoft Corporation)
S3 WseNtfSvc; C:\Windows\System32\Essentials\SharedServiceHost.exe [24576 2013-08-22] (Microsoft Corporation)
R2 XmppAuth; C:\Program Files\AVG\CloudCare\XmppAuth.exe [296728 2015-03-30] (AVG Technologies, Inc.)
S2 avgagent; avgagent.exe /srvfsys [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [226784 2015-04-27] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [191968 2015-05-07] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [29664 2015-05-14] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [206816 2015-04-15] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [166880 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [213984 2015-05-04] (AVG Technologies CZ, s.r.o.)
R3 BackupReader; C:\Windows\System32\DRIVERS\BackupReader.sys [54784 2013-06-18] (Microsoft Corporation)
R3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2010-12-21] (Intel Corporation)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41936 2013-08-05] (VMware, Inc.)
S3 IFCoEMP; C:\Windows\system32\DRIVERS\ifM52x32.sys [264464 2010-08-13] (Intel® Corporation)
S3 IFCoEVB; C:\Windows\system32\DRIVERS\ifP52X32.sys [57616 2010-08-13] (Intel® Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [35088 2011-02-11] (CACE Technologies, Inc.)
S4 LMIRfsClientNP; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-28 11:21 - 2015-09-28 11:22 - 00000000 ____D C:\FRST
2015-09-21 09:27 - 2015-09-21 10:20 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-09-21 09:27 - 2015-09-21 09:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-09-21 09:27 - 2015-09-21 09:27 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-09-21 09:27 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-09-21 09:27 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-09-09 08:09 - 2015-09-01 22:48 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-09-09 08:09 - 2015-09-01 22:48 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-09-09 08:09 - 2015-09-01 22:48 - 00026624 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-09-09 08:09 - 2015-09-01 22:48 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-09-09 08:09 - 2015-09-01 21:36 - 02384896 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-09-09 08:09 - 2015-09-01 21:33 - 00299520 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-09-09 08:09 - 2015-08-27 13:58 - 01391104 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-09-09 08:09 - 2015-08-27 13:58 - 01241088 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-09-09 08:09 - 2015-08-27 13:51 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2015-09-09 08:09 - 2015-08-27 13:51 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2015-09-09 08:09 - 2015-08-05 13:41 - 00751104 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2015-09-09 08:09 - 2015-08-05 13:40 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-09-09 08:09 - 2015-08-05 13:40 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-09-09 08:09 - 2015-08-04 13:48 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-09-09 08:09 - 2015-08-04 13:47 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-09-09 08:09 - 2015-08-04 13:47 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-09-09 08:09 - 2015-08-04 13:46 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-09-09 08:09 - 2015-08-04 13:46 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-09-09 08:09 - 2015-08-04 12:53 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-09-09 08:09 - 2015-07-22 13:57 - 03989952 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-09-09 08:09 - 2015-07-22 13:57 - 03934656 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-09-09 08:09 - 2015-07-22 13:57 - 00137664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-09-09 08:09 - 2015-07-22 13:57 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-09-09 08:09 - 2015-07-22 13:54 - 01308160 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00937984 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00641536 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00635392 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00552960 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-09-09 08:09 - 2015-07-22 13:53 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-09-09 08:09 - 2015-07-22 13:52 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-09-09 08:09 - 2015-07-22 13:52 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-09-09 08:09 - 2015-07-22 13:52 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-09-09 08:09 - 2015-07-22 13:52 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-09-09 08:09 - 2015-07-22 13:47 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-09-09 08:09 - 2015-07-22 13:46 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-09-09 08:09 - 2015-07-22 13:42 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-09-09 08:09 - 2015-07-22 13:42 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-09-09 08:09 - 2015-07-22 12:38 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-09-09 08:09 - 2015-07-22 12:34 - 00225792 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-09-09 08:09 - 2015-07-22 12:34 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-09-09 08:09 - 2015-07-22 12:33 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-09-09 08:08 - 2015-08-26 13:56 - 02953728 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 02061824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 00566784 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 00093184 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-09-09 08:08 - 2015-08-26 13:56 - 00030208 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-09-09 08:08 - 2015-08-26 13:55 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-09-09 08:08 - 2015-08-26 13:55 - 00073728 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-09-09 08:08 - 2015-08-26 13:55 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-09-09 08:08 - 2015-08-26 13:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-09-09 08:08 - 2015-08-17 21:14 - 00344168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-09-09 08:08 - 2015-08-15 02:06 - 19856896 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-09-09 08:08 - 2015-08-15 01:53 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-09-09 08:08 - 2015-08-15 01:53 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-09-09 08:08 - 2015-08-15 01:40 - 00504832 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-09-09 08:08 - 2015-08-15 01:40 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-09-09 08:08 - 2015-08-15 01:39 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-09-09 08:08 - 2015-08-15 01:39 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-09-09 08:08 - 2015-08-15 01:38 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-09-09 08:08 - 2015-08-15 01:35 - 02279424 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-09-09 08:08 - 2015-08-15 01:33 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-09-09 08:08 - 2015-08-15 01:32 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-09-09 08:08 - 2015-08-15 01:30 - 00479232 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-09-09 08:08 - 2015-08-15 01:29 - 00665600 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-09-09 08:08 - 2015-08-15 01:29 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-09-09 08:08 - 2015-08-15 01:29 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-09-09 08:08 - 2015-08-15 01:29 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-09-09 08:08 - 2015-08-15 01:24 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-09-09 08:08 - 2015-08-15 01:21 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-09-09 08:08 - 2015-08-15 01:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-09-09 08:08 - 2015-08-15 01:14 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-09-09 08:08 - 2015-08-15 01:12 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-09-09 08:08 - 2015-08-15 01:11 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-09-09 08:08 - 2015-08-15 01:10 - 04520448 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-09-09 08:08 - 2015-08-15 01:04 - 12857344 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-09-09 08:08 - 2015-08-15 01:02 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-09-09 08:08 - 2015-08-15 01:02 - 00685568 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-09-09 08:08 - 2015-08-15 01:01 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-09-09 08:08 - 2015-08-15 01:01 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-09-09 08:08 - 2015-08-15 00:43 - 01951232 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-09-09 08:08 - 2015-08-15 00:39 - 01310720 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-09-09 08:08 - 2015-08-15 00:37 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-09-09 08:08 - 2015-07-09 13:42 - 01372160 _____ (Microsoft Corporation) C:\Windows\system32\dwmcore.dll
2015-09-09 08:08 - 2015-07-09 13:42 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\dwmapi.dll
2015-09-09 08:08 - 2015-06-25 05:48 - 00105408 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2015-09-09 08:08 - 2015-06-25 05:44 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-09-09 08:08 - 2015-06-25 05:44 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2015-09-09 08:07 - 2015-07-14 22:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-28 11:22 - 2013-06-26 09:51 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-28 11:10 - 2011-11-13 23:07 - 00000000 ____D C:\ProgramData\MFAData
2015-09-28 10:39 - 2012-04-07 10:20 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-28 10:21 - 2011-06-09 12:46 - 01614476 _____ C:\Windows\WindowsUpdate.log
2015-09-28 00:01 - 2011-11-11 17:25 - 00000000 ____D C:\ProgramData\LogMeIn
2015-09-27 16:22 - 2013-06-26 09:51 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-26 11:18 - 2011-06-09 12:53 - 00000000 ____D C:\ProgramData\PDFC
2015-09-25 14:41 - 2009-07-14 00:34 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-25 14:41 - 2009-07-14 00:34 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-25 14:09 - 2009-07-25 08:54 - 00785322 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-25 14:08 - 2009-07-14 00:39 - 00033967 _____ C:\Windows\setupact.log
2015-09-21 10:18 - 2015-05-07 11:27 - 00000000 ____D C:\ProgramData\AVGRemoteIT
2015-09-21 10:18 - 2014-01-21 09:15 - 00000976 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-09-21 10:18 - 2014-01-21 09:15 - 00000960 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-09-21 10:18 - 2011-11-11 19:04 - 00122766 _____ C:\Windows\PFRO.log
2015-09-21 10:18 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-21 09:27 - 2013-06-26 09:48 - 00001062 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-09-21 09:27 - 2013-06-26 09:48 - 00000000 ____D C:\Users\mgerber\AppData\Roaming\Malwarebytes
2015-09-21 09:27 - 2013-06-26 09:48 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-09-21 09:27 - 2013-06-26 09:48 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2015-09-21 09:16 - 2015-05-07 11:27 - 00000000 ____D C:\Users\mgerber\AppData\Local\Avg2015
2015-09-20 01:31 - 2011-11-11 17:52 - 00000128 _____ C:\Windows\system32\config\netlogon.ftl
2015-09-19 10:10 - 2011-11-11 18:01 - 00000410 _____ C:\Windows\BRWMARK.INI
2015-09-17 17:01 - 2011-11-25 09:40 - 00000052 _____ C:\Windows\system32\DOErrors.log
2015-09-15 15:18 - 2013-06-26 09:52 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-10 04:15 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2015-09-10 03:37 - 2009-07-14 00:33 - 00363792 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-10 03:35 - 2009-07-14 03:50 - 00000000 ____D C:\Program Files\Windows Journal
2015-09-10 03:19 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2015-09-10 03:13 - 2015-05-07 10:44 - 00000000 ____D C:\Windows\system32\MRT

==================== Files in the root of some directories =======

2015-04-25 10:49 - 2015-04-25 10:49 - 0507352 _____ (ForensiT Limited) C:\ProgramData\UserProfileMigrationService.exe

Some files in TEMP:
====================
C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe
C:\Users\a\AppData\Local\Temp\WCEQSP.exe
C:\Users\Administrator\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\mgerber\AppData\Local\Temp\ApplnchConfig.exe
C:\Users\mgerber\AppData\Local\Temp\ApplnchInstall.exe
C:\Users\mgerber\AppData\Local\Temp\contentDATs.exe
C:\Users\mgerber\AppData\Local\Temp\SecurityScan_Release.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-21 00:13

==================== End of FRST.txt ============================


#2 shelf life

  • Malware Response Team

Posted 28 September 2015 - 05:34 PM

hi,


The exe below looks like a culprit.
Usually online only once or twice per day so you may not get a reply back from me until the next day.

We will use FRST to remove some items. You can copy/paste what's below between the two lines into notepad.

Save it as fixlist.txt in the same location you have FRST.

Last: start FRST like you did before except this time click on the fix button once. Machine may reboot to finish the process. Upon reboot it will display a fixlog.txt in the same location as FRST.

Copy/paste in the fixlog.txt results in your reply.


------------------------------------------------


S3 KIIFAGUOSZF; C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe [482176 2011-11-11] (Sysinternals - www.sysinternals.com) [File not signed]
C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe
AlternateDataStreams: C:\ProgramData\TEMP:223BB3A1
AlternateDataStreams: C:\Users\mgerber\Documents\THE BIN WAS REMOVED AT 11100 McCormick Rd.eml:OECustomProperty
AlternateDataStreams: C:\Users\mgerber\Documents\THE DAILY PRESSURE AT 11100 McCormick Rd IS 21% FULL.eml:OECustomProperty
EmptyTemp:


-------------------------------------------------
 


How Can I Reduce My Risk to Malware?


#3 clabrown

  • Topic Starter

Posted 29 September 2015 - 11:38 AM

Thanks for the response! It may take me a day or so to get this done, not on site. Just curious if you could explain what points to these items in particular? I see where they are listed in the log files. Also curious if you could guess how they got on the PC.

 

Thanks again.



#4 shelf life

  • Malware Response Team

Posted 29 September 2015 - 05:04 PM

ok no problem. Sysinternals is a real website that's been around for a while offering excellent freeware for download, but this:

 

KIIFAGUOSZF.exe

 

Is not one of them, and it's also running out of a temp directory and is an installed service, more clues.




#5 clabrown

  • Topic Starter

Posted 29 September 2015 - 05:43 PM

OK, thanks for the explanation about KIIFAGUOSZF.exe. Not understanding the log output, the Sysinternals portion is supposed to indicate who the owner / developer of the file is .... or at least that's what I'm assuming. I'm very familiar with SysInternals ... since before MS bought them. There are times their utilities are indispensable ... but now I see it's in the services section ... yup, that's suspicious. Is there documentation / tutorials on the output of FRST so I can learn more?

 

How about the other ADS files .... I know that ADS can be used to save extra stuff for various legitimate reasons, and Microsoft Office sometimes uses it ... those ADS files seem like they are named in accordance with other documents, but seem to be lacking extensions ... What draws them out as targets?

 

Hopefully I'll be able to complete the next step tomorrow and have new logs.

 

Any conjecture on an infection vector?

 

Thanks again, Cla.


Edited by clabrown, 29 September 2015 - 05:47 PM.


#6 shelf life

  • Malware Response Team

Posted 29 September 2015 - 07:33 PM

 

the log output the sysinternals portion is supposed to indicate who the owner / developer of the file is

this can be anything the malware author wants it to be. ADS optional to remove. The first one with the temp I would remove, the others optional.

 

ADS:

http://www.irongeek.com/i.php?page=security/altds

 

FRST:

http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

Vector? E-mail, links, physical access, file sharing, just guessing.

 

 


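The reasoning in this reply and the previous one (a service whose image lives in a Temp directory, is not signed, has a random-looking name, and carries a vendor string that anyone can set) can be turned into a small triage check over FRST output. The Python below is an added example, not part of the thread and not FRST's own code: it parses FRST-style service and AlternateDataStreams lines, scores them with those heuristics and returns what crosses a threshold. The sample lines are constructed from the fixlist in this thread plus one made-up benign service (ExampleSvc, with placeholder size, date and vendor); the point values, the vendor list and the treatment of OECustomProperty streams on .eml files as a mail-client property stream (following the "optional" remark above) are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input in FRST's Services / AlternateDataStreams line
# format, modelled on the fixlist in this thread. ExampleSvc is a made-up
# benign control line; its size, date and vendor are placeholders.
SAMPLE_LINES = [
    r"S3 KIIFAGUOSZF; C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe [482176 2011-11-11] (Sysinternals - www.sysinternals.com) [File not signed]",
    r"R2 ExampleSvc; C:\Program Files\Example\ExampleSvc.exe [100000 2014-01-01] (Example Corp)",
    r"AlternateDataStreams: C:\ProgramData\TEMP:223BB3A1",
    r"AlternateDataStreams: C:\Users\mgerber\Documents\THE BIN WAS REMOVED AT 11100 McCormick Rd.eml:OECustomProperty",
]

# FRST service line: <R|S><start type> <name>; <image path> [<size> <date>] (<company>) [<note>]
# R/S is running/stopped; the digit is the Windows start type (2 auto, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)"
    r"(?: \[(?P<note>[^\]]*)\])?$"
)
# ADS line: the stream name is whatever follows the LAST colon (the drive colon comes first).
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\/]+)$")

# Vendors whose genuine binaries are Authenticode-signed. An unsigned file that
# claims one of them has a company string that contradicts its signature state.
SIGNING_VENDORS = ("sysinternals", "microsoft")


@dataclass
class Finding:
    kind: str
    subject: str
    score: int
    reasons: list = field(default_factory=list)


def assess_service(m):
    """Score one parsed service entry with the thread's heuristics (weights are assumptions)."""
    reasons, score = [], 0
    path = m["path"].lower()
    if "\\temp\\" in path:
        score += 3
        reasons.append("image runs from a Temp directory")
    unsigned = bool(m["note"]) and "not signed" in m["note"].lower()
    if unsigned:
        score += 2
        reasons.append("file is not digitally signed")
        if any(v in m["company"].lower() for v in SIGNING_VENDORS):
            score += 2
            reasons.append("company string claims a vendor that signs its binaries")
    if re.fullmatch(r"[A-Z]{8,}", m["name"]):
        score += 1
        reasons.append("random-looking service name")
    return Finding("service", m["name"], score, reasons)


def assess_ads(m):
    """Score one parsed ADS entry: streams on Temp locations are worth removing, known property streams are optional."""
    path, stream = m["path"], m["stream"]
    subject = f"{path}:{stream}"
    if "\\temp" in path.lower():
        return Finding("ads", subject, 3, ["stream attached to a Temp location"])
    if path.lower().endswith(".eml") and stream == "OECustomProperty":
        return Finding("ads", subject, 0, ["mail-client property stream; removal optional"])
    return Finding("ads", subject, 1, ["unclassified stream; review manually"])


def triage(lines, threshold=3):
    """Parse FRST lines and return the findings whose score reaches the threshold, in input order."""
    findings = []
    for line in lines:
        if (m := SERVICE_RE.match(line)):
            findings.append(assess_service(m))
        elif (m := ADS_RE.match(line)):
            findings.append(assess_ads(m))
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.subject} score={f.score}: " + "; ".join(f.reasons))
```

Run against the sample lines it reports the KIIFAGUOSZF service (every heuristic fires) and the stream on C:\ProgramData\TEMP, while the .eml property streams and the control service fall below the threshold; lowering `threshold` shows the full list with the reasons for each verdict.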


#7 clabrown

  • Topic Starter

Posted 01 October 2015 - 03:58 PM

Finally got a chance to run FRST with fixlist.txt. It seemed to have worked, or that's what it reports.

 

Here's fixlog.txt :

 

Fix result of Farbar Recovery Scan Tool (x86) Version:23-09-2015
Ran by mgerber (2015-10-01 16:40:10) Run:1
Running from E:\
Loaded Profiles: Administrator & mgerber (Available Profiles: Administrator & mgerber)
Boot Mode: Normal

==============================================

fixlist content:
*****************
S3 KIIFAGUOSZF; C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe [482176 2011-11-11] (Sysinternals - www.sysinternals.com) [File not signed]
C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe
AlternateDataStreams: C:\ProgramData\TEMP:223BB3A1
AlternateDataStreams: C:\Users\mgerber\Documents\THE BIN WAS REMOVED AT 11100 McCormick Rd.eml:OECustomProperty
AlternateDataStreams: C:\Users\mgerber\Documents\THE DAILY PRESSURE AT 11100 McCormick Rd IS 21% FULL.eml:OECustomProperty
EmptyTemp:
*****************

KIIFAGUOSZF => service removed successfully.
C:\Users\a\AppData\Local\Temp\KIIFAGUOSZF.exe => moved successfully
C:\ProgramData\TEMP => ":223BB3A1" ADS removed successfully..
C:\Users\mgerber\Documents\THE BIN WAS REMOVED AT 11100 McCormick Rd.eml => ":OECustomProperty" ADS removed successfully..
C:\Users\mgerber\Documents\THE DAILY PRESSURE AT 11100 McCormick Rd IS 21% FULL.eml => ":OECustomProperty" ADS removed successfully..
EmptyTemp: => 1.8 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 16:43:27 ====



#8 shelf life

  • Malware Response Team

Posted 01 October 2015 - 06:08 PM

That all looks good.

 

Did the computer owner also install nmap and WinPcap? These are legit networking tools, but could be used by malware, but then again if they came with malware they probably wouldn't be listed in the add/remove programs panel.

 




#9 clabrown

  • Topic Starter

Posted 01 October 2015 - 09:25 PM

nmap and WinPCap are valid. I would probably have installed them to scan IP addresses, especially useful if you can't remember the IP of something, but aren't on site to actually poke at it.



#10 shelf life

  • Malware Response Team

Posted 03 October 2015 - 10:14 AM

Ok. I guess we are done then. You can delete the FRST icon and any associated log files. There is also a FRST folder located in your root drive, usually C:, which can also be deleted.






