Jump to content

Recommended Posts

Gringo, any chance you can help me? I have a problem very similar to if not exactly the same as the user you helped a couple days ago. When I click a google search result it frequently tries to re-direct me to something else. It's a bit weird in that if I click the same link a second time it will then let me go to the page I was trying to get to. I have scanned with Malwarebytes and Super AntiSpyware, neither finds anything. Actually, today Malwarebtes found something but not whatever is causing problems. This is my work computer and Sophos monitors the computer. It has seemingly identified some issues but I don't have rights to do anything in Sophos and the IT guys basically just have me scan with Malwarebytes.

I was going to just follow the steps that you had set out for the original poster but ultimately decided to ask for help in order to increase my chances of success. Any help you can give me would be very much appreciated.

Thanks

Link to post
Share on other sites
  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

    [*]Please do not attach logs or use code boxes, just copy and paste the text.

    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

    [*]Please read every post completely before doing anything.

    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

    [*]Please provide feedback about your experience as we go.

    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I need to get some reports to get a base to start from so I need you to run these programs first.

-DeFogger-

  • Please download
DeFogger to your desktop.
Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

-Security Check-

  • Download Security Check by screen317 from
here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    dds_scr.gif
    Download DDS and save it to your desktop
Link1
Link2
Link3
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt

    [*]A window will open instructing you save & post the logs

    [*]Save the logs to a convenient place such as your desktop

    [*]Copy the contents of both logs & post in your next reply

information and logs

  • In your next post I need the following
  1. both reports from DDS
  2. report from security check
  3. let me know of any problems you may have had

Gringo

Link to post
Share on other sites

Hello,

I am getting redirected to 63.209.69.107 when I click on search results from Google searches. I researched this a bit and see that this is a nasty bit of malware, and I'm looking for help in getting rid of it. I have scanned with Malwarebytes and Super AntiSpyware. Neither finds anything. I haven't really seen any other effects from this infection but those redirects can't be good. When I try to scan with Sophos, Sophos scans for a minute or two and then tells me that I need to remove Troj/ZbotMem-B before it can continue scanning. I assume that these this is related to my current infection.

There is a good thread located at

[url="http://forums.malwarebytes.org/index.php?showtopic=118110&st=20"]http://forums.malwarebytes.org/index.php?showtopic=118110&st=20[/url]

in which the OP was able to get his issue resolved. I am tempted to simply follow the steps that he was instructed to follow, but first wanted to see if anyone had any better ideas or help to offer.

Thanks in advance for any replies, I do appreciate it.

Link to post
Share on other sites

Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Having said that....Let's get going!!

----------

Please download DDS from either of these links

LINK 1

LINK 2

and save it to your desktop.

  • Disable any script blocking protection
  • Right-click and Run as Administrator dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

aswmbrscan.jpg

Click the image to enlarge it

----------

AdwCleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------

Link to post
Share on other sites

Thanks so much. Here are the two logs from DDS...will now work on the others.

DDS:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.5.1

Run by brada at 13:08:18 on 2012-11-26

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.2187 [GMT -7:00]

.

AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe

C:\Windows\system32\ibmpmsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\svchost.exe -k NetworkService

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe

C:\Windows\system32\CxAudMsg64.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Intel\iCLS Client\HeciServer.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe

C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe

C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe

C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe

C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe

C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Windows\SysWOW64\SAsrv.exe

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe

C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe

C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\DesktopCentral_Agent\bin\dcondemand.exe

C:\Program Files (x86)\DesktopCentral_Agent\bin\dcswmeter.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe

C:\Windows\system32\rundll32.exe

C:\PROGRA~1\Lenovo\HOTKEY\MKRMSG.EXE

C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE

C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe

C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe

C:\Windows\System32\TpShocks.exe

C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe

C:\Users\brada\AppData\Local\Akamai\netsession_win.exe

C:\Windows\System32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Users\brada\AppData\Local\Akamai\netsession_win.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe

C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe

C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe

C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe

C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\Lenovo\System Update\SUService.exe

C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\Program Files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe

C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE

C:\Windows\splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE

C:\Program Files\AuthenTec TrueSuite\TouchControl.exe

C:\Windows\system32\svchost.exe -k WbioSvcGroup

C:\Program Files\AuthenTec TrueSuite\x86\BioMonitor.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uWindow Title = Microsoft Internet Explorer provided by Stearns Bank NA

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP

uProxyOverride = <local>

mWinlogon: Userinit = userinit.exe,

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: TrueSuite Browser Helper Object: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

TB: TrueSuite Toolbar: {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files\AuthenTec TrueSuite\x86\IEBHO.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

uRun: [Akamai NetSession Interface] "C:\Users\brada\AppData\Local\Akamai\netsession_win.exe"

uRun: [sisup] rundll32.exe "C:\Users\brada\AppData\Roaming\sisup.dll",IDrawText

uRun: [vinsv] "C:\Windows\System32\rundll32.exe" "C:\Users\brada\AppData\Roaming\vinsv.dll",Clear

uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

uRun: [Yhetho] C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe

mRun: [uSB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor

mRun: [Fastboot] C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

mRun: [sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe

mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

StartupFolder: C:\Users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network Drives.bat

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~2.LNK - C:\Windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: disablecad = dword:1

mPolicies-System: LocalAccountTokenFilterPolicy = dword:1

IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

Trusted Zone: fmwrdc.com

DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://gis.pima.gov/pictometry/viewer/ver30b/PictImageCtrl30.cab

DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gis.pinellascounty.org/ActiveX/ver6.5/mgaxctrl.cab

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB

TCP: NameServer = 10.72.201.210 192.168.100.7

TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2} : NameServer = 10.72.201.210,192.168.100.7

TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2} : DHCPNameServer = 10.72.201.210 192.168.100.7

TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\2656C6B696E6534376 : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\2656C6B696E6E2836356 : DHCPNameServer = 74.117.240.3 74.117.240.4

TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\A45627723702D202960586F6E656 : DHCPNameServer = 8.8.8.8

TCP: Interfaces\{5C3D3A91-0A2F-4E4A-BB7F-E897055A9211}\E4544574541425 : DHCPNameServer = 192.168.1.1

AppInit_DLLs= C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL

SSODL: WebCheck - <orphaned>

x64-BHO: TrueSuite Browser Helper Object: {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files\AuthenTec TrueSuite\IEBHO.dll

x64-BHO: Symantec VIP Access Add-On: {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll

x64-TB: TrueSuite Toolbar: {C98EE38D-21E4-4A50-907D-2B56FEC7013E} - C:\Program Files\AuthenTec TrueSuite\IEBHO.dll

x64-Run: [bLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe

x64-Run: [TpShocks] TpShocks.exe

x64-Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 dlkmdldr;dlkmdldr;C:\Windows\System32\drivers\dlkmdldr.sys [2012-7-9 14448]

R0 Fastboot;Fastboot;C:\Windows\System32\drivers\Fastboot.sys [2012-5-1 70416]

R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-5-1 16152]

R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\drivers\ApsHM64.sys [2011-12-28 25416]

R1 PHCORE;PHCORE;C:\Program Files\Lenovo\RapidBoot\PHCORE64.sys [2012-1-30 33344]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R1 SAVOnAccess;SAVOnAccess;C:\Windows\System32\drivers\savonaccess.sys [2012-6-25 144672]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]

R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-1-9 659968]

R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-2-21 1014096]

R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-2-21 1104208]

R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-1-17 135952]

R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\System32\CxAudMsg64.exe [2012-5-1 198784]

R2 DisplayLinkService;DisplayLinkManager;C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-9 8447848]

R2 FastbootService;FastbootService;C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-5-1 169776]

R2 FPLService;TrueSuiteService;C:\Program Files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-22 313672]

R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2011-12-8 607456]

R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2012-5-1 128280]

R2 Intel® Small Business Advantage;Intel® Small Business Advantage;C:\Program Files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-5-1 49376]

R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-5-1 161560]

R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2012-6-23 58192]

R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2012-2-15 101736]

R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-6-23 61264]

R2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [2012-6-23 175440]

R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2012-2-15 133992]

R2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-3-21 552072]

R2 SAService;Conexant SmartAudio service;C:\Windows\System32\SAsrv.exe --> C:\Windows\System32\SAsrv.exe [?]

R2 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-9-17 216640]

R2 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-7-9 139840]

R2 Sophos Agent;Sophos Agent;C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [2012-9-17 289856]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [2012-8-13 232512]

R2 Sophos Message Router;Sophos Message Router;C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [2012-9-17 818240]

R2 Sophos Web Control Service;Sophos Web Control Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-6-25 357400]

R2 swi_service;Sophos Web Intelligence Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-9-17 2863168]

R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2012-2-15 145256]

R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2012-2-15 144960]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-5-1 363800]

R2 VIPAppService;VIPAppService;C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-5 84080]

R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2012-2-26 2669840]

R3 5U877;5U877;C:\Windows\System32\drivers\5U877.sys [2012-5-1 216064]

R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\Windows\System32\drivers\AmpPal.sys [2012-1-9 195584]

R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2011-11-30 94720]

R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2011-11-30 747008]

R3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\System32\drivers\DisplayLinkUsbPort_6.1.32700.0.sys [2012-5-1 17408]

R3 dlkmd;dlkmd;C:\Windows\System32\drivers\dlkmd.sys [2012-7-9 307824]

R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-2-14 60928]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-5-1 331264]

R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-5-1 355096]

R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-5-1 786200]

R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-12-20 25496]

R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\Windows\System32\drivers\RtsP2Stor.sys [2012-5-1 259688]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-1 565352]

R3 TVTI2C;Lenovo SM bus driver;C:\Windows\System32\drivers\tvti2c.sys [2012-2-6 40248]

R3 tvtvcamd;ThinkVantage Virtual Camera;C:\Windows\System32\drivers\tvtvcamd.sys [2012-5-1 27432]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 HyperW7Svc;HyperW7 Service;C:\Program Files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-2-2 145472]

S2 swi_update_64;Sophos Web Intelligence Update;C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe [2012-6-25 2009152]

S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;C:\Windows\System32\drivers\AmpPal.sys [2012-1-9 195584]

S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-2-21 1304912]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-20 71168]

S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-12-20 34200]

S3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;C:\Program Files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-3-21 605320]

S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2012-2-26 273168]

S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2012-5-1 1662528]

S3 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2012-5-1 165440]

S3 sdcfilter;sdcfilter;C:\Windows\System32\drivers\sdcfilter.sys [2012-6-25 36640]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-23 1255736]

S4 SophosBootDriver;SophosBootDriver;C:\Windows\System32\drivers\SophosBootDriver.sys [2012-6-25 25608]

.

=============== Created Last 30 ================

.

2012-11-23 18:52:49 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll

2012-11-23 15:44:32 -------- d-----w- C:\Users\brada\AppData\Local\Sophos

2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Ydatt

2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Upti

2012-11-23 15:07:33 -------- d-----w- C:\Users\brada\AppData\Roaming\Keehy

2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Upcoof

2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Udugul

2012-11-20 23:47:39 -------- d-----w- C:\Users\brada\AppData\Roaming\Ifser

2012-11-19 22:13:17 -------- d-----w- C:\Users\brada\AppData\Roaming\SUPERAntiSpyware.com

2012-11-19 22:13:13 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2012-11-19 22:13:13 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2012-11-18 02:04:31 536064 ----a-w- C:\Users\brada\AppData\Roaming\vinsv.dll

2012-11-15 22:11:51 162816 ----a-w- C:\Users\brada\AppData\Roaming\sisup.dll

2012-11-14 12:22:57 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-13 15:19:45 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll

.

==================== Find3M ====================

.

2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2012-10-09 07:08:16 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-09 07:08:16 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-09-30 02:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

.

============= FINISH: 13:08:57.13 ===============

ATTACH:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 6/22/2012 4:26:45 AM

System Uptime: 11/26/2012 8:11:32 AM (5 hours ago)

.

Motherboard: LENOVO | | 32597AU

Processor: Intel® Core i5-2450M CPU @ 2.50GHz | CPU Socket - U3E1 | 2501/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 451 GiB total, 390.448 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is NetworkDisk (NTFS) - 300 GiB total, 26.746 GiB free.

I: is NetworkDisk (NTFS) - 200 GiB total, 100.919 GiB free.

Q: is FIXED (NTFS) - 14 GiB total, 1.418 GiB free.

R: is NetworkDisk (NTFS) - 400 GiB total, 271.722 GiB free.

U: is NetworkDisk (NTFS) - 300 GiB total, 26.746 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e967-e325-11ce-bfc1-08002be10318}

Description: Disk drive

Device ID: USBSTOR\DISK&VEN_HP&PROD_USB_DOCK&REV_8.01\4KZ4U1W9&0

Manufacturer: (Standard disk drives)

Name: HP USB DOCK USB Device

PNP Device ID: USBSTOR\DISK&VEN_HP&PROD_USB_DOCK&REV_8.01\4KZ4U1W9&0

Service: disk

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco Systems VPN Adapter for 64-bit Windows

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter for 64-bit Windows

PNP Device ID: ROOT\NET\0000

Service: CVirtA

.

==== System Restore Points ===================

.

RP70: 11/26/2012 9:07:21 AM - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

2007 Microsoft Office system

Absolute Reminder

Adobe Acrobat 8 Standard

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.5.1

Akamai NetSession Interface

Alchemy

Apple Application Support

Apple Software Update

AuthenTec TrueSuite

Burn.Now 4.5

Cisco Systems VPN Client 5.0.07.0290

Conexant HD Audio

Corel Burn.Now Lenovo Edition

Corel DVD MovieFactory 7

Corel DVD MovieFactory Lenovo Edition

Corel WinDVD

Create Recovery Media

Direct DiscRecorder

DisplayLink Core Software

Evernote v. 4.2.3

Get IP

Google Earth

Google Update Helper

GooReader

Integrated Camera Driver Installer Package Ver.1.2.1.16

Intel PROSet Wireless

Intel® Control Center

Intel® Manageability Engine Firmware Recovery Agent

Intel® Management Engine Components

Intel® OpenCL CPU Runtime

Intel® Processor Graphics

Intel® PROSet/Wireless for Bluetooth® + High Speed

Intel® PROSet/Wireless Software for Bluetooth® Technology

Intel® Update Manager

Intel® USB 3.0 eXtensible Host Controller Driver

Intel® WiDi

Intel® Wireless Display

Intel® PROSet/Wireless WiFi Software

Intel® Trusted Connect Service Client

Java Auto Updater

Java 7 Update 5

JavaFX 2.1.1

Lenovo Auto Scroll Utility

Lenovo Graphics Software

Lenovo Patch Utility

Lenovo Patch Utility 64 bit

Lenovo SimpleTap

Lenovo Solution Center

Lenovo Solutions for Small Business

Lenovo Solutions for Small Business Customizations

MagicDisc 2.7.106

Malwarebytes Anti-Malware version 1.65.1.1000

ManageEngine Desktop Central 8 - Agent

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Communicator 2007 R2

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Hybrid 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML4SP2

On Screen Display

Power Manager

PrimoPDF -- brought to you by Nitro PDF Software

QuickTime

RapidBoot

RapidBoot HDD Accelerator

Realtek Ethernet Controller Driver

Realtek PCIE Card Reader

ScreenPrint32 v3.5

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Sophos Anti-Virus

Sophos AutoUpdate

Sophos Remote Management System

SugarSync Manager

SUPERAntiSpyware

System Update

ThinkPad Power Management Driver

ThinkPad UltraNav Driver

ThinkVantage Active Protection System

ThinkVantage Communications Utility

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687267) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

VIP Access

Windows Driver Package - Intel (iaStor) hdc (11/29/2011 11.0.0.1032)

Windows Driver Package - Lenovo 1.65.04.00 (01/11/2012 1.65.04.00)

Windows Driver Package - Synaptics (SynTP) Mouse (12/23/2011 15.3.39.1)

Zan Image Printer

.

==== Event Viewer Messages From Past Week ========

.

11/26/2012 8:15:55 AM, Error: volsnap [25] - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.

11/26/2012 8:12:40 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aspi32

11/26/2012 8:12:32 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the DNS Client service to connect.

11/26/2012 8:12:32 AM, Error: Service Control Manager [7000] - The DNS Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

11/26/2012 8:11:41 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\Aspi32.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

11/26/2012 8:10:40 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

11/26/2012 8:10:38 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain SFSI due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

11/26/2012 8:10:33 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ManageEngine Desktop Central - Agent service.

11/23/2012 9:23:35 AM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

11/23/2012 7:58:50 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .

11/23/2012 5:03:05 PM, Error: AX88772 [17] -

.

==== End Of File ===========================

Link to post
Share on other sites

Below are the results from the aswMBR scan. I was however unable to download the adwCleaner. It tries for a minute or so to save and then I get a message box titled "File Acess Denied", with a message of "you'll need administrator permission to copy this file". I click continue and after another minute it gives me a similar message.

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2012-11-26 13:16:44

-----------------------------

13:16:44.439 OS Version: Windows x64 6.1.7601 Service Pack 1

13:16:44.439 Number of processors: 4 586 0x2A07

13:16:44.439 ComputerName: MP-0B03N UserName: brada

13:16:45.406 Initialize success

13:29:09.299 AVAST engine defs: 12112600

13:30:07.295 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

13:30:07.295 Disk 0 Vendor: TOSHIBA_ MC10 Size: 476940MB BusType: 3

13:30:07.311 Disk 0 MBR read successfully

13:30:07.311 Disk 0 MBR scan

13:30:07.311 Disk 0 unknown MBR code

13:30:07.342 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1500 MB offset 2048

13:30:07.342 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 461438 MB offset 3074048

13:30:07.373 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 14000 MB offset 948099072

13:30:07.435 Disk 0 scanning C:\Windows\system32\drivers

13:30:18.074 Service scanning

13:30:50.569 Modules scanning

13:30:50.569 Disk 0 trace - called modules:

13:30:50.585 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll

13:30:50.585 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80036ac790]

13:30:50.585 3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa80045a1950]

13:30:50.585 5 ACPI.sys[fffff88000f967a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005936050]

13:30:51.630 AVAST engine scan C:\Windows

13:30:53.970 AVAST engine scan C:\Windows\system32

13:35:20.008 AVAST engine scan C:\Windows\system32\drivers

13:35:34.282 AVAST engine scan C:\Users\brada

13:39:09.841 File: C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe **INFECTED** Win32:Malware-gen

13:43:42.420 AVAST engine scan C:\ProgramData

13:45:34.164 Scan finished successfully

13:46:00.715 Disk 0 MBR has been saved successfully to "C:\Users\brada\Desktop\MBR.dat"

13:46:00.715 The log file has been saved successfully to "C:\Users\brada\Desktop\aswMBR.txt"

Link to post
Share on other sites

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.


  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

----------

Link to post
Share on other sites

Gringo, thanks for the reply. I'm not sure exactly what happened but before I saw your reply I thought they had closed thread in which I initially asked you for help. Thinking that thread was closed I began a new thread and have been helped by Jeff. But thanks much for your willingness to help.

Link to post
Share on other sites

Jeff, below is the ComboFix log. I saw that the report indicates that Windows Defender was still on...my bad, I didn't think to turn it off. The report also indicates that Sophos is still on. I know that when I'm not connected to my network at work Sophos doesn't really do its thing so I was hoping that Sophos would not interfere. So, I apologize if I messed this up by still having those things on. Thanks

ComboFix 12-11-27.01 - brada 11/27/2012 8:15.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1796 [GMT -7:00]

Running from: c:\users\brada\Desktop\ComboFix.exe

AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}

SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk

c:\programdata\Roaming

c:\users\brada\AppData\Roaming\Ifser

c:\users\brada\AppData\Roaming\Ifser\yluxo.exe

c:\users\brada\AppData\Roaming\Keehy

c:\users\brada\AppData\Roaming\Keehy\ebge.unb

c:\users\brada\AppData\Roaming\sisup.dll

c:\users\brada\AppData\Roaming\Upti

c:\users\brada\AppData\Roaming\Upti\ecge.lyo

c:\users\brada\AppData\Roaming\vinsv.dll

Q:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2012-10-27 to 2012-11-27 )))))))))))))))))))))))))))))))

.

.

2012-11-23 18:52 . 2012-11-26 16:03 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll

2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos

2012-11-23 15:07 . 2012-11-23 16:20 -------- d-----w- c:\users\brada\AppData\Roaming\Ydatt

2012-11-20 23:47 . 2012-11-26 21:01 -------- d-----w- c:\users\brada\AppData\Roaming\Upcoof

2012-11-20 23:47 . 2012-11-20 23:47 -------- d-----w- c:\users\brada\AppData\Roaming\Udugul

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680]

"Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160]

"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

.

c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Network Drives.bat [2012-9-26 72]

.

c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694]

Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"disablecad"= 1 (0x1)

"LocalAccountTokenFilterPolicy"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0]

"Script"=FLlogon.cmd

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0]

"Script"=azlogon.cmd

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472]

R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152]

R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200]

R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528]

R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440]

R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736]

R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608]

S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448]

S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]

S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952]

S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784]

S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848]

S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776]

S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]

S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280]

S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560]

S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]

S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264]

S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]

S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072]

S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]

S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640]

S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840]

S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400]

S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168]

S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800]

S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080]

S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840]

S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064]

S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408]

S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824]

S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496]

S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248]

S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08]

.

2012-11-27 c:\windows\Tasks\DCAgentUpdater.job

- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23]

.

2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

2012-11-26 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]

@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"

[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]

@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"

[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]

@="{A759AFF6-5851-457D-A540-F4ECED148351}"

[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]

@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"

[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936]

"TpShocks"="TpShocks.exe" [2012-02-17 382528]

"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: fmwrdc.com

TCP: DhcpNameServer = 10.72.201.210 192.168.100.7

TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-sisup - c:\users\brada\AppData\Roaming\sisup.dll

Wow6432Node-HKCU-Run-vinsv - c:\users\brada\AppData\Roaming\vinsv.dll

Wow6432Node-HKCU-Run-Yhetho - c:\users\brada\AppData\Roaming\Ifser\yluxo.exe

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]

"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe

c:\windows\SysWOW64\SAsrv.exe

c:\program files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe

c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe

c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\program files (x86)\DesktopCentral_Agent\bin\dcondemand.exe

c:\program files (x86)\DesktopCentral_Agent\bin\dcswmeter.exe

c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE

c:\program files\AuthenTec TrueSuite\x86\BioMonitor.exe

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files (x86)\Lenovo\System Update\SUService.exe

.

**************************************************************************

.

Completion time: 2012-11-27 08:27:32 - machine was rebooted

ComboFix-quarantined-files.txt 2012-11-27 15:27

.

Pre-Run: 419,743,322,112 bytes free

Post-Run: 420,489,736,192 bytes free

.

- - End Of File - - 1708E384A7F312206AA6C8488D282656

Link to post
Share on other sites

Jeff, the redirect was not happening every time that I clicked on a search result, but at least half the time. Since running ComboFix I have run at least a dozen searches and have not been redirected, so things look good. I will run more searches over the course of the day and keep my fingers crossed.

Link to post
Share on other sites

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:

ClearJavaCache::

DDS::

uRun: [Yhetho] C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe

File::

C:\Users\brada\AppData\Roaming\Ifser\yluxo.exe

Folder::

C:\Users\brada\AppData\Roaming\Ydatt

C:\Users\brada\AppData\Roaming\Upti

C:\Users\brada\AppData\Roaming\Keehy

C:\Users\brada\AppData\Roaming\Upcoof

C:\Users\brada\AppData\Roaming\Udugul

C:\Users\brada\AppData\Roaming\Ifser

C:\Users\brada\AppData\Roaming\vinsv.dll

C:\Users\brada\AppData\Roaming\sisup.dll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

Please post the new ComboFix log and let me know how your system is running. :)

Link to post
Share on other sites

Jeff, a couple things:

1) Can you explain in a sentence or two what your most recent instructions will do when I execute them?

2) I am to copy the text you provided, paste it into Notepad, and save that file as CFScript.txt?

3) I don't think I can disable Sophos (not an administrator). I don't understand how Sophos works but I'm almost positive that if I'm not connected to my work network that it provides less protection that when I am connected to the network. I know/think this bc I'll see stuff get blocked when on the network that slides by when I'm at home. My plan is to follow your instructions from home and cross my fingers that it works. I don't know what else is on the computer in terms of anti-virus, script blocking or anti-malware realtime protection.

a) what about not being able to disable Sophos? How risky is it that I carry out your instructions without getting it disabled?

b) can you tell me what else I should be looking for in terms of other things to turn off? I don't have Norton or any other protection software that I've ever heard of, so I assume that all I would have is what comes on the computer (Windows Defender, etc.). Please provide me with a little guidance in terms of what else i should be looking for.

Thanks!

Link to post
Share on other sites

Hi,

Of course....

Can you explain in a sentence or two what your most recent instructions will do when I execute them?
This is the list of entries that I have found still on your system that need to be removed by ComboFix.

----------

I am to copy the text you provided, paste it into Notepad, and save that file as CFScript.txt
Yes. Then once you have it...drag it on top of the ComboFix icon and it will run automatically.

---------

3) I don't think I can disable Sophos (not an administrator). I don't understand how Sophos works but I'm almost positive that if I'm not connected to my work network that it provides less protection that when I am connected to the network. I know/think this bc I'll see stuff get blocked when on the network that slides by when I'm at home. My plan is to follow your instructions from home and cross my fingers that it works. I don't know what else is on the computer in terms of anti-virus, script blocking or anti-malware realtime protection.

a) what about not being able to disable Sophos? How risky is it that I carry out your instructions without getting it...

Do your best to disable it...if you get a warning that it is still running, go ahead and continue past it. If you have problems, go ahead and boot to Safe Mode and run the ComboFix instructions from there.
Link to post
Share on other sites

Jeff, here is the log. Am I correct that it did not delete everything that it was supposed to? Thanks

ComboFix 12-11-28.02 - BradA 11/28/2012 6:29.2.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1549 [GMT -7:00]

Running from: c:\users\brada\Desktop\ComboFix.exe

Command switches used :: c:\users\brada\Desktop\CFScript.txt

AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}

SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

FILE ::

"c:\users\brada\AppData\Roaming\Ifser\yluxo.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\brada\AppData\Roaming\Udugul

c:\users\brada\AppData\Roaming\Udugul\zoyr.gol

c:\users\brada\AppData\Roaming\Upcoof

c:\users\brada\AppData\Roaming\Ydatt

.

.

((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))

.

.

2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\user\AppData\Local\temp

2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-28 13:42 . 2012-11-28 13:42 -------- d-----w- c:\users\administrator\AppData\Local\temp

2012-11-23 18:52 . 2012-11-27 18:42 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\offreg.dll

2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680]

"Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160]

"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

.

c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Network Drives.bat [2012-9-26 72]

.

c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694]

Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"disablecad"= 1 (0x1)

"LocalAccountTokenFilterPolicy"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0]

"Script"=FLlogon.cmd

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0]

"Script"=azlogon.cmd

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472]

R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152]

R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912]

R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200]

R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168]

R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440]

R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736]

R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608]

S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448]

S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]

S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952]

S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784]

S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848]

S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776]

S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]

S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280]

S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560]

S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]

S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264]

S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]

S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072]

S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]

S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640]

S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840]

S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400]

S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168]

S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800]

S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080]

S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840]

S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064]

S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008]

S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824]

S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496]

S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528]

S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248]

S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08]

.

2012-11-28 c:\windows\Tasks\DCAgentUpdater.job

- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23]

.

2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

2012-11-27 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]

@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"

[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]

@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"

[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]

@="{A759AFF6-5851-457D-A540-F4ECED148351}"

[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]

@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"

[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936]

"TpShocks"="TpShocks.exe" [2012-02-17 382528]

"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: fmwrdc.com

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]

"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1660914278-1877020206-1681959549-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,66,13,94,63,14,d7,4a,9e,56,06,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,66,13,94,63,14,d7,4a,9e,56,06,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-28 06:45:34

ComboFix-quarantined-files.txt 2012-11-28 13:45

ComboFix2.txt 2012-11-27 15:27

.

Pre-Run: 420,225,269,760 bytes free

Post-Run: 420,029,804,544 bytes free

.

- - End Of File - - 0EB918D60F9F877F09C6DCAF3D94EEA5

Link to post
Share on other sites

Everything seems to be running good. No issues. Something that happened yesterday caused the redirect to stop and in at least a couple dozen searches since then I haven't been redirected at all, whereas I had been getting redirected on probably at least 70% of searches. I don't see any other issues, but, then again, I observed no other symptoms before you helped me.

Two things:

1) When running ComboFix this AM Sophos was clearly still engaged and I think had moved nimcmdB.exe to quarantine, and as a result I twice (during the ComboFix scan) got a Windows message that Windows was unable to find nimcmdB.exe. Don't know if that caused issues but thought I'd mention it.

2) Whatever I was infected with, any idea was it up to? Simply redirecting my Google searches? Or more than that? If just redirecting, why? For what purpose? I mean why take the time to write this sneaky code that Malwarebytes and other programs can't detect if it's just going to redirect me?

Thanks

Link to post
Share on other sites

Thanks for letting me know about nimcmdB.exe. :)

--------

As for what the infection was up to it is really hard to say. It could have been part of something larger that was to come but we caught it first.

----------

Java

Please go to Start > Control Panel > Programs and Features > uninstall all the Java Programs you see, now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp

----------

See this page for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked

    • Downloaded Applets
      Downloaded Applications
      Installed Applications and Applets

    [*]Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

    [*]Click OK to leave the Java Control Panel.

----------

Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

----------

ESET Online Scanner

Go here to run an online scannner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------

Link to post
Share on other sites

Malwarebytes scan log below...ESET log to follow...

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.23.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 8.0.7601.17514

BradA :: MP-0B03N [administrator]

11/28/2012 9:40:45 AM

mbam-log-2012-11-28 (09-40-45).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 251260

Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Link to post
Share on other sites

Providing there are no other malware related problems...

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN :D SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!! :D

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

----------

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run text box. Copy/paste the following text into the Run box as shown and click OK.

Combofix /Uninstall

(Note: There is a space between the ..X and the /U that needs to be there.)

CF.jpg

----------

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop. If you did not have Malwarebytes Antimalware before, I would keep it and run it weekly.

----------

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:

NoScript

AdBlock Plus

3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

4. Firewall

Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. **There are firewalls that could be downloaded and used but I would personally only recommend using one of the following two below:

Online Armor Free

Agnitum Outpost Firewall Free

5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

6. WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

7. Finally, I strongly recommend that you read Miekiemoes' great advice How to prevent malware.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Link to post
Share on other sites

Jeff, I owed you an ESET log...here it is. After pasting this I am waiting to follow your insructions from the previous post until I hear back from you. Thanks

C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\vinsv.dll.vir a variant of Win32/Medfos.FJ trojan

C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming\Ifser\yluxo.exe.vir a variant of Win32/Kryptik.APFX trojan

C:\Users\brada\AppData\Local\4A616B0B-3124-11E2-8271-B8AC6F996F26.crx JS/Redirector.NCG trojan

Link to post
Share on other sites

I apologize...I misread what you posted earlier. :blush:

First open an elevated command prompt > Click Start and type cmd in Start Search.

When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Copy the contents of the code box > right click in the command window and select paste


del C:\Users\brada\AppData\Local\4A616B0B-3124-11E2-8271-B8AC6F996F26.crx

Press Enter

Close the Command Prompt window.

That should remove that file and you should be good to go with my final instructions I posted for you.

Link to post
Share on other sites

OK, I did what you said in your most recent post and will now proceed with uninstalling ComboFix and whatever else we installed.

What about the other two items that showed up in the ESET scan? Will they just sit in C:\Qoobox\Quarantine\C\Users\brada\AppData\Roaming forever? Are they harmless in there?

Thanks a bunch

Link to post
Share on other sites

Jeff, I can't seem to get ComboFix to uninstall. When I paste into the Run box what you gave me a couple posts ago my computer starts doing some stuff (it looks a lot like when I ran ComboFix and it was starting up) but then nothing happens and the icon stayed on my desktop. After a while I tried it again and it goes through the same process, which makes me think that it didn't uninstall the first time. Any ideas?

Thanks

Link to post
Share on other sites

Hi,

The other two entries are already quarantined by ComboFix and will be removed with it.

Try to rename Combofix.exe to Uninstall.exe and double-click it. Let me know if it works for you. :)

Link to post
Share on other sites

I might have screwed this up. My desktop icon was called ComboFix, and I renamed it Uninstall.exe. When I double clicked it, it simply ran ComboFix. It's still installed on my computer. For kicks I have posted the log below.

ComboFix 12-11-28.02 - brada 11/28/2012 13:02:35.3.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3685.1957 [GMT -7:00]

Running from: c:\users\brada\Desktop\Uninstall.exe.exe

AV: Sophos Anti-Virus *Enabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}

SP: Sophos Anti-Virus *Enabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-10-28 to 2012-11-28 )))))))))))))))))))))))))))))))

.

.

2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\user\AppData\Local\temp

2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-28 20:09 . 2012-11-28 20:09 -------- d-----w- c:\users\administrator\AppData\Local\temp

2012-11-28 19:48 . 2012-11-28 20:01 -------- d-----w- C:\ComboFix

2012-11-28 16:27 . 2012-11-28 16:27 -------- d-----w- c:\program files (x86)\Common Files\Java

2012-11-28 16:27 . 2012-11-28 16:26 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll

2012-11-28 16:25 . 2012-11-28 16:25 -------- d-----w- c:\programdata\McAfee

2012-11-23 15:44 . 2012-11-23 15:44 -------- d-----w- c:\users\brada\AppData\Local\Sophos

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\users\brada\AppData\Roaming\SUPERAntiSpyware.com

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-11-19 22:13 . 2012-11-19 22:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-11-14 12:22 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E91C04EB-03B2-4943-8C0B-9E4C92AD13B6}\mpengine.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-13 15:19 . 2012-11-13 15:19 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\program files (x86)\QuickTime

2012-11-13 15:19 . 2012-11-13 15:19 -------- d-----w- c:\programdata\Apple Computer

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-11-28 16:26 . 2012-06-23 13:02 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-10-30 04:04 . 2012-06-23 04:42 66395536 ----a-w- c:\windows\system32\MRT.exe

2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2012-10-09 07:08 . 2012-06-23 12:57 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-09 07:08 . 2012-06-23 12:57 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-09-30 02:54 . 2012-07-09 05:16 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\users\brada\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-04 291608]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-15 5935680]

"Fastboot"="c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBConsole.exe" [2012-01-17 1091376]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]

"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-08-13 900160]

"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\users\brada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Network Drives.bat [2012-9-26 72]

.

c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-6-25 576000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Microsoft Office Communicator 2007 R2.lnk - c:\windows\Installer\{E84D1C9D-6669-4156-992B-17557D64F1D3}\Comm.Ico [2012-7-10 26694]

Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe [2012-6-23 845584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"disablecad"= 1 (0x1)

"LocalAccountTokenFilterPolicy"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\0\0]

"Script"=FLlogon.cmd

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1660914278-1877020206-1681959549-2289\Scripts\Logon\1\0]

"Script"=azlogon.cmd

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [2012-02-02 145472]

R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-08-13 2009152]

R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2012-01-09 195584]

R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-02-22 1304912]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]

R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-21 34200]

R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 8 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [2012-03-21 605320]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2012-02-26 273168]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-15 1662528]

R3 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-15 165440]

R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2012-06-25 36640]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-23 1255736]

R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2012-06-25 25608]

S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2011-11-09 14448]

S0 Fastboot;Fastboot;c:\windows\System32\DRIVERS\Fastboot.sys [2012-01-17 70416]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-12-29 25416]

S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [2012-01-31 33344]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-06-25 144672]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2012-01-09 659968]

S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-02-22 1014096]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-02-22 1104208]

S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2012-01-17 135952]

S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe [2010-12-17 198784]

S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-11-09 8447848]

S2 FastbootService;FastbootService;c:\program files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe [2012-01-17 169776]

S2 FPLService;TrueSuiteService;c:\program files\AuthenTec TrueSuite\TrueSuiteService.exe [2011-12-23 313672]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 607456]

S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2011-12-23 128280]

S2 Intel® Small Business Advantage;Intel® Small Business Advantage;c:\program files (x86)\Intel\Intel® Small Business Advantage\Service\Intel.SmallBusinessAdvantage.WindowsService.exe [2012-02-27 49376]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-23 161560]

S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2012-04-11 58192]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2011-07-12 101736]

S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2012-04-11 61264]

S2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;c:\program files\Lenovo\Communications Utility\vcamsvc.exe [2012-04-11 175440]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2011-07-12 133992]

S2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 8 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [2012-03-21 552072]

S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [x]

S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-09-17 216640]

S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-09 139840]

S2 Sophos Web Control Service;Sophos Web Control Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Control\swc_service.exe [2012-06-25 357400]

S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-09-17 2863168]

S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2011-07-12 145256]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2011-12-29 144960]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-23 363800]

S2 VIPAppService;VIPAppService;c:\program files (x86)\Symantec\VIP Access Client\VIPAppService.exe [2011-12-05 84080]

S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2012-02-26 2669840]

S3 5U877;5U877;c:\windows\system32\DRIVERS\5U877.sys [2012-02-16 216064]

S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]

S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-11-30 94720]

S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-11-30 747008]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_6.1.32700.0.sys [2012-05-01 17408]

S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2011-11-09 307824]

S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-02-14 60928]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]

S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-21 25496]

S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2011-10-27 259688]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-08-23 565352]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2011-05-29 40248]

S3 tvtvcamd;ThinkVantage Virtual Camera;c:\windows\system32\DRIVERS\tvtvcamd.sys [2011-12-08 27432]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-28 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-23 07:08]

.

2012-11-28 c:\windows\Tasks\DCAgentUpdater.job

- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupgrader.exe [2012-03-21 17:23]

.

2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-02 22:02]

.

2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

2012-11-28 c:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job

- c:\program files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25 20:41]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]

@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"

[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]

@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"

[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]

@="{A759AFF6-5851-457D-A540-F4ECED148351}"

[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]

@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"

[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]

2012-02-29 06:38 463952 ----a-w- c:\program files (x86)\SugarSync\SugarSyncShellExt_x64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-02-17 177936]

"TpShocks"="TpShocks.exe" [2012-02-17 382528]

"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2012-04-11 283984]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: fmwrdc.com

TCP: DhcpNameServer = 10.72.201.210 192.168.100.7

TCP: Interfaces\{03FDA058-FDD0-468B-A48C-81D278A9AAD2}: NameServer = 10.72.201.210,192.168.100.7

DPF: {A00C0AFC-E004-4024-9D25-52952AC99A6A} - hxxps://mwr1nav.fmwrdc.com/NAV_nav1151/NAV1251.CAB

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]

"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Fastboot]

"ImagePath"=multi:"System32\DRIVERS\Fastboot.sys\00"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-28 13:27:38

ComboFix-quarantined-files.txt 2012-11-28 20:27

ComboFix2.txt 2012-11-28 13:45

ComboFix3.txt 2012-11-27 15:27

.

Pre-Run: 418,556,784,640 bytes free

Post-Run: 418,268,872,704 bytes free

.

- - End Of File - - BC859CFEC7A6CB138B1AC5C6B6F2DCB0

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.