BAhart

Honorary Members

View Profile See their activity

Posts
24
Joined
November 23, 2012
Last visited
December 8, 2012

Content Type

All Activity

Events

Profiles

Forums

Topics
Posts

Everything posted by BAhart

Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, thanks. I'll get to your most recent instructions over the weekend.
- December 8, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, yes still here. I went into safe mode and it uninstalled. So I was happy. But I later scanned my computer with Sophos and it was still finding NircmdB.exe. I poked around and have observed the following: C\Qoobox is still there. Isn't this where ComboFix was storing the quarantined items? It looks like the quarantined items are gone, but in C\Qoobox is a subfolder, and in that is 24 files, most of which have a .dat extension. Does that have anything to do with what we have done? C\Uninstall AND C\Uninstall2813U each have like 218 files in them and I'm pretty sure that they're associated with ComboFix. What do you think all this? Did something go wrong with the uninstall? Thanks
- December 5, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

OK, thanks, I'll give it a try either tonight or tomorrow AM.
- December 3, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, sorry for the slow response. I'm using Windows 7 and don't know how to get it to start in safe mode. Let me look into that. Bottom line though is that I don't think I'll be able to disable Sophos so unless you think it's a bad idea I'll try what you suggested, in safe mode, and see what happens. In the event that this all doesn't work...what's the harm in not uninstalling ComboFix? Do I have to take it off? Thanks
- December 3, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, when I tried to uninstall the following happened: It started up similar to how it does when I'm going to run a ComboFix scan It popped up a message indicating that there's a newer version available and asking me if I want to update, I said no Then nothing...again, at some point in there Sophos said that it had detected NircmdB and moved to quarantine
- November 29, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Here's the ComboFix log, after downloading it again: ComboFix 12-11-28.02 - brada 11/28/2012 19:46:28.4.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1607 [GMT -7:00] Running from: c:\users\brada\Desktop\ComboFix.exe AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A} SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\Uninstall.exe c:\uninstall.exe\.Default.dump c:\uninstall.exe\023.dat c:\uninstall.exe\023v.dat c:\uninstall.exe\023w7.dat c:\uninstall.exe\ActiveDrv.vbs c:\uninstall.exe\AllDrivesFolders c:\uninstall.exe\APISvc c:\uninstall.exe\AppData.folder.dat c:\uninstall.exe\appinit.bad c:\uninstall.exe\asp.str c:\uninstall.exe\Assoc.cmd c:\uninstall.exe\attr.dat.tmp c:\uninstall.exe\ATTRIB.3XE c:\uninstall.exe\av.cmd c:\uninstall.exe\av.vbs c:\uninstall.exe\BCD.dump c:\uninstall.exe\BFE.dat c:\uninstall.exe\BHO.dat c:\uninstall.exe\BHOFiles.dat c:\uninstall.exe\BHOQuery.dat c:\uninstall.exe\BitsStr c:\uninstall.exe\Boot-Rk.cmd c:\uninstall.exe\Boot.bat c:\uninstall.exe\BootDrv.vbs c:\uninstall.exe\borlander_file.dat.tmp c:\uninstall.exe\borlander_folder.dat.tmp c:\uninstall.exe\brada.user.cf c:\uninstall.exe\c.mrk c:\uninstall.exe\Cache.folder.dat c:\uninstall.exe\Catch-sub.cmd c:\uninstall.exe\catch_k.dat c:\uninstall.exe\catchme.3XE c:\uninstall.exe\Catchme.tmp c:\uninstall.exe\CCS.bat c:\uninstall.exe\CF19451.3XE c:\uninstall.exe\cfdummy c:\uninstall.exe\Cfiles.dat.tmp c:\uninstall.exe\Cfolders.dat.tmp c:\uninstall.exe\cfrun c:\uninstall.exe\CHCP.bat c:\uninstall.exe\ClistB.dat c:\uninstall.exe\clsid.dat c:\uninstall.exe\ClsidDumped c:\uninstall.exe\ClsidFiles c:\uninstall.exe\ComboFix-Download.3XE c:\uninstall.exe\ComboFix.tmp c:\uninstall.exe\ComboFix.txt c:\uninstall.exe\ConEnv.sed c:\uninstall.exe\Creg.dat c:\uninstall.exe\CregB.dat c:\uninstall.exe\CregC.cmd c:\uninstall.exe\CregC.dat c:\uninstall.exe\CregCx64.dat c:\uninstall.exe\CSCRIPT.3XE c:\uninstall.exe\dd.3XE c:\uninstall.exe\ddsDo.sed c:\uninstall.exe\del00 c:\uninstall.exe\DelClsid.bat c:\uninstall.exe\DelClsid64.bat c:\uninstall.exe\DisclaimED.dat c:\uninstall.exe\dll_whitelist.dat c:\uninstall.exe\dll_whitelist.dat.tmp c:\uninstall.exe\dnd.dat c:\uninstall.exe\DPF.str c:\uninstall.exe\Drive.folder.dat c:\uninstall.exe\DriveFile.dat c:\uninstall.exe\DrivesB.dat c:\uninstall.exe\DrvRun.vbs c:\uninstall.exe\dumphive.3XE c:\uninstall.exe\embedded.sed c:\uninstall.exe\en-US\ATTRIB.3XE.mui c:\uninstall.exe\en-US\CF19451.3XE.mui c:\uninstall.exe\en-US\cmd.3XE.mui c:\uninstall.exe\en-US\CSCRIPT.3XE.mui c:\uninstall.exe\en-US\iexplore.exe c:\uninstall.exe\en-US\PING.3XE.mui c:\uninstall.exe\en-US\REGT.3XE.mui c:\uninstall.exe\en-US\ROUTE.3XE.mui c:\uninstall.exe\Env.sed c:\uninstall.exe\ERDNT.e_e c:\uninstall.exe\ERDNTDOS.LOC c:\uninstall.exe\ERDNTWIN.LOC c:\uninstall.exe\ErrTrap1 c:\uninstall.exe\ERUNT.3XE c:\uninstall.exe\erunt.dat c:\uninstall.exe\ERUNT.LOC c:\uninstall.exe\Exe.reg c:\uninstall.exe\extract.3XE c:\uninstall.exe\f_system c:\uninstall.exe\F3m.mrk c:\uninstall.exe\FavFolderD.dat c:\uninstall.exe\ffdefstr.dll c:\uninstall.exe\ffext.pif c:\uninstall.exe\FileKill.3XE c:\uninstall.exe\files.pif c:\uninstall.exe\Fin.dat c:\uninstall.exe\FIND3M.bat c:\uninstall.exe\FIXLSP.bat c:\uninstall.exe\FIXLSP64.cmd c:\uninstall.exe\FKMGen.cmd c:\uninstall.exe\ForeignWht c:\uninstall.exe\Gateway c:\uninstall.exe\GOLDUN.DAT.tmp c:\uninstall.exe\grep.3XE c:\uninstall.exe\gsar.3XE c:\uninstall.exe\handle.3XE c:\uninstall.exe\hidec.3XE c:\uninstall.exe\history.bat c:\uninstall.exe\History.folder.dat c:\uninstall.exe\iexplore.exe c:\uninstall.exe\image001.gif c:\uninstall.exe\Imefile.dat c:\uninstall.exe\katch.cmd c:\uninstall.exe\kmd.dat c:\uninstall.exe\KNetSvcs.vbs c:\uninstall.exe\L_Beep00 c:\uninstall.exe\Lang.bat c:\uninstall.exe\LegacyFull c:\uninstall.exe\LegacyNoSvc c:\uninstall.exe\lnkread.vbs c:\uninstall.exe\LocalAppData.folder.dat c:\uninstall.exe\LocalService.dat c:\uninstall.exe\LocalServiceNetworkRestricted.dat c:\uninstall.exe\LocalSettings.folder.dat c:\uninstall.exe\LocalSystemNetworkRestricted.dat c:\uninstall.exe\Look.dat c:\uninstall.exe\mbr.3XE c:\uninstall.exe\mbr.chk c:\uninstall.exe\md5sum.pif c:\uninstall.exe\MDWht.dat c:\uninstall.exe\MissingFiles.dat c:\uninstall.exe\Modules c:\uninstall.exe\MoveIt.bat c:\uninstall.exe\MpsSvc.dat c:\uninstall.exe\mtee.3XE c:\uninstall.exe\MUI c:\uninstall.exe\Music.folder.dat c:\uninstall.exe\MWindows.dat c:\uninstall.exe\mynul.dat c:\uninstall.exe\ncmd.com c:\uninstall.exe\ND_.bat c:\uninstall.exe\ND_64.bat c:\uninstall.exe\ndis_combofix.dat c:\uninstall.exe\NetHood.folder.dat c:\uninstall.exe\netsvc.bad.dat c:\uninstall.exe\netsvc.dat c:\uninstall.exe\netsvc_x86.dat c:\uninstall.exe\netsvc64.bad.dat c:\uninstall.exe\NetworkService.dat c:\uninstall.exe\NirCmd.3XE c:\uninstall.exe\NirCmdC.3XE c:\uninstall.exe\NIRKMD.3XE c:\uninstall.exe\NlsLanguageDefault c:\uninstall.exe\NoX2del c:\uninstall.exe\NT-OS.cmd c:\uninstall.exe\NULL c:\uninstall.exe\OriO4Files.dat c:\uninstall.exe\OriO4FilesB.dat c:\uninstall.exe\Orphans.dat c:\uninstall.exe\OsId.txt c:\uninstall.exe\OSid.vbs c:\uninstall.exe\patched.af c:\uninstall.exe\PathSearch c:\uninstall.exe\pausep.3XE c:\uninstall.exe\pend.txt c:\uninstall.exe\pev.3XE c:\uninstall.exe\PEV.exe c:\uninstall.exe\pevb.3XE c:\uninstall.exe\Pictures.folder.dat c:\uninstall.exe\PING.3XE c:\uninstall.exe\Policies.dat c:\uninstall.exe\powp.dat c:\uninstall.exe\PreDIR c:\uninstall.exe\Prep.inf c:\uninstall.exe\PrintHood.folder.dat c:\uninstall.exe\Profiles.Folder.dat c:\uninstall.exe\Profiles.Folder.folder.dat c:\uninstall.exe\Purity.dat c:\uninstall.exe\PV.3XE c:\uninstall.exe\pv.com c:\uninstall.exe\rar_sfx.cmd c:\uninstall.exe\raw_enum.dat c:\uninstall.exe\rawreg.dat c:\uninstall.exe\RCLink.dat c:\uninstall.exe\RcRdyList c:\uninstall.exe\RcVer00 c:\uninstall.exe\Recent.folder.dat c:\uninstall.exe\REGDACL.sed c:\uninstall.exe\RegDo.sed c:\uninstall.exe\region.dat c:\uninstall.exe\RegLocks.txt c:\uninstall.exe\RegRun01 c:\uninstall.exe\RegScan64.cmd c:\uninstall.exe\REGT.3XE c:\uninstall.exe\RenVDel.dat c:\uninstall.exe\RenVSuspect c:\uninstall.exe\Resident.txt c:\uninstall.exe\restore_pt.dat c:\uninstall.exe\Rkey.cmd c:\uninstall.exe\rmbr.3XE c:\uninstall.exe\rogues.dat c:\uninstall.exe\ROUTE.3XE c:\uninstall.exe\run.sed c:\uninstall.exe\run2.sed c:\uninstall.exe\Rust.str c:\uninstall.exe\s0rt.3XE c:\uninstall.exe\safeboot.dat c:\uninstall.exe\safeboot.def.dat c:\uninstall.exe\safeboot00 c:\uninstall.exe\sed.3XE c:\uninstall.exe\SendTo.folder.dat c:\uninstall.exe\ServiceFiles.dat c:\uninstall.exe\SetEnvmt.bat c:\uninstall.exe\setpath.3XE c:\uninstall.exe\SetPath.bat c:\uninstall.exe\setpath_N.cmd c:\uninstall.exe\SF.exe c:\uninstall.exe\sfx.cmd c:\uninstall.exe\ShAccess.dat c:\uninstall.exe\SnapShot.cmd c:\uninstall.exe\sqlite3.3XE c:\uninstall.exe\srizbi.md5 c:\uninstall.exe\Start_dat c:\uninstall.exe\StartUp.folder.dat c:\uninstall.exe\SuppScan_Completed c:\uninstall.exe\SuspectB_netsvc.dat c:\uninstall.exe\suspectSvc.dat c:\uninstall.exe\svc_wht.dat c:\uninstall.exe\SvcCovered c:\uninstall.exe\SvcDiff c:\uninstall.exe\SvcDrv.vbs c:\uninstall.exe\SvcDump c:\uninstall.exe\SvcDumpB c:\uninstall.exe\SvcDumpFull c:\uninstall.exe\SvcFull c:\uninstall.exe\svchost.dat c:\uninstall.exe\svclist.dat c:\uninstall.exe\SvcTarget.dat c:\uninstall.exe\SvcTempAa c:\uninstall.exe\swreg.3XE c:\uninstall.exe\swsc.3XE c:\uninstall.exe\swxcacls.3XE c:\uninstall.exe\sys_enum.dat c:\uninstall.exe\SysPath.dat c:\uninstall.exe\SYSTEM.dump c:\uninstall.exe\system_ini.dat c:\uninstall.exe\tail.3XE c:\uninstall.exe\temp00-X64 c:\uninstall.exe\temp01-X64 c:\uninstall.exe\temp02-X64 c:\uninstall.exe\temp0900 c:\uninstall.exe\temp2000 c:\uninstall.exe\temp4000 c:\uninstall.exe\temp5000 c:\uninstall.exe\time_.dat c:\uninstall.exe\ToolB-00-X64 c:\uninstall.exe\toolbar.sed c:\uninstall.exe\unhand.dat c:\uninstall.exe\Unhandled.dat c:\uninstall.exe\Update-CF.cmd c:\uninstall.exe\UploadThese c:\uninstall.exe\uWebBrowser01-X64 c:\uninstall.exe\uWebBrowser02-X64 c:\uninstall.exe\V-FilesB.dat c:\uninstall.exe\v-tmp.dat c:\uninstall.exe\v_str.dat c:\uninstall.exe\v_wht.dat c:\uninstall.exe\v_wht.dat.tmp c:\uninstall.exe\VBR.pif c:\uninstall.exe\VerCF.bat c:\uninstall.exe\Vfwall c:\uninstall.exe\VikPev00 c:\uninstall.exe\Vikpev01 c:\uninstall.exe\VInfo2 c:\uninstall.exe\VINFO3 c:\uninstall.exe\Vipev.dat c:\uninstall.exe\Vista.krl c:\uninstall.exe\vistaMcode.dat c:\uninstall.exe\vRun_DLL c:\uninstall.exe\vRun_DLL.tmp c:\uninstall.exe\vun.dat c:\uninstall.exe\vundonames.dat.tmp c:\uninstall.exe\VwinTemp.dacl c:\uninstall.exe\w_sock.dll c:\uninstall.exe\W6432.dat c:\uninstall.exe\W7.mac c:\uninstall.exe\w7Mcode.dat c:\uninstall.exe\whiteAll.dat c:\uninstall.exe\Wmi_rem.vbs c:\uninstall.exe\WrgNameDLL c:\uninstall.exe\xpmcode.dat c:\uninstall.exe\XPSBoot.reg c:\uninstall.exe\zDomain.dat c:\uninstall.exe\zip.3XE c:\users\administrator\Desktop\Internet Explorer.lnk . . ((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-29 ))))))))))))))))))))))))))))))) . . 2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\user\AppData\Local\temp 2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-11-29 02:52 . 2012-11-29 02:52 -------- d-----w- c:\users\administrator\AppData\Local\temp 2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-11-28 16:26 . 2012-06-23 13:02 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe 2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608] "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680] "Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152] "Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160] "Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] . c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000] . c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Network Drives.bat [2012-9-26 72] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694] Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "disablecad"= 1 (0x1) "LocalAccountTokenFilterPolicy"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0] "Script"=FLlogon.cmd . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0] "Script"=azlogon.cmd . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472] R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152] R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584] R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912] R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200] R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168] R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440] R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736] R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608] S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448] S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416] S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416] S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672] S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968] S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096] S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208] S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784] S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848] S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776] S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672] S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456] S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280] S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376] S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560] S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736] S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264] S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440] S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992] S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x] S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640] S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840] S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400] S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800] S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840] S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064] S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584] S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720] S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008] S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824] S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264] S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096] S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200] S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496] S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528] S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352] S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248] S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432] . . Contents of the 'Scheduled Tasks' folder . 2012-11-29 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08] . 2012-11-29 c:\windows\Tasks\DCAgentUpdater.job - c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23] . 2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . 2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp] @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}" [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending] @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}" [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot] @="{A759AFF6-5851-457D-A540-F4ECED148351}" [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared] @="{1574C9EF-7D58-488F-B358-8B78C1538F51}" [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936] "TpShocks"="TpShocks.exe" [2012-02-17 382528] "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: fmwrdc.com TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7 DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" -- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router] "ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-11-28 19:54:21 ComboFix-quarantined-files.txt 2012-11-29 02:54 ComboFix2.txt 2012-11-28 20:27 . Pre-Run: 416,042,708,992 bytes free Post-Run: 415,998,484,480 bytes free . - - End Of File - - D7FE57EC0D6ED5C91609C82478A4A469
- November 29, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

I took the only version that was on my desktop, dumped it onto the Recycle bin, and emptied the recycle bin. Hopefull that's what you meant. I'll DL new ComboFix and run it later tonight. Thanks for all your help.
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

It did what it was doing earlier: acts like it's starting up and then doesn't do anything. It's still installed. It didn't scan this time. Whenever ComboFix starts scanning (or pretty much doing anything) Sophos goes nuts telling me that it found NimcmdB and moved it to quarantine? Is that my problem?
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

It didn't work...still installed. It's still called Uninstall.exe on my desktop. Was I supposed to rename it back to ComboFix.exe?
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

I might have screwed this up. My desktop icon was called ComboFix, and I renamed it Uninstall.exe. When I double clicked it, it simply ran ComboFix. It's still installed on my computer. For kicks I have posted the log below. ComboFix 12-11-28.02 - brada 11/28/2012 13:02:35.3.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1957 [GMT -7:00] Running from: c:\users\brada\Desktop\Uninstall.exe.exe AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A} SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 ))))))))))))))))))))))))))))))) . . 2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\user\AppData\Local\temp 2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\administrator\AppData\Local\temp 2012-11-28 19:48 . 2012-11-28 20:01 -------- d-----w- C:\ComboFix 2012-11-28 16:27 . 2012-11-28 16:27 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-11-28 16:27 . 2012-11-28 16:26 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2012-11-28 16:25 . 2012-11-28 16:25 -------- d-----w- c:\programdata\McAfee 2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-11-28 16:26 . 2012-06-23 13:02 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe 2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608] "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680] "Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152] "Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160] "Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] . c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Network Drives.bat [2012-9-26 72] . c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694] Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "disablecad"= 1 (0x1) "LocalAccountTokenFilterPolicy"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0] "Script"=FLlogon.cmd . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0] "Script"=azlogon.cmd . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472] R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152] R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584] R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200] R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168] R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528] R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440] R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736] R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608] S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448] S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416] S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416] S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672] S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968] S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096] S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208] S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784] S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848] S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776] S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672] S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456] S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280] S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376] S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560] S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736] S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264] S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440] S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992] S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x] S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640] S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840] S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400] S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800] S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840] S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064] S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584] S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720] S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008] S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408] S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824] S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264] S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096] S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200] S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496] S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352] S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248] S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432] . . Contents of the 'Scheduled Tasks' folder . 2012-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08] . 2012-11-28 c:\windows\Tasks\DCAgentUpdater.job - c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23] . 2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . 2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp] @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}" [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending] @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}" [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot] @="{A759AFF6-5851-457D-A540-F4ECED148351}" [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared] @="{1574C9EF-7D58-488F-B358-8B78C1538F51}" [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936] "TpShocks"="TpShocks.exe" [2012-02-17 382528] "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: fmwrdc.com TCP: DhcpNameServer = 10.72.201.210 192.168.100.7 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7 DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" -- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router] "ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-11-28 13:27:38 ComboFix-quarantined-files.txt 2012-11-28 20:27 ComboFix2.txt 2012-11-28 13:45 ComboFix3.txt 2012-11-27 15:27 . Pre-Run: 418,556,784,640 bytes free Post-Run: 418,268,872,704 bytes free . - - End Of File - - BC859CFEC7A6CB138B1AC5C6B6F2DCB0
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, I can't seem to get ComboFix to uninstall. When I paste into the Run box what you gave me a couple posts ago my computer starts doing some stuff (it looks a lot like when I ran ComboFix and it was starting up) but then nothing happens and the icon stayed on my desktop. After a while I tried it again and it goes through the same process, which makes me think that it didn't uninstall the first time. Any ideas? Thanks
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

OK, I did what you said in your most recent post and will now proceed with uninstalling ComboFix and whatever else we installed. What about the other two items that showed up in the ESET scan? Will they just sit in C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming forever? Are they harmless in there? Thanks a bunch
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, I owed you an ESET log...here it is. After pasting this I am waiting to follow your insructions from the previous post until I hear back from you. Thanks C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\vinsv.dll.vir a variant of Win32/Medfos.FJ trojan C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\Ifser\yluxo.exe.vir a variant of Win32/Kryptik.APFX trojan C:\Users\brada\AppData\Local\4A616B0B-3124-11E2-8271-B8AC6F996F26.crx JS/Redirector.NCG trojan
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Malwarebytes scan log below...ESET log to follow... Malwarebytes Anti-Malware 1.65.1.1000 www.malwarebytes.org Database version: v2012.11.23.05 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 8.0.7601.17514 BradA :: MP-0B03N [administrator] 11/28/2012 9:40:45 AM mbam-log-2012-11-28 (09-40-45).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 251260 Time elapsed: 3 minute(s), 15 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Everything seems to be running good. No issues. Something that happened yesterday caused the redirect to stop and in at least a couple dozen searches since then I haven't been redirected at all, whereas I had been getting redirected on probably at least 70% of searches. I don't see any other issues, but, then again, I observed no other symptoms before you helped me. Two things: 1) When running ComboFix this AM Sophos was clearly still engaged and I think had moved nimcmdB.exe to quarantine, and as a result I twice (during the ComboFix scan) got a Windows message that Windows was unable to find nimcmdB.exe. Don't know if that caused issues but thought I'd mention it. 2) Whatever I was infected with, any idea was it up to? Simply redirecting my Google searches? Or more than that? If just redirecting, why? For what purpose? I mean why take the time to write this sneaky code that Malwarebytes and other programs can't detect if it's just going to redirect me? Thanks
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, here is the log. Am I correct that it did not delete everything that it was supposed to? Thanks ComboFix 12-11-28.02 - BradA 11/28/2012 6:29.2.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1549 [GMT -7:00] Running from: c:\users\brada\Desktop\ComboFix.exe Command switches used :: c:\users\brada\Desktop\CFScript.txt AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A} SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . FILE :: "c:\users\brada\AppData\Roaming\Ifser\yluxo.exe" . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\brada\AppData\Roaming\Udugul c:\users\brada\AppData\Roaming\Udugul\zoyr.gol c:\users\brada\AppData\Roaming\Upcoof c:\users\brada\AppData\Roaming\Ydatt . . ((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 ))))))))))))))))))))))))))))))) . . 2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\user\AppData\Local\temp 2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\administrator\AppData\Local\temp 2012-11-23 18:52 . 2012-11-27 18:42 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll 2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe 2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608] "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680] "Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152] "Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160] "Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888] . c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Network Drives.bat [2012-9-26 72] . c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694] Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "disablecad"= 1 (0x1) "LocalAccountTokenFilterPolicy"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0] "Script"=FLlogon.cmd . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0] "Script"=azlogon.cmd . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472] R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152] R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584] R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912] R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200] R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168] R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440] R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736] R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608] S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448] S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416] S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416] S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672] S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968] S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096] S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208] S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784] S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848] S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776] S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672] S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456] S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280] S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376] S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560] S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736] S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264] S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440] S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992] S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x] S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640] S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840] S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400] S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800] S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840] S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064] S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584] S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720] S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008] S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824] S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264] S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096] S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200] S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496] S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528] S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352] S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248] S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432] . . Contents of the 'Scheduled Tasks' folder . 2012-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08] . 2012-11-28 c:\windows\Tasks\DCAgentUpdater.job - c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23] . 2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . 2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp] @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}" [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending] @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}" [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot] @="{A759AFF6-5851-457D-A540-F4ECED148351}" [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared] @="{1574C9EF-7D58-488F-B358-8B78C1538F51}" [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936] "TpShocks"="TpShocks.exe" [2012-02-17 382528] "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: fmwrdc.com TCP: DhcpNameServer = 192.168.2.1 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7 DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKLM-Run-<NO NAME> - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" -- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router] "ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1660914278-1877020206-1681959549-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,66,13,94,63,14,d7,4a,9e,56,06,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,66,13,94,63,14,d7,4a,9e,56,06,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-11-28 06:45:34 ComboFix-quarantined-files.txt 2012-11-28 13:45 ComboFix2.txt 2012-11-27 15:27 . Pre-Run: 420,225,269,760 bytes free Post-Run: 420,029,804,544 bytes free . - - End Of File - - 0EB918D60F9F877F09C6DCAF3D94EEA5
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, a couple things: 1) Can you explain in a sentence or two what your most recent instructions will do when I execute them? 2) I am to copy the text you provided, paste it into Notepad, and save that file as CFScript.txt? 3) I don't think I can disable Sophos (not an administrator). I don't understand how Sophos works but I'm almost positive that if I'm not connected to my work network that it provides less protection that when I am connected to the network. I know/think this bc I'll see stuff get blocked when on the network that slides by when I'm at home. My plan is to follow your instructions from home and cross my fingers that it works. I don't know what else is on the computer in terms of anti-virus, script blocking or anti-malware realtime protection. a) what about not being able to disable Sophos? How risky is it that I carry out your instructions without getting it disabled? b) can you tell me what else I should be looking for in terms of other things to turn off? I don't have Norton or any other protection software that I've ever heard of, so I assume that all I would have is what comes on the computer (Windows Defender, etc.). Please provide me with a little guidance in terms of what else i should be looking for. Thanks!
- November 28, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, the redirect was not happening every time that I clicked on a search result, but at least half the time. Since running ComboFix I have run at least a dozen searches and have not been redirected, so things look good. I will run more searches over the course of the day and keep my fingers crossed.
- November 27, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Jeff, below is the ComboFix log. I saw that the report indicates that Windows Defender was still on...my bad, I didn't think to turn it off. The report also indicates that Sophos is still on. I know that when I'm not connected to my network at work Sophos doesn't really do its thing so I was hoping that Sophos would not interfere. So, I apologize if I messed this up by still having those things on. Thanks ComboFix 12-11-27.01 - brada 11/27/2012 8:15.1.4 - x64 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1796 [GMT -7:00] Running from: c:\users\brada\Desktop\ComboFix.exe AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A} SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk c:\programdata\Roaming c:\users\brada\AppData\Roaming\Ifser c:\users\brada\AppData\Roaming\Ifser\yluxo.exe c:\users\brada\AppData\Roaming\Keehy c:\users\brada\AppData\Roaming\Keehy\ebge.unb c:\users\brada\AppData\Roaming\sisup.dll c:\users\brada\AppData\Roaming\Upti c:\users\brada\AppData\Roaming\Upti\ecge.lyo c:\users\brada\AppData\Roaming\vinsv.dll Q:\Autorun.inf . . ((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 ))))))))))))))))))))))))))))))) . . 2012-11-23 18:52 . 2012-11-26 16:03 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll 2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos 2012-11-23 15:07 . 2012-11-23 16:20 -------- d-----w- c:\users\brada\AppData\Roaming\Ydatt 2012-11-20 23:47 . 2012-11-26 21:01 -------- d-----w- c:\users\brada\AppData\Roaming\Upcoof 2012-11-20 23:47 . 2012-11-20 23:47 -------- d-----w- c:\users\brada\AppData\Roaming\Udugul 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware 2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime 2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe 2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608] "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680] "Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152] "Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160] "Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888] . c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Network Drives.bat [2012-9-26 72] . c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694] Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) "disablecad"= 1 (0x1) "LocalAccountTokenFilterPolicy"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0] "Script"=FLlogon.cmd . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0] "Script"=azlogon.cmd . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService] @="service" . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus] "DisableMonitoring"=dword:00000001 . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472] R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152] R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584] R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168] R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200] R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168] R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528] R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440] R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736] R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608] S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448] S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416] S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416] S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368] S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672] S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968] S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096] S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208] S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784] S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848] S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776] S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672] S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456] S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280] S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376] S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560] S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736] S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264] S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440] S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992] S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x] S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640] S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840] S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400] S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960] S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800] S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840] S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064] S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584] S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720] S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008] S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408] S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824] S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928] S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264] S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096] S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200] S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496] S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352] S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248] S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . Contents of the 'Scheduled Tasks' folder . 2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08] . 2012-11-27 c:\windows\Tasks\DCAgentUpdater.job - c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23] . 2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02] . 2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . 2012-11-26 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job - c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp] @="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}" [HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending] @="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}" [HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot] @="{A759AFF6-5851-457D-A540-F4ECED148351}" [HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared] @="{1574C9EF-7D58-488F-B358-8B78C1538F51}" [HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}] 2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936] "TpShocks"="TpShocks.exe" [2012-02-17 382528] "LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 Trusted Zone: fmwrdc.com TCP: DhcpNameServer = 10.72.201.210 192.168.100.7 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7 DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) Wow6432Node-HKCU-Run-sisup - c:\users\brada\AppData\Roaming\sisup.dll Wow6432Node-HKCU-Run-vinsv - c:\users\brada\AppData\Roaming\vinsv.dll Wow6432Node-HKCU-Run-Yhetho - c:\users\brada\AppData\Roaming\Ifser\yluxo.exe Wow6432Node-HKLM-Run-<NO NAME> - (no file) HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start Toolbar-Locked - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" -- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router] "ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot] "ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe c:\windows\SysWOW64\SAsrv.exe c:\program files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe c:\program files (x86)\DesktopCentral_Agent\bin\dcondemand.exe c:\program files (x86)\DesktopCentral_Agent\bin\dcswmeter.exe c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE c:\program files\AuthenTec TrueSuite\x86\BioMonitor.exe c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe c:\program files (x86)\Lenovo\System Update\SUService.exe . ************************************************************************** . Completion time: 2012-11-27 08:27:32 - machine was rebooted ComboFix-quarantined-files.txt 2012-11-27 15:27 . Pre-Run: 419,743,322,112 bytes free Post-Run: 420,489,736,192 bytes free . - - End Of File - - 1708E384A7F312206AA6C8488D282656
- November 27, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Gringo, thanks for the reply. I'm not sure exactly what happened but before I saw your reply I thought they had closed thread in which I initially asked you for help. Thinking that thread was closed I began a new thread and have been helped by Jeff. But thanks much for your willingness to help.
- November 27, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Below are the results from the aswMBR scan. I was however unable to download the adwCleaner. It tries for a minute or so to save and then I get a message box titled "File Acess Denied", with a message of "you'll need administrator permission to copy this file". I click continue and after another minute it gives me a similar message. aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software Run date: 2012-11-26 13:16:44 ----------------------------- 13:16:44.439 OS Version: Windows x64 6.1.7601 Service Pack 1 13:16:44.439 Number of processors: 4 586 0x2A07 13:16:44.439 ComputerName: MP-0B03N UserName: brada 13:16:45.406 Initialize success 13:29:09.299 AVAST engine defs: 12112600 13:30:07.295 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 13:30:07.295 Disk 0 Vendor: TOSHIBA_ MC10 Size: 476940MB BusType: 3 13:30:07.311 Disk 0 MBR read successfully 13:30:07.311 Disk 0 MBR scan 13:30:07.311 Disk 0 unknown MBR code 13:30:07.342 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 2048 13:30:07.342 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 461438 MB offset 3074048 13:30:07.373 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14000 MB offset 948099072 13:30:07.435 Disk 0 scanning C:\Windows\system32\drivers 13:30:18.074 Service scanning 13:30:50.569 Modules scanning 13:30:50.569 Disk 0 trace - called modules: 13:30:50.585 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll 13:30:50.585 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80036ac790] 13:30:50.585 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa80045a1950] 13:30:50.585 5 ACPI.sys[fffff88000f967a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005936050] 13:30:51.630 AVAST engine scan C:\Windows 13:30:53.970 AVAST engine scan C:\Windows\system32 13:35:20.008 AVAST engine scan C:\Windows\system32\drivers 13:35:34.282 AVAST engine scan C:\Users\brada 13:39:09.841 File: C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe **INFECTED** Win32:Malware-gen 13:43:42.420 AVAST engine scan C:\ProgramData 13:45:34.164 Scan finished successfully 13:46:00.715 Disk 0 MBR has been saved successfully to "C:\Users\brada\Desktop\MBR.dat" 13:46:00.715 The log file has been saved successfully to "C:\Users\brada\Desktop\aswMBR.txt"
- November 26, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Thanks so much. Here are the two logs from DDS...will now work on the others. DDS: DDS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1 Run by brada at 13:08:18 on 2012-11-26 Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.2187 [GMT -7:00] . AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337} . ============== Running Processes =============== . C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe C:\Windows\system32\ibmpmsvc.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\WLANExt.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\System32\svchost.exe -k NetworkService C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe C:\Windows\system32\svchost.exe -k bthsvcs C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe C:\Windows\system32\CxAudMsg64.exe C:\Program Files\Intel\WiFi\bin\EvtEng.exe C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files\Intel\iCLS Client\HeciServer.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe C:\Windows\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe C:\Windows\SysWOW64\SAsrv.exe C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\DesktopCentral_Agent\bin\dcondemand.exe C:\Program Files (x86)\DesktopCentral_Agent\bin\dcswmeter.exe C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\taskhost.exe C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe C:\Windows\system32\rundll32.exe C:\PROGRA~1\Lenovo\HOTKEY\MKRMSG.EXE C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\igfxext.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe C:\Windows\System32\TpShocks.exe C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe C:\Users\brada\AppData\Local\Akamai\netsession_win.exe C:\Windows\System32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe C:\Users\brada\AppData\Local\Akamai\netsession_win.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe C:\Program Files (x86)\Lenovo\System Update\SUService.exe C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\Program Files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE C:\Windows\splwow64.exe C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE C:\Program Files\AuthenTec TrueSuite\TouchControl.exe C:\Windows\system32\svchost.exe -k WbioSvcGroup C:\Program Files\AuthenTec TrueSuite\x86\BioMonitor.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe C:\Windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.yahoo.com/ uWindow Title = Microsoft Internet Explorer provided by Stearns Bank NA uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP uProxyOverride = <local> mWinlogon: Userinit = userinit.exe, BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll BHO: TrueSuite Browser Helper Object: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll TB: TrueSuite Toolbar: {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll uRun: [Akamai NetSession Interface] "C:\Users\brada\AppData\Local\Akamai\netsession_win.exe" uRun: [sisup] rundll32.exe "C:\Users\brada\AppData\Roaming\sisup.dll",IDrawText uRun: [vinsv] "C:\Windows\System32\rundll32.exe" "C:\Users\brada\AppData\Roaming\vinsv.dll",Clear uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe uRun: [Yhetho] C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor mRun: [Fastboot] C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" mRun: [sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime StartupFolder: C:\Users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network Drives.bat StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~2.LNK - C:\Windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe uPolicies-Explorer: NoDriveTypeAutoRun = dword:145 mPolicies-Explorer: NoActiveDesktop = dword:1 mPolicies-Explorer: NoActiveDesktopChanges = dword:1 mPolicies-System: ConsentPromptBehaviorAdmin = dword:5 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableUIADesktopToggle = dword:0 mPolicies-System: disablecad = dword:1 mPolicies-System: LocalAccountTokenFilterPolicy = dword:1 IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000 IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204 Trusted Zone: fmwrdc.com DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://gis.pima.gov/pictometry/viewer/ver30b/PictImageCtrl30.cab DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB TCP: NameServer = 10.72.201.210 192.168.100.7 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2} : NameServer = 10.72.201.210,192.168.100.7 TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2} : DHCPNameServer = 10.72.201.210 192.168.100.7 TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1 TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\2656C6B696E6E2836356 : DHCPNameServer = 74.117.240.3 74.117.240.4 TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\A45627723702D202960586F6E656 : DHCPNameServer = 8.8.8.8 TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\E4544574541425 : DHCPNameServer = 192.168.1.1 AppInit_DLLs= C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL SSODL: WebCheck - <orphaned> x64-BHO: TrueSuite Browser Helper Object: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\IEBHO.dll x64-BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll x64-TB: TrueSuite Toolbar: {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files\AuthenTec TrueSuite\IEBHO.dll x64-Run: [bLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe x64-Run: [TpShocks] TpShocks.exe x64-Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe x64-Notify: igfxcui - igfxdev.dll x64-SSODL: WebCheck - <orphaned> . ============= SERVICES / DRIVERS =============== . R0 dlkmdldr;dlkmdldr;C:\Windows\System32\drivers\dlkmdldr.sys [2012-7-9 14448] R0 Fastboot;Fastboot;C:\Windows\System32\drivers\Fastboot.sys [2012-5-1 70416] R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-5-1 16152] R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\drivers\ApsHM64.sys [2011-12-28 25416] R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2012-1-30 33344] R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928] R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368] R1 SAVOnAccess;SAVOnAccess;C:\Windows\System32\drivers\savonaccess.sys [2012-6-25 144672] R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672] R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-1-9 659968] R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-2-21 1014096] R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-2-21 1104208] R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-1-17 135952] R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\System32\CxAudMsg64.exe [2012-5-1 198784] R2 DisplayLinkService;DisplayLinkManager;C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-9 8447848] R2 FastbootService;FastbootService;C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-5-1 169776] R2 FPLService;TrueSuiteService;C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-22 313672] R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456] R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-5-1 128280] R2 Intel® Small Business Advantage;Intel® Small Business Advantage;C:\Program Files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-5-1 49376] R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-5-1 161560] R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2012-6-23 58192] R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2012-2-15 101736] R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-6-23 61264] R2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [2012-6-23 175440] R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2012-2-15 133992] R2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-3-21 552072] R2 SAService;Conexant SmartAudio service;C:\Windows\System32\SAsrv.exe --> C:\Windows\System32\SAsrv.exe [?] R2 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-9-17 216640] R2 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-7-9 139840] R2 Sophos Agent;Sophos Agent;C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [2012-9-17 289856] R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [2012-8-13 232512] R2 Sophos Message Router;Sophos Message Router;C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [2012-9-17 818240] R2 Sophos Web Control Service;Sophos Web Control Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-6-25 357400] R2 swi_service;Sophos Web Intelligence Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-9-17 2863168] R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2012-2-15 145256] R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2012-2-15 144960] R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-1 363800] R2 VIPAppService;VIPAppService;C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-5 84080] R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2012-2-26 2669840] R3 5U877;5U877;C:\Windows\System32\drivers\5U877.sys [2012-5-1 216064] R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2012-1-9 195584] R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-11-30 94720] R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-11-30 747008] R3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\System32\drivers\DisplayLinkUsbPort_6.1.32700.0.sys [2012-5-1 17408] R3 dlkmd;dlkmd;C:\Windows\System32\drivers\dlkmd.sys [2012-7-9 307824] R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-2-14 60928] R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-5-1 331264] R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-5-1 355096] R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-5-1 786200] R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-12-20 25496] R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\drivers\RtsP2Stor.sys [2012-5-1 259688] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-1 565352] R3 TVTI2C;Lenovo SM bus driver;C:\Windows\System32\drivers\tvti2c.sys [2012-2-6 40248] R3 tvtvcamd;ThinkVantage Virtual Camera;C:\Windows\System32\drivers\tvtvcamd.sys [2012-5-1 27432] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 HyperW7Svc;HyperW7 Service;C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-2-2 145472] S2 swi_update_64;Sophos Web Intelligence Update;C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2012-6-25 2009152] S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2012-1-9 195584] S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-2-21 1304912] S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-20 71168] S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-12-20 34200] S3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;C:\Program Files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-3-21 605320] S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2012-2-26 273168] S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2012-5-1 1662528] S3 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2012-5-1 165440] S3 sdcfilter;sdcfilter;C:\Windows\System32\drivers\sdcfilter.sys [2012-6-25 36640] S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136] S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392] S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-23 1255736] S4 SophosBootDriver;SophosBootDriver;C:\Windows\System32\drivers\SophosBootDriver.sys [2012-6-25 25608] . =============== Created Last 30 ================ . 2012-11-23 18:52:49 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll 2012-11-23 15:44:32 -------- d-----w- C:\Users\brada\AppData\Local\Sophos 2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Ydatt 2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Upti 2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Keehy 2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Upcoof 2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Udugul 2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Ifser 2012-11-19 22:13:17 -------- d-----w- C:\Users\brada\AppData\Roaming\SUPERAntiSpyware.com 2012-11-19 22:13:13 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com 2012-11-19 22:13:13 -------- d-----w- C:\Program Files\SUPERAntiSpyware 2012-11-18 02:04:31 536064 ----a-w- C:\Users\brada\AppData\Roaming\vinsv.dll 2012-11-15 22:11:51 162816 ----a-w- C:\Users\brada\AppData\Roaming\sisup.dll 2012-11-14 12:22:57 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll 2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll . ==================== Find3M ==================== . 2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx 2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts 2012-10-09 07:08:16 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2012-10-09 07:08:16 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe 2012-09-30 02:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys . ============= FINISH: 13:08:57.13 =============== ATTACH: . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2012-11-20.01) . Microsoft Windows 7 Professional Boot Device: \Device\HarddiskVolume1 Install Date: 6/22/2012 4:26:45 AM System Uptime: 11/26/2012 8:11:32 AM (5 hours ago) . Motherboard: LENOVO | | 32597AU Processor: Intel® Core i5-2450M CPU @ 2.50GHz | CPU Socket - U3E1 | 2501/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 451 GiB total, 390.448 GiB free. D: is CDROM () E: is CDROM () F: is NetworkDisk (NTFS) - 300 GiB total, 26.746 GiB free. I: is NetworkDisk (NTFS) - 200 GiB total, 100.919 GiB free. Q: is FIXED (NTFS) - 14 GiB total, 1.418 GiB free. R: is NetworkDisk (NTFS) - 400 GiB total, 271.722 GiB free. U: is NetworkDisk (NTFS) - 300 GiB total, 26.746 GiB free. . ==== Disabled Device Manager Items ============= . Class GUID: {4d36e967-e325-11ce-bfc1-08002be10318} Description: Disk drive Device ID: USBSTOR\DISK&VEN_HP&PROD_USB_DOCK&REV_8.01\4KZ4U1W9&0 Manufacturer: (Standard disk drives) Name: HP USB DOCK USB Device PNP Device ID: USBSTOR\DISK&VEN_HP&PROD_USB_DOCK&REV_8.01\4KZ4U1W9&0 Service: disk . Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Description: Cisco Systems VPN Adapter for 64-bit Windows Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco Systems VPN Adapter for 64-bit Windows PNP Device ID: ROOT\NET\0000 Service: CVirtA . ==== System Restore Points =================== . RP70: 11/26/2012 9:07:21 AM - Scheduled Checkpoint . ==== Installed Programs ====================== . Update for Microsoft Office 2007 (KB2508958) 2007 Microsoft Office system Absolute Reminder Adobe Acrobat 8 Standard Adobe AIR Adobe Flash Player 11 ActiveX Adobe Reader 9.5.1 Akamai NetSession Interface Alchemy Apple Application Support Apple Software Update AuthenTec TrueSuite Burn.Now 4.5 Cisco Systems VPN Client 5.0.07.0290 Conexant HD Audio Corel Burn.Now Lenovo Edition Corel DVD MovieFactory 7 Corel DVD MovieFactory Lenovo Edition Corel WinDVD Create Recovery Media Direct DiscRecorder DisplayLink Core Software Evernote v. 4.2.3 Get IP Google Earth Google Update Helper GooReader Integrated Camera Driver Installer Package Ver.1.2.1.16 Intel PROSet Wireless Intel® Control Center Intel® Manageability Engine Firmware Recovery Agent Intel® Management Engine Components Intel® OpenCL CPU Runtime Intel® Processor Graphics Intel® PROSet/Wireless for Bluetooth® + High Speed Intel® PROSet/Wireless Software for Bluetooth® Technology Intel® Update Manager Intel® USB 3.0 eXtensible Host Controller Driver Intel® WiDi Intel® Wireless Display Intel® PROSet/Wireless WiFi Software Intel® Trusted Connect Service Client Java Auto Updater Java 7 Update 5 JavaFX 2.1.1 Lenovo Auto Scroll Utility Lenovo Graphics Software Lenovo Patch Utility Lenovo Patch Utility 64 bit Lenovo SimpleTap Lenovo Solution Center Lenovo Solutions for Small Business Lenovo Solutions for Small Business Customizations MagicDisc 2.7.106 Malwarebytes Anti-Malware version 1.65.1.1000 ManageEngine Desktop Central 8 - Agent Microsoft .NET Framework 4 Client Profile Microsoft Office 2007 Service Pack 3 (SP3) Microsoft Office Access MUI (English) 2007 Microsoft Office Access Setup Metadata MUI (English) 2007 Microsoft Office Communicator 2007 R2 Microsoft Office Excel MUI (English) 2007 Microsoft Office File Validation Add-In Microsoft Office Office 64-bit Components 2007 Microsoft Office Outlook MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Professional Hybrid 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) Microsoft Office Publisher MUI (English) 2007 Microsoft Office Shared 64-bit MUI (English) 2007 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Silverlight Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML4SP2 On Screen Display Power Manager PrimoPDF -- brought to you by Nitro PDF Software QuickTime RapidBoot RapidBoot HDD Accelerator Realtek Ethernet Controller Driver Realtek PCIE Card Reader ScreenPrint32 v3.5 Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition Sophos Anti-Virus Sophos AutoUpdate Sophos Remote Management System SugarSync Manager SUPERAntiSpyware System Update ThinkPad Power Management Driver ThinkPad UltraNav Driver ThinkVantage Active Protection System ThinkVantage Communications Utility Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) Update for Microsoft Office 2007 Help for Common Features (KB963673) Update for Microsoft Office Access 2007 Help (KB963663) Update for Microsoft Office Excel 2007 Help (KB963678) Update for Microsoft Office Outlook 2007 Help (KB963677) Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687267) 32-Bit Edition Update for Microsoft Office Powerpoint 2007 Help (KB963669) Update for Microsoft Office Publisher 2007 Help (KB963667) Update for Microsoft Office Script Editor Help (KB963671) Update for Microsoft Office Word 2007 Help (KB963665) VIP Access Windows Driver Package - Intel (iaStor) hdc (11/29/2011 11.0.0.1032) Windows Driver Package - Lenovo 1.65.04.00 (01/11/2012 1.65.04.00) Windows Driver Package - Synaptics (SynTP) Mouse (12/23/2011 15.3.39.1) Zan Image Printer . ==== Event Viewer Messages From Past Week ======== . 11/26/2012 8:15:55 AM, Error: volsnap [25] - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied. 11/26/2012 8:12:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aspi32 11/26/2012 8:12:32 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DNS Client service to connect. 11/26/2012 8:12:32 AM, Error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 11/26/2012 8:11:41 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\Aspi32.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver. 11/26/2012 8:10:40 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. 11/26/2012 8:10:38 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain SFSI due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. 11/26/2012 8:10:33 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ManageEngine Desktop Central - Agent service. 11/23/2012 9:23:35 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). 11/23/2012 7:58:50 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. . 11/23/2012 5:03:05 PM, Error: AX88772 [17] - . ==== End Of File ===========================
- November 26, 2012
- 49 replies
Redirect Issues

BAhart replied to BAhart's topic in Resolved Malware Removal Logs

Hello, I am getting redirected to 63.209.69.107 when I click on search results from Google searches. I researched this a bit and see that this is a nasty bit of malware, and I'm looking for help in getting rid of it. I have scanned with Malwarebytes and Super AntiSpyware. Neither finds anything. I haven't really seen any other effects from this infection but those redirects can't be good. When I try to scan with Sophos, Sophos scans for a minute or two and then tells me that I need to remove Troj/ZbotMem-B before it can continue scanning. I assume that these this is related to my current infection. There is a good thread located at [url="http://forums.malwarebytes.org/index.php?showtopic=118110&st=20"]http://forums.malwarebytes.org/index.php?showtopic=118110&st=20[/url] in which the OP was able to get his issue resolved. I am tempted to simply follow the steps that he was instructed to follow, but first wanted to see if anyone had any better ideas or help to offer. Thanks in advance for any replies, I do appreciate it.
- November 26, 2012
- 49 replies
Redirect Issues

BAhart posted a topic in Resolved Malware Removal Logs

Gringo, any chance you can help me? I have a problem very similar to if not exactly the same as the user you helped a couple days ago. When I click a google search result it frequently tries to re-direct me to something else. It's a bit weird in that if I click the same link a second time it will then let me go to the page I was trying to get to. I have scanned with Malwarebytes and Super AntiSpyware, neither finds anything. Actually, today Malwarebtes found something but not whatever is causing problems. This is my work computer and Sophos monitors the computer. It has seemingly identified some issues but I don't have rights to do anything in Sophos and the IT guys basically just have me scan with Malwarebytes. I was going to just follow the steps that you had set out for the original poster but ultimately decided to ask for help in order to increase my chances of success. Any help you can give me would be very much appreciated. Thanks
- November 23, 2012
- 49 replies

Events

Profiles

Forums

Everything posted by BAhart

Important Information