NotThatGood

Everything posted by NotThatGood

  1. Thanks for fixing me up --- all clear now!

  2. Done. It was the Ask Toolbar. Uninstalled easily. Thanks again. Seems to be running well. Since I posted last, no MWB notices of blocked outgoing IPs. Anything else?
  3. Thanks for the reply! Done all above as instructed. I am not an admin on my laptop, so I ran ComboFix even though the Symantec Endpoint Protection could not be disabled. I said OK anyway and the machine went through the steps just fine. On reboot the Symantec Endpoint came back up and running with no ill effects. Machine hasn't been running long enough to see whether I am still getting the attempts to reach out to the bad IP addresses. I will post an update later. Thanks again for your help! Here is the ComboFix log:

ComboFix 11-11-04.03 - schonber 11/04/2011 12:52:32.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2932.1857 [GMT -5:00]
Running from: c:\documents and settings\schonber\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\schonber\My Documents\~WRL4049.tmp
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\temp\pdk-schonber-3592\056721307e354d83addd03bdfc5c4d54.dll
c:\temp\pdk-schonber-3592\1a657931d78ddcfa584e65d2115500be.dll
c:\temp\pdk-schonber-3592\2e5a00f9dfa5669114c8b2487150f455.dll
c:\temp\pdk-schonber-3592\5e9e2e4123d3551eb996e59309fa72be.dll
c:\temp\pdk-schonber-3592\5fe6bfdd9ebfc4d9f299a7fecd62734f.dll
c:\temp\pdk-schonber-3592\7c25e6ddb9add833c6d2e714f0a99e0c.dll
c:\temp\pdk-schonber-3592\804319663a3a667d3033c7ecbea8ea01.dll
c:\temp\pdk-schonber-3592\8612c76b263c50ffe05699a364490c25.dll
c:\temp\pdk-schonber-3592\c90822ad6dd37b9e2abcbd53e66d86df.dll
c:\temp\pdk-schonber-3592\cee32c6d5ab6f3b6d650de77ac58a019.dll
c:\temp\pdk-schonber-3592\perl58.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\default_user_class.dat.LOG
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((( Files Created from 2011-10-04 to 2011-11-04 )))))))))))))))))))))))))))))))
.
.
2011-11-04 16:15 . 2011-11-04 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2011-10-25 19:18 . 2011-10-25 19:18 -------- d-----w- c:\documents and settings\schonber\Application Data\Malwarebytes
2011-10-25 19:18 . 2011-10-25 19:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-25 19:18 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-25 19:18 . 2011-10-25 19:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-20 19:48 . 2011-10-20 19:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xerox
2011-10-17 18:12 . 2011-10-17 18:12 -------- d-----w- c:\documents and settings\schonber\Application Data\LiveNote
2011-10-09 20:37 . 2011-10-09 20:37 -------- d-----w- c:\program files\Common Files\xing shared
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-30 05:00 . 2011-06-03 20:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 23:50 . 2011-09-15 18:35 98304 ----a-w- c:\windows\system32\SN0ELMON.dll
2011-09-13 23:50 . 2011-09-15 18:35 45056 ----a-w- c:\windows\system32\SN0EMTNT.dll
2011-09-13 23:45 . 2011-09-15 18:35 49152 ----a-w- c:\windows\system32\SF0ELMON.DLL
2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32 . 2008-04-14 12:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22 . 2008-04-14 12:00 389120 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 02:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-09 39408]
"\\maincomputer\EPSON Stylus Photo RX580 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE" [2006-05-23 139264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"NPDTRAY"="c:\progra~1\Lenovo\NPDIRECT\NPDTray.exe" [2010-04-21 218472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2009-12-01 55048]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2010-04-21 62312]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-01-19 1392640]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-01-19 1206544]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-03-12 115560]
"tktray"="c:\program files\tklaw\tktray.exe" [2011-08-03 2318405]
"Workshare3GW"="c:\program files\Workshare\Modules\WPConfigAssistant.exe" [2005-05-06 599056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-03-03 513384]
"ImanPurge"="c:\program files\iManage\portbl32.exe" [2004-12-09 1257472]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe" [2009-07-24 240112]
"CPMonitor"="c:\program files\Roxio 2010\5.0\CPMonitor.exe" [2009-07-21 84464]
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-23 494064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-03 1594664]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-17 615696]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2010-07-28 883272]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-10-26 487680]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-29 136472]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-29 170264]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-29 145688]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-10-09 273528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-05-10 83288]
.
c:\documents and settings\schonber\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-2-25 607584]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.189\SSScheduler.exe [2010-9-2 255536]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-12-01 18:41 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eps.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\schonber\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [6/17/2010 3:22 PM 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [5/17/2010 3:54 PM 21504]
R1 EPS;EPS;c:\windows\system32\drivers\eps.sys [7/2/2010 10:49 AM 127856]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [5/17/2010 2:48 PM 13480]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
R2 cron;cron;c:\progra~1\cron\cron.exe [5/18/2010 11:29 AM 168960]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [10/22/2010 3:48 PM 269544]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [6/17/2010 3:22 PM 132456]
R2 LEMSS Agent;LEMSS Agent;c:\program files\Lumension\LEMSSAgent\LMAgent.exe [4/28/2010 11:03 AM 261960]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CamMute.exe [9/28/2011 10:22 PM 41320]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/17/2010 2:48 PM 44984]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/25/2011 2:18 PM 366152]
R2 MSSQL$WESTLIVENOTE;SQL Server (WESTLIVENOTE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/25/2008 1:31 AM 29263712]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [10/26/2010 6:56 PM 1050880]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [6/17/2010 3:22 PM 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 1:47 PM 12560]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [5/17/2010 2:48 PM 63928]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [5/17/2010 3:58 PM 2320920]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [5/23/2011 12:54 PM 465872]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [5/17/2010 2:51 PM 127232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [5/17/2010 11:22 AM 167080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 9:53 AM 105592]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [5/17/2010 11:56 AM 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [5/17/2010 11:56 AM 260864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/25/2011 2:18 PM 22216]
R3 Patch Agent;Patch Agent;c:\program files\Lumension\Patch Agent\GravitixService.exe [11/1/2010 4:28 PM 95584]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/9/2010 6:21 PM 135664]
S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);"e:\hitmanpro35.exe" /crusader:boot --> e:\HitmanPro35.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [8/8/2011 8:34 PM 36624]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [8/8/2011 8:34 PM 46480]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [7/27/2010 7:19 PM 121416]
S3 bpenum;bpenum;c:\windows\system32\drivers\bpenum.sys [9/15/2009 9:46 PM 189568]
S3 bpmp;bpmp;c:\windows\system32\drivers\bpmp.sys [9/15/2009 9:47 PM 136192]
S3 bpusb;bpusb;c:\windows\system32\drivers\bpusb.sys [9/15/2009 9:46 PM 69504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [3/12/2010 2:36 PM 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/9/2010 6:21 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.189\McCHSvc.exe [9/2/2010 2:18 PM 227232]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 8:15 AM 1120752]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 1:45 PM 197504]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 2:57 PM 148992]
S4 SessionLauncher;SessionLauncher;c:\temp\DX9\SessionLauncher.exe --> c:\temp\DX9\SessionLauncher.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - BMLoad
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-09 23:21]
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-09 23:21]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-74332156-101786063-1848903544-1215Core.job
- c:\documents and settings\schonber\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-21 15:39]
.
2011-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-74332156-101786063-1848903544-1215UA.job
- c:\documents and settings\schonber\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-21 15:39]
.
2011-11-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-06-17 06:20]
.
2011-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 20:22]
.
2011-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-74332156-101786063-1848903544-1215.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 20:22]
.
2011-10-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 20:22]
.
2011-11-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-74332156-101786063-1848903544-1215.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-08-11 20:22]
.
2011-11-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-08-24 02:20]
.
2011-11-04 c:\windows\Tasks\User_Feed_Synchronization-{65926286-2460-4A8B-B41E-16C433914026}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 23:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://rembert.tklaw.com/index.html
uInternet Connection Wizard,ShellNext = hxxp://rembert.tklaw.com/index.html
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
TCP: DhcpNameServer = 10.20.3.10 10.1.3.70
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://dal-nas.tklaw.corp/auth/taweb.cab
DPF: {832BF1DE-74EE-4FA6-AC05-63EA5D374403} - hxxp://relativity.tklaw.corp/Relativity/ActiveX/webclientmanager.cab
DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://dal-nas.tklaw.corp/auth/CCALogin.CAB
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
HKLM_ActiveSetup-{7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKCU - reg.exe DELETE HKCU\Software\Microsoft\Office\11.0\Outlook
HKLM_ActiveSetup-{7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKLM - reg.exe ADD HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-04 12:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HitmanPro35CrusaderBoot]
"ImagePath"="\"e:\hitmanpro35.exe\" /crusader:boot"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(992)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\windows\system32\bmnet.dll
.
- - - - - - - > 'lsass.exe'(1048)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\windows\system32\bmnet.dll
.
- - - - - - - > 'explorer.exe'(4344)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CCM\CcmExec.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\lotus\Notes\ntmulti.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\msiexec.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Lumension\Patch Agent\pddm.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-04 13:02:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-04 18:01
.
Pre-Run: 71,556,767,744 bytes free
Post-Run: 72,576,225,280 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A0515F796C9E2D22D7BF6A5B232895BF
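The ComboFix log above and the DDS log and Malwarebytes notice in the post below are the raw material a forum helper reads by hand: the "Other Deletions" section shows ComboFix removing At1.job through At24.job, the "Reg Loading Points" section shows the Ask.com toolbar and updater at several autostart points, Windows Update is switched off by policy ("NoAutoUpdate"= 1), TCP 3389 is globally open in the XP firewall, and two services point at binaries that no longer exist (the "[?]" entries). The following is an added example, not code from this thread or from Malwarebytes or ComboFix: a small Python triage pass that applies those reviewer heuristics to log lines and reports which lines matched and why. The sample input is constructed from lines quoted in this thread; the rule names, the Finding type and the triage() and blocked_ips() functions are this example's own. Each rule is a prompt for a human, not a verdict: at.exe creates At<N>.job tasks for legitimate reasons too, the Ask toolbar is a potentially unwanted program rather than malware, and a service whose binary is missing is dead persistence rather than a live threat.

```python
"""Line-oriented triage for ComboFix / DDS / Malwarebytes log text.

Added example for this thread; not part of any Malwarebytes or ComboFix tool.
The rules below are reviewer heuristics that point a person at lines worth a
second look. They are not a malware verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log in this thread plus the
# Malwarebytes notice quoted in the first post, so the rules run offline.
# The MBAMService line is a deliberate negative: it should match nothing.
SAMPLE_LOG = r"""
IP-BLOCK 91.188.59.17 (Type: outgoing)
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At24.job
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-08-24 887976]
"NoAutoUpdate"= 1 (0x1)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);"e:\hitmanpro35.exe" /crusader:boot --> e:\HitmanPro35.exe [?]
S4 SessionLauncher;SessionLauncher;c:\temp\DX9\SessionLauncher.exe --> c:\temp\DX9\SessionLauncher.exe [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/25/2011 2:18 PM 366152]
2011-11-04 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job - c:\program files\Ask.com\UpdateTask.exe [2011-08-24 02:20]
"""


@dataclass(frozen=True)
class Rule:
    name: str          # short tag used in the summary (this example's own names)
    why: str           # what a reviewer should check when the rule fires
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Hypothetical rule set; extend it with whatever the log being reviewed shows.
RULES: list[Rule] = [
    Rule("at_job", "At<N>.job tasks come from at.exe; a run of them is a common persistence spot",
         re.compile(r"\\windows\\Tasks\\At\d+\.job$", re.I)),
    Rule("ask_toolbar", "Ask.com toolbar/updater autostart; a PUP, remove if the user did not want it",
         re.compile(r"\\Ask\.com\\", re.I)),
    Rule("wu_disabled", "Windows Update disabled by policy; confirm it is the org's choice",
         re.compile(r'^"NoAutoUpdate"=\s*1\b', re.I)),
    Rule("rdp_open", "TCP 3389 globally open in the firewall; confirm RDP exposure is intended",
         re.compile(r'^"3389:TCP"=', re.I)),
    Rule("missing_binary", "service ImagePath points at a file that no longer exists (dead persistence)",
         re.compile(r"-->\s.*\[\?\]$")),
    Rule("mbam_ipblock", "Malwarebytes blocked an outbound connection; find the process behind it",
         re.compile(r"^IP-BLOCK\s+\S+\s+\(Type:\s*outgoing\)", re.I)),
]

# Outbound IP-BLOCK lines in the form Malwarebytes prints them.
IPBLOCK = re.compile(r"^IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*outgoing\)", re.I)


def triage(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line; one Finding per (line, rule) hit."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.name, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, e.g. {'at_job': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


def blocked_ips(log_text: str) -> list[str]:
    """Outbound destinations Malwarebytes blocked, deduplicated in order of first sight."""
    seen: list[str] = []
    for raw in log_text.splitlines():
        m = IPBLOCK.match(raw.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    why = {r.name: r.why for r in RULES}
    for name, count in summarize(hits).items():
        print(f"{name:15} x{count}  {why[name]}")
    print("blocked outbound IPs:", blocked_ips(SAMPLE_LOG))
```

Run it as a script to print the per-rule counts for the constructed sample, or pass the full text of a ComboFix or DDS log to triage(). It works line by line, so a copy of a log that has been flattened into long paragraphs (as this page was when extracted) has to be split back into one entry per line first. The "why" strings are deliberately questions for the reviewer: the next step after a hit is to check the entry by hand, not to delete it.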
  4. IP-BLOCK 91.188.59.17 (Type: outgoing) This IP Block keeps showing up in my MalwareBytes window. After some googling I realize the IP address is not good. I am simply working on the computer at the office. Can you please help me clean it? I attach the two logs I am supposed to I think. Anything else you need from me? Oh - I ran TDSSKiller and it found no infections. Malware Bytes says I am clean too. Thanks Here is the Text file: . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 7.0.5730.13 Run by schonber at 15:53:38 on 2011-10-31 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2932.1546 [GMT -5:00] . AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . ============== Running Processes =============== . C:\WINDOWS\system32\ibmpmsvc.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\WiFi\bin\S24EvMon.exe c:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe svchost.exe svchost.exe C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CCM\CcmExec.exe C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe c:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe C:\PROGRA~1\cron\cron.exe C:\WINDOWS\system32\CSHelper.exe C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE C:\Program Files\Intel\WiFi\bin\EvtEng.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program 
Files\Lumension\LEMSSAgent\LMAgent.exe C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Lotus\Notes\ntmulti.exe c:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Lenovo\System Update\SUService.exe c:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\Program Files\UPHClean\uphclean.exe C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe C:\Program Files\Lenovo\Zoom\TpScrex.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\tklaw\tktray.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Roxio 2010\5.0\CPMonitor.exe C:\WINDOWS\system32\igfxext.exe C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe C:\Program Files\Cisco\Cisco NAC 
Agent\NACAgentUI.exe c:\WINDOWS\system32\VxBlockServer.exe C:\Program Files\Citrix\ICA Client\concentr.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe c:\Program Files\Citrix\ICA Client\wfcrun32.exe C:\Program Files\Ask.com\Updater\Updater.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBPA.EXE C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Lumension\Patch Agent\GravitixService.exe C:\Program Files\Lumension\Patch Agent\pddm.exe C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Common Files\Java\Java Update\jucheck.exe C:\program files\real\realplayer\update\realsched.exe C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe C:\WINDOWS\System32\mshta.exe C:\WINDOWS\System32\mshta.exe C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE C:\Program Files\Adobe\Acrobat\Acrobat.exe C:\WINDOWS\System32\mshta.exe C:\WINDOWS\System32\mshta.exe 
C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\schonber\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://rembert.tklaw.com/index.html
uInternet Connection Wizard,ShellNext = hxxp://rembert.tklaw.com/index.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: LookUp Precision: {3df1974f-9a93-4ef8-9e52-1f93b7fa6765} - c:\progra~1\aps\lookup\client\webtrack.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [EPSON Stylus Photo RX580 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\windows\temp\E_S92.tmp" /EF "HKCU"
uRun: [\\maincomputer\EPSON Stylus Photo RX580 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\temp\E_S95.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\documents and settings\schonber\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [NPDTRAY] c:\progra~1\lenovo\npdirect\NPDTray.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [RotateImage] c:\program files\integrated camera driver\RCIMGDIR.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [TPFNF7] c:\progra~1\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [iMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [tktray] "%programfiles%\tklaw\tktray.exe"
mRun: [Workshare3GW] c:\program files\workshare\modules\WPConfigAssistant.exe /userinit
mRun: [smartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [imanPurge] c:\program files\imanage\portbl32.exe -PS14
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\schonber\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-system: SetVisualStyle =
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
LSP: bmnet.dll
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://dal-nas.tklaw.corp/auth/taweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274136597937
DPF: {832BF1DE-74EE-4FA6-AC05-63EA5D374403} - hxxp://relativity.tklaw.corp/Relativity/ActiveX/webclientmanager.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C9D7D239-B502-48B3-BA25-9DF8C7264073} - hxxps://dal-nas.tklaw.corp/auth/CCALogin.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://veritasag.webex.com/client/T27LB/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.20.3.10 10.1.3.70
TCP: Interfaces\{EF15555D-E40F-4981-A085-6E96BE87FA88} : DhcpNameServer = 10.20.3.10 10.1.3.70
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
mASetup: {7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKCU - reg.exe DELETE "HKCU\Software\Microsoft\Office\11.0\Outlook" /v "Exchange Client Extension" /f
mASetup: {7C06A405-7A69-4600-8C4C-1873A5AF800F}-RefreshHKLM - reg.exe ADD "HKLM\SOFTWARE\Microsoft\Exchange\Client\Extensions" /v "Outlook Setup Extension" /d "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX" /f
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-6-17 24304]
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2010-5-17 21504]
R1 EPS;EPS;c:\windows\system32\drivers\eps.sys [2010-7-2 127856]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-5-17 13480]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-3-12 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-3-12 108392]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R2 cron;cron;c:\progra~1\cron\cron.exe [2010-5-18 168960]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-10-22 269544]
R2 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-6-17 132456]
R2 LEMSS Agent;LEMSS Agent;c:\program files\lumension\lemssagent\LMAgent.exe [2010-4-28 261960]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2011-9-28 41320]
R2 Lenovo.micmute;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-5-17 44984]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-25 366152]
R2 MSSQL$WESTLIVENOTE;SQL Server (WESTLIVENOTE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-25 29263712]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-10-26 1050880]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-6-17 53248]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-3-12 2477304]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-5-17 63928]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-5-17 2320920]
R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\cisco\cisco anyconnect secure mobility client\vpnagent.exe [2011-5-23 465872]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-5-17 127232]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-5-17 167080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-5-17 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-5-17 260864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-25 22216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111031.002\NAVENG.SYS [2011-10-31 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111031.002\NAVEX15.SYS [2011-10-31 1576312]
R3 Patch Agent;Patch Agent;c:\program files\lumension\patch agent\GravitixService.exe [2010-11-1 95584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-9 135664]
S2 HitmanPro35CrusaderBoot;Hitman Pro 3.5 Crusader (Boot);"e:\hitmanpro35.exe" /crusader:boot --> e:\HitmanPro35.exe [?]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 acsint;acsint;c:\windows\system32\drivers\acsint.sys [2011-8-8 36624]
S3 acsmux;acsmux;c:\windows\system32\drivers\acsmux.sys [2011-8-8 46480]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2010-7-27 121416]
S3 bpenum;bpenum;c:\windows\system32\drivers\bpenum.sys [2009-9-15 189568]
S3 bpmp;bpmp;c:\windows\system32\drivers\bpmp.sys [2009-9-15 136192]
S3 bpusb;bpusb;c:\windows\system32\drivers\bpusb.sys [2009-9-15 69504]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-3-12 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-9 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-10-31 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 197504]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148992]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 SessionLauncher;SessionLauncher;c:\temp\dx9\sessionlauncher.exe --> c:\temp\dx9\SessionLauncher.exe [?]
.
=============== Created Last 30 ================
.
2011-10-31 20:32:06 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-25 19:18:53 -------- d-----w- c:\documents and settings\schonber\application data\Malwarebytes
2011-10-25 19:18:35 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-25 19:18:29 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-25 19:18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-17 18:12:05 -------- d-----w- c:\documents and settings\schonber\application data\LiveNote
2011-10-09 20:37:59 -------- d-----w- c:\program files\common files\xing shared
.
==================== Find3M ====================
.
2011-10-30 05:00:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 23:50:22 98304 ----a-w- c:\windows\system32\SN0ELMON.dll
2011-09-13 23:50:22 45056 ----a-w- c:\windows\system32\SN0EMTNT.dll
2011-09-13 23:45:10 49152 ----a-w- c:\windows\system32\SF0ELMON.DLL
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-17 21:32:17 832512 ----a-w- c:\windows\system32\wininet.dll
2011-08-17 21:32:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-08-17 21:32:16 1830912 ------w- c:\windows\system32\inetcpl.cpl
2011-08-17 21:32:15 17408 ----a-w- c:\windows\system32\corpol.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-17 12:22:23 389120 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 15:53:55.22 ===============
attach.txt dds.txt