BAhart
Honorary Members
Posts: 24
Reputation: 0 Neutral
Jeff, thanks. I'll get to your most recent instructions over the weekend.
-
Jeff, yes, still here. I went into safe mode and it uninstalled. So I was happy. But I later scanned my computer with Sophos and it was still finding NircmdB.exe. I poked around and have observed the following: C:\Qoobox is still there. Isn't this where ComboFix was storing the quarantined items? It looks like the quarantined items are gone, but in C:\Qoobox is a subfolder, and in that are 24 files, most of which have a .dat extension. Does that have anything to do with what we have done? C:\Uninstall AND C:\Uninstall2813U each have like 218 files in them and I'm pretty sure that they're associated with ComboFix. What do you think of all this? Did something go wrong with the uninstall? Thanks
-
OK, thanks, I'll give it a try either tonight or tomorrow AM.
-
Jeff, sorry for the slow response. I'm using Windows 7 and don't know how to get it to start in safe mode. Let me look into that. Bottom line though is that I don't think I'll be able to disable Sophos so unless you think it's a bad idea I'll try what you suggested, in safe mode, and see what happens. In the event that this all doesn't work...what's the harm in not uninstalling ComboFix? Do I have to take it off? Thanks
-
Jeff, when I tried to uninstall, the following happened:
It started up similar to how it does when I'm going to run a ComboFix scan.
It popped up a message indicating that there's a newer version available and asking me if I want to update. I said no.
Then nothing... again, at some point in there Sophos said that it had detected NircmdB and moved it to quarantine.
-
Here's the ComboFix log, after downloading it again:

ComboFix 12-11-28.02 - brada 11/28/2012 19:46:28.4.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1607 [GMT -7:00]
Running from: c:\users\brada\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Uninstall.exe
c:\uninstall.exe\.Default.dump
c:\uninstall.exe\023.dat
c:\uninstall.exe\023v.dat
c:\uninstall.exe\023w7.dat
c:\uninstall.exe\ActiveDrv.vbs
c:\uninstall.exe\AllDrivesFolders
c:\uninstall.exe\APISvc
c:\uninstall.exe\AppData.folder.dat
c:\uninstall.exe\appinit.bad
c:\uninstall.exe\asp.str
c:\uninstall.exe\Assoc.cmd
c:\uninstall.exe\attr.dat.tmp
c:\uninstall.exe\ATTRIB.3XE
c:\uninstall.exe\av.cmd
c:\uninstall.exe\av.vbs
c:\uninstall.exe\BCD.dump
c:\uninstall.exe\BFE.dat
c:\uninstall.exe\BHO.dat
c:\uninstall.exe\BHOFiles.dat
c:\uninstall.exe\BHOQuery.dat
c:\uninstall.exe\BitsStr
c:\uninstall.exe\Boot-Rk.cmd
c:\uninstall.exe\Boot.bat
c:\uninstall.exe\BootDrv.vbs
c:\uninstall.exe\borlander_file.dat.tmp
c:\uninstall.exe\borlander_folder.dat.tmp
c:\uninstall.exe\brada.user.cf
c:\uninstall.exe\c.mrk
c:\uninstall.exe\Cache.folder.dat
c:\uninstall.exe\Catch-sub.cmd
c:\uninstall.exe\catch_k.dat
c:\uninstall.exe\catchme.3XE
c:\uninstall.exe\Catchme.tmp
c:\uninstall.exe\CCS.bat
c:\uninstall.exe\CF19451.3XE
c:\uninstall.exe\cfdummy
c:\uninstall.exe\Cfiles.dat.tmp
c:\uninstall.exe\Cfolders.dat.tmp
c:\uninstall.exe\cfrun
c:\uninstall.exe\CHCP.bat
c:\uninstall.exe\ClistB.dat
c:\uninstall.exe\clsid.dat
c:\uninstall.exe\ClsidDumped
c:\uninstall.exe\ClsidFiles
c:\uninstall.exe\ComboFix-Download.3XE
c:\uninstall.exe\ComboFix.tmp
c:\uninstall.exe\ComboFix.txt
c:\uninstall.exe\ConEnv.sed
c:\uninstall.exe\Creg.dat
c:\uninstall.exe\CregB.dat
c:\uninstall.exe\CregC.cmd
c:\uninstall.exe\CregC.dat
c:\uninstall.exe\CregCx64.dat
c:\uninstall.exe\CSCRIPT.3XE
c:\uninstall.exe\dd.3XE
c:\uninstall.exe\ddsDo.sed
c:\uninstall.exe\del00
c:\uninstall.exe\DelClsid.bat
c:\uninstall.exe\DelClsid64.bat
c:\uninstall.exe\DisclaimED.dat
c:\uninstall.exe\dll_whitelist.dat
c:\uninstall.exe\dll_whitelist.dat.tmp
c:\uninstall.exe\dnd.dat
c:\uninstall.exe\DPF.str
c:\uninstall.exe\Drive.folder.dat
c:\uninstall.exe\DriveFile.dat
c:\uninstall.exe\DrivesB.dat
c:\uninstall.exe\DrvRun.vbs
c:\uninstall.exe\dumphive.3XE
c:\uninstall.exe\embedded.sed
c:\uninstall.exe\en-US\ATTRIB.3XE.mui
c:\uninstall.exe\en-US\CF19451.3XE.mui
c:\uninstall.exe\en-US\cmd.3XE.mui
c:\uninstall.exe\en-US\CSCRIPT.3XE.mui
c:\uninstall.exe\en-US\iexplore.exe
c:\uninstall.exe\en-US\PING.3XE.mui
c:\uninstall.exe\en-US\REGT.3XE.mui
c:\uninstall.exe\en-US\ROUTE.3XE.mui
c:\uninstall.exe\Env.sed
c:\uninstall.exe\ERDNT.e_e
c:\uninstall.exe\ERDNTDOS.LOC
c:\uninstall.exe\ERDNTWIN.LOC
c:\uninstall.exe\ErrTrap1
c:\uninstall.exe\ERUNT.3XE
c:\uninstall.exe\erunt.dat
c:\uninstall.exe\ERUNT.LOC
c:\uninstall.exe\Exe.reg
c:\uninstall.exe\extract.3XE
c:\uninstall.exe\f_system
c:\uninstall.exe\F3m.mrk
c:\uninstall.exe\FavFolderD.dat
c:\uninstall.exe\ffdefstr.dll
c:\uninstall.exe\ffext.pif
c:\uninstall.exe\FileKill.3XE
c:\uninstall.exe\files.pif
c:\uninstall.exe\Fin.dat
c:\uninstall.exe\FIND3M.bat
c:\uninstall.exe\FIXLSP.bat
c:\uninstall.exe\FIXLSP64.cmd
c:\uninstall.exe\FKMGen.cmd
c:\uninstall.exe\ForeignWht
c:\uninstall.exe\Gateway
c:\uninstall.exe\GOLDUN.DAT.tmp
c:\uninstall.exe\grep.3XE
c:\uninstall.exe\gsar.3XE
c:\uninstall.exe\handle.3XE
c:\uninstall.exe\hidec.3XE
c:\uninstall.exe\history.bat
c:\uninstall.exe\History.folder.dat
c:\uninstall.exe\iexplore.exe
c:\uninstall.exe\image001.gif
c:\uninstall.exe\Imefile.dat
c:\uninstall.exe\katch.cmd
c:\uninstall.exe\kmd.dat
c:\uninstall.exe\KNetSvcs.vbs
c:\uninstall.exe\L_Beep00
c:\uninstall.exe\Lang.bat
c:\uninstall.exe\LegacyFull
c:\uninstall.exe\LegacyNoSvc
c:\uninstall.exe\lnkread.vbs
c:\uninstall.exe\LocalAppData.folder.dat
c:\uninstall.exe\LocalService.dat
c:\uninstall.exe\LocalServiceNetworkRestricted.dat
c:\uninstall.exe\LocalSettings.folder.dat
c:\uninstall.exe\LocalSystemNetworkRestricted.dat
c:\uninstall.exe\Look.dat
c:\uninstall.exe\mbr.3XE
c:\uninstall.exe\mbr.chk
c:\uninstall.exe\md5sum.pif
c:\uninstall.exe\MDWht.dat
c:\uninstall.exe\MissingFiles.dat
c:\uninstall.exe\Modules
c:\uninstall.exe\MoveIt.bat
c:\uninstall.exe\MpsSvc.dat
c:\uninstall.exe\mtee.3XE
c:\uninstall.exe\MUI
c:\uninstall.exe\Music.folder.dat
c:\uninstall.exe\MWindows.dat
c:\uninstall.exe\mynul.dat
c:\uninstall.exe\ncmd.com
c:\uninstall.exe\ND_.bat
c:\uninstall.exe\ND_64.bat
c:\uninstall.exe\ndis_combofix.dat
c:\uninstall.exe\NetHood.folder.dat
c:\uninstall.exe\netsvc.bad.dat
c:\uninstall.exe\netsvc.dat
c:\uninstall.exe\netsvc_x86.dat
c:\uninstall.exe\netsvc64.bad.dat
c:\uninstall.exe\NetworkService.dat
c:\uninstall.exe\NirCmd.3XE
c:\uninstall.exe\NirCmdC.3XE
c:\uninstall.exe\NIRKMD.3XE
c:\uninstall.exe\NlsLanguageDefault
c:\uninstall.exe\NoX2del
c:\uninstall.exe\NT-OS.cmd
c:\uninstall.exe\NULL
c:\uninstall.exe\OriO4Files.dat
c:\uninstall.exe\OriO4FilesB.dat
c:\uninstall.exe\Orphans.dat
c:\uninstall.exe\OsId.txt
c:\uninstall.exe\OSid.vbs
c:\uninstall.exe\patched.af
c:\uninstall.exe\PathSearch
c:\uninstall.exe\pausep.3XE
c:\uninstall.exe\pend.txt
c:\uninstall.exe\pev.3XE
c:\uninstall.exe\PEV.exe
c:\uninstall.exe\pevb.3XE
c:\uninstall.exe\Pictures.folder.dat
c:\uninstall.exe\PING.3XE
c:\uninstall.exe\Policies.dat
c:\uninstall.exe\powp.dat
c:\uninstall.exe\PreDIR
c:\uninstall.exe\Prep.inf
c:\uninstall.exe\PrintHood.folder.dat
c:\uninstall.exe\Profiles.Folder.dat
c:\uninstall.exe\Profiles.Folder.folder.dat
c:\uninstall.exe\Purity.dat
c:\uninstall.exe\PV.3XE
c:\uninstall.exe\pv.com
c:\uninstall.exe\rar_sfx.cmd
c:\uninstall.exe\raw_enum.dat
c:\uninstall.exe\rawreg.dat
c:\uninstall.exe\RCLink.dat
c:\uninstall.exe\RcRdyList
c:\uninstall.exe\RcVer00
c:\uninstall.exe\Recent.folder.dat
c:\uninstall.exe\REGDACL.sed
c:\uninstall.exe\RegDo.sed
c:\uninstall.exe\region.dat
c:\uninstall.exe\RegLocks.txt
c:\uninstall.exe\RegRun01
c:\uninstall.exe\RegScan64.cmd
c:\uninstall.exe\REGT.3XE
c:\uninstall.exe\RenVDel.dat
c:\uninstall.exe\RenVSuspect
c:\uninstall.exe\Resident.txt
c:\uninstall.exe\restore_pt.dat
c:\uninstall.exe\Rkey.cmd
c:\uninstall.exe\rmbr.3XE
c:\uninstall.exe\rogues.dat
c:\uninstall.exe\ROUTE.3XE
c:\uninstall.exe\run.sed
c:\uninstall.exe\run2.sed
c:\uninstall.exe\Rust.str
c:\uninstall.exe\s0rt.3XE
c:\uninstall.exe\safeboot.dat
c:\uninstall.exe\safeboot.def.dat
c:\uninstall.exe\safeboot00
c:\uninstall.exe\sed.3XE
c:\uninstall.exe\SendTo.folder.dat
c:\uninstall.exe\ServiceFiles.dat
c:\uninstall.exe\SetEnvmt.bat
c:\uninstall.exe\setpath.3XE
c:\uninstall.exe\SetPath.bat
c:\uninstall.exe\setpath_N.cmd
c:\uninstall.exe\SF.exe
c:\uninstall.exe\sfx.cmd
c:\uninstall.exe\ShAccess.dat
c:\uninstall.exe\SnapShot.cmd
c:\uninstall.exe\sqlite3.3XE
c:\uninstall.exe\srizbi.md5
c:\uninstall.exe\Start_dat
c:\uninstall.exe\StartUp.folder.dat
c:\uninstall.exe\SuppScan_Completed
c:\uninstall.exe\SuspectB_netsvc.dat
c:\uninstall.exe\suspectSvc.dat
c:\uninstall.exe\svc_wht.dat
c:\uninstall.exe\SvcCovered
c:\uninstall.exe\SvcDiff
c:\uninstall.exe\SvcDrv.vbs
c:\uninstall.exe\SvcDump
c:\uninstall.exe\SvcDumpB
c:\uninstall.exe\SvcDumpFull
c:\uninstall.exe\SvcFull
c:\uninstall.exe\svchost.dat
c:\uninstall.exe\svclist.dat
c:\uninstall.exe\SvcTarget.dat
c:\uninstall.exe\SvcTempAa
c:\uninstall.exe\swreg.3XE
c:\uninstall.exe\swsc.3XE
c:\uninstall.exe\swxcacls.3XE
c:\uninstall.exe\sys_enum.dat
c:\uninstall.exe\SysPath.dat
c:\uninstall.exe\SYSTEM.dump
c:\uninstall.exe\system_ini.dat
c:\uninstall.exe\tail.3XE
c:\uninstall.exe\temp00-X64
c:\uninstall.exe\temp01-X64
c:\uninstall.exe\temp02-X64
c:\uninstall.exe\temp0900
c:\uninstall.exe\temp2000
c:\uninstall.exe\temp4000
c:\uninstall.exe\temp5000
c:\uninstall.exe\time_.dat
c:\uninstall.exe\ToolB-00-X64
c:\uninstall.exe\toolbar.sed
c:\uninstall.exe\unhand.dat
c:\uninstall.exe\Unhandled.dat
c:\uninstall.exe\Update-CF.cmd
c:\uninstall.exe\UploadThese
c:\uninstall.exe\uWebBrowser01-X64
c:\uninstall.exe\uWebBrowser02-X64
c:\uninstall.exe\V-FilesB.dat
c:\uninstall.exe\v-tmp.dat
c:\uninstall.exe\v_str.dat
c:\uninstall.exe\v_wht.dat
c:\uninstall.exe\v_wht.dat.tmp
c:\uninstall.exe\VBR.pif
c:\uninstall.exe\VerCF.bat
c:\uninstall.exe\Vfwall
c:\uninstall.exe\VikPev00
c:\uninstall.exe\Vikpev01
c:\uninstall.exe\VInfo2
c:\uninstall.exe\VINFO3
c:\uninstall.exe\Vipev.dat
c:\uninstall.exe\Vista.krl
c:\uninstall.exe\vistaMcode.dat
c:\uninstall.exe\vRun_DLL
c:\uninstall.exe\vRun_DLL.tmp
c:\uninstall.exe\vun.dat
c:\uninstall.exe\vundonames.dat.tmp
c:\uninstall.exe\VwinTemp.dacl
c:\uninstall.exe\w_sock.dll
c:\uninstall.exe\W6432.dat
c:\uninstall.exe\W7.mac
c:\uninstall.exe\w7Mcode.dat
c:\uninstall.exe\whiteAll.dat
c:\uninstall.exe\Wmi_rem.vbs
c:\uninstall.exe\WrgNameDLL
c:\uninstall.exe\xpmcode.dat
c:\uninstall.exe\XPSBoot.reg
c:\uninstall.exe\zDomain.dat
c:\uninstall.exe\zip.3XE
c:\users\administrator\Desktop\Internet Explorer.lnk
.
.
((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-29 )))))))))))))))))))))))))))))))
.
.
2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\user\AppData\Local\temp
2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-28 16:26 . 2012-06-23 13:02 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680]
"Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160]
"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000]
.
c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Network Drives.bat [2012-9-26 72]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694]
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disablecad"= 1 (0x1)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0]
"Script"=FLlogon.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0]
"Script"=azlogon.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200]
R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168]
R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448]
S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]
S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848]
S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776]
S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280]
S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264]
S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]
S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840]
S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800]
S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840]
S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824]
S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248]
S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08]
.
2012-11-29 c:\windows\Tasks\DCAgentUpdater.job
- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23]
.
2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]
.
2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]
.
2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936]
"TpShocks"="TpShocks.exe" [2012-02-17 382528]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: fmwrdc.com
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7
DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]
"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]
"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-28 19:54:21
ComboFix-quarantined-files.txt 2012-11-29 02:54
ComboFix2.txt 2012-11-28 20:27
.
Pre-Run: 416,042,708,992 bytes free
Post-Run: 415,998,484,480 bytes free
.
- - End Of File - - D7FE57EC0D6ED5C91609C82478A4A469
-
I took the only version that was on my desktop, dumped it onto the Recycle Bin, and emptied the Recycle Bin. Hopefully that's what you meant. I'll DL new ComboFix and run it later tonight. Thanks for all your help.
-
It did what it was doing earlier: acts like it's starting up and then doesn't do anything. It's still installed. It didn't scan this time. Whenever ComboFix starts scanning (or pretty much doing anything) Sophos goes nuts telling me that it found NircmdB and moved it to quarantine. Is that my problem?
-
It didn't work...still installed. It's still called Uninstall.exe on my desktop. Was I supposed to rename it back to ComboFix.exe?
-
I might have screwed this up. My desktop icon was called ComboFix, and I renamed it Uninstall.exe. When I double clicked it, it simply ran ComboFix. It's still installed on my computer. For kicks I have posted the log below.
ComboFix 12-11-28.02 - brada 11/28/2012 13:02:35.3.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1957 [GMT -7:00]
Running from: c:\users\brada\Desktop\Uninstall.exe.exe
AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))
.
.
2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\user\AppData\Local\temp
2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\administrator\AppData\Local\temp
2012-11-28 19:48 . 2012-11-28 20:01 -------- d-----w- C:\ComboFix
2012-11-28 16:27 . 2012-11-28 16:27 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-11-28 16:27 . 2012-11-28 16:26 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-11-28 16:25 . 2012-11-28 16:25 -------- d-----w- c:\programdata\McAfee
2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime
2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-28 16:26 . 2012-06-23 13:02 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe
2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680]
"Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160]
"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Network Drives.bat [2012-9-26 72]
.
c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694]
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"disablecad"= 1 (0x1)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0]
"Script"=FLlogon.cmd
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0]
"Script"=azlogon.cmd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200]
R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528]
R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448]
S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]
S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848]
S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776]
S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280]
S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264]
S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]
S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840]
S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800]
S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840]
S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008]
S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824]
S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248]
S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08]
.
2012-11-28 c:\windows\Tasks\DCAgentUpdater.job
- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23]
.
2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]
.
2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]
.
2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936]
"TpShocks"="TpShocks.exe" [2012-02-17 382528]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: fmwrdc.com
TCP: DhcpNameServer = 10.72.201.210 192.168.100.7
TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7
DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]
"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]
"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-28 13:27:38
ComboFix-quarantined-files.txt 2012-11-28 20:27
ComboFix2.txt 2012-11-28 13:45
ComboFix3.txt 2012-11-27 15:27
.
Pre-Run: 418,556,784,640 bytes free
Post-Run: 418,268,872,704 bytes free
.
- - End Of File - - BC859CFEC7A6CB138B1AC5C6B6F2DCB0
-
Jeff, I can't seem to get ComboFix to uninstall. When I paste into the Run box what you gave me a couple posts ago my computer starts doing some stuff (it looks a lot like when I ran ComboFix and it was starting up) but then nothing happens and the icon stayed on my desktop. After a while I tried it again and it goes through the same process, which makes me think that it didn't uninstall the first time. Any ideas? Thanks
-
OK, I did what you said in your most recent post and will now proceed with uninstalling ComboFix and whatever else we installed. What about the other two items that showed up in the ESET scan? Will they just sit in C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming forever? Are they harmless in there? Thanks a bunch
-
Jeff, I owed you an ESET log...here it is. After pasting this I am waiting to follow your instructions from the previous post until I hear back from you. Thanks
C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\vinsv.dll.vir a variant of Win32/Medfos.FJ trojan
C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\Ifser\yluxo.exe.vir a variant of Win32/Kryptik.APFX trojan
C:\Users\brada\AppData\Local\4A616B0B-3124-11E2-8271-B8AC6F996F26.crx JS/Redirector.NCG trojan
-
Malwarebytes scan log below...ESET log to follow...
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.11.23.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
BradA :: MP-0B03N [administrator]
11/28/2012 9:40:45 AM
mbam-log-2012-11-28 (09-40-45).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251260
Time elapsed: 3 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Everything seems to be running well. No issues. Something that happened yesterday caused the redirect to stop, and in at least a couple dozen searches since then I haven't been redirected at all, whereas I had been getting redirected on probably at least 70% of searches. I don't see any other issues, but, then again, I observed no other symptoms before you helped me. Two things: 1) When running ComboFix this AM Sophos was clearly still engaged and I think had moved NircmdB.exe to quarantine, and as a result I twice (during the ComboFix scan) got a Windows message that Windows was unable to find NircmdB.exe. Don't know if that caused issues but thought I'd mention it. 2) Whatever I was infected with, any idea what it was up to? Simply redirecting my Google searches? Or more than that? If just redirecting, why? For what purpose? I mean, why take the time to write this sneaky code that Malwarebytes and other programs can't detect if it's just going to redirect me? Thanks