
Search links getting redirected


Zick


So I had some previous bugs that I was able to squash, and now neither Symantec nor Malwarebytes finds any problems, but I'm still having some of my search links redirected to different spam sites.

Here is the DDS result:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1

Run by zick at 8:07:54 on 2012-08-17

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4030.1149 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\nvwmi64.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Seagull\BarTender\8.00\CmdrSrv.exe

C:\Windows\SysWOW64\DWRCS.EXE

C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe

C:\Program Files\Hewlett-Packard\Web Jetadmin 10\HPWSProAdapter\FileSystems\Core\bin\XP-x86\release\HP.Dss.App.WinService.exe

C:\Windows\system32\inetsrv\inetinfo.exe

C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe

C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe

C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\SysWOW64\NLSSRV32.EXE

C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Seagull\License Server\8.0\SLSSrv.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

C:\Windows\System32\tcpsvcs.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe

C:\Windows\SysWOW64\vmnat.exe

C:\Windows\SysWOW64\CCM\CcmExec.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\nvwmi64.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\SearchIndexer.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe

C:\Windows\system32\taskhost.exe

C:\Windows\SysWOW64\DWRCST.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Citrix\ICA Client\concentr.exe

C:\Program Files (x86)\Citrix\ICA Client\PNAMAIN.EXE

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Citrix\ICA Client\WFCRUN32.EXE

C:\Novell\GroupWise\grpwise.exe

C:\Novell\GroupWise\Notify.exe

C:\Windows\SysWOW64\mmc.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\DameWare Development\DameWare NT Utilities\DNTU.exe

C:\Program Files (x86)\SolarWinds\DameWare NT Utilities 8.0\DWRCC.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Windows\system32\StikyNot.exe

K:\apps\CallTracking\CallTracking.exe

\\oak\data\apps\BOARD\InOutBoard64.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uWindow Title = Windows Internet Explorer provided by RC

uStart Page = hxxp://earth/joomla

uDefault_Page_URL = hxxp://earth/joomla

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [Wootalyzer] "C:\Program Files (x86)\Wootalyzer\woot.exe" /boot

uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart

uRun: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe

mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [DameWare MRC Agent] C:\Windows\SysWOW64\DWRCST.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ONLINE~1.LNK - C:\Windows\Installer\{B8A2256E-6225-4D9E-B1C9-C26CA1E22FEB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: HideStartupScripts = 1 (0x1)

IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

LSP: mswsock.dll

LSP: %SystemRoot%\system32\vsocklib.dll

DPF: iLO 2 Remote Console Applet - hxxps://ilo-hog/dvc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {08E0B9F3-4FB8-43A6-BAE6-0996E9F5453B} - file://oak/eWis/ocx.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/event/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=928

TCP: DhcpNameServer = 172.25.30.219 172.25.30.200

TCP: Interfaces\{8CC2564A-E21B-4EE9-9530-AB00D46B0E7F} : DhcpNameServer = 172.25.30.219 172.25.30.200

Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun-x64: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [DameWare MRC Agent] C:\Windows\SysWOW64\DWRCST.exe

IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120803.011\BHDrvx64.sys [2012-8-14 1161376]

R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys --> C:\Windows\system32\DRIVERS\ctxusbm.sys [?]

R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\Windows\system32\DRIVERS\dwvkbd64.sys --> C:\Windows\system32\DRIVERS\dwvkbd64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120815.002\IDSviA64.sys [2012-8-16 509088]

R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys --> C:\Windows\system32\DRIVERS\nm3.sys [?]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [?]

R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 Commander Service;Commander Service;C:\Program Files (x86)\Seagull\BarTender\8.00\CmdrSrv.exe [2007-3-20 2164344]

R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]

R2 HPWJAService;HPWJA Service;C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [2012-1-18 45056]

R2 HPWSProAdapter;HPWSProAdapter;C:\Program Files\Hewlett-Packard\Web Jetadmin 10\HPWSProAdapter\FileSystems\Core\bin\XP-x86\release\HP.Dss.App.WinService.exe [2012-1-9 9728]

R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-9-27 375208]

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-5-31 15928]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]

R2 MSSQL$HPWJA;SQL Server (HPWJA);C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\sqlservr.exe [2011-9-22 58345832]

R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-5-16 69640]

R2 NVWMI;NVIDIA WMI Provider;C:\Windows\system32\nvwmi64.exe --> C:\Windows\system32\nvwmi64.exe [?]

R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-9-16 80896]

R2 Seagull License Server;Seagull License Server;C:\Program Files (x86)\Seagull\License Server\8.0\SLSSrv.exe [2007-8-30 2585992]

R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-4-19 137208]

R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]

R2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-1-18 11839488]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-15 138912]

R3 radpms;Driver for RADPMS Device;C:\Windows\system32\DRIVERS\radpms.sys --> C:\Windows\system32\DRIVERS\radpms.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 116648]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-12 250056]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 116648]

S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]

S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-3-31 61976]

S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]

S4 SQLAgent$HPWJA;SQL Server Agent (HPWJA);C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]

.

=============== Created Last 30 ================

.

2012-08-15 20:30:41 0 ----a-w- C:\DA86.tmp

2012-08-15 20:29:56 0 ----a-w- C:\2A86.tmp

2012-08-15 18:14:54 0 ----a-w- C:\8B14.tmp

2012-08-15 17:04:01 0 ----a-w- C:\A577.tmp

2012-08-15 15:13:07 0 ----a-w- C:\1CAD.tmp

2012-08-15 15:12:23 0 ----a-w- C:\6E34.tmp

2012-08-15 15:09:38 0 ----a-w- C:\EBC9.tmp

2012-08-15 14:54:42 0 ----a-w- C:\3C7F.tmp

2012-08-15 14:47:07 0 ----a-w- C:\4A5B.tmp

2012-08-15 14:44:45 0 ----a-w- C:\1FD0.tmp

2012-08-15 14:40:32 0 ----a-w- C:\43C2.tmp

2012-08-15 14:39:59 0 ----a-w- C:\C37A.tmp

2012-08-15 14:39:59 0 ----a-w- C:\C31A.tmp

2012-08-15 14:39:43 0 ----a-w- C:\858F.tmp

2012-08-14 22:12:10 930160 ----a-w- C:\Windows\System32\ccmcore.dll

2012-08-14 22:12:10 26464 ----a-w- C:\Windows\System32\xprslib.dll

2012-08-14 22:11:26 -------- d-----w- C:\Windows\ms

2012-08-14 21:39:56 0 ----a-w- C:\DD48.tmp

2012-08-14 21:38:40 0 ----a-w- C:\B310.tmp

2012-08-14 17:18:46 0 ----a-w- C:\BEBF.tmp

2012-08-14 15:26:09 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2012-08-14 15:26:09 -------- d-----w- C:\Program Files\Symantec

2012-08-14 15:26:09 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2012-08-14 15:24:40 58288 ----a-w- C:\Windows\SysWow64\snacnp.dll

2012-08-14 15:24:40 58288 ----a-w- C:\Windows\System32\snacnp.dll

2012-08-14 15:24:40 42632 ----a-w- C:\Windows\System32\drivers\WGX64.SYS

2012-08-14 15:24:39 81840 ----a-w- C:\Windows\System32\FwsVpn.dll

2012-08-14 15:24:39 288176 ----a-w- C:\Windows\System32\SymVPN.dll

2012-08-14 15:24:13 -------- d-----w- C:\ProgramData\regid.1992_12.com.symantec

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP

2012-08-14 14:31:50 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-08-13 19:10:40 -------- d-----w- C:\Windows\dwrcs

2012-08-10 17:33:29 -------- d-----w- C:\Users\zick\AppData\Local\NPE

2012-08-10 17:33:29 -------- d-----w- C:\ProgramData\Norton

2012-08-10 17:20:10 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys

2012-08-09 13:49:41 450048 ----a-w- C:\Users\zick\AppData\Roaming\oracog.dll

2012-08-02 20:14:59 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll

2012-08-02 20:14:59 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll

2012-08-02 20:14:59 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-08-02 20:02:59 -------- d-----w- C:\Program Files (x86)\ESET

2012-08-01 19:43:42 -------- d-----w- C:\temp

2012-08-01 19:11:19 -------- d-----w- C:\Program Files (x86)\Windows Resource Kits

2012-07-25 19:32:47 -------- d-----w- C:\Program Files (x86)\Audacity

.

==================== Find3M ====================

.

2012-08-15 20:30:35 0 ----a-w- C:\C4A4.tmp

2012-08-15 20:29:51 0 ----a-w- C:\17B0.tmp

2012-08-15 18:14:54 0 ----a-w- C:\8A95.tmp

2012-08-15 17:03:41 0 ----a-w- C:\5727.tmp

2012-08-15 15:13:03 0 ----a-w- C:\A82.tmp

2012-08-15 15:11:31 0 ----a-w- C:\A411.tmp

2012-08-15 15:09:34 0 ----a-w- C:\D99E.tmp

2012-08-15 14:54:38 0 ----a-w- C:\2C28.tmp

2012-08-15 14:47:03 0 ----a-w- C:\3E09.tmp

2012-08-15 14:43:20 0 ----a-w- C:\D631.tmp

2012-08-15 14:40:32 0 ----a-w- C:\4353.tmp

2012-08-14 23:10:08 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-14 23:10:08 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-14 21:39:09 0 ----a-w- C:\22BE.tmp

2012-08-14 17:20:47 0 ----a-w- C:\975E.tmp

2012-07-11 16:52:23 87488 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll

2012-07-11 16:52:23 80800 ----a-w- C:\Windows\System32\LMIinit.dll

2012-07-11 16:52:23 34720 ----a-w- C:\Windows\System32\LMIport.dll

2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-25 21:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

2012-05-21 21:37:15 87456 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll.000.bak

.

============= FINISH: 8:09:19.57 ===============

Here is the Attach log:

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/1/2010 2:32:36 PM

System Uptime: 8/15/2012 4:33:10 PM (40 hours ago)

.

Motherboard: Dell Inc. | | 0DN075

Processor: Intel® Core2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 61.91 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 72 GiB total, 31.068 GiB free.

F: is FIXED (NTFS) - 2 GiB total, 1.409 GiB free.

G: is NetworkDisk (NTFS) - 1000 GiB total, 597.154 GiB free.

H: is NetworkDisk (NTFS) - 1000 GiB total, 597.154 GiB free.

I: is Removable

K: is NetworkDisk (NTFS) - 1000 GiB total, 597.154 GiB free.

L: is NetworkDisk (NTFS) - 1000 GiB total, 597.154 GiB free.

V: is NetworkDisk (NTFS) - 279 GiB total, 90.703 GiB free.

W: is NetworkDisk (NTFS) - 500 GiB total, 36.767 GiB free.

X: is NetworkDisk (NTFS) - 250 GiB total, 99.723 GiB free.

Y: is NetworkDisk (NTFS) - 1000 GiB total, 597.154 GiB free.

Z: is NetworkDisk (NTFS) - 500 GiB total, 77.581 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

.NET Framework Machine Code Access Security Policy

Adobe AIR

Adobe Connect Add-in

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

Apple Application Support

Apple Software Update

Audacity 2.0

BarTender

BarTender 8.0.2092

BarTender Enterprise International 7.10.1056

Belkin F5D5055 Driver

CallTrackingSetup

CDBurnerXP

Cisco Network Assistant

Citrix online plug-in

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (PNA)

Citrix online plug-in (SSON)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

Compatibility Pack for the 2007 Office system

Computer Services Inventory

Configuration Manager Client

Convert

Creating Custom Reports by Using Configuration Manager 2007 SQL Views

Crystal Reports for .NET Framework 2.0 (x86)

DameWare NT Utilities

DameWare NT Utilities 8.0

ESET Online Scanner v3

Google Drive

Google Earth

Google SketchUp 8

Google Update Helper

GoToMeeting 5.0.0.799

GroupWise

HP USB Disk Storage Format Tool

hppFonts

hppQFolderP2050

HTC BMP USB Driver

HTC Driver Installer

ieSpell

Image Plugin

InOutBoard

INVEN

Java Auto Updater

Java 7 Update 5

JavaFX 2.1.1

LogMeIn

Malwarebytes Anti-Malware version 1.62.0.1300

Microsoft .NET Framework 4 Multi-Targeting Pack

Microsoft Interop Forms Redistributable Package 2.0a

Microsoft Office 2007 Primary Interop Assemblies

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Live Meeting 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Plus 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Visio 2007 Service Pack 3 (SP3)

Microsoft Office Visio MUI (English) 2007

Microsoft Office Visio Professional 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2008 Browser

Microsoft Visio Viewer 2010

Microsoft Visual C++ Compilers 2010 Standard - enu - x86

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 Parser and SDK

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2721691)

MSXML 4.0 SP3 Parser (KB973685)

Notepad++

NVIDIA 3D Vision Controller Driver

QuickTime

ScanPal 2 Software

Seagull License Server 8.01.2179

Seagull License Server 9.4

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

SHARP MX/DX Series PCL/PS Printer Driver

SMS 2003 Toolkit 2

SolarWinds Permissions Analyzer for Active Directory

swMSM

Symantec Endpoint Protection Mgr

tools-freebsd

tools-linux

tools-netware

tools-solaris

tools-windows

tools-winPre2k

Universal Extractor 1.6.1

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Visio 2007 Help (KB963666)

Update for Microsoft Office Word 2007 Help (KB963665)

VMware Workstation

Volume Activation Management Tool 2.0

WebEx

WebReg

What's Running 3.0

Windows 7 USB/DVD Download Tool

Windows NT Messaging

Windows Resource Kit Tools - LockoutStatus.exe

Windows SDK IntellisenseNFX

Windows Server 2003 Service Pack 2 Administration Tools Pack

Wootalyzer!

WRQ Reflection for HP with NS/VT 11.0

Zebra Setup Utilities

.

==== Event Viewer Messages From Past Week ========

.

8/17/2012 2:33:22 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

8/15/2012 4:39:45 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

8/15/2012 4:36:23 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.

8/15/2012 4:34:28 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891

8/15/2012 4:34:16 PM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 0.0.0.0:8000. The error status code is contained within the returned data.

8/14/2012 9:58:05 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {1CCB96F4-B8AD-4B43-9688-B273F58E0910} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

8/14/2012 9:57:53 AM, Error: Service Control Manager [7034] - The LogMeIn service terminated unexpectedly. It has done this 1 time(s).

8/14/2012 9:57:11 AM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.

8/14/2012 9:56:56 AM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.

8/14/2012 9:50:56 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR3.

8/14/2012 9:35:55 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Seagull License Server service to connect.

8/14/2012 9:35:55 AM, Error: Service Control Manager [7000] - The Seagull License Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

8/14/2012 9:35:19 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

8/14/2012 9:35:07 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

8/14/2012 10:13:29 AM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.

8/10/2012 12:24:43 PM, Error: Service Control Manager [7034] - The LiveUpdate service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================


Hello Zick, and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan

On completion of the scan, click Save log, save it to your desktop, and post it in your next reply

In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log


Sorry for the delay; for some reason I didn't get notified of your new post.

I don't have the paid version of Malwarebytes, just the free.

Here is a full scan of Malwarebytes:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.20.07

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

zick :: zick[administrator]

8/20/2012 8:59:41 AM

mbam-log-2012-08-20 (08-59-41).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 248630

Time elapsed: 10 minute(s), 24 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-08-20 08:56:15

-----------------------------

08:56:15.593 OS Version: Windows x64 6.1.7601 Service Pack 1

08:56:15.593 Number of processors: 2 586 0xF02

08:56:15.593 ComputerName: ZICK UserName: zick

08:56:19.524 Initialize success

08:56:56.775 AVAST engine defs: 12082000

08:57:04.512 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2

08:57:04.512 Disk 0 Vendor: ST3160318AS CC38 Size: 152627MB BusType: 11

08:57:04.528 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-4

08:57:04.528 Disk 1 Vendor: ST380815AS 3.CHF Size: 76319MB BusType: 11

08:57:04.543 Disk 0 MBR read successfully

08:57:04.559 Disk 0 MBR scan

08:57:04.559 Disk 0 Windows 7 default MBR code

08:57:04.559 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048

08:57:04.575 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 152525 MB offset 206848

08:57:04.731 Disk 0 scanning C:\Windows\system32\drivers

08:57:20.923 Service scanning

08:57:54.603 Modules scanning

08:57:54.603 Disk 0 trace - called modules:

08:57:55.134 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

08:57:55.134 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800458e060]

08:57:55.134 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0xfffffa8003fe3060]

08:57:58.238 AVAST engine scan C:\Windows

08:58:01.951 AVAST engine scan C:\Windows\system32

09:09:42.491 AVAST engine scan C:\Windows\system32\drivers

09:10:16.312 AVAST engine scan C:\Users\zickert

09:17:47.103 File: C:\Users\zick\AppData\Roaming\oracog.dll **INFECTED** Win32:Medfos [Trj]

09:18:25.448 AVAST engine scan C:\ProgramData

09:20:29.062 Scan finished successfully

09:23:53.070 Disk 0 MBR has been saved successfully to "C:\Users\zick\Desktop\MBR.dat"

09:23:53.086 The log file has been saved successfully to "C:\Users\zick\Desktop\aswMBR.txt"

Here is a fresh DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1

Run by zick at 9:27:07 on 2012-08-20

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4030.840 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\nvwmi64.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Seagull\BarTender\8.00\CmdrSrv.exe

C:\Windows\SysWOW64\DWRCS.EXE

C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe

C:\Program Files\Hewlett-Packard\Web Jetadmin 10\HPWSProAdapter\FileSystems\Core\bin\XP-x86\release\HP.Dss.App.WinService.exe

C:\Windows\system32\inetsrv\inetinfo.exe

C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe

C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe

C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\SysWOW64\NLSSRV32.EXE

C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Seagull\License Server\8.0\SLSSrv.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

C:\Windows\System32\tcpsvcs.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe

C:\Windows\SysWOW64\vmnat.exe

C:\Windows\SysWOW64\CCM\CcmExec.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe

C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\nvwmi64.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin64\Smc.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\SearchIndexer.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe

C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe

C:\Windows\system32\taskhost.exe

C:\Windows\SysWOW64\DWRCST.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Citrix\ICA Client\concentr.exe

C:\Program Files (x86)\Citrix\ICA Client\PNAMAIN.EXE

C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Citrix\ICA Client\WFCRUN32.EXE

C:\Novell\GroupWise\grpwise.exe

C:\Novell\GroupWise\Notify.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\SolarWinds\DameWare NT Utilities 8.0\DWRCC.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Windows\system32\StikyNot.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\SolarWinds\DameWare NT Utilities 8.0\DNTU.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\taskhost.exe

C:\Novell\GroupWise\GWSync.exe

K:\apps\CallTracking\CallTracking.exe

\\oak\data\apps\BOARD\InOutBoard64.exe

C:\Users\zick\Desktop\aswMBR.exe

C:\Windows\notepad.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uWindow Title = Windows Internet Explorer

uStart Page = hxxp://earth/joomla

uDefault_Page_URL = hxxp://earth/joomla

uInternet Settings,ProxyOverride = <local>

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [Wootalyzer] "C:\Program Files (x86)\Wootalyzer\woot.exe" /boot

uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart

uRun: [RESTART_STICKY_NOTES] C:\Windows\system32\StikyNot.exe

mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [DameWare MRC Agent] C:\Windows\SysWOW64\DWRCST.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ONLINE~1.LNK - C:\Windows\Installer\{B8A2256E-6225-4D9E-B1C9-C26CA1E22FEB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

uPolicies-explorer: NoStartMenuMyGames = 1 (0x1)

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: NoDisconnect = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: HideStartupScripts = 1 (0x1)

IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM

IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

LSP: mswsock.dll

LSP: %SystemRoot%\system32\vsocklib.dll

DPF: iLO 2 Remote Console Applet - hxxps://ilo-hog/dvc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {08E0B9F3-4FB8-43A6-BAE6-0996E9F5453B} - file://oak/eWis/ocx.cab

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab

DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28EP2-12243/event/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=928

TCP: DhcpNameServer = 172.25.30.219 172.25.30.200

TCP: Interfaces\{8CC2564A-E21B-4EE9-9530-AB00D46B0E7F} : DhcpNameServer = 172.25.30.219 172.25.30.200

Notify: SEP - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\WinLogoutNotifier.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\bin\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun-x64: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [DameWare MRC Agent] C:\Windows\SysWOW64\DWRCST.exe

IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMEFA64.SYS [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\BASHDefs\20120803.011\BHDrvx64.sys [2012-8-14 1161376]

R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys --> C:\Windows\system32\DRIVERS\ctxusbm.sys [?]

R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\Windows\system32\DRIVERS\dwvkbd64.sys --> C:\Windows\system32\DRIVERS\dwvkbd64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Data\Definitions\IPSDefs\20120817.001\IDSviA64.sys [2012-8-18 509088]

R1 nm3;Microsoft Network Monitor 3 Driver;C:\Windows\system32\DRIVERS\nm3.sys --> C:\Windows\system32\DRIVERS\nm3.sys [?]

R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\Ironx64.SYS [?]

R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS --> C:\Windows\system32\Drivers\SEP\0C01044D\0191.105\x64\SYMNETS.SYS [?]

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]

R2 Commander Service;Commander Service;C:\Program Files (x86)\Seagull\BarTender\8.00\CmdrSrv.exe [2007-3-20 2164344]

R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]

R2 HPWJAService;HPWJA Service;C:\Program Files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [2012-1-18 45056]

R2 HPWSProAdapter;HPWSProAdapter;C:\Program Files\Hewlett-Packard\Web Jetadmin 10\HPWSProAdapter\FileSystems\Core\bin\XP-x86\release\HP.Dss.App.WinService.exe [2012-1-9 9728]

R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2010-9-27 375208]

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2010-5-31 15928]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]

R2 MSSQL$HPWJA;SQL Server (HPWJA);C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\sqlservr.exe [2011-9-22 58345832]

R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2012-5-16 69640]

R2 NVWMI;NVIDIA WMI Provider;C:\Windows\system32\nvwmi64.exe --> C:\Windows\system32\nvwmi64.exe [?]

R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-9-16 80896]

R2 Seagull License Server;Seagull License Server;C:\Program Files (x86)\Seagull\License Server\8.0\SLSSrv.exe [2007-8-30 2585992]

R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe [2012-4-19 137208]

R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]

R2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-1-18 11839488]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-15 138912]

R3 radpms;Driver for RADPMS Device;C:\Windows\system32\DRIVERS\radpms.sys --> C:\Windows\system32\DRIVERS\radpms.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 116648]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-12 250056]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-6-1 116648]

S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]

S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-3-31 61976]

S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]

S4 SQLAgent$HPWJA;SQL Server Agent (HPWJA);C:\Program Files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]

.

=============== Created Last 30 ================

.

2012-08-15 20:30:41 0 ----a-w- C:\DA86.tmp

2012-08-15 20:29:56 0 ----a-w- C:\2A86.tmp

2012-08-15 18:14:54 0 ----a-w- C:\8B14.tmp

2012-08-15 17:04:01 0 ----a-w- C:\A577.tmp

2012-08-15 15:13:07 0 ----a-w- C:\1CAD.tmp

2012-08-15 15:12:23 0 ----a-w- C:\6E34.tmp

2012-08-15 15:09:38 0 ----a-w- C:\EBC9.tmp

2012-08-15 14:54:42 0 ----a-w- C:\3C7F.tmp

2012-08-15 14:47:07 0 ----a-w- C:\4A5B.tmp

2012-08-15 14:44:45 0 ----a-w- C:\1FD0.tmp

2012-08-15 14:40:32 0 ----a-w- C:\43C2.tmp

2012-08-15 14:39:59 0 ----a-w- C:\C37A.tmp

2012-08-15 14:39:59 0 ----a-w- C:\C31A.tmp

2012-08-15 14:39:43 0 ----a-w- C:\858F.tmp

2012-08-14 22:12:10 930160 ----a-w- C:\Windows\System32\ccmcore.dll

2012-08-14 22:12:10 26464 ----a-w- C:\Windows\System32\xprslib.dll

2012-08-14 22:11:26 -------- d-----w- C:\Windows\ms

2012-08-14 21:39:56 0 ----a-w- C:\DD48.tmp

2012-08-14 21:38:40 0 ----a-w- C:\B310.tmp

2012-08-14 17:18:46 0 ----a-w- C:\BEBF.tmp

2012-08-14 15:26:09 175736 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2012-08-14 15:26:09 -------- d-----w- C:\Program Files\Symantec

2012-08-14 15:26:09 -------- d-----w- C:\Program Files\Common Files\Symantec Shared

2012-08-14 15:24:40 58288 ----a-w- C:\Windows\SysWow64\snacnp.dll

2012-08-14 15:24:40 58288 ----a-w- C:\Windows\System32\snacnp.dll

2012-08-14 15:24:40 42632 ----a-w- C:\Windows\System32\drivers\WGX64.SYS

2012-08-14 15:24:39 81840 ----a-w- C:\Windows\System32\FwsVpn.dll

2012-08-14 15:24:39 288176 ----a-w- C:\Windows\System32\SymVPN.dll

2012-08-14 15:24:13 -------- d-----w- C:\ProgramData\regid.1992_12.com.symantec

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105\x64

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D\0191.105

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP\0C01044D

2012-08-14 15:23:45 -------- d-----w- C:\Windows\System32\drivers\SEP

2012-08-14 14:31:50 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-08-13 19:10:40 -------- d-----w- C:\Windows\dwrcs

2012-08-10 17:33:29 -------- d-----w- C:\Users\zick\AppData\Local\NPE

2012-08-10 17:33:29 -------- d-----w- C:\ProgramData\Norton

2012-08-10 17:20:10 27256 ----a-w- C:\Windows\System32\drivers\FixZeroAccess.sys

2012-08-09 13:49:41 450048 ----a-w- C:\Users\zick\AppData\Roaming\oracog.dll

2012-08-02 20:14:59 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll

2012-08-02 20:14:59 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll

2012-08-02 20:14:59 1133568 ----a-w- C:\Windows\System32\cdosys.dll

2012-08-02 20:02:59 -------- d-----w- C:\Program Files (x86)\ESET

2012-08-01 19:43:42 -------- d-----w- C:\temp

2012-08-01 19:11:19 -------- d-----w- C:\Program Files (x86)\Windows Resource Kits

2012-07-25 19:32:47 -------- d-----w- C:\Program Files (x86)\Audacity

.

==================== Find3M ====================

.

2012-08-15 20:30:35 0 ----a-w- C:\C4A4.tmp

2012-08-15 20:29:51 0 ----a-w- C:\17B0.tmp

2012-08-15 18:14:54 0 ----a-w- C:\8A95.tmp

2012-08-15 17:03:41 0 ----a-w- C:\5727.tmp

2012-08-15 15:13:03 0 ----a-w- C:\A82.tmp

2012-08-15 15:11:31 0 ----a-w- C:\A411.tmp

2012-08-15 15:09:34 0 ----a-w- C:\D99E.tmp

2012-08-15 14:54:38 0 ----a-w- C:\2C28.tmp

2012-08-15 14:47:03 0 ----a-w- C:\3E09.tmp

2012-08-15 14:43:20 0 ----a-w- C:\D631.tmp

2012-08-15 14:40:32 0 ----a-w- C:\4353.tmp

2012-08-14 23:10:08 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-14 23:10:08 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-08-14 21:39:09 0 ----a-w- C:\22BE.tmp

2012-08-14 17:20:47 0 ----a-w- C:\975E.tmp

2012-07-11 16:52:23 87488 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll

2012-07-11 16:52:23 80800 ----a-w- C:\Windows\System32\LMIinit.dll

2012-07-11 16:52:23 34720 ----a-w- C:\Windows\System32\LMIport.dll

2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-06-25 21:04:24 1394248 ----a-w- C:\Windows\SysWow64\msxml4.dll

2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll

2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll

2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll

2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe

.

============= FINISH: 9:28:30.17 ===============

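Three things a helper reads off the DDS log above are worth automating: the 450048-byte oracog.dll dropped directly in C:\Users\zick\AppData\Roaming (the file aswMBR flagged as Win32:Medfos, which neither the Symantec nor the MBAM quick scan reported), the burst of zero-byte, randomly named C:\XXXX.tmp files created in the drive root on 8/14 and 8/15, and the mPolicies-system lines showing UAC switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0). The script below is an added example, not part of this post and not code from DDS, aswMBR or Malwarebytes; it parses DDS "Created Last 30" / "Find3M" and "Pseudo HJT" lines offline. The sample lines are copied from the log in this thread; the function names, the three-files-per-day threshold and the UAC_WEAK table are my own assumptions.

```python
"""Triage a DDS log for the three indicators visible in this thread.

Added example, not part of the original forum post or of DDS/aswMBR.
It re-implements, in plain Python, the eyeballing a helper does on a
DDS log; it needs no DDS, Windows or network access.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the DDS log in the thread, plus a
# benign directory line and a System32 DLL so the filters have something
# to ignore.
SAMPLE_DDS = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
2012-08-15 20:30:41 0 ----a-w- C:\\DA86.tmp
2012-08-15 20:29:56 0 ----a-w- C:\\2A86.tmp
2012-08-15 18:14:54 0 ----a-w- C:\\8B14.tmp
2012-08-14 22:12:10 930160 ----a-w- C:\\Windows\\System32\\ccmcore.dll
2012-08-10 17:20:10 27256 ----a-w- C:\\Windows\\System32\\drivers\\FixZeroAccess.sys
2012-08-09 13:49:41 450048 ----a-w- C:\\Users\\zick\\AppData\\Roaming\\oracog.dll
2012-07-25 19:32:47 -------- d-----w- C:\\Program Files (x86)\\Audacity
"""

# DDS file line: "<date> <time> <size|-------> <attrs> <drive>:\<path>"
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>[A-Za-z]:\\.*)$"
)
# DDS policy line: "mPolicies-system: <name> = <value> (0x..)"
POLICY_LINE = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<value>\d+)")

# Values that switch UAC off or make it silent (assumed table, not from DDS).
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
            "PromptOnSecureDesktop": "0"}


def parse_file_entries(text):
    """Yield (date, size_or_None, path) per file line; directories give size None."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        yield m["date"], size, m["path"]


def roaming_executables(text):
    """Loadable modules sitting directly in a user's AppData\\Roaming.

    Browser-hijacking trojans such as Medfos drop a DLL there; legitimate
    installers almost never leave a bare DLL/EXE/SYS at that level.
    """
    hits = []
    for _, size, path in parse_file_entries(text):
        p = PureWindowsPath(path)
        parts = [x.lower() for x in p.parts]
        if (size and p.suffix.lower() in {".dll", ".exe", ".sys"}
                and parts[-3:-1] == ["appdata", "roaming"]):
            hits.append(path)
    return hits


def root_tmp_burst(text, threshold=3):
    """Dates with at least `threshold` zero-byte *.tmp files in a drive root.

    Returns {date: count}; an empty dict means no burst was found.
    """
    per_day = Counter()
    for date, size, path in parse_file_entries(text):
        p = PureWindowsPath(path)
        if size == 0 and p.suffix.lower() == ".tmp" and len(p.parts) == 2:
            per_day[date] += 1
    return {d: n for d, n in per_day.items() if n >= threshold}


def weak_uac_settings(text):
    """mPolicies-system values from the log that match the UAC_WEAK table."""
    found = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m and UAC_WEAK.get(m["name"]) == m["value"]:
            found[m["name"]] = m["value"]
    return found


def triage(text):
    """Run all three checks and return their findings keyed by name."""
    return {
        "roaming_modules": roaming_executables(text),
        "tmp_bursts": root_tmp_burst(text),
        "weak_uac": weak_uac_settings(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run it against a saved DDS log by reading the file into `triage()`; on the sample above it reports oracog.dll, a three-file burst on 2012-08-15, and all three weak UAC values. A hit in `roaming_modules` is only a lead, not a verdict: the file still needs a signature check or a scan with an engine that knows it, which is exactly what aswMBR supplied here.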

Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Sorry, I thought I had Symantec completely shut down, but ComboFix said it was still enabled and ended up running anyway. If you need me to do another scan I can.

Here is the ComboFix log:

ComboFix 12-08-20.01 - zick 08/20/2012 9:48.1.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4030.1615 [GMT -5:00]

Running from: c:\users\zick\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files (x86)\Common Files\EXCEL.ico

c:\program files (x86)\Common Files\HHelp.ico

c:\program files (x86)\Common Files\VISIO.ico

c:\program files (x86)\Common Files\WINWORD.ico

c:\users\zick\AppData\Roaming\oracog.dll

c:\windows\SysWow64\SETCCD8.tmp

.

.

((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))

.

.

2012-08-14 22:12 . 2009-09-18 09:00 930160 ----a-w- c:\windows\system32\ccmcore.dll

2012-08-14 22:12 . 2009-09-18 09:00 26464 ----a-w- c:\windows\system32\xprslib.dll

2012-08-14 22:11 . 2012-08-14 22:11 -------- d-----w- c:\windows\ms

2012-08-14 15:24 . 2012-08-14 15:24 58288 ----a-w- c:\windows\system32\snacnp.dll

2012-08-14 14:33 . 2012-08-14 14:33 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-08-14 14:31 . 2012-07-06 03:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-08-13 19:10 . 2012-08-13 19:10 -------- d-----w- c:\windows\dwrcs

2012-08-10 17:33 . 2012-08-10 17:56 -------- d-----w- c:\users\zick\AppData\Local\NPE

2012-08-10 17:33 . 2012-08-10 17:33 -------- d-----w- c:\programdata\Norton

2012-08-10 17:20 . 2012-08-10 17:23 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys

2012-08-03 18:56 . 2012-08-03 18:56 -------- d-----w- c:\users\Default\AppData\Local\Google

2012-08-02 20:14 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-08-02 20:14 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll

2012-08-02 20:14 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll

2012-08-02 20:02 . 2012-08-02 20:02 -------- d-----w- c:\program files (x86)\ESET

2012-08-01 19:43 . 2012-08-01 20:14 -------- d-----w- C:\temp

2012-08-01 19:11 . 2012-08-01 19:42 -------- d-----w- c:\program files (x86)\Windows Resource Kits

2012-07-25 19:33 . 2012-07-25 21:22 -------- d-----w- c:\users\zick\AppData\Roaming\Audacity

2012-07-25 19:32 . 2012-07-25 19:32 -------- d-----w- c:\program files (x86)\Audacity

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-14 23:10 . 2012-04-12 18:34 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-14 23:10 . 2011-05-18 17:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-02 21:22 . 2010-10-01 20:12 59701280 ----a-w- c:\windows\system32\MRT.exe

2012-07-11 16:52 . 2010-10-05 13:23 34720 ----a-w- c:\windows\system32\LMIport.dll

2012-07-11 16:52 . 2010-10-05 13:23 87488 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-07-11 16:52 . 2010-10-05 13:23 80800 ----a-w- c:\windows\system32\LMIinit.dll

2012-07-10 21:33 . 2012-07-10 21:33 119808 ----a-r- c:\users\zick\AppData\Roaming\Microsoft\Installer\{CCF298AF-9CE1-4B26-B251-486E98A34789}\icons.exe

2012-07-03 18:46 . 2011-07-26 13:13 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-25 21:04 . 2012-06-25 21:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll

2012-06-02 22:19 . 2012-07-05 16:59 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-07-05 17:00 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-07-05 17:00 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-07-05 17:00 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-07-05 16:59 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-07-05 17:00 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-07-05 16:59 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 20:19 . 2012-07-05 16:59 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 20:15 . 2012-07-05 16:59 36864 ----a-w- c:\windows\system32\wuapp.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"Wootalyzer"="c:\program files (x86)\Wootalyzer\woot.exe" [2009-03-26 374272]

"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-07-20 12218904]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"QuickTime Task"="c:\program files (x86)\QuickTime\qttask.exe" [2011-03-10 421888]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2012-01-18 103536]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"DameWare MRC Agent"="c:\windows\SysWOW64\DWRCST.exe" [2010-04-07 85528]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Online plug-in.lnk - c:\windows\Installer\{B8A2256E-6225-4D9E-B1C9-C26CA1E22FEB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2011-7-28 73728]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoDisconnect"= 1 (0x1)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoStartMenuMyGames"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-143500889-1487260227-3505867911-1139\Scripts\Logon\0\0]

"Script"=logonscript.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-143500889-1487260227-3505867911-3348\Scripts\Logon\0\0]

"Script"=logonscript.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-01 116648]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 250056]

R3 cpuz134;cpuz134;c:\program files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-01 116648]

R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-24 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 61976]

R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [2011-09-23 311144]

R4 SQLAgent$HPWJA;SQL Server Agent (HPWJA);c:\program files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 431464]

S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2011-08-08 116336]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 87600]

S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys [2007-02-15 30720]

S1 nm3;Microsoft Network Monitor 3 Driver;c:\windows\system32\DRIVERS\nm3.sys [2010-06-09 46392]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

S2 Commander Service;Commander Service;c:\program files (x86)\Seagull\BarTender\8.00\CmdrSrv.exe [2007-03-20 2164344]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2011-09-21 21992]

S2 HPWJAService;HPWJA Service;c:\program files\Hewlett-Packard\Web Jetadmin 10\bin\HPWJAService.exe [2012-01-18 45056]

S2 HPWSProAdapter;HPWSProAdapter;c:\program files\Hewlett-Packard\Web Jetadmin 10\HPWSProAdapter\FileSystems\Core\bin\XP-x86\release\HP.Dss.App.WinService.exe [2012-01-09 9728]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-07-11 375208]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2010-05-31 15928]

S2 MSSQL$HPWJA;SQL Server (HPWJA);c:\program files\Microsoft SQL Server\MSSQL10.HPWJA\MSSQL\Binn\sqlservr.exe [2011-09-23 58345832]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2012-05-16 69640]

S2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi64.exe [2011-05-26 588392]

S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]

S2 Seagull License Server;Seagull License Server;c:\program files (x86)\Seagull\License Server\8.0\SLSSrv.exe [2007-08-31 2585992]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-30 846448]

S2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-01-18 11839488]

S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]

S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-12-08 14944]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 23:10]

.

2012-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-01 19:46]

.

2012-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-06-01 19:46]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2010-05-31 57928]

"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1692264]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://earth/joomla

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM

LSP: %SystemRoot%\system32\vsocklib.dll

TCP: DhcpNameServer = 172.25.30.219 172.25.30.200

DPF: iLO 2 Remote Console Applet - hxxps://ilo-hog/dvc.cab

DPF: {08E0B9F3-4FB8-43A6-BAE6-0996E9F5453B} - file://oak/eWis/ocx.cab

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

HKLM-Run-oracog - c:\users\zick\AppData\Roaming\oracog.dll

AddRemove-Symantec Endpoint Protection Mgr - c:\windows\system32\javaws.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-143500889-1487260227-3505867911-3348\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-143500889-1487260227-3505867911-3348\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\SysWOW64\DWRCS.EXE

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\SysWOW64\vmnat.exe

c:\windows\SysWOW64\CCM\CcmExec.exe

c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe

c:\program files (x86)\Citrix\ICA Client\ssonsvr.exe

c:\program files (x86)\Citrix\ICA Client\wfcrun32.exe

c:\program files (x86)\Citrix\ICA Client\PNAMain.exe

.

**************************************************************************

.

Completion time: 2012-08-20 10:08:03 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-20 15:08

.

Pre-Run: 65,143,541,760 bytes free

Post-Run: 66,430,152,704 bytes free

.

- - End Of File - - 74874A65A1350D536BF61DD6FBDDC78F


Thanks a lot! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Here is the ESET log;

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=1da1f79b571f174498cc1f0680c87a19

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-08-20 07:54:46

# local_time=2012-08-20 02:54:46 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 24752280 97024637 0 0

# compatibility_mode=8192 67108863 100 0 1457008 1457008 0 0

# scanned=287967

# found=4

# cleaned=4

# scan_time=11298

C:\Qoobox\Quarantine.zip a variant of Win32/Medfos.CD trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Users\zick\AppData\Roaming\oracog.dll.vir a variant of Win32/Medfos.CD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\zick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\292dffcf-116f2fb4 Java/Exploit.CVE-2012-1723.AP trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Users\zick\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\36c1e8aa-2738e154 Java/Exploit.CVE-2012-1723.AP trojan (deleted - quarantined) 00000000000000000000000000000000 C


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

Please download JavaRa to your desktop and unzip it to its own folder.

  • Run JavaRa.exe, then click Remove JRE.
  • Run the built-in uninstallers for all copies of Java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your system's version)
  • Run the installer
  • Close JavaRa


I found that this is malware and our research found that it is Trojan.Medhos. Now Malwarebytes' Anti-Malware successfully detects and removes it.

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Updated Malwarebytes and ran quick scan;

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.08.21.08

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

zick :: ZICK [administrator]

8/21/2012 10:34:33 AM

mbam-log-2012-08-21 (10-34-33).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 255167

Time elapsed: 7 minute(s), 5 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *oracog*

    :folderfind
    *oracog*

    :regfind
    oracog


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook log;

SystemLook 30.07.11 by jpshortstuff

Log created at 10:53 on 21/08/2012 by zick

(Limited User)

WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*oracog* "

C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-oracog.reg.dat --a---- 80 bytes [15:06 20/08/2012] [15:06 20/08/2012] CFD9C5961316EF99F641BDDB62D9105A

Searching for " "

No files found.

========== folderfind ==========

Searching for "*oracog* "

No folders found.

Searching for " "

No folders found.

========== regfind ==========

Searching for "oracog"

No data found.

-= EOF =-


Yes, I want to send you some last instructions.

Please uninstall ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, uninstall ESET Online Scanner and then manually delete DDS, aswMBR and SystemLook.

Some malware prevention tips:

http://forums.malwarebytes.org/index.php?showtopic=104379

Now you are good to go! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.