
Got fake AV prompt, killed IE but have had memory errors since


  • This topic is locked
10 replies to this topic

#1 ciscoman

ciscoman

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 14 April 2011 - 10:54 AM

I have had a lot of memory errors where applications can't run or open ever since I got a fake AV prompt. I killed the IE session, but it looks like I still need help rooting out anything else. I am running Windows 7 64-bit, so I can't run the GMER tool.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by me at 9:01:40.01 on Thu 04/14/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3951.1164 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Security 360 *Disabled/Outdated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\companyservice.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\vcsFPService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\windows\system32\WLANExt.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\conhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k NetworkService
C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\AESTSr64.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files (x86)\IObit\IObit Security 360\IS360srv.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\windows\System32\svchost.exe -k companyZ12
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\windows\system32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\windows\SysWOW64\PGPserv.exe
C:\windows\System32\svchost.exe -k companyZ12
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\company\CM\Agent\radexecd.exe
C:\Program Files (x86)\company\CM\Agent\radsched.exe
C:\PROGRA~2\HEWLET~1\CM\Agent\radalert.exe
C:\Program Files (x86)\company\CM\Agent\Radstgms.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\company\adci\adcist.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\TightVNC\tvnserver.exe
C:\windows\system32\UI0Detect.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\WebEx\Connect\connect.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Users\me\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Qlock\qlock.exe
C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMStatus.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\VolCtrl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CrSSL\bin\crssl-client.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\TightVNC\tvnserver.exe
C:\Program Files (x86)\IObit\IObit Security 360\is360tray.exe
C:\Program Files (x86)\company\Shared\companyqwmiex.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe
C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe
C:\Program Files (x86)\WebEx\Connect\widget.exe
C:\Program Files\company\company Wireless Assistant\companyWA_Main.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\company\company Wireless Assistant\companyWA_Service.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\RSA SecurID Software Token\SecurID.exe
C:\Users\me\AppData\Roaming\Juniper Networks\Host Checker\dsHostChecker.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearccompanyrotocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\Users\me\Downloads\dds.scr
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = be.company.com
uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
uRun: [adcist.exe] c:\company\adci\adcist.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
uRun: [Google Update] "C:\Users\me\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [WatchDog] C:\Program Files (x86)\InterVideo\DVD8SESD\DVDCheck.exe
mRun: [!AUMStatus] C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMStatus.exe
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [QlbCtrl.exe] C:\Program Files (x86)\company\company Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NUSB3MON] "c:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [adcius.exe] c:\company\adci\adcius.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [crssl-client] C:\Program Files (x86)\CrSSL\bin\crssl-client.exe
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave
mRun: [IObit Security 360] "C:\Program Files (x86)\IObit\IObit Security 360\IS360tray.exe" /autostart
dRun: [adcist.exe] c:\company\adci\adcist.exe
dRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\me\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\qlock.lnk - C:\Program Files (x86)\Qlock\qlock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PGPTRA~1.LNK - C:\windows\Installer\{AC3F133F-79DC-4B7A-B0AD-68F502055FDB}\Icon6560581611.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: C:\windows\system32\PGPlsp.dll
Trusted Zone: company.com\collaborate.supplychain
Trusted Zone: company.com\eroom.service
Trusted Zone: company.com\meidas.hr
Trusted Zone: company.com\wcsviper.cos
Trusted Zone: apply2jobs.com\company
Trusted Zone: assessmentplus.com
Trusted Zone: edcor.com\ww6
Trusted Zone: fidelity.com\workplaceservices100
Trusted Zone: company.com
Trusted Zone: company.com\gsd-agent.atlsmi.co-lo
Trusted Zone: knowledgeplanet.com
Trusted Zone: mymeetingplace.net\gc30gw1
Trusted Zone: mzinga.com
Trusted Zone: virtualedge.com
Trusted Zone: webex.com\collaborate
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.company.com/vRoom_Cab/WebcompanyVCInstall35.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxps://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://company.webex.com/client/T27L10NSP17EP4/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://scssslvpn.net.americas.company.com/dana-cached/sc/JuniperSetupClient.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs: PGPmapih.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - C:\Windows\SysWOW64\ieframe.dll
LSA: Notification Packages = scecli PGPpwflt
mASetup: {69703D29-8BA4-482C-90CC-7432C6AEF414} - msiexec.exe /fup {69703D29-8BA4-482C-90CC-7432C6AEF414} /qb!
mASetup: {EFDF9138-E80E-46FA-8AC0-B8818EB8617A} - msiexec.exe /fu {EFDF9138-E80E-46FA-8AC0-B8818EB8617A} /qb!
mASetup: >{F68D3BCB-E0D4-4E62-B16C-CAA794081E26} - wscript //b "C:\Program Files (x86)\companyIE6Settings\ConfigureIE6.vbs"
mASetup: >{F6CBDE3D-3200-41A9-B22D-C7ED922A7B16} - wscript //b "C:\Program Files (x86)\company MS Office Templates\UserSetup.vbs"
mASetup: >{F82A802F-470C-4882-BD2A-6B7CD8C1D6BC} - wscript //b "C:\Program Files (x86)\companyIE7Settings\ConfigureIE7.vbs"
mASetup: >{FAEF8561-BE54-4373-8BDB-D5751C0410B9} - wscript //b "C:\Program Files\companyIE8Settings\ConfigureIE8.vbs"
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
mRun-x64: [IgfxTray] C:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\windows\system32\igfxpers.exe
mRun-x64: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [companyWirelessAssistant] C:\Program Files\company\company Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\company\company Wireless Assistant\companyWA_Main.exe /hidden
mRun-x64: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
mRun-x64: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\ty26n7xx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npeRoom7.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: C:\Users\me\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - C:\Program Files (x86)\McAfee\SiteAdvisor
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
.
============= SERVICES / DRIVERS ===============
.
R0 pgpfs;PGP File Sharing;C:\Windows\System32\drivers\PGPfsfd.sys [2010-5-24 169592]
R0 Pgpwdefs;Pgpwdefs;C:\Windows\System32\drivers\PGPwdefs.sys [2010-5-24 14456]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2011-3-29 18232]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\AESTSr64.exe [2011-1-11 89600]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2011-1-28 387072]
R2 AUMService;companyCA Application Usage Manager Agent Service;C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMService.exe [2009-9-30 235064]
R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\System32\drivers\CipcCdp.sys [2011-3-15 27200]
R2 company Wireless Assistant Service;company Wireless Assistant Service;C:\Program Files\company\company Wireless Assistant\companyWA_Service.exe [2010-1-27 102968]
R2 companysrv;company Service;C:\Windows\System32\companyservice.exe [2010-7-16 30520]
R2 IS360service;IS360service;C:\Program Files (x86)\IObit\IObit Security 360\is360srv.exe [2011-4-13 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-4-7 101048]
R2 radexecd;companyCA Notify Daemon;C:\Program Files (x86)\company\CM\Agent\radexecd.exe [2010-2-12 300776]
R2 radsched;companyCA Scheduler Daemon;C:\Program Files (x86)\company\CM\Agent\radsched.exe [2010-2-12 190184]
R2 Radstgms;companyCA MSI Redirector;C:\Program Files (x86)\company\CM\Agent\radstgms.exe [2010-2-12 333544]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2011-2-23 1839776]
R2 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2010-7-8 815704]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-1-11 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2009-12-30 2019120]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\company\company Quick Launch Buttons\Com4QLBEx.exe [2011-1-11 227896]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2011-1-11 295088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-4-5 132656]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2011-2-24 7680512]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2009-11-20 75776]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2009-11-20 177152]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-1-28 86120]
R3 rismcx64;RICOH Smart Card Reader;C:\Windows\System32\drivers\rismcx64.sys [2011-1-11 59008]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-4 136176]
S2 Trustwave-Application-Server;Trustwave Application Server;C:\Program Files (x86)\Trustwave\Trustwave Application Server.exe [2011-2-4 109568]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-1-11 35104]
S3 CrSSLService;CrSSL Service;C:\Program Files (x86)\CrSSL\bin\crsslservice.exe [2010-9-9 34304]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-23 1255736]
.
=============== Created Last 30 ================
.
2011-04-08 19:00:44 -------- d-----w- C:\Users\me\AppData\Roaming\TightVNC
2011-04-08 18:58:32 -------- d-----w- C:\Program Files (x86)\TightVNC
2011-04-08 14:21:19 -------- d-----w- C:\Program Files (x86)\Common Files\PS
2011-04-07 16:37:13 4608 ----a-w- C:\windows\SysWow64\W95Inf32.DLL
2011-04-07 16:37:13 2272 ----a-w- C:\windows\SysWow64\W95Inf16.DLL
2011-04-06 21:29:28 -------- d-----w- C:\Program Files (x86)\Investintech.com Inc
2011-04-06 15:08:36 -------- d-----w- C:\Program Files (x86)\Trustwave
2011-04-05 22:59:47 -------- d-----r- C:\Users\me\Dropbox
2011-04-05 22:55:44 -------- d-----w- C:\Users\me\AppData\Roaming\Dropbox
2011-03-31 14:24:17 902656 ----a-w- C:\windows\System32\d2d1.dll
2011-03-31 14:24:17 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2011-03-31 14:24:17 1540608 ----a-w- C:\windows\System32\DWrite.dll
2011-03-31 14:24:17 1135104 ----a-w- C:\windows\System32\FntCache.dll
2011-03-31 14:24:17 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2011-03-31 14:23:52 662528 ----a-w- C:\windows\System32\XpsPrint.dll
2011-03-31 14:23:52 475648 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2011-03-31 14:23:52 442880 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2011-03-31 14:23:52 288256 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2011-03-31 14:23:21 197120 ----a-w- C:\windows\System32\d3d10_1.dll
2011-03-31 14:23:21 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2011-03-31 14:22:17 367104 ----a-w- C:\windows\System32\wcncsvc.dll
2011-03-31 14:22:17 276992 ----a-w- C:\windows\SysWow64\wcncsvc.dll
2011-03-29 18:38:49 32136 ----a-w- C:\windows\System32\SmartDefragBootTime.exe
2011-03-29 18:38:49 18232 ----a-w- C:\windows\System32\drivers\SmartDefragDriver.sys
2011-03-29 18:38:42 -------- d-----w- C:\PROGRA~3\IObit
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\IObit Toolbar
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\Application Updater
2011-03-25 16:18:26 -------- d-----w- C:\Share
2011-03-24 06:51:04 961024 ----a-w- C:\windows\System32\CPFilters.dll
2011-03-24 06:51:04 723968 ----a-w- C:\windows\System32\EncDec.dll
2011-03-24 06:51:03 534528 ----a-w- C:\windows\SysWow64\EncDec.dll
2011-03-24 06:51:02 642048 ----a-w- C:\windows\SysWow64\CPFilters.dll
2011-03-24 06:51:01 259072 ----a-w- C:\windows\System32\mpg2splt.ax
2011-03-24 06:51:00 199680 ----a-w- C:\windows\SysWow64\mpg2splt.ax
2011-03-24 06:50:55 850432 ----a-w- C:\windows\SysWow64\sbe.dll
2011-03-24 06:50:54 1118720 ----a-w- C:\windows\System32\sbe.dll
2011-03-24 06:50:29 1034240 ----a-w- C:\windows\SysWow64\mstsc.exe
2011-03-24 06:50:28 1097216 ----a-w- C:\windows\System32\mstsc.exe
2011-03-24 06:50:27 2690560 ----a-w- C:\windows\SysWow64\mstscax.dll
2011-03-24 06:50:26 3138048 ----a-w- C:\windows\System32\mstscax.dll
2011-03-15 17:37:55 27200 ----a-r- C:\windows\System32\drivers\CipcCdp.sys
2011-03-15 17:37:55 1919968 ----a-r- C:\windows\System32\wdfcoinstaller01005.dll
2011-03-15 17:36:49 -------- d-----w- C:\Program Files (x86)\Common Files\Cisco Systems
2011-03-15 17:36:49 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2011-03-15 17:36:49 -------- d-----w- C:\PROGRA~3\Cisco
2011-03-15 17:36:49 -------- d-----w- C:\Local Settings
.
==================== Find3M ====================
.
2011-03-23 16:58:49 173616 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-02-23 19:33:14 87408 ----a-w- C:\windows\SysWow64\FwsVpn.dll
2011-02-23 19:33:14 53808 ----a-w- C:\windows\System32\drivers\WPSDRVnt.sys
2011-02-23 19:33:14 482352 ----a-w- C:\windows\System32\drivers\srtspl64.sys
2011-02-23 19:33:14 449072 ----a-w- C:\windows\System32\drivers\srtsp64.sys
2011-02-23 19:33:14 32304 ----a-w- C:\windows\System32\drivers\srtspx64.sys
2011-02-23 19:33:14 20336 ----a-w- C:\windows\System32\SnacNp.dll
2011-02-23 19:33:14 18288 ----a-w- C:\windows\SysWow64\SnacNp.dll
2011-02-23 19:33:14 137584 ----a-w- C:\windows\SysWow64\SymVPN.dll
2011-02-23 19:33:14 137584 ----a-w- C:\windows\System32\SymVPN.dll
2011-02-23 19:33:12 64048 ----a-w- C:\windows\System32\drivers\Teefer2.sys
2011-02-03 04:40:23 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2011-01-26 06:53:10 982912 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\windows\System32\cdd.dll
.
============= FINISH: 9:02:32.75 ===============



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:05:15 AM

Posted 23 April 2011 - 03:37 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 ciscoman

ciscoman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:15 PM

Posted 25 April 2011 - 10:57 AM

Further investigation shows I have large calls going out to the internet using UNS.exe and LMS.exe. I also have logs showing incoming connections to my PC through my firewall using high ports, like: [LAN access from remote] from 75.69.61.116:8790 to 192.168.1.8:37605 Monday, Apr 25,2011 09:29:25

DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by me at 11:37:40.01 on Mon 04/25/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3951.1164 [GMT -6:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Security 360 *Disabled/Outdated* {FAE2835A-B90A-9E7A-85DA-82DBDA7C1E3A}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\STacSV64.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\companyservice.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\vcsFPService.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\windows\system32\WLANExt.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\system32\conhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k NetworkService
C:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\AESTSr64.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files (x86)\IObit\IObit Security 360\IS360srv.exe
C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
C:\windows\System32\svchost.exe -k companyZ12
C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
C:\windows\system32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\windows\SysWOW64\PGPserv.exe
C:\windows\System32\svchost.exe -k companyZ12
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\company\CM\Agent\radexecd.exe
C:\Program Files (x86)\company\CM\Agent\radsched.exe
C:\PROGRA~2\HEWLET~1\CM\Agent\radalert.exe
C:\Program Files (x86)\company\CM\Agent\Radstgms.exe
C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\company\adci\adcist.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\TightVNC\tvnserver.exe
C:\windows\system32\UI0Detect.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\WebEx\Connect\connect.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Users\me\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Qlock\qlock.exe
C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMStatus.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\VolCtrl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CrSSL\bin\crssl-client.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\TightVNC\tvnserver.exe
C:\Program Files (x86)\IObit\IObit Security 360\is360tray.exe
C:\Program Files (x86)\company\Shared\companyqwmiex.exe
C:\Program Files (x86)\company\company Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe
C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe
C:\Program Files (x86)\WebEx\Connect\widget.exe
C:\Program Files\company\company Wireless Assistant\companyWA_Main.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\company\company Wireless Assistant\companyWA_Service.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\RSA SecurID Software Token\SecurID.exe
C:\Users\me\AppData\Roaming\Juniper Networks\Host Checker\dsHostChecker.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\Users\me\Downloads\dds.scr
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = be.company.com
uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
uRun: [adcist.exe] c:\company\adci\adcist.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
uRun: [Google Update] "C:\Users\me\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [WatchDog] C:\Program Files (x86)\InterVideo\DVD8SESD\DVDCheck.exe
mRun: [!AUMStatus] C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMStatus.exe
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [QlbCtrl.exe] C:\Program Files (x86)\company\company Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NUSB3MON] "c:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [adcius.exe] c:\company\adci\adcius.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [crssl-client] C:\Program Files (x86)\CrSSL\bin\crssl-client.exe
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
mRun: [tvncontrol] "C:\Program Files (x86)\TightVNC\tvnserver.exe" -controlservice -slave
mRun: [IObit Security 360] "C:\Program Files (x86)\IObit\IObit Security 360\IS360tray.exe" /autostart
dRun: [adcist.exe] c:\company\adci\adcist.exe
dRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\me\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\qlock.lnk - C:\Program Files (x86)\Qlock\qlock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PGPTRA~1.LNK - C:\windows\Installer\{AC3F133F-79DC-4B7A-B0AD-68F502055FDB}\Icon6560581611.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: disablecad = 1 (0x1)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: C:\windows\system32\PGPlsp.dll
Trusted Zone: company.com\collaborate.supplychain
Trusted Zone: company.com\eroom.service
Trusted Zone: company.com\meidas.hr
Trusted Zone: company.com\wcsviper.cos
Trusted Zone: apply2jobs.com\company
Trusted Zone: assessmentplus.com
Trusted Zone: edcor.com\ww6
Trusted Zone: fidelity.com\workplaceservices100
Trusted Zone: company.com
Trusted Zone: company.com\gsd-agent.atlsmi.co-lo
Trusted Zone: knowledgeplanet.com
Trusted Zone: mymeetingplace.net\gc30gw1
Trusted Zone: mzinga.com
Trusted Zone: virtualedge.com
Trusted Zone: webex.com\collaborate
DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.company.com/vRoom_Cab/WebcompanyVCInstall35.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxps://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://company.webex.com/client/T27L10NSP17EP4/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://scssslvpn.net.americas.company.com/dana-cached/sc/JuniperSetupClient.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
AppInit_DLLs: PGPmapih.dll
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - C:\Windows\SysWOW64\ieframe.dll
LSA: Notification Packages = scecli PGPpwflt
mASetup: {69703D29-8BA4-482C-90CC-7432C6AEF414} - msiexec.exe /fup {69703D29-8BA4-482C-90CC-7432C6AEF414} /qb!
mASetup: {EFDF9138-E80E-46FA-8AC0-B8818EB8617A} - msiexec.exe /fu {EFDF9138-E80E-46FA-8AC0-B8818EB8617A} /qb!
mASetup: >{F68D3BCB-E0D4-4E62-B16C-CAA794081E26} - wscript //b "C:\Program Files (x86)\companyIE6Settings\ConfigureIE6.vbs"
mASetup: >{F6CBDE3D-3200-41A9-B22D-C7ED922A7B16} - wscript //b "C:\Program Files (x86)\company MS Office Templates\UserSetup.vbs"
mASetup: >{F82A802F-470C-4882-BD2A-6B7CD8C1D6BC} - wscript //b "C:\Program Files (x86)\companyIE7Settings\ConfigureIE7.vbs"
mASetup: >{FAEF8561-BE54-4373-8BDB-D5751C0410B9} - wscript //b "C:\Program Files\companyIE8Settings\ConfigureIE8.vbs"
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
mRun-x64: [IgfxTray] C:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\windows\system32\igfxpers.exe
mRun-x64: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun-x64: [companyWirelessAssistant] C:\Program Files\company\company Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\company\company Wireless Assistant\companyWA_Main.exe /hidden
mRun-x64: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
mRun-x64: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\ty26n7xx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npeRoom7.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: C:\Users\me\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - C:\Program Files (x86)\McAfee\SiteAdvisor
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
.
============= SERVICES / DRIVERS ===============
.
R0 pgpfs;PGP File Sharing;C:\Windows\System32\drivers\PGPfsfd.sys [2010-5-24 169592]
R0 Pgpwdefs;Pgpwdefs;C:\Windows\System32\drivers\PGPwdefs.sys [2010-5-24 14456]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\drivers\SmartDefragDriver.sys [2011-3-29 18232]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\AESTSr64.exe [2011-1-11 89600]
R2 Application Updater;Application Updater;C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe [2011-1-28 387072]
R2 AUMService;companyCA Application Usage Manager Agent Service;C:\Program Files (x86)\company\CM\AUM Agent\bin\AUMService.exe [2009-9-30 235064]
R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\System32\drivers\CipcCdp.sys [2011-3-15 27200]
R2 company Wireless Assistant Service;company Wireless Assistant Service;C:\Program Files\company\company Wireless Assistant\companyWA_Service.exe [2010-1-27 102968]
R2 companysrv;company Service;C:\Windows\System32\companyservice.exe [2010-7-16 30520]
R2 IS360service;IS360service;C:\Program Files (x86)\IObit\IObit Security 360\is360srv.exe [2011-4-13 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2011-4-7 101048]
R2 radexecd;companyCA Notify Daemon;C:\Program Files (x86)\company\CM\Agent\radexecd.exe [2010-2-12 300776]
R2 radsched;companyCA Scheduler Daemon;C:\Program Files (x86)\company\CM\Agent\radsched.exe [2010-2-12 190184]
R2 Radstgms;companyCA MSI Redirector;C:\Program Files (x86)\company\CM\Agent\radstgms.exe [2010-2-12 333544]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2011-2-23 1839776]
R2 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2010-7-8 815704]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-1-11 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\Windows\System32\vcsFPService.exe [2009-12-30 2019120]
R3 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\company\company Quick Launch Buttons\Com4QLBEx.exe [2011-1-11 227896]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2011-1-11 295088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-4-5 132656]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2011-2-24 7680512]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2009-11-20 75776]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2009-11-20 177152]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-1-28 86120]
R3 rismcx64;RICOH Smart Card Reader;C:\Windows\System32\drivers\rismcx64.sys [2011-1-11 59008]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-4 136176]
S2 Trustwave-Application-Server;Trustwave Application Server;C:\Program Files (x86)\Trustwave\Trustwave Application Server.exe [2011-2-4 109568]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-1-11 35104]
S3 CrSSLService;CrSSL Service;C:\Program Files (x86)\CrSSL\bin\crsslservice.exe [2010-9-9 34304]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-4-23 1255736]
.
=============== Created Last 30 ================
.
2011-04-08 19:00:44 -------- d-----w- C:\Users\me\AppData\Roaming\TightVNC
2011-04-08 18:58:32 -------- d-----w- C:\Program Files (x86)\TightVNC
2011-04-08 14:21:19 -------- d-----w- C:\Program Files (x86)\Common Files\PS
2011-04-07 16:37:13 4608 ----a-w- C:\windows\SysWow64\W95Inf32.DLL
2011-04-07 16:37:13 2272 ----a-w- C:\windows\SysWow64\W95Inf16.DLL
2011-04-06 21:29:28 -------- d-----w- C:\Program Files (x86)\Investintech.com Inc
2011-04-06 15:08:36 -------- d-----w- C:\Program Files (x86)\Trustwave
2011-04-05 22:59:47 -------- d-----r- C:\Users\me\Dropbox
2011-04-05 22:55:44 -------- d-----w- C:\Users\me\AppData\Roaming\Dropbox
2011-03-31 14:24:17 902656 ----a-w- C:\windows\System32\d2d1.dll
2011-03-31 14:24:17 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2011-03-31 14:24:17 1540608 ----a-w- C:\windows\System32\DWrite.dll
2011-03-31 14:24:17 1135104 ----a-w- C:\windows\System32\FntCache.dll
2011-03-31 14:24:17 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2011-03-31 14:23:52 662528 ----a-w- C:\windows\System32\XpsPrint.dll
2011-03-31 14:23:52 475648 ----a-w- C:\windows\System32\XpsGdiConverter.dll
2011-03-31 14:23:52 442880 ----a-w- C:\windows\SysWow64\XpsPrint.dll
2011-03-31 14:23:52 288256 ----a-w- C:\windows\SysWow64\XpsGdiConverter.dll
2011-03-31 14:23:21 197120 ----a-w- C:\windows\System32\d3d10_1.dll
2011-03-31 14:23:21 161792 ----a-w- C:\windows\SysWow64\d3d10_1.dll
2011-03-31 14:22:17 367104 ----a-w- C:\windows\System32\wcncsvc.dll
2011-03-31 14:22:17 276992 ----a-w- C:\windows\SysWow64\wcncsvc.dll
2011-03-29 18:38:49 32136 ----a-w- C:\windows\System32\SmartDefragBootTime.exe
2011-03-29 18:38:49 18232 ----a-w- C:\windows\System32\drivers\SmartDefragDriver.sys
2011-03-29 18:38:42 -------- d-----w- C:\PROGRA~3\IObit
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\IObit Toolbar
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2011-03-29 18:38:36 -------- d-----w- C:\Program Files (x86)\Application Updater
2011-03-25 16:18:26 -------- d-----w- C:\Share
2011-03-24 06:51:04 961024 ----a-w- C:\windows\System32\CPFilters.dll
2011-03-24 06:51:04 723968 ----a-w- C:\windows\System32\EncDec.dll
2011-03-24 06:51:03 534528 ----a-w- C:\windows\SysWow64\EncDec.dll
2011-03-24 06:51:02 642048 ----a-w- C:\windows\SysWow64\CPFilters.dll
2011-03-24 06:51:01 259072 ----a-w- C:\windows\System32\mpg2splt.ax
2011-03-24 06:51:00 199680 ----a-w- C:\windows\SysWow64\mpg2splt.ax
2011-03-24 06:50:55 850432 ----a-w- C:\windows\SysWow64\sbe.dll
2011-03-24 06:50:54 1118720 ----a-w- C:\windows\System32\sbe.dll
2011-03-24 06:50:29 1034240 ----a-w- C:\windows\SysWow64\mstsc.exe
2011-03-24 06:50:28 1097216 ----a-w- C:\windows\System32\mstsc.exe
2011-03-24 06:50:27 2690560 ----a-w- C:\windows\SysWow64\mstscax.dll
2011-03-24 06:50:26 3138048 ----a-w- C:\windows\System32\mstscax.dll
2011-03-15 17:37:55 27200 ----a-r- C:\windows\System32\drivers\CipcCdp.sys
2011-03-15 17:37:55 1919968 ----a-r- C:\windows\System32\wdfcoinstaller01005.dll
2011-03-15 17:36:49 -------- d-----w- C:\Program Files (x86)\Common Files\Cisco Systems
2011-03-15 17:36:49 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2011-03-15 17:36:49 -------- d-----w- C:\PROGRA~3\Cisco
2011-03-15 17:36:49 -------- d-----w- C:\Local Settings
.
==================== Find3M ====================
.
2011-03-23 16:58:49 173616 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2011-02-23 19:33:14 87408 ----a-w- C:\windows\SysWow64\FwsVpn.dll
2011-02-23 19:33:14 53808 ----a-w- C:\windows\System32\drivers\WPSDRVnt.sys
2011-02-23 19:33:14 482352 ----a-w- C:\windows\System32\drivers\srtspl64.sys
2011-02-23 19:33:14 449072 ----a-w- C:\windows\System32\drivers\srtsp64.sys
2011-02-23 19:33:14 32304 ----a-w- C:\windows\System32\drivers\srtspx64.sys
2011-02-23 19:33:14 20336 ----a-w- C:\windows\System32\SnacNp.dll
2011-02-23 19:33:14 18288 ----a-w- C:\windows\SysWow64\SnacNp.dll
2011-02-23 19:33:14 137584 ----a-w- C:\windows\SysWow64\SymVPN.dll
2011-02-23 19:33:14 137584 ----a-w- C:\windows\System32\SymVPN.dll
2011-02-23 19:33:12 64048 ----a-w- C:\windows\System32\drivers\Teefer2.sys
2011-02-03 04:40:23 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2011-01-26 06:53:10 982912 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\windows\System32\cdd.dll
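The two artefacts in this post, the router's "[LAN access from remote]" line and the DDS autostart entries, as a small triage script. This is an added example and not code from the post, from DDS or from ComboFix; the second firewall line, the EXPECTED_LISTENERS table and the user-writable-path rule are assumptions made for the demo.

```python
# Added triage example; it is not code from the post, from DDS or from ComboFix.
# It parses the two artefacts quoted in the post above: a router
# "[LAN access from remote]" firewall line and DDS "Pseudo HJT Report"
# autostart entries, and returns what a helper would look at first.
import ipaddress
import re

# Constructed sample: the firewall line quoted in the post, plus an assumed
# second hit from the same source aimed at a port that is expected to listen
# (tvnserver.exe appears in the process list).
FIREWALL_LOG = """\
[LAN access from remote] from 75.69.61.116:8790 to 192.168.1.8:37605 Monday, Apr 25,2011 09:29:25
[LAN access from remote] from 75.69.61.116:8791 to 192.168.1.8:5900 Monday, Apr 25,2011 09:30:02
"""

# Assumed: services the owner knowingly exposes (port -> name). Anything else
# reached from the Internet must be tied to a process on the host.
EXPECTED_LISTENERS = {5900: "TightVNC (tvnserver.exe)"}

FW_RE = re.compile(r"from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):(?P<dport>\d+)")


def classify_firewall_line(line):
    """Describe one access record; None if the line is not one."""
    m = FW_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dport = int(m["dport"])
    from_internet = src.is_global        # False for RFC 1918, loopback, link-local
    expected = dport in EXPECTED_LISTENERS
    if from_internet and not expected:
        action = "find the PID bound to port %d (netstat -ano) and its image" % dport
    else:
        action = "known listener %s; confirm it is still wanted" % EXPECTED_LISTENERS.get(dport, "")
    return {"src": str(src), "dst": m["dst"], "dport": dport,
            "from_internet": from_internet, "expected": expected, "action": action}


def triage_firewall_log(text):
    return [r for r in map(classify_firewall_line, text.splitlines()) if r]


# Constructed sample: five lines copied from the DDS log above.
DDS_SAMPLE = r"""
uRun: [Google Update] "C:\Users\me\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
StartupFolder: C:\Users\me\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\me\AppData\Roaming\Dropbox\bin\Dropbox.exe
mASetup: >{F68D3BCB-E0D4-4E62-B16C-CAA794081E26} - wscript //b "C:\Program Files (x86)\companyIE6Settings\ConfigureIE6.vbs"
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - C:\Program Files (x86)\IObit Toolbar\IE\4.3\iobitToolbarIE.dll
"""

AUTOSTART_KINDS = {"uRun", "mRun", "dRun", "mRun-x64", "StartupFolder",
                   "BHO", "BHO-X64", "TB", "TB-X64", "mASetup"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|vbs|js|bat|cmd)', re.I)
# Assumed rule: a standard user can write here, so persistence from these
# locations is reviewed first.
USER_WRITABLE_RE = re.compile(r"\\users\\|appdata|\\programdata\\|\\temp\\", re.I)
# Hosts that run whatever is passed as an argument; the payload is the argument.
SCRIPT_HOST_RE = re.compile(r"^\s*(rundll32|wscript|cscript|regsvr32|mshta)\b", re.I)


def parse_dds_entry(line):
    """Split 'kind: [name] "path" args' or 'kind: name - path' into fields."""
    kind, _, rest = line.partition(": ")
    if kind not in AUTOSTART_KINDS:
        return None
    target = rest.split(" - ")[-1]       # text after the last ' - ' is what runs
    m = re.match(r"\[(.*?)\]", rest)
    name = m.group(1) if m else rest.split(" - ")[0].split(": {")[0].rsplit("\\", 1)[-1]
    pm = PATH_RE.search(target)
    path = pm.group(0) if pm else target.strip()
    reasons = []
    if USER_WRITABLE_RE.search(path):
        reasons.append("user-profile path")
    if SCRIPT_HOST_RE.match(target):
        reasons.append("script host launcher")
    return {"kind": kind, "name": name, "path": path, "reasons": reasons}


def triage_dds(text):
    """Every recognised autostart entry; 'reasons' is empty when no rule fired."""
    return [e for e in map(parse_dds_entry, text.strip().splitlines()) if e]


def flagged(entries):
    return [e for e in entries if e["reasons"]]


if __name__ == "__main__":
    for r in triage_firewall_log(FIREWALL_LOG):
        print(r["src"], "->", r["dst"], r["dport"], r["action"])
    for e in flagged(triage_dds(DDS_SAMPLE)):
        print(e["kind"], e["name"], e["path"], e["reasons"])
```

Location rules only narrow the list: the IObit toolbar DLL that ComboFix removes later in the thread lives under Program Files and gets no flag here, so the BHO and TB entries still need a manual read.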

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:15 AM

Posted 25 April 2011 - 12:47 PM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise




#5 ciscoman

ciscoman
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:15 PM

Posted 25 April 2011 - 01:55 PM

Thanks for the help Elise!

ComboFix 11-04-25.01 - me 04/25/2011 12:34:01.1.4 - x64
Running from: c:\users\me\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\IObit Toolbar\IE\4.3\ioBIttoolbarie.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
.
----- BITS: Possible infected sites -----
.
hxxp://cos-us-cas03.company.com
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-25 18:24 . 2011-04-25 18:31 -------- d-----w- C:\32788R22FWJFW
2011-04-25 17:37 . 2010-05-26 16:45 18816 ------w- c:\windows\SysWow64\SAVRKBootTasks.sys
2011-04-25 17:05 . 2010-05-26 16:39 6144 ------w- c:\windows\system32\EC91.tmp
2011-04-25 17:02 . 2010-05-26 16:39 6144 ------w- c:\windows\system32\8B2F.tmp
2011-04-25 17:01 . 2011-04-25 17:01 -------- d-----w- c:\program files (x86)\Sophos
2011-04-24 05:49 . 2011-04-24 05:49 -------- d-----w- c:\users\me\AppData\Local\ElevatedDiagnostics
2011-04-22 03:41 . 2011-04-22 03:41 -------- d-----w- c:\users\me\AppData\Roaming\Malwarebytes
2011-04-22 01:03 . 2011-04-22 01:03 -------- d-----w- c:\programdata\Malwarebytes
2011-04-22 01:03 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-04-22 01:03 . 2011-04-22 01:03 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-04-22 01:03 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-21 22:27 . 2011-04-22 19:40 -------- d-----w- c:\programdata\Kaspersky Lab
2011-04-21 22:25 . 2009-10-22 19:54 40464 ----a-w- c:\windows\system32\drivers\06005922.sys
2011-04-21 22:25 . 2009-10-10 05:30 352784 ----a-w- c:\windows\system32\drivers\0600592.sys
2011-04-21 22:25 . 2009-09-25 23:59 157712 ----a-w- c:\windows\system32\drivers\06005921.sys
2011-04-21 22:22 . 2010-09-06 09:26 189520 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-04-21 18:45 . 2011-02-18 05:36 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-04-21 18:45 . 2011-02-18 06:37 612352 ----a-w- c:\windows\system32\vbscript.dll
2011-04-21 18:45 . 2011-03-03 03:58 3133440 ----a-w- c:\windows\system32\win32k.sys
2011-04-21 18:44 . 2011-03-11 06:19 1395712 ----a-w- c:\windows\system32\mfc42.dll
2011-04-21 18:44 . 2011-03-11 06:19 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-21 18:44 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-04-21 18:44 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2011-04-21 18:43 . 2011-02-23 05:15 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-21 18:43 . 2011-02-23 05:16 401920 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-21 18:43 . 2011-02-23 05:16 461312 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-21 18:43 . 2011-02-19 06:36 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-04-21 18:43 . 2011-02-19 05:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-04-21 18:43 . 2011-02-19 04:13 367104 ----a-w- c:\windows\system32\atmfd.dll
2011-04-21 18:43 . 2011-02-19 03:37 294912 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-04-21 18:39 . 2011-03-08 05:38 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-04-21 18:39 . 2011-03-08 06:14 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-21 18:39 . 2011-04-21 18:39 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-04-21 18:38 . 2011-02-12 06:14 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-21 18:38 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-21 18:38 . 2011-02-23 05:15 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-21 18:38 . 2011-02-23 05:15 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-21 18:38 . 2011-02-23 05:15 286720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-19 06:49 . 2011-04-19 06:49 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-04-19 06:49 . 2011-04-19 06:49 -------- d-----w- c:\users\Default\AppData\Local\Adobe
2011-04-18 04:41 . 2011-04-18 04:41 -------- d-----w- c:\users\me\AppData\Roaming\Wireshark
2011-04-18 04:30 . 2011-04-18 04:30 -------- d-----w- c:\program files (x86)\WinPcap
2011-04-18 04:29 . 2011-04-18 04:30 -------- d-----w- c:\program files\Wireshark
2011-04-08 19:00 . 2011-04-08 19:00 -------- d-----w- c:\users\me\AppData\Roaming\TightVNC
2011-04-08 18:58 . 2011-04-08 18:58 -------- d-----w- c:\program files (x86)\TightVNC
2011-04-08 14:21 . 2011-04-08 14:21 -------- d-----w- c:\program files (x86)\Common Files\PS
2011-04-07 16:37 . 2011-04-07 16:37 4608 ----a-w- c:\windows\SysWow64\W95Inf32.DLL
2011-04-07 16:37 . 2011-04-07 16:37 2272 ----a-w- c:\windows\SysWow64\W95Inf16.DLL
2011-04-06 21:29 . 2011-04-07 19:28 -------- d-----w- c:\program files (x86)\Investintech.com Inc
2011-04-06 15:08 . 2011-04-06 16:03 -------- d-----w- c:\program files (x86)\Trustwave
2011-04-05 22:59 . 2011-04-19 12:55 -------- d-----r- c:\users\me\Dropbox
2011-04-05 22:55 . 2011-04-19 15:09 -------- d-----w- c:\users\me\AppData\Roaming\Dropbox
2011-03-31 14:24 . 2011-03-31 14:24 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-03-31 14:24 . 2011-03-31 14:24 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-03-31 14:24 . 2011-03-31 14:24 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-03-31 14:24 . 2011-03-31 14:24 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-03-31 14:24 . 2011-03-31 14:24 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-03-31 14:23 . 2011-03-31 14:23 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-31 14:23 . 2011-03-31 14:23 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-31 14:23 . 2011-03-31 14:23 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-03-31 14:23 . 2011-03-31 14:23 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-03-31 14:23 . 2011-03-31 14:23 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-31 14:23 . 2011-03-31 14:23 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-03-31 14:22 . 2011-03-31 14:22 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-31 14:22 . 2011-03-31 14:22 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-03-29 18:38 . 2011-02-23 22:50 18232 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-03-29 18:38 . 2011-02-23 22:50 32136 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-03-29 18:38 . 2011-03-29 18:38 -------- d-----w- c:\programdata\IObit
2011-03-29 18:38 . 2011-03-29 18:38 -------- d-----w- c:\program files (x86)\IObit Toolbar
2011-03-29 18:38 . 2011-03-29 18:38 -------- d-----w- c:\program files (x86)\Application Updater
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-23 16:58 . 2010-05-04 15:57 173616 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-02-23 19:33 . 2011-02-23 19:33 87408 ----a-w- c:\windows\SysWow64\FwsVpn.dll
2011-02-23 19:33 . 2011-02-23 19:33 53808 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys
2011-02-23 19:33 . 2011-02-23 19:33 482352 ----a-w- c:\windows\SysWow64\drivers\srtspl64.sys
2011-02-23 19:33 . 2011-02-23 19:33 482352 ----a-w- c:\windows\system32\drivers\srtspl64.sys
2011-02-23 19:33 . 2011-02-23 19:33 449072 ----a-w- c:\windows\SysWow64\drivers\srtsp64.sys
2011-02-23 19:33 . 2011-02-23 19:33 449072 ----a-w- c:\windows\system32\drivers\srtsp64.sys
2011-02-23 19:33 . 2011-02-23 19:33 32304 ----a-w- c:\windows\SysWow64\drivers\srtspx64.sys
2011-02-23 19:33 . 2011-02-23 19:33 32304 ----a-w- c:\windows\system32\drivers\srtspx64.sys
2011-02-23 19:33 . 2011-02-23 19:33 20336 ----a-w- c:\windows\system32\SnacNp.dll
2011-02-23 19:33 . 2011-02-23 19:33 18288 ----a-w- c:\windows\SysWow64\SnacNp.dll
2011-02-23 19:33 . 2011-02-23 19:33 137584 ----a-w- c:\windows\SysWow64\SymVPN.dll
2011-02-23 19:33 . 2011-02-23 19:33 137584 ----a-w- c:\windows\system32\SymVPN.dll
2011-02-23 19:33 . 2011-02-23 19:33 64048 ----a-w- c:\windows\system32\drivers\Teefer2.sys
2011-02-03 04:40 . 2011-01-18 16:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-01-26 06:53 . 2011-02-14 21:18 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-14 21:18 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-14 21:18 144384 ----a-w- c:\windows\system32\cdd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2010-05-24 23:19 613496 ----a-w- c:\windows\SysWOW64\PGPfsshl.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cisco WebEx Connect"="c:\program files (x86)\WebEx\Connect\connect.exe" [2010-11-12 3687224]
"adcist.exe"="c:\company\adci\adcist.exe" [2003-12-11 69632]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files (x86)\InterVideo\DVD8SESD\DVDCheck.exe" [2009-03-05 200848]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-02-23 115560]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-21 106496]
"adcius.exe"="c:\company\adci\adcius.exe" [2007-07-05 49152]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2011-01-02 1670656]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Cisco WebEx Connect"="c:\program files (x86)\WebEx\Connect\connect.exe" [2010-11-12 3687224]
.
c:\users\me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
qlock.lnk - c:\program files (x86)\Qlock\qlock.exe [2009-2-14 4142080]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
PGPtray.exe.lnk - c:\windows\Installer\{AC3F133F-79DC-4B7A-B0AD-68F502055FDB}\Icon6560581611.exe [2011-1-11 55296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"disablecad"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-01-27 102968]
R2 Trustwave-Application-Server;Trustwave Application Server;c:\program files (x86)\Trustwave\Trustwave Application Server.exe [2011-02-04 109568]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 CrSSLService;CrSSL Service;c:\program files (x86)\CrSSL\bin\crsslservice.exe [2010-09-09 34304]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\EC91.tmp [x]
R3 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 06005922;06005922 Boot Guard Driver;c:\windows\system32\DRIVERS\06005922.sys [x]
S0 pgpfs;PGP File Sharing;c:\windows\System32\Drivers\PGPfsfd.sys [x]
S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S1 06005921;06005921;c:\windows\system32\DRIVERS\06005921.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_2223a6b19a4f4233\AESTSr64.exe [2009-03-03 89600]
S2 Application Updater;Application Updater;c:\program files (x86)\Application Updater\ApplicationUpdater.exe [2011-01-28 387072]
S2 AUMService;HPCA Application Usage Manager Agent Service;c:\program files (x86)\Hewlett-Packard\CM\AUM Agent\bin\AUMService.exe [2009-09-30 235064]
S2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\DRIVERS\CipcCdp.sys [2010-07-21 27200]
S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-04 136176]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2011-02-16 101048]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 radexecd;HPCA Notify Daemon;c:\program files (x86)\Hewlett-Packard\CM\Agent\radexecd.exe [2010-02-12 300776]
S2 radsched;HPCA Scheduler Daemon;c:\program files (x86)\Hewlett-Packard\CM\Agent\radsched.exe [2010-02-12 190184]
S2 Radstgms;HPCA MSI Redirector;c:\program files (x86)\Hewlett-Packard\CM\Agent\Radstgms.exe [2010-02-12 333544]
S2 tvnserver;TightVNC Server;c:\program files (x86)\TightVNC\tvnserver.exe [2010-07-08 815704]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-12-30 2019120]
S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2010-01-12 227896]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-02-15 132656]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 HPAUMDriver;HPAUMDriver;SysWOW64\Drivers\HPAUMDriver.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 rismcx64;RICOH Smart Card Reader;c:\windows\system32\DRIVERS\rismcx64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{69703D29-8BA4-482C-90CC-7432C6AEF414}]
2009-07-14 01:14 73216 ----a-w- c:\windows\System32\msiexec.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{EFDF9138-E80E-46FA-8AC0-B8818EB8617A}]
2009-07-14 01:14 73216 ----a-w- c:\windows\System32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-04 17:52]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-04 17:52]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-198358228-527928863-167192953-476351Core.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 17:52]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-198358228-527928863-167192953-476351UA.job
- c:\users\me\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-10 17:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\me\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF4788.cfxxe" [X]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-21 487424]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2010-01-08 186904]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-01-27 8192]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1875048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = be.company.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: company.com\collaborate.supplychain
Trusted Zone: company.com\eroom.service
Trusted Zone: company.com\meidas.hr
Trusted Zone: company.com\wcsviper.cos
Trusted Zone: apply2jobs.com\company
Trusted Zone: assessmentplus.com
Trusted Zone: edcor.com\ww6
Trusted Zone: fidelity.com\workplaceservices100
Trusted Zone: hp.com
Trusted Zone: hp.com\gsd-agent.atlsmi.co-lo
Trusted Zone: knowledgeplanet.com
Trusted Zone: mymeetingplace.net\gc30gw1
Trusted Zone: mzinga.com
Trusted Zone: virtualedge.com
Trusted Zone: webex.com\collaborate
FF - ProfilePath - c:\users\me\AppData\Roaming\Mozilla\Firefox\Profiles\ty26n7xx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox 4.0 Beta 12\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files (x86)\McAfee\SiteAdvisor
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EC91.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,55,c2,21,a2,c5,96,4a,8a,b9,b3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,55,c2,21,a2,c5,96,4a,8a,b9,b3,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files (x86)\CDBurnerXP\NMSAccessU.exe
c:\windows\SysWOW64\rundll32.exe
c:\windows\SysWOW64\PGPserv.exe
c:\progra~2\HEWLET~1\CM\Agent\radalert.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\WebEx\Connect\wbxcOIEx.exe
.
**************************************************************************
.
Completion time: 2011-04-25 12:47:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-25 18:47
.
Pre-Run: 169,183,416,320 bytes free
Post-Run: 168,715,591,680 bytes free
.
- - End Of File - - 13F605CEA6AD0A2C82122C2851DBC015

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania
  • Local time:05:15 AM

Posted 25 April 2011 - 02:08 PM

That looks better. How are things running now?

Can you please rerun DDS and post me attach.txt?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#7 ciscoman

ciscoman
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:15 PM

Posted 25 April 2011 - 04:34 PM

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 1/11/2011 3:49:58 PM
System Uptime: 4/25/2011 3:24:00 PM (0 hours ago)
.
Motherboard: Hewlett-Packard | | 1521
Processor: Intel® Core™ i7 CPU M 620 @ 2.67GHz | CPU 1 | 2667/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 157.582 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP37: 4/6/2011 9:07:41 AM - Installed Trustwave GRC
RP38: 4/8/2011 8:21:37 AM - Installed Microsoft Visual C++ 2005 Redistributable
RP39: 4/15/2011 10:07:10 PM - Scheduled Checkpoint
RP40: 4/21/2011 12:31:38 PM - Windows Update
RP41: 4/25/2011 12:31:49 PM - ComboFix created restore point
RP42: 4/25/2011 3:02:11 PM - Removed Trustwave GRC
RP43: 4/25/2011 3:08:08 PM - Removed IObit Toolbar v4.3.
.
==== Installed Programs ======================
.
Able2Extract Professional 7.0
Able2Extract v5.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Company CA Certificates
Company Internet Explorer 6 Settings
Company Internet Explorer 7 Settings
Company Internet Explorer 8 Settings
Company MS Office Templates & Fonts
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
CDBurnerXP
Chinese Simplified Fonts Support For Adobe Reader X
Chinese Traditional Fonts Support For Adobe Reader X
Cisco IP Communicator
Cisco MeetingPlace for Outlook
Cisco WebEx Connect
Cisco WebEx Meeting Center for Firefox or Chrome
CrSSL
Crystal Reports Basic Runtime for Visual Studio 2008
Dropbox
eRoom 7
Google Chrome
Google Earth Plug-in
Google Update Helper
GoToMeeting 4.5.0.457
HP Client Automation Application Manager Agent
HP Client Automation Application Usage Manager Agent 7.80
HP ESupport 1.0
HP Quick Launch Buttons
HP Webcam
HP Webcam Driver
IDT Audio
Intel® Management Engine Components
InterVideo WinDVD 8
Japanese Fonts Support For Adobe Reader X
Java Auto Updater
Java™ 6 Update 24
Juniper Networks Host Checker
Juniper Networks Network Connect 7.0.0
Juniper Networks Setup Client
KeePass Password Safe 2.14
Korean Fonts Support For Adobe Reader X
LANDesk Service Desk
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Standard 2003
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft WSE 2.0 SP3 Runtime
Mozilla Firefox 4.0b12 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NEC Electronics USB 3.0 Host Controller Driver
PuTTY
QLBCASL
Qlock Lite
RICOH Media Driver
RSA SecurID Software Token
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 5.1
Smart Defrag 2
Sophos Anti-Rootkit 1.5.4
Spelling Dictionaries Support For Adobe Reader 9
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2492475)
WebEx
WebEx Productivity Tools
Windows Media Player Firefox Plugin
WinPcap 4.1.2
WinZip 15.0
Wireshark 1.4.5
.
==== Event Viewer Messages From Past Week ========
.
4/25/2011 9:57:29 AM, Error: Service Control Manager [7031] - The Intel® Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
4/25/2011 9:52:36 AM, Error: Service Control Manager [7034] - The Intel® Management & Security Application User Notification Service service terminated unexpectedly. It has done this 2 time(s).
4/25/2011 9:34:49 AM, Error: Service Control Manager [7034] - The Intel® Management & Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).
4/25/2011 8:37:48 AM, Error: Microsoft-Windows-GroupPolicy [1110] - The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
4/25/2011 8:24:52 AM, Error: Service Control Manager [7034] - The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
4/25/2011 8:02:34 AM, Error: Service Control Manager [7034] - The IS360service service terminated unexpectedly. It has done this 1 time(s).
4/25/2011 3:27:33 PM, Error: Service Control Manager [7023] - The Windows Time service terminated with the following error: An attempt was made to logon, but the network logon service was not started.
4/25/2011 3:27:33 PM, Error: Microsoft-Windows-Time-Service [46] - The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.
4/25/2011 3:27:26 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SAVRKBootTasks
4/25/2011 3:27:23 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/25/2011 3:25:38 PM, Error: Microsoft-Windows-GroupPolicy [1053] - The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
4/25/2011 3:25:29 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
4/25/2011 3:24:46 PM, Error: volmgr [46] - Crash dump initialization failed!
4/25/2011 12:45:55 PM, Error: Service Control Manager [7000] - The HP Wireless Assistant Service service failed to start due to the following error: A device attached to the system is not functioning.
4/25/2011 12:45:47 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: After starting, the service hung in a start-pending state.
4/25/2011 12:45:43 PM, Error: Service Control Manager [7022] - The Windows Font Cache Service service hung on starting.
4/25/2011 12:45:40 PM, Error: Service Control Manager [7022] - The Function Discovery Resource Publication service hung on starting.
4/25/2011 12:43:17 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
4/25/2011 12:40:03 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
4/25/2011 12:39:11 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
4/25/2011 11:41:13 AM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/25/2011 11:41:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
4/25/2011 11:41:12 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.
4/25/2011 11:32:51 AM, Error: Service Control Manager [7000] - The MEMSWEEP2 service failed to start due to the following error: This driver has been blocked from loading
4/25/2011 11:32:51 AM, Error: Application Popup [1060] - \??\C:\windows\system32\EC91.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
4/25/2011 11:03:18 AM, Error: Application Popup [1060] - \??\C:\windows\system32\8B2F.tmp has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
4/25/2011 10:31:51 AM, Error: Service Control Manager [7000] - The Intel® Management & Security Application User Notification Service service failed to start due to the following error: The system cannot find the file specified.
4/25/2011 10:27:20 AM, Error: Service Control Manager [7000] - The Protexis Licensing V2 service failed to start due to the following error: The system cannot find the file specified.
4/23/2011 11:26:56 PM, Error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
4/22/2011 12:27:46 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HP Wireless Assistant Service service.
4/21/2011 8:24:48 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® PROSet/Wireless Event Log service to connect.
4/21/2011 8:24:48 AM, Error: Service Control Manager [7000] - The Intel® PROSet/Wireless Event Log service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/20/2011 3:30:52 PM, Error: Schannel [36887] - The following fatal alert was received: 47.
4/20/2011 2:55:38 PM, Error: Schannel [36887] - The following fatal alert was received: 40.
4/18/2011 4:44:47 AM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.10 with the system having network hardware address 00-1E-C2-C8-33-12. Network operations on this system may be disrupted as a result.
.
==== End Of File ===========================

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2011 - 01:28 AM

Hi again, do you have any problems left?

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 6.
  • Look for "JDK 6 Update 25 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".

    • Select "Windows x86 Offline" and click on jre-6u25-windows-i586.exe
    • Select "Windows x64" and click on jre-6u25-windows-x64.exe
    • Select "Windows Intel Itanium" and click on jre-6u25-windows-ia64.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#9 ciscoman
  • Topic Starter
  • Members
  • 13 posts

Posted 26 April 2011 - 01:14 PM

Thanks Elise,

No, it is still showing massive use of my memory, and I still see the logs showing someone connecting to me with a UDP connection. Any idea what I have?

Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 6448

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

4/26/2011 11:50:23 AM
mbam-log-2011-04-26 (11-50-23).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 402927
Time elapsed: 51 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2011 - 01:18 PM

Hi, let's see if we can find out more about those connections.


  • Download TCPView from http://live.sysinternals.com/tcpview.exe
  • Once the file is downloaded, double-click on it to execute the program.
  • When the program starts, click on the Options menu option and uncheck Resolve addresses.
  • Then click on the File menu option and select Save as....
  • A window will open asking where you would like to save the log file. Save it to your desktop as tcpview.txt.
  • Please post its contents in your next reply.

regards, Elise




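A worked example of the attribution step behind the TCPView request above, added here and not part of the original thread or of Elise's instructions. The point it makes: UDP has no connection state, so TCPView and `netstat -ano` show a UDP socket with `*:*` as the remote side, and a "UDP connection" in a firewall log is really a single datagram to a local port. To learn who "someone connecting with UDP" actually reached, you map the datagram's destination port to the socket and PID that owned it at that moment (which is exactly what the saved TCPView list with "Resolve addresses" unchecked gives you), and then to the process name. The script below does that correlation offline over constructed sample data: the `netstat -ano`, `tasklist /fo csv` and firewall-log text are made up for the example (the W3C pfirewall.log layout is an assumption, since the thread does not say which log the poster was reading), `updater.exe` and all PIDs are hypothetical, and the LAN range 192.168.1.0/24 is assumed from the 192.168.1.10 address in the Tcpip event.

```python
"""Attribute inbound UDP datagrams from a firewall log to the local process that
owned the destination port.  Added example for this thread; every input below is
constructed sample data, not output from the poster's machine."""
import csv
import io
import ipaddress
import re
from collections import namedtuple

# `netstat -ano` on Windows 7.  UDP rows have no State column and a `*:*` peer,
# because UDP keeps no connection: the "connection" exists only in the log.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    192.168.1.10:49201     74.125.224.72:443      ESTABLISHED     3220
  UDP    0.0.0.0:123            *:*                                    1076
  UDP    [::]:123               *:*                                    1076
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1380
  UDP    0.0.0.0:61234          *:*                                    5120
"""

# `tasklist /fo csv`: PID -> image name and session ("Services" = session 0).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","764","Services","0","8,100 K"
"svchost.exe","1076","Services","0","22,456 K"
"svchost.exe","1380","Services","0","31,200 K"
"iexplore.exe","3220","Console","1","140,300 K"
"updater.exe","5120","Console","1","96,812 K"
"""

# Assumed W3C pfirewall.log layout; column names come from the #Fields header.
FIREWALL_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-04-26 11:02:13 ALLOW UDP 203.0.113.7 192.168.1.10 53 61234 78 - - - - - - - RECEIVE
2011-04-26 11:02:20 ALLOW UDP 192.168.1.1 192.168.1.10 1900 1900 310 - - - - - - - RECEIVE
2011-04-26 11:03:41 ALLOW UDP 192.168.1.23 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2011-04-26 11:05:02 DROP UDP 198.51.100.9 192.168.1.10 6000 27015 42 - - - - - - - RECEIVE
2011-04-26 11:05:10 ALLOW UDP 192.168.1.10 8.8.8.8 61234 53 64 - - - - - - - SEND
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed poster's subnet (192.168.1.10 in the Tcpip event)
WILDCARDS = {"0.0.0.0", "[::]"}               # sockets bound to every interface

Endpoint = namedtuple("Endpoint", "proto local_ip local_port remote state pid")
Process = namedtuple("Process", "name session")
FwEvent = namedtuple("FwEvent", "action proto src_ip dst_ip src_port dst_port path")

# proto, local addr:port, foreign addr, optional State (absent for UDP), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` rows (IPv4 and IPv6) into Endpoint records."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lip, lport, remote, state, pid = m.groups()
            rows.append(Endpoint(proto, lip, int(lport), remote, state or "", int(pid)))
    return rows


def parse_tasklist(text):
    """Map PID -> Process(name, session) from `tasklist /fo csv`."""
    return {int(r["PID"]): Process(r["Image Name"], r["Session Name"])
            for r in csv.DictReader(io.StringIO(text))}


def parse_firewall_log(text):
    """Parse W3C-style firewall log lines, naming columns from the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log has no #Fields header")
            r = dict(zip(fields, line.split()))
            events.append(FwEvent(r["action"], r["protocol"], r["src-ip"], r["dst-ip"],
                                  int(r["src-port"]), int(r["dst-port"]), r["path"]))
    return events


def owner_of(endpoints, proto, dst_ip, dst_port):
    """Return the Endpoint that would receive a datagram to dst_ip:dst_port, or None.
    A socket bound to a wildcard address matches any local address."""
    for ep in endpoints:
        if ep.proto == proto and ep.local_port == dst_port and (ep.local_ip == dst_ip or ep.local_ip in WILDCARDS):
            return ep
    return None


def correlate(fw_events, endpoints, procs):
    """Name the process owning the destination port of each inbound UDP datagram.
    `review` is set when a datagram from outside the LAN reached a socket held by an
    interactive (non-Services) process; a datagram with no socket is dropped noise."""
    findings = []
    for ev in fw_events:
        if ev.path != "RECEIVE" or ev.proto != "UDP":
            continue
        ep = owner_of(endpoints, "UDP", ev.dst_ip, ev.dst_port)
        proc = procs.get(ep.pid) if ep else None
        on_lan = ipaddress.ip_address(ev.src_ip) in LAN
        findings.append({
            "src": ev.src_ip, "dst_port": ev.dst_port, "action": ev.action,
            "pid": ep.pid if ep else None,
            "process": proc.name if proc else None,
            "review": bool(proc) and not on_lan and proc.session != "Services",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_firewall_log(FIREWALL_SAMPLE),
                       parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)):
        flag = "  <-- review" if f["review"] else ""
        print(f"{f['src']:>15} -> udp/{f['dst_port']:<5} {f['action']:<5} "
              f"owner={f['process'] or 'no socket'} pid={f['pid']}{flag}")
```

In the sample data only the datagram from 203.0.113.7 is flagged: it lands on an ephemeral port held by a user-session process, which is the kind of hit worth chasing, whereas the NetBIOS and SSDP traffic from the LAN goes to System and a service-hosting svchost.exe, and the dropped packet to port 27015 had no socket behind it at all. The caveat a practitioner should keep in mind is that ephemeral UDP ports churn, so the netstat or TCPView snapshot has to be taken close to the log entry for the PID mapping to mean anything.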
#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,981 posts
  • Gender:Female
  • Location:Romania

Posted 07 May 2011 - 10:28 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise

