Search Redirect


  • This topic is locked
22 replies to this topic

#1 bhasky


Posted 17 January 2013 - 06:43 PM

I have been infected by a search redirect virus. Please help me. I have tried SUPERAntiSpyware, TDSSKiller and ESET virus removal based on some inputs from some internet sites, but that did not help.
The search redirect takes me to click.livesearch.now.
Following is the DDS.txt:
-----------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.17153 BrowserJavaVersion: 1.6.0_33
Run by bchatter at 15:30:57 on 2013-01-17
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.16316.12175 [GMT -8:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\IFMpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\C4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
c:\notes\nsd.exe
c:\notes\ntmulti.exe
C:\Program Files (x86)\AT&T Network Client\netcfgsvr.exe
C:\Program Files (x86)\AT&T Network Client\NetClientSvc.exe
C:\Program Files (x86)\AT&T Network Client\NetLogSvc.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\wrtService.exe
C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Users\IFM_ADMIN\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\C4ebreg\isamtray.exe
C:\Program Files (x86)\IFM\Lotus\Symphony\framework\rcp\eclipse\plugins\com.IFM.rcp.base_6.2.1.20101013-2236\win32\x86\symphony.exe
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\IFM\Infoprint Select\ipnotify.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.brand.win32_3.0.0.20101015-2340\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClientUI.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\AT&T Network Client\NetClient.exe
C:\Program Files (x86)\AT&T Network Client\NetMsg.exe
C:\Program Files (x86)\AT&T Network Client\SwiApiMux.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
c:\sdwork\issimgui.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://w3b.IFM.com/
uSearch Bar = Preserve
uProxyServer = hxxp.webproxyuk.com:10724
BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll
uRun: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Network Client\NetSP.exe" -show
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Spotify Web Helper] "C:\Users\IFM_ADMIN\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [SymphonyPreLoad] "C:\Program Files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.standard.launcher.win32.x86_3.0.0.20101015-2340\IFM Lotus Symphony" -nogui -nosplash
mRun: [ALTOOLS] AccessL.exe
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [C4EBReg] "C:\Program Files (x86)\C4ebreg\c4ebreg.exe" /q
mRun: [Isamtray] "C:\Program Files (x86)\C4ebreg\isamtray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [stgclean] c:\sdwork\w32maing.exe /cleanup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [1] C:\HijackThis\mbam-chameleon-1.62.1.1000\mbam-chameleon.exe /r /p
StartupFolder: C:\Users\IFM_AD~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AT&TGL~1.LNK - C:\Windows\Installer\{007AAB7C-E893-48BD-9DA2-7F417CA16322}\NetGM1_89563E53ECF44E868145468A128BDC83.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INFOPR~1.LNK - C:\Program Files\IFM\Infoprint Select\ipnotify.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: FilterAdministratorToken = dword:1
mPolicies-System: SoftwareSASGeneration = dword:3
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://vpn.cos.tec.ihost.com/CACHE/stc/2/binaries/vpnweb.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{7D3B0A18-F911-4935-8BFA-C3149C1CF46D} : NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{916A13DD-6E53-4B34-AF18-83C85FACD1EF} : DHCPNameServer = 69.78.96.14 66.174.92.14
TCP: Interfaces\{96D58186-8700-4FAD-B2C3-A3B2F6FDB6D7} : NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1}\16474777966696 : DHCPNameServer = 192.168.4.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1}\4496769626F6F602355414E483 : DHCPNameServer = 192.168.82.1
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1}\6596C6C6167656F53547164796F6E6 : DHCPNameServer = 205.171.3.65 205.171.2.65
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1}\76F676F696E666C696768647 : DHCPNameServer = 172.19.134.2
TCP: Interfaces\{B5AF41FB-D8C3-4F19-9C97-AAA0662FF5B1}\8707F636F6E6E6563647 : DHCPNameServer = 8.8.8.8 198.6.100.194
TCP: Interfaces\{C314FA86-A8D8-4892-B662-C6A7A4D7A534} : NameServer = 9.0.128.50,9.0.130.50
TCP: Interfaces\{DD84E211-B602-4331-A7D1-1AFF7B46D9DF} : DHCPNameServer = 198.224.152.119 198.224.154.135
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
AppInit_DLLs= C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll, C:\ProgramData\FXSXP3232.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages = scecli ACGina
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\IFM\Java60\jre\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\IFM\Java60\jre\bin\jp2ssv.dll
x64-TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll
x64-Run: [nwiz] nwiz.exe /installquiet
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Run: [TpShocks] TpShocks.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
x64-Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
x64-DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
x64-DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017325.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.129\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\IFM\Java60\jre\bin\new_plugin\npjp2.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npcpsweb.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwdplugin821.dll
FF - plugin: C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\plugins\npMeetingJoinPluginAOCUser.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 DzHDD64;DzHDD64;C:\Windows\System32\drivers\DZHDD64.SYS [2010-12-28 30320]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-12-28 55280]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\System32\drivers\ApsHM64.sys [2010-6-16 23664]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\System32\drivers\smiifx64.sys [2010-12-28 15400]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [2011-8-11 140672]
R2 HsfXAudioService;HsfXAudioService;C:\Windows\System32\svchost.exe -k HsfXAudioService [2009-7-13 27136]
R2 Intelligent Response Agent;Intelligent Response Agent;C:\Program Files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe -service -servicename Intelligent Response Agent --> C:\Program Files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe -service -servicename Intelligent Response Agent [?]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\HOTKEY\cammute.exe [2010-12-28 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2010-12-28 44984]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
R2 NetClientSvc;AT&T Global Network Client Service;C:\Program Files (x86)\AT&T Network Client\NetClientSvc.exe [2010-9-9 349536]
R2 NetLogSvc;AT&T Global Network Client Logging Service;C:\Program Files (x86)\AT&T Network Client\NetLogSvc.exe [2010-9-9 79200]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-10-27 6807656]
R2 NWVZHelper;Novatel Wireless Verizon Device Helper;C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [2010-6-14 270848]
R2 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2010-12-27 61952]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2011-11-10 1839776]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-12-2 2848168]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2010-12-28 63928]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-3-25 539248]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-8-3 645048]
R2 WRTService;WRT Service;C:\Windows\wrtService.exe [2011-9-6 122880]
R3 5U877;USB Video Device;C:\Windows\System32\drivers\5U877.sys [2010-12-27 161664]
R3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-12-27 54824]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2010-12-28 35104]
R3 CAXHWAZL;CAXHWAZL;C:\Windows\System32\drivers\CAXHWAZL.sys [2010-12-27 292864]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2010-12-27 294064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-9 138912]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-12-27 56344]
R3 Mandiant_Tools;Mandiant_Tools;C:\ProgramData\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [2012-10-31 25168]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-3-17 7680512]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-12-27 75776]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-12-27 177152]
S2 AcSvc32;AcSvc ;C:\ProgramData\wer32.exe [2011-8-27 706560]
S2 AdobeARMservice32;Adobe Acrobat Update Service ;C:\ProgramData\UXInit32.exe [2011-8-27 706560]
S2 AdobeARMservice3232;Adobe Acrobat Update Service ;C:\ProgramData\NlsLexicons004a32.exe [2011-8-27 706560]
S2 AeLookupSvc32;Application Experience ;C:\ProgramData\rdpcore32.exe [2011-8-27 706560]
S2 AppMgmt32;Application Management ;C:\ProgramData\dpmodemx32.exe [2011-8-27 706560]
S2 BDESVC32;BitLocker Drive Encryption Service ;C:\ProgramData\MediaMetadataHandler32.exe [2011-8-27 706560]
S2 BESClient32;BES Client ;C:\ProgramData\spwizres32.exe [2011-8-27 706560]
S2 BFE32;Base Filtering Engine ;C:\ProgramData\ws2help32.exe [2011-8-27 706560]
S2 BFE3232;Base Filtering Engine ;C:\ProgramData\cdosys32.exe [2011-8-27 706560]
S2 BITS32;Background Intelligent Transfer Service ;C:\ProgramData\MFC71ENU32.exe [2011-8-27 706560]
S2 BITS3232;Background Intelligent Transfer Service ;C:\ProgramData\AuthFWGP32.exe [2011-8-27 706560]
S2 btwdins32;Bluetooth Service ;C:\ProgramData\fltLib32.exe [2011-8-27 706560]
S2 CertPropSvc32;Certificate Propagation ;C:\ProgramData\ir50_qcx32.exe [2011-8-27 706560]
S2 clr_optimization_v2.0.50727_3232;Microsoft .NET Framework NGEN v2.0.50727_X86 ;C:\ProgramData\devobj32.exe [2011-8-27 706560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_3232;Microsoft .NET Framework NGEN v4.0.30319_X86 ;C:\ProgramData\drtprov32.exe [2011-8-27 706560]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 clr_optimization_v4.0.30319_6432;Microsoft .NET Framework NGEN v4.0.30319_X64 ;C:\ProgramData\mscpx32r32.exe [2011-8-27 706560]
S2 COMSysApp32;COM+ System Application ;C:\ProgramData\mscms32.exe [2011-8-27 706560]
S2 CryptSvc32;Cryptographic Services ;C:\ProgramData\dmusic32.exe [2011-8-27 706560]
S2 CryptSvc3232;Cryptographic Services ;C:\ProgramData\WcsPlugInService32.exe [2011-8-27 706560]
S2 CryptSvc323232;Cryptographic Services ;C:\ProgramData\udhisapi32.exe [2011-8-27 706560]
S2 CscService32;Offline Files ;C:\ProgramData\QSHVHOST32.exe [2011-8-27 706560]
S2 CscService3232;Offline Files ;C:\ProgramData\VBAME32.exe [2011-8-27 706560]
S2 CVPND32;Cisco Systems, Inc. VPN Service ;C:\ProgramData\ir50_3232.exe [2011-8-27 706560]
S2 DcomLaunch32;DCOM Server Process Launcher ;C:\ProgramData\mscories32.exe [2011-8-27 706560]
S2 DcomLaunch3232;DCOM Server Process Launcher ;C:\ProgramData\WfHC32.exe [2011-8-27 706560]
S2 Dnscache32;DNS Client ;C:\ProgramData\sppcomapi32.exe [2011-8-27 706560]
S2 Dnscache3232;DNS Client ;C:\ProgramData\dsdmo32.exe [2011-8-27 706560]
S2 EapHost32;Extensible Authentication Protocol ;C:\ProgramData\cryptbase32.exe [2011-8-27 706560]
S2 EFS32;Encrypting File System (EFS) ;C:\ProgramData\mscorier32.exe [2011-8-27 706560]
S2 EFS3232;Encrypting File System (EFS) ;C:\ProgramData\KBDYAK32.exe [2011-8-27 706560]
S2 ehSched32;Windows Media Center Scheduler Service ;C:\ProgramData\Sens32.exe [2011-8-27 706560]
S2 EraserSvc1111332;Symantec Eraser Service ;C:\ProgramData\DDOIProxy32.exe [2011-8-27 706560]
S2 fdPHost32;Function Discovery Provider Host ;C:\ProgramData\ir50_qc32.exe [2011-8-27 706560]
S2 FontCache3.0.0.032;Windows Presentation Foundation Font Cache 3.0.0.0 ;C:\ProgramData\OobeFldr32.exe [2011-8-27 706560]
S2 FontCache3.0.0.03232;Windows Presentation Foundation Font Cache 3.0.0.0 ;C:\ProgramData\KBDARME32.exe [2011-8-27 706560]
S2 FontCache32;Windows Font Cache Service ;C:\ProgramData\NVWRSSV32.exe [2011-8-27 706560]
S2 gupdate32;Google Update Service (gupdate) ;C:\ProgramData\netshell32.exe [2011-8-27 706560]
S2 gupdate3232;Google Update Service (gupdate) ;C:\ProgramData\dmvdsitf32.exe [2011-8-27 706560]
S2 hidserv32;Human Interface Device Access ;C:\ProgramData\dsprop32.exe [2011-8-27 706560]
S2 HomeGroupListener32;HomeGroup Listener ;C:\ProgramData\PhotoMetadataHandler32.exe [2011-8-27 706560]
S2 HomeGroupListener3232;HomeGroup Listener ;C:\ProgramData\chsbrkr32.exe [2011-8-27 706560]
S2 HomeGroupProvider32;HomeGroup Provider ;C:\ProgramData\mcicda32.exe [2011-8-27 706560]
S2 HomeGroupProvider3232;HomeGroup Provider ;C:\ProgramData\rdprefdrvapi32.exe [2011-8-27 706560]
S2 IKEEXT32;IKE and AuthIP IPsec Keying Modules ;C:\ProgramData\eventcls32.exe [2011-8-27 706560]
S2 IPBusEnum32;PnP-X IP Bus Enumerator ;C:\ProgramData\msvcrt2032.exe [2011-8-27 706560]
S2 IPBusEnum3232;PnP-X IP Bus Enumerator ;C:\ProgramData\ndproxystub32.exe [2011-8-27 706560]
S2 iphlpsvc32;IP Helper ;C:\ProgramData\FirewallControlPanel32.exe [2011-8-27 706560]
S2 ISAMSvc32;IFM Standard Asset Manager Service ;C:\ProgramData\wiavideo32.exe [2011-8-27 706560]
S2 ISAMSvc3232;IFM Standard Asset Manager Service ;C:\ProgramData\scecli32.exe [2011-8-27 706560]
S2 KeyIso32;CNG Key Isolation ;C:\ProgramData\pnidui32.exe [2011-8-27 706560]
S2 LENOVO.CAMMUTE32;Lenovo Camera Mute ;C:\ProgramData\actxprxy32.exe [2011-8-27 706560]
S2 LENOVO.CAMMUTE3232;Lenovo Camera Mute ;C:\ProgramData\stclient32.exe [2011-8-27 706560]
S2 LENOVO.CAMMUTE323232;Lenovo Camera Mute ;C:\ProgramData\avrt32.exe [2011-8-27 706560]
S2 LENOVO.CAMMUTE32323232;Lenovo Camera Mute ;C:\ProgramData\ole2disp32.exe [2011-8-27 706560]
S2 LENOVO.CAMMUTE3232323232;Lenovo Camera Mute ;C:\ProgramData\WsmRes32.exe [2011-8-27 706560]
S2 lmhosts32;TCP/IP NetBIOS Helper ;C:\ProgramData\NlsData004532.exe [2011-8-27 706560]
S2 lmhosts3232;TCP/IP NetBIOS Helper ;C:\ProgramData\xwizards32.exe [2011-8-27 706560]
S2 Mcx2Svc32;Media Center Extender Service ;C:\ProgramData\KBDUSA32.exe [2011-8-27 706560]
S2 Mcx2Svc3232;Media Center Extender Service ;C:\ProgramData\ig4icd3232.exe [2011-8-27 706560]
S2 MSDTC32;Distributed Transaction Coordinator ;C:\ProgramData\api-ms-win-core-sysinfo-l1-1-032.exe [2011-8-27 706560]
S2 MSiSCSI32;Microsoft iSCSI Initiator Service ;C:\ProgramData\rastls32.exe [2011-8-27 706560]
S2 msiserver32;Windows Installer ;C:\ProgramData\keymgr32.exe [2011-8-27 706560]
S2 napagent32;Network Access Protection Agent ;C:\ProgramData\profapi32.exe [2011-8-27 706560]
S2 Netlogon32;Netlogon ;C:\ProgramData\hlink32.exe [2011-8-27 706560]
S2 Netlogon3232;Netlogon ;C:\ProgramData\NlsData000c32.exe [2011-8-27 706560]
S2 NetLogSvc32;AT&T Global Network Client Logging Service ;C:\ProgramData\msxml3r32.exe [2011-8-27 706560]
S2 NetTcpPortSharing32;Net.Tcp Port Sharing Service ;C:\ProgramData\netapi3232.exe [2011-8-27 706560]
S2 NlaSvc32;Network Location Awareness ;C:\ProgramData\wzcdlg32.exe [2011-8-27 706560]
S2 NlaSvc3232;Network Location Awareness ;C:\ProgramData\msdart32.exe [2011-8-27 706560]
S2 nsi32;Network Store Interface Service ;C:\ProgramData\qmgrprxy32.exe [2011-8-27 706560]
S2 NVIDIA Performance Driver Service32;NVIDIA Performance Driver Service ;C:\ProgramData\nshwfp32.exe [2011-8-27 706560]
S2 NVIDIA Performance Driver Service3232;NVIDIA Performance Driver Service ;C:\ProgramData\sud32.exe [2011-8-27 706560]
S2 p2psvc32;Peer Networking Grouping ;C:\ProgramData\cmdial3232.exe [2011-8-27 706560]
S2 PcaSvc32;Program Compatibility Assistant Service ;C:\ProgramData\msiltcfg32.exe [2011-8-27 706560]
S2 PNRPAutoReg32;PNRP Machine Name Publication Service ;C:\ProgramData\nvcuvenc32.exe [2011-8-27 706560]
S2 PolicyAgent32;IPsec Policy Agent ;C:\ProgramData\NVWRSDE32.exe [2011-8-27 706560]
S2 PolicyAgent3232;IPsec Policy Agent ;C:\ProgramData\WMVENCOD32.exe [2011-8-27 706560]
S2 PolicyAgent323232;IPsec Policy Agent ;C:\ProgramData\ulib32.exe [2011-8-27 706560]
S2 ProtectedStorage32;Protected Storage ;C:\ProgramData\InkEd32.exe [2011-8-27 706560]
S2 QWAVE32;Quality Windows Audio Video Experience ;C:\ProgramData\hid32.exe [2011-8-27 706560]
S2 RasMan32;Remote Access Connection Manager ;C:\ProgramData\setupcln32.exe [2011-8-27 706560]
S2 RegSrvc32;Intel® PROSet/Wireless Registry Service ;C:\ProgramData\Wldap3232.exe [2011-8-27 706560]
S2 RpcEptMapper32;RPC Endpoint Mapper ;C:\ProgramData\dot3msm32.exe [2011-8-27 706560]
S2 seclogon32;Secondary Logon ;C:\ProgramData\cmutil32.exe [2011-8-27 706560]
S2 seclogon3232;Secondary Logon ;C:\ProgramData\KBDFI32.exe [2011-8-27 706560]
S2 SENS32;System Event Notification Service ;C:\ProgramData\qedwipes32.exe [2011-8-27 706560]
S2 SENS3232;System Event Notification Service ;C:\ProgramData\Sensor32.exe [2011-8-27 706560]
S2 SessionEnv32;Remote Desktop Configuration ;C:\ProgramData\NetPLAP6432.exe [2011-8-27 706560]
S2 SharedAccess3232;Internet Connection Sharing (ICS) ;C:\ProgramData\mpr32.exe [2011-8-27 706560]
S2 ShellHWDetection32;Shell Hardware Detection ;C:\ProgramData\advapi3232.exe [2011-8-27 706560]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S2 SmcService32;Symantec Management Client ;C:\Windows\System32\NVWRSZHT32.exe --> C:\Windows\System32\NVWRSZHT32.exe [?]
S2 SmcService3232;Symantec Management Client ;C:\ProgramData\racpldlg32.exe [2011-8-27 706560]
S2 SmcService323232;Symantec Management Client ;C:\ProgramData\KBDHAU32.exe [2011-8-27 706560]
S2 SNMPTRAP32;SNMP Trap ;C:\ProgramData\uexfat32.exe [2011-8-27 706560]
S2 Spooler32;Print Spooler ;C:\ProgramData\mstext4032.exe [2011-8-27 706560]
S2 sppsvc32;Software Protection ;C:\ProgramData\vpncategories32.exe [2011-8-27 706560]
S2 sppsvc3232;Software Protection ;C:\ProgramData\KBDINGUJ32.exe [2011-8-27 706560]
S2 sppuinotify32;SPP Notification Service ;C:\ProgramData\NVWRSNL32.exe [2011-8-27 706560]
S2 sppuinotify3232;SPP Notification Service ;C:\ProgramData\api-ms-win-service-management-l1-1-032.exe [2011-8-27 706560]
S2 stllssvr32;stllssvr ;C:\ProgramData\iasdatastore32.exe [2011-8-27 706560]
S2 StorSvc32;Storage Service ;C:\ProgramData\DDACLSys32.exe [2011-8-27 706560]
S2 StorSvc3232;Storage Service ;C:\ProgramData\hnetcfg32.exe [2011-8-27 706560]
S2 Symantec AntiVirus32;Symantec Endpoint Protection ;C:\ProgramData\bitsprx432.exe [2011-8-27 706560]
S2 Symantec AntiVirus3232;Symantec Endpoint Protection ;C:\ProgramData\adsmsext32.exe [2011-8-27 706560]
S2 TabletInputService32;Tablet PC Input Service ;C:\ProgramData\NlsLexicons004732.exe [2011-8-27 706560]
S2 TabletInputService3232;Tablet PC Input Service ;C:\ProgramData\rasapi3232.exe [2011-8-27 706560]
S2 TabletInputService323232;Tablet PC Input Service ;C:\ProgramData\XAudio6432.exe [2011-8-27 706560]
S2 TapiSrv32;Telephony ;C:\ProgramData\dot3gpclnt32.exe [2011-8-27 706560]
S2 TPHDEXLGSVC32;ThinkPad HDD APS Logging Service ;C:\ProgramData\KBDSW0932.exe [2011-8-27 706560]
S2 TPHKSVC32;On Screen Display ;C:\ProgramData\nvdecodemft32.exe [2011-8-27 706560]
S2 TPHKSVC3232;On Screen Display ;C:\ProgramData\NlsData000a32.exe [2011-8-27 706560]
S2 TrustedInstaller32;Windows Modules Installer ;C:\ProgramData\MSMPEG2ENC32.exe [2011-8-27 706560]
S2 UI0Detect32;Interactive Services Detection ;C:\ProgramData\WebClnt32.exe [2011-8-27 706560]
S2 UmRdpService32;Remote Desktop Services UserMode Port Redirector ;C:\ProgramData\NlsLexicons081632.exe [2011-8-27 706560]
S2 upnphost32;UPnP Device Host ;C:\ProgramData\KBDBGPH132.exe [2011-8-27 706560]
S2 upnphost3232;UPnP Device Host ;C:\ProgramData\mciwave32.exe [2011-8-27 706560]
S2 UxSms32;Desktop Window Manager Session Manager ;C:\ProgramData\srhelper32.exe [2011-8-27 706560]
S2 VaultSvc32;Credential Manager ;C:\ProgramData\SortServer2003Compat32.exe [2011-8-27 706560]
S2 VaultSvc3232;Credential Manager ;C:\ProgramData\PortableDeviceWiaCompat32.exe [2011-8-27 706560]
S2 VaultSvc323232;Credential Manager ;C:\ProgramData\cngprovider32.exe [2011-8-27 706560]
S2 vds32;Virtual Disk ;C:\ProgramData\KBDDA32.exe [2011-8-27 706560]
S2 VMnetDHCP32;VMware DHCP Service ;C:\ProgramData\imgutil32.exe [2011-8-27 706560]
S2 VMnetDHCP3232;VMware DHCP Service ;C:\ProgramData\authz32.exe [2011-8-27 706560]
S2 VMnetDHCP323232;VMware DHCP Service ;C:\ProgramData\fdSSDP32.exe [2011-8-27 706560]
S2 VMnetDHCP32323232;VMware DHCP Service ;C:\ProgramData\KBDFO32.exe [2011-8-27 706560]
S2 VMUSBArbService32;VMware USB Arbitration Service ;C:\ProgramData\spbcd32.exe [2011-8-27 706560]
S2 VMUSBArbService3232;VMware USB Arbitration Service ;C:\ProgramData\WinSATAPI32.exe [2011-8-27 706560]
S2 VSS32;Volume Shadow Copy ;C:\ProgramData\dpnhpast32.exe [2011-8-27 706560]
S2 WatAdminSvc32;Windows Activation Technologies Service ;C:\ProgramData\SSShim32.exe [2011-8-27 706560]
S2 wcncsvc32;Windows Connect Now - Config Registrar ;C:\ProgramData\qedit32.exe [2011-8-27 706560]
S2 WcsPlugInService32;Windows Color System ;C:\ProgramData\AzSqlExt32.exe [2011-8-27 706560]
S2 WdiServiceHost32;Diagnostic Service Host ;C:\ProgramData\nvencodemft32.exe [2011-8-27 706560]
S2 WebClient32;WebClient ;C:\ProgramData\storage32.exe [2011-8-27 706560]
S2 Wecsvc32;Windows Event Collector ;C:\ProgramData\Faultrep32.exe [2011-8-27 706560]
S2 Wecsvc3232;Windows Event Collector ;C:\ProgramData\ole232.exe [2011-8-27 706560]
S2 WerSvc32;Windows Error Reporting Service ;C:\ProgramData\C_ISCII32.exe [2011-8-27 706560]
S2 WinHttpAutoProxySvc32;WinHTTP Web Proxy Auto-Discovery Service ;C:\ProgramData\msjet4032.exe [2011-8-27 706560]
S2 WinHttpAutoProxySvc3232;WinHTTP Web Proxy Auto-Discovery Service ;C:\ProgramData\nvcuvid32.exe [2011-8-27 706560]
S2 Winmgmt32;Windows Management Instrumentation ;C:\ProgramData\ftlx041132.exe [2011-8-27 706560]
S2 Winmgmt3232;Windows Management Instrumentation ;C:\ProgramData\DeviceMetadataParsers32.exe [2011-8-27 706560]
S2 Wlansvc32;WLAN AutoConfig ;C:\ProgramData\api-ms-win-core-memory-l1-1-032.exe [2011-8-27 706560]
S2 WPCSvc32;Parental Controls ;C:\ProgramData\IasMigPlugin32.exe [2011-8-27 706560]
S2 WPCSvc3232;Parental Controls ;C:\ProgramData\nlmsprep32.exe [2011-8-27 706560]
S2 wscsvc32;Security Center ;C:\ProgramData\NVWRSESM32.exe [2011-8-27 706560]
S2 WwanSvc32;WWAN AutoConfig ;C:\ProgramData\networkexplorer32.exe [2011-8-27 706560]
S3 cstrcser;IFM Command Line Trace;C:\Windows\SysWOW64\drivers\cstrcser.exe [2010-5-26 36864]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-12-28 164200]
S3 iaNvStor;iaNvStor;C:\Windows\System32\drivers\iaNvStor.sys [2010-12-27 344600]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-12-27 151936]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2011-5-10 22528]
S3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);C:\Windows\System32\drivers\OXSDIDRV_x64.sys [2009-9-28 51760]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2010-12-28 75112]
S3 qcfilterlno2k;Gobi 2000 USB Composite Device Filter Driver(05C6-9205);C:\Windows\System32\drivers\qcfilterlno2k.sys [2010-12-27 5248]
S3 qcusbserlno2k;Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205);C:\Windows\System32\drivers\qcusbserlno2k.sys [2010-12-27 106368]
S3 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2010-12-27 55808]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TRCTARGET;Tivoli Endpoint Manager for Remote Control - Target;C:\Program Files (x86)\IFM\Tivoli\Remote Control\Target\trc_base.exe [2012-2-9 745472]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-29 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2011-2-16 14464]
.
=============== File Associations ===============
.
FileExt: .chm: chm.file="C:\Windows\hh.exe" %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-16 23:39:15 710504 ----a-w- C:\Windows\isRS-000.tmp
2013-01-16 23:38:16 -------- d-----w- C:\Users\IFM_ADMIN\AppData\Local\Programs
2013-01-16 23:13:45 -------- d-----w- C:\Windows\pss
2013-01-16 19:10:14 -------- d-----w- C:\HijackThis
2013-01-15 18:22:37 -------- d-----w- C:\Program Files\Enigma Software Group
2013-01-15 18:21:58 -------- d-----w- C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-15 18:21:57 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2013-01-15 18:14:21 -------- d-----w- C:\Users\IFM_ADMIN\AppData\Roaming\TestApp
2013-01-04 22:01:26 -------- d-----w- C:\Users\IFM_ADMIN\SametimeRooms
2012-12-31 19:20:17 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-12-31 19:20:16 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
2012-12-29 06:59:37 -------- d-----w- C:\Users\IFM_ADMIN\AppData\Roaming\TeamViewer
2012-12-28 20:16:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-12-28 20:16:10 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-12-28 20:12:59 5120 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2012-12-28 20:06:05 3147264 ----a-w- C:\Windows\System32\win32k.sys
2012-12-28 19:45:50 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
.
==================== Find3M ====================
.
2012-12-31 19:18:25 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-31 19:18:24 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-15 00:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-11-12 12:18:53 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-12 11:51:11 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-07 16:28:35 68920 ----a-w- C:\Windows\isamunin.exe
2012-10-30 22:43:17 60304 ----a-w- C:\Users\IFM_ADMIN\g2mdlhlpx.exe
2012-10-27 05:36:37 1197568 ----a-w- C:\Windows\System32\wininet.dll
2012-10-27 05:36:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2012-10-27 05:00:40 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-10-27 04:23:06 482816 ----a-w- C:\Windows\System32\html.iec
2012-10-27 03:52:14 386048 ----a-w- C:\Windows\SysWow64\html.iec
.
============= FINISH: 15:31:28.20 ===============

Edited by bloopie, 17 January 2013 - 07:07 PM.
Topic moved to MRL forum due to DDS log being posted. ~bloopie
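The DDS service entries in this log show one pattern repeated dozens of times: a legitimate service name with "32" (or "3232", "323232") appended, pointing at a randomly named .exe under C:\ProgramData, every one of them 706560 bytes. As an added triage example (not part of the original post, and not a DDS or BleepingComputer tool), the Python below parses lines in the DDS service format and flags exactly those three signals; the sample lines are copied from the log above, and KNOWN_SERVICE_NAMES is a small constructed baseline, not DDS's whitelist.

```python
"""Triage helper for the "Services" lines of a DDS log.

Added example, not part of the original post and not a DDS or BleepingComputer
tool. It parses lines of the form

    S2 Name;Display Name ;C:\\path\\image.exe [yyyy-m-d size]

and flags the pattern visible in the log above: a service whose name is a
known service name with one or more "32" suffixes bolted on, an image that
lives under C:\\ProgramData, and many distinct images that all share one file
size. KNOWN_SERVICE_NAMES is a small constructed list, not DDS's whitelist.
"""
import re
from collections import Counter

# Sample input: the first eight lines are copied from the DDS log in the post,
# the last two are benign entries from the same log and act as controls.
SAMPLE_LINES = r"""
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S2 SmcService32;Symantec Management Client ;C:\Windows\System32\NVWRSZHT32.exe --> C:\Windows\System32\NVWRSZHT32.exe [?]
S2 SmcService3232;Symantec Management Client ;C:\ProgramData\racpldlg32.exe [2011-8-27 706560]
S2 Spooler32;Print Spooler ;C:\ProgramData\mstext4032.exe [2011-8-27 706560]
S2 StorSvc32;Storage Service ;C:\ProgramData\DDACLSys32.exe [2011-8-27 706560]
S2 StorSvc3232;Storage Service ;C:\ProgramData\hnetcfg32.exe [2011-8-27 706560]
S2 VSS32;Volume Shadow Copy ;C:\ProgramData\dpnhpast32.exe [2011-8-27 706560]
S2 Winmgmt32;Windows Management Instrumentation ;C:\ProgramData\ftlx041132.exe [2011-8-27 706560]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-12-28 164200]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
""".strip().splitlines()

# Service names that exist on a stock Windows 7 box or belong to the security
# product in this log (constructed subset; extend it from your own baseline).
KNOWN_SERVICE_NAMES = {"spooler", "vss", "winmgmt", "storsvc", "bits",
                       "dnscache", "wscsvc", "smcservice"}

LINE_RE = re.compile(
    r"^(?P<kind>[SR])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
SUFFIX_RE = re.compile(r"^(?P<base>.+?)(?:32)+$")


def parse_service(line):
    """Return a dict for one DDS service line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The bracketed tail holds "[date size]", or "[?]" when DDS could not stat the file.
    path_part, _, meta = m.group("rest").rpartition("[")
    fields = meta.rstrip("]").split()
    size = int(fields[1]) if len(fields) == 2 and fields[1].isdigit() else None
    # DDS appends "--> <image>" when the registered path did not resolve; keep the first form.
    path = path_part.split("-->")[0].strip()
    return {"name": m.group("name").strip(), "display": m.group("display").strip(),
            "start": int(m.group("start")), "path": path, "size": size}


def triage(lines, known_names=KNOWN_SERVICE_NAMES, cluster_min=3):
    """Flag suspicious services and report file sizes shared by several of them."""
    services = [s for s in map(parse_service, lines) if s]
    seen = {s["name"].lower() for s in services}
    suspicious, sizes = [], Counter()
    for s in services:
        reasons = []
        if s["path"].lower().startswith("c:\\programdata\\"):
            reasons.append("image under C:\\ProgramData")
        m = SUFFIX_RE.match(s["name"])
        if m:
            base = m.group("base")
            # A legitimate name (from the baseline, or present in the same log) plus "32..."
            if base.lower() in known_names or base.lower() in seen:
                reasons.append(f"name shadows '{base}' with a 32 suffix")
        if reasons:
            suspicious.append({"name": s["name"], "path": s["path"], "reasons": reasons})
            if s["size"] is not None:
                sizes[s["size"]] += 1
    # Many distinct flagged images with one identical size points at one dropper.
    clusters = {size: n for size, n in sizes.items() if n >= cluster_min}
    return {"suspicious": suspicious, "size_clusters": clusters}


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for hit in report["suspicious"]:
        print(f"{hit['name']:<16} {hit['path']}")
        for why in hit["reasons"]:
            print(f"    - {why}")
    for size, n in report["size_clusters"].items():
        print(f"{n} flagged images share size {size} bytes")
```

Run it against the full "Services" block of a DDS log; every hit still needs a manual look at the file itself, but the size cluster is what separates a mass dropper from a single odd entry.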




#2 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 January 2013 - 07:53 PM

Hello bhasky,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

1.
Do you have a USB Flash Drive you can use?

2.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users: right-click on adwCleaner.exe and select the option shown in the image (image not captured).
  • Click the Search button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 bhasky
  • Topic Starter
  • Members
  • 20 posts

Posted 18 January 2013 - 12:28 PM

(1) Yes I have a USB Flash Drive I can use
(2) Log file as follows :
---------------------------------------------------------

# AdwCleaner v2.106 - Logfile created 01/18/2013 at 09:25:08
# Updated 17/01/2013 by Xplode
# Operating system : Windows 7 Professional (64 bits)
# User : bchatter - IFM-CWTKHU7QIXU
# Boot Mode : Normal
# Running from : C:\HijackThis\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\IFM_ADMIN\AppData\Local\OpenCandy
Folder Found : C:\Users\IFM_ADMIN\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1418 octets] - [18/01/2013 09:25:08]

########## EOF - C:\AdwCleaner[R1].txt - [1478 octets] ##########
----------------------------------------

#4 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 18 January 2013 - 12:41 PM

This may get way worse before it gets better just so you know.


1.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

2.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by fireman4it, 18 January 2013 - 12:58 PM.



#5 bhasky
  • Topic Starter
  • Members
  • 20 posts

Posted 18 January 2013 - 01:31 PM

Please see below :
(1)
# AdwCleaner v2.106 - Logfile created 01/18/2013 at 09:48:06
# Updated 17/01/2013 by Xplode
# Operating system : Windows 7 Professional (64 bits)
# User : bchatter - IFM-CWTKHU7QIXU
# Boot Mode : Normal
# Running from : C:\HijackThis\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\IFM_ADMIN\AppData\Local\OpenCandy
Folder Deleted : C:\Users\IFM_ADMIN\AppData\Roaming\OpenCandy

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\S

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17153

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\user.js ... Deleted !

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\IFM_ADMIN\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1547 octets] - [18/01/2013 09:25:08]
AdwCleaner[S1].txt - [1586 octets] - [18/01/2013 09:48:06]

########## EOF - C:\AdwCleaner[S1].txt - [1646 octets] ##########


(2)
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-01-2013
Ran by SYSTEM at 18-01-2013 10:17:46
Running from E:\
Windows 7 Professional (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [nwiz] nwiz.exe /installquiet [x]
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16414312 2009-12-03] (NVIDIA Corporation)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-21] (Synaptics Incorporated)
HKLM\...\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [69568 2009-12-21] (Lenovo Group Limited)
HKLM\...\Run: [AcWin7Hlpr] C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [36864 2009-10-13] ()
HKLM-x32\...\Run: [ALTOOLS] AccessL.exe [x]
HKLM-x32\...\Run: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor [1129832 2010-08-24] (Lenovo Group Limited)
HKLM-x32\...\Run: [C4EBReg] "C:\Program Files (x86)\C4ebreg\c4ebreg.exe" /q [511288 2012-11-07] (IFM Corp.)
HKLM-x32\...\Run: [Isamtray] "C:\Program Files (x86)\C4ebreg\isamtray.exe" [326968 2012-11-07] (IFM Corp.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe" [129648 2011-03-25] (VMware, Inc.)
HKLM-x32\...\Run: [stgclean] c:\sdwork\w32maing.exe /cleanup [291840 2012-11-28] (IFM Corp.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115560 2011-11-10] (Symantec Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\IFM_ADMIN\...\Run: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Network Client\NetSP.exe" -show [53600 2010-09-09] (AT&T)
HKU\IFM_ADMIN\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\IFM_ADMIN\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5664640 2012-10-11] (SUPERAntiSpyware.com)
HKU\IFM_ADMIN\...\Run: [Spotify Web Helper] "C:\Users\IFM_ADMIN\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [1199576 2012-11-30] (Spotify Ltd)
HKU\IFM_ADMIN\...\Run: [SymphonyPreLoad] "C:\Program Files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.standard.launcher.win32.x86_3.0.0.20101015-2340\IFM Lotus Symphony" -nogui -nosplash [x]
Tcpip\..\Interfaces\{7D3B0A18-F911-4935-8BFA-C3149C1CF46D}: [NameServer]8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{96D58186-8700-4FAD-B2C3-A3B2F6FDB6D7}: [NameServer]8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
Tcpip\..\Interfaces\{C314FA86-A8D8-4892-B662-C6A7A4D7A534}: [NameServer]9.0.128.50,9.0.130.50
Lsa: [Notification Packages] scecli ACGina
Startup: C:\Users\All Users\Start Menu\Programs\Startup\AT&T Global Network Client Monitor.lnk
ShortcutTarget: AT&T Global Network Client Monitor.lnk -> C:\Windows\Installer\{007AAB7C-E893-48BD-9DA2-7F417CA16322}\NetGM1_89563E53ECF44E868145468A128BDC83.exe (Acresso Software Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\InfoPrint Select Notification.lnk
ShortcutTarget: InfoPrint Select Notification.lnk -> C:\Program Files\IFM\Infoprint Select\ipnotify.exe ()
Startup: C:\Users\IFM_ADMIN\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

==================== Services (Whitelisted) ===================

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2012-10-11] (SUPERAntiSpyware.com)
2 AcSvc32; C:\ProgramData\wer32.exe [706560 2011-08-16] ()
2 AdobeARMservice32; C:\ProgramData\UXInit32.exe [706560 2011-08-16] ()
2 AdobeARMservice3232; C:\ProgramData\NlsLexicons004a32.exe [706560 2011-08-16] ()
2 AeLookupSvc32; C:\ProgramData\rdpcore32.exe [706560 2011-08-16] ()
2 AppMgmt32; C:\ProgramData\dpmodemx32.exe [706560 2011-08-16] ()
2 BDESVC32; C:\ProgramData\MediaMetadataHandler32.exe [706560 2011-08-16] ()
2 BESClient; "C:\Program Files (x86)\BigFix Enterprise\BES Client\BESClient.exe" [4678552 2011-12-05] (IFM Corp.)
2 BESClient32; C:\ProgramData\spwizres32.exe [706560 2011-08-16] ()
2 BFE32; C:\ProgramData\ws2help32.exe [706560 2011-08-16] ()
2 BFE3232; C:\ProgramData\cdosys32.exe [706560 2011-08-16] ()
2 BITS32; C:\ProgramData\MFC71ENU32.exe [706560 2011-08-16] ()
2 BITS3232; C:\ProgramData\AuthFWGP32.exe [706560 2011-08-16] ()
2 btwdins32; C:\ProgramData\fltLib32.exe [706560 2011-08-16] ()
2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2011-11-10] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2011-11-10] (Symantec Corporation)
2 CertPropSvc32; C:\ProgramData\ir50_qcx32.exe [706560 2011-08-16] ()
2 clr_optimization_v2.0.50727_3232; C:\ProgramData\devobj32.exe [706560 2011-08-16] ()
2 clr_optimization_v4.0.30319_3232; C:\ProgramData\drtprov32.exe [706560 2011-08-16] ()
2 clr_optimization_v4.0.30319_6432; C:\ProgramData\mscpx32r32.exe [706560 2011-08-16] ()
2 COMSysApp32; C:\ProgramData\mscms32.exe [706560 2011-08-16] ()
2 CryptSvc32; C:\ProgramData\dmusic32.exe [706560 2011-08-16] ()
2 CryptSvc3232; C:\ProgramData\WcsPlugInService32.exe [706560 2011-08-16] ()
2 CryptSvc323232; C:\ProgramData\udhisapi32.exe [706560 2011-08-16] ()
2 CscService32; C:\ProgramData\QSHVHOST32.exe [706560 2011-08-16] ()
2 CscService3232; C:\ProgramData\VBAME32.exe [706560 2011-08-16] ()
3 cstrcser; C:\Windows\SysWOW64\drivers\cstrcser.exe [36864 2010-05-26] (IFM Corporation)
2 CVPND32; C:\ProgramData\ir50_3232.exe [706560 2011-08-16] ()
2 DcomLaunch32; C:\ProgramData\mscories32.exe [706560 2011-08-16] ()
2 DcomLaunch3232; C:\ProgramData\WfHC32.exe [706560 2011-08-16] ()
2 Dnscache32; C:\ProgramData\sppcomapi32.exe [706560 2011-08-16] ()
2 Dnscache3232; C:\ProgramData\dsdmo32.exe [706560 2011-08-16] ()
3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [164200 2010-08-24] (Lenovo.)
2 EapHost32; C:\ProgramData\cryptbase32.exe [706560 2011-08-16] ()
2 EFS32; C:\ProgramData\mscorier32.exe [706560 2011-08-16] ()
2 EFS3232; C:\ProgramData\KBDYAK32.exe [706560 2011-08-16] ()
2 ehSched32; C:\ProgramData\Sens32.exe [706560 2011-08-16] ()
2 EraserSvc1111332; C:\ProgramData\DDOIProxy32.exe [706560 2011-08-16] ()
2 fdPHost32; C:\ProgramData\ir50_qc32.exe [706560 2011-08-16] ()
2 FontCache3.0.0.032; C:\ProgramData\OobeFldr32.exe [706560 2011-08-16] ()
2 FontCache3.0.0.03232; C:\ProgramData\KBDARME32.exe [706560 2011-08-16] ()
2 FontCache32; C:\ProgramData\NVWRSSV32.exe [706560 2011-08-16] ()
2 gupdate32; C:\ProgramData\netshell32.exe [706560 2011-08-16] ()
2 gupdate3232; C:\ProgramData\dmvdsitf32.exe [706560 2011-08-16] ()
2 hidserv32; C:\ProgramData\dsprop32.exe [706560 2011-08-16] ()
2 HomeGroupListener32; C:\ProgramData\PhotoMetadataHandler32.exe [706560 2011-08-16] ()
2 HomeGroupListener3232; C:\ProgramData\chsbrkr32.exe [706560 2011-08-16] ()
2 HomeGroupProvider32; C:\ProgramData\mcicda32.exe [706560 2011-08-16] ()
2 HomeGroupProvider3232; C:\ProgramData\rdprefdrvapi32.exe [706560 2011-08-16] ()
2 IKEEXT32; C:\ProgramData\eventcls32.exe [706560 2011-08-16] ()
2 Intelligent Response Agent; C:\Program Files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe -service -servicename Intelligent Response Agent [13387128 2012-09-25] ()
2 IPBusEnum32; C:\ProgramData\msvcrt2032.exe [706560 2011-08-16] ()
2 IPBusEnum3232; C:\ProgramData\ndproxystub32.exe [706560 2011-08-16] ()
2 iphlpsvc32; C:\ProgramData\FirewallControlPanel32.exe [706560 2011-08-16] ()
2 ISAMSvc; "C:\Program Files (x86)\C4ebreg\c4ebreg.exe" [511288 2012-11-07] (IFM Corp.)
2 ISAMSvc32; C:\ProgramData\wiavideo32.exe [706560 2011-08-16] ()
2 ISAMSvc3232; C:\ProgramData\scecli32.exe [706560 2011-08-16] ()
2 ISSIMon; "C:\sdwork\issimsvc.exe" [184088 2012-09-10] (IFM Corp.)
2 KeyIso32; C:\ProgramData\pnidui32.exe [706560 2011-08-16] ()
2 LENOVO.CAMMUTE32; C:\ProgramData\actxprxy32.exe [706560 2011-08-16] ()
2 LENOVO.CAMMUTE3232; C:\ProgramData\stclient32.exe [706560 2011-08-16] ()
2 LENOVO.CAMMUTE323232; C:\ProgramData\avrt32.exe [706560 2011-08-16] ()
2 LENOVO.CAMMUTE32323232; C:\ProgramData\ole2disp32.exe [706560 2011-08-16] ()
2 LENOVO.CAMMUTE3232323232; C:\ProgramData\WsmRes32.exe [706560 2011-08-16] ()
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2010-09-07] (Symantec Corporation)
2 lmhosts32; C:\ProgramData\NlsData004532.exe [706560 2011-08-16] ()
2 lmhosts3232; C:\ProgramData\xwizards32.exe [706560 2011-08-16] ()
2 Lotus Notes Diagnostics; C:\notes\nsd.exe -svcinvoke -ini "C:\notes\notes.ini" [12929 2013-01-18] ()
2 Mcx2Svc32; C:\ProgramData\KBDUSA32.exe [706560 2011-08-16] ()
2 Mcx2Svc3232; C:\ProgramData\ig4icd3232.exe [706560 2011-08-16] ()
2 MSDTC32; C:\ProgramData\api-ms-win-core-sysinfo-l1-1-032.exe [706560 2011-08-16] ()
2 MSiSCSI32; C:\ProgramData\rastls32.exe [706560 2011-08-16] ()
2 msiserver32; C:\ProgramData\keymgr32.exe [706560 2011-08-16] ()
2 Multi-user Cleanup Service; C:\notes\ntmulti.exe [58760 2009-09-29] (IFM Corp)
2 napagent32; C:\ProgramData\profapi32.exe [706560 2011-08-16] ()
2 netcfgsvr; "C:\Program Files (x86)\AT&T Network Client\netcfgsvr.exe" [476000 2010-09-09] (AT&T)
2 NetClientSvc; "C:\Program Files (x86)\AT&T Network Client\NetClientSvc.exe" [349536 2010-09-09] (AT&T)
2 Netlogon32; C:\ProgramData\hlink32.exe [706560 2011-08-16] ()
2 Netlogon3232; C:\ProgramData\NlsData000c32.exe [706560 2011-08-16] ()
2 NetLogSvc; "C:\Program Files (x86)\AT&T Network Client\NetLogSvc.exe" [79200 2010-09-09] (AT&T)
2 NetLogSvc32; C:\ProgramData\msxml3r32.exe [706560 2011-08-16] ()
2 NetTcpPortSharing32; C:\ProgramData\netapi3232.exe [706560 2011-08-16] ()
2 NlaSvc32; C:\ProgramData\wzcdlg32.exe [706560 2011-08-16] ()
2 NlaSvc3232; C:\ProgramData\msdart32.exe [706560 2011-08-16] ()
2 nsi32; C:\ProgramData\qmgrprxy32.exe [706560 2011-08-16] ()
2 NVIDIA Performance Driver Service; "C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe" [6807656 2009-10-27] ()
2 NVIDIA Performance Driver Service32; C:\ProgramData\nshwfp32.exe [706560 2011-08-16] ()
2 NVIDIA Performance Driver Service3232; C:\ProgramData\sud32.exe [706560 2011-08-16] ()
2 NWVZHelper; C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [270848 2010-06-14] (Novatel Wireless Inc.)
2 p2psvc32; C:\ProgramData\cmdial3232.exe [706560 2011-08-16] ()
2 PcaSvc32; C:\ProgramData\msiltcfg32.exe [706560 2011-08-16] ()
2 PNRPAutoReg32; C:\ProgramData\nvcuvenc32.exe [706560 2011-08-16] ()
2 PolicyAgent32; C:\ProgramData\NVWRSDE32.exe [706560 2011-08-16] ()
2 PolicyAgent3232; C:\ProgramData\WMVENCOD32.exe [706560 2011-08-16] ()
2 PolicyAgent323232; C:\ProgramData\ulib32.exe [706560 2011-08-16] ()
2 ProtectedStorage32; C:\ProgramData\InkEd32.exe [706560 2011-08-16] ()
2 QWAVE32; C:\ProgramData\hid32.exe [706560 2011-08-16] ()
2 RasMan32; C:\ProgramData\setupcln32.exe [706560 2011-08-16] ()
2 RegSrvc32; C:\ProgramData\Wldap3232.exe [706560 2011-08-16] ()
2 RpcEptMapper32; C:\ProgramData\dot3msm32.exe [706560 2011-08-16] ()
2 seclogon32; C:\ProgramData\cmutil32.exe [706560 2011-08-16] ()
2 seclogon3232; C:\ProgramData\KBDFI32.exe [706560 2011-08-16] ()
2 SENS32; C:\ProgramData\qedwipes32.exe [706560 2011-08-16] ()
2 SENS3232; C:\ProgramData\Sensor32.exe [706560 2011-08-16] ()
2 SessionEnv32; C:\ProgramData\NetPLAP6432.exe [706560 2011-08-16] ()
2 SharedAccess3232; C:\ProgramData\mpr32.exe [706560 2011-08-16] ()
2 ShellHWDetection32; C:\ProgramData\advapi3232.exe [706560 2011-08-16] ()
2 SmcService; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" [3249768 2011-11-10] (Symantec Corporation)
2 SmcService32; C:\Windows\SysWow64\NVWRSZHT32.exe [706560 2011-08-16] ()
2 SmcService3232; C:\ProgramData\racpldlg32.exe [706560 2011-08-16] ()
2 SmcService323232; C:\ProgramData\KBDHAU32.exe [706560 2011-08-16] ()
4 SNAC; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE" [428912 2011-11-10] (Symantec Corporation)
2 SNMPTRAP32; C:\ProgramData\uexfat32.exe [706560 2011-08-16] ()
2 Spooler32; C:\ProgramData\mstext4032.exe [706560 2011-08-16] ()
2 sppsvc32; C:\ProgramData\vpncategories32.exe [706560 2011-08-16] ()
2 sppsvc3232; C:\ProgramData\KBDINGUJ32.exe [706560 2011-08-16] ()
2 sppuinotify32; C:\ProgramData\NVWRSNL32.exe [706560 2011-08-16] ()
2 sppuinotify3232; C:\ProgramData\api-ms-win-service-management-l1-1-032.exe [706560 2011-08-16] ()
2 stllssvr32; C:\ProgramData\iasdatastore32.exe [706560 2011-08-16] ()
2 StorSvc32; C:\ProgramData\DDACLSys32.exe [706560 2011-08-16] ()
2 StorSvc3232; C:\ProgramData\hnetcfg32.exe [706560 2011-08-16] ()
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1839776 2011-11-10] (Symantec Corporation)
2 Symantec AntiVirus32; C:\ProgramData\bitsprx432.exe [706560 2011-08-16] ()
2 Symantec AntiVirus3232; C:\ProgramData\adsmsext32.exe [706560 2011-08-16] ()
2 TabletInputService32; C:\ProgramData\NlsLexicons004732.exe [706560 2011-08-16] ()
2 TabletInputService3232; C:\ProgramData\rasapi3232.exe [706560 2011-08-16] ()
2 TabletInputService323232; C:\ProgramData\XAudio6432.exe [706560 2011-08-16] ()
2 TapiSrv32; C:\ProgramData\dot3gpclnt32.exe [706560 2011-08-16] ()
2 TPHDEXLGSVC32; C:\ProgramData\KBDSW0932.exe [706560 2011-08-16] ()
2 TPHKSVC32; C:\ProgramData\nvdecodemft32.exe [706560 2011-08-16] ()
2 TPHKSVC3232; C:\ProgramData\NlsData000a32.exe [706560 2011-08-16] ()
3 TRCTARGET; "C:\Program Files (x86)\IFM\Tivoli\Remote Control\Target\trc_base.exe" -s [745472 2012-02-09] (IFM Corporation)
2 TrustedInstaller32; C:\ProgramData\MSMPEG2ENC32.exe [706560 2011-08-16] ()
2 UI0Detect32; C:\ProgramData\WebClnt32.exe [706560 2011-08-16] ()
2 UmRdpService32; C:\ProgramData\NlsLexicons081632.exe [706560 2011-08-16] ()
2 upnphost32; C:\ProgramData\KBDBGPH132.exe [706560 2011-08-16] ()
2 upnphost3232; C:\ProgramData\mciwave32.exe [706560 2011-08-16] ()
2 UxSms32; C:\ProgramData\srhelper32.exe [706560 2011-08-16] ()
2 VaultSvc32; C:\ProgramData\SortServer2003Compat32.exe [706560 2011-08-16] ()
2 VaultSvc3232; C:\ProgramData\PortableDeviceWiaCompat32.exe [706560 2011-08-16] ()
2 VaultSvc323232; C:\ProgramData\cngprovider32.exe [706560 2011-08-16] ()
2 vds32; C:\ProgramData\KBDDA32.exe [706560 2011-08-16] ()
2 VMnetDHCP32; C:\ProgramData\imgutil32.exe [706560 2011-08-16] ()
2 VMnetDHCP3232; C:\ProgramData\authz32.exe [706560 2011-08-16] ()
2 VMnetDHCP323232; C:\ProgramData\fdSSDP32.exe [706560 2011-08-16] ()
2 VMnetDHCP32323232; C:\ProgramData\KBDFO32.exe [706560 2011-08-16] ()
2 VMUSBArbService32; C:\ProgramData\spbcd32.exe [706560 2011-08-16] ()
2 VMUSBArbService3232; C:\ProgramData\WinSATAPI32.exe [706560 2011-08-16] ()
2 VSS32; C:\ProgramData\dpnhpast32.exe [706560 2011-08-16] ()
2 WatAdminSvc32; C:\ProgramData\SSShim32.exe [706560 2011-08-16] ()
2 wcncsvc32; C:\ProgramData\qedit32.exe [706560 2011-08-16] ()
2 WcsPlugInService32; C:\ProgramData\AzSqlExt32.exe [706560 2011-08-16] ()
2 WdiServiceHost32; C:\ProgramData\nvencodemft32.exe [706560 2011-08-16] ()
2 WebClient32; C:\ProgramData\storage32.exe [706560 2011-08-16] ()
2 Wecsvc32; C:\ProgramData\Faultrep32.exe [706560 2011-08-16] ()
2 Wecsvc3232; C:\ProgramData\ole232.exe [706560 2011-08-16] ()
2 WerSvc32; C:\ProgramData\C_ISCII32.exe [706560 2011-08-16] ()
2 WinHttpAutoProxySvc32; C:\ProgramData\msjet4032.exe [706560 2011-08-16] ()
2 WinHttpAutoProxySvc3232; C:\ProgramData\nvcuvid32.exe [706560 2011-08-16] ()
2 Winmgmt32; C:\ProgramData\ftlx041132.exe [706560 2011-08-16] ()
2 Winmgmt3232; C:\ProgramData\DeviceMetadataParsers32.exe [706560 2011-08-16] ()
2 Wlansvc32; C:\ProgramData\api-ms-win-core-memory-l1-1-032.exe [706560 2011-08-16] ()
2 WPCSvc32; C:\ProgramData\IasMigPlugin32.exe [706560 2011-08-16] ()
2 WPCSvc3232; C:\ProgramData\nlmsprep32.exe [706560 2011-08-16] ()
2 WRTService; C:\Windows\wrtService.exe [122880 2008-09-18] ()
2 wscsvc32; C:\ProgramData\NVWRSESM32.exe [706560 2011-08-16] ()
2 WwanSvc32; C:\ProgramData\networkexplorer32.exe [706560 2011-08-16] ()
3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Workstation\\" -s ufad-p2v.xml [x]

==================== Drivers (Whitelisted) =====================

1 agnfilt; C:\Windows\System32\Drivers\agnfilt.sys [190464 2010-09-09] (AT&T)
3 avpnnic; C:\Windows\System32\Drivers\avpnnic.sys [14848 2010-06-29] (AT&T)
3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-02-16] ()
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-09] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-09] (Symantec Corporation)
3 iaNvStor; C:\Windows\System32\Drivers\iaNvStor.sys [344600 2009-08-20] (Intel Corporation)
3 Mandiant_Tools; \??\C:\ProgramData\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [25168 2012-10-31] ()
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130117.025\ENG64.SYS [126192 2013-01-16] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130117.025\EX64.SYS [2087664 2013-01-16] (Symantec Corporation)
3 OXSDIDRV_x64; C:\Windows\System32\Drivers\OXSDIDRV_x64.sys [51760 2009-09-28] ()
3 qcfilterlno2k; C:\Windows\System32\Drivers\qcfilterlno2k.sys [5248 2009-12-17] (QUALCOMM Incorporated)
3 qcusbserlno2k; C:\Windows\System32\Drivers\qcusbserlno2k.sys [106368 2009-12-17] (QUALCOMM Incorporated)
1 RxFilter; C:\Windows\SysWow64\Drivers\RxFilter.sys [65520 2009-09-16] (Sonic Solutions)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [449072 2011-11-10] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482352 2011-11-10] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2011-11-10] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [173616 2012-02-13] (Symantec Corporation)
3 Teefer2; C:\Windows\System32\Drivers\Teefer2.sys [64048 2011-11-10] (Symantec Corporation)
1 TPPWRIF; C:\Windows\System32\drivers\Tppwr64v.sys [13104 2010-08-24] ()
1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [53808 2011-11-10] (Symantec Corporation)
3 WpsHelper; C:\Windows\System32\Drivers\WpsHelper.sys [233120 2012-09-30] (Symantec Corporation)
2 PMEM; \??\C:\Windows\system32\drivers\PMEMNT.SYS [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-18 09:48 - 2013-01-18 09:48 - 00001715 ____A C:\AdwCleaner[S1].txt
2013-01-18 09:25 - 2013-01-18 09:30 - 00001547 ____A C:\AdwCleaner[R1].txt
2013-01-17 15:31 - 2013-01-17 15:31 - 00038553 ____A C:\Users\IFM_ADMIN\Desktop\dds.txt
2013-01-17 15:31 - 2013-01-17 15:31 - 00011192 ____A C:\Users\IFM_ADMIN\Desktop\attach.txt
2013-01-17 15:28 - 2013-01-17 15:28 - 00688992 ____R (Swearware) C:\Users\IFM_ADMIN\Desktop\dds.com
2013-01-16 15:13 - 2013-01-16 15:13 - 00000000 ____D C:\Windows\pss
2013-01-16 11:10 - 2013-01-18 10:01 - 00000000 ____D C:\HijackThis
2013-01-16 11:06 - 2013-01-16 11:06 - 00318740 ____A C:\html.txt
2013-01-15 10:24 - 2013-01-15 10:24 - 00000000 ____A C:\autoexec.bat
2013-01-15 10:22 - 2013-01-15 10:22 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-01-15 10:21 - 2013-01-15 10:34 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-15 10:14 - 2013-01-15 10:14 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\TestApp
2013-01-14 15:56 - 2013-01-14 16:23 - 00000130 ____A C:\Users\IFM_ADMIN\Desktop\dinesh_options.txt
2013-01-11 12:46 - 2013-01-11 12:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-07 15:42 - 2013-01-09 10:56 - 00001432 ____A C:\Users\IFM_ADMIN\Documents\India_career.txt
2013-01-07 07:59 - 2013-01-08 11:57 - 12808565 ____A C:\Users\IFM_ADMIN\Desktop\Forever 21 20130108.pptx
2013-01-04 14:01 - 2013-01-04 14:01 - 00000000 ____D C:\Users\IFM_ADMIN\SametimeRooms
2013-01-04 13:09 - 2013-01-07 07:31 - 07904256 ____A C:\Users\IFM_ADMIN\Desktop\2013 07 01 - FE21 OMS Overview.ppt
2013-01-03 15:55 - 2013-01-03 15:55 - 00000056 ____A C:\Users\IFM_ADMIN\Desktop\architect.txt
2013-01-03 13:57 - 2013-01-04 10:01 - 03092655 ____A C:\Users\IFM_ADMIN\Desktop\Affinion - Use Case Overview v2.2.pptx
2013-01-02 08:29 - 2013-01-02 08:29 - 00298552 ____A C:\Windows\Minidump\010213-59514-01.dmp
2012-12-31 11:20 - 2012-11-01 21:27 - 00478208 ____A (Microsoft Corporation) C:\Windows\System32\dpnet.dll
2012-12-31 11:20 - 2012-11-01 20:48 - 00376832 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2012-12-28 23:15 - 2012-12-29 00:45 - 00000017 ____A C:\Users\IFM_ADMIN\Desktop\Baba_teamviewer.txt
2012-12-28 22:59 - 2012-12-28 23:16 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\TeamViewer
2012-12-28 12:16 - 2012-10-04 09:35 - 00016384 ____A (Microsoft Corporation) C:\Windows\System32\ntvdm64.dll
2012-12-28 12:16 - 2012-10-04 06:49 - 00014336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00005120 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00004608 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2012-12-28 12:13 - 2012-10-04 06:44 - 00004608 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:38 - 00362496 ____A (Microsoft Corporation) C:\Windows\System32\wow64win.dll
2012-12-28 12:12 - 2012-10-04 09:38 - 00243200 ____A (Microsoft Corporation) C:\Windows\System32\wow64.dll
2012-12-28 12:12 - 2012-10-04 09:38 - 00215040 ____A (Microsoft Corporation) C:\Windows\System32\winsrv.dll
2012-12-28 12:12 - 2012-10-04 09:38 - 00013312 ____A (Microsoft Corporation) C:\Windows\System32\wow64cpu.dll
2012-12-28 12:12 - 2012-10-04 09:32 - 01161216 ____A (Microsoft Corporation) C:\Windows\System32\kernel32.dll
2012-12-28 12:12 - 2012-10-04 09:32 - 00425984 ____A (Microsoft Corporation) C:\Windows\System32\KernelBase.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00006144 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00004096 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003584 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 09:28 - 00003072 ___AH (Microsoft Corporation) C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:54 - 01114112 ____A (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2012-12-28 12:12 - 2012-10-04 08:54 - 00274944 ____A (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2012-12-28 12:12 - 2012-10-04 08:54 - 00005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00005120 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00004096 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 08:45 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 07:19 - 00338432 ____A (Microsoft Corporation) C:\Windows\System32\conhost.exe
2012-12-28 12:12 - 2012-10-04 06:49 - 00025600 ____A (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2012-12-28 12:12 - 2012-10-04 06:49 - 00007680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2012-12-28 12:12 - 2012-10-04 06:49 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2012-12-28 12:12 - 2012-10-04 06:44 - 00006144 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 06:44 - 00003584 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2012-12-28 12:12 - 2012-10-04 06:44 - 00003072 ___AH (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2012-12-28 12:06 - 2012-11-22 00:20 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-12-28 11:47 - 2012-11-12 05:24 - 06029824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-12-28 11:47 - 2012-11-12 04:18 - 01638912 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-12-28 11:47 - 2012-11-12 03:51 - 01638912 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-12-28 11:47 - 2012-10-26 21:36 - 01197568 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-12-28 11:47 - 2012-10-26 21:36 - 01026560 ____A (Microsoft Corporation) C:\Windows\System32\mstime.dll
2012-12-28 11:47 - 2012-10-26 21:36 - 00736256 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-12-28 11:47 - 2012-10-26 21:36 - 00097792 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-12-28 11:47 - 2012-10-26 21:36 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-12-28 11:47 - 2012-10-26 21:35 - 02458624 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-12-28 11:47 - 2012-10-26 21:00 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-12-28 11:47 - 2012-10-26 21:00 - 00627200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-12-28 11:47 - 2012-10-26 21:00 - 00606208 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mstime.dll
2012-12-28 11:47 - 2012-10-26 21:00 - 00067584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-12-28 11:47 - 2012-10-26 21:00 - 00064512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2012-12-28 11:47 - 2012-10-26 20:59 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-12-28 11:46 - 2012-11-12 06:11 - 09375232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-12-28 11:46 - 2012-10-26 21:36 - 00134144 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-12-28 11:46 - 2012-10-26 21:36 - 00082944 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2012-12-28 11:46 - 2012-10-26 21:36 - 00057856 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2012-12-28 11:46 - 2012-10-26 21:35 - 00445952 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2012-12-28 11:46 - 2012-10-26 21:35 - 00256000 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2012-12-28 11:46 - 2012-10-26 21:35 - 00247808 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-12-28 11:46 - 2012-10-26 21:33 - 00012288 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2012-12-28 11:46 - 2012-10-26 21:00 - 00132096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-12-28 11:46 - 2012-10-26 20:59 - 02072576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-12-28 11:46 - 2012-10-26 20:59 - 00381440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2012-12-28 11:46 - 2012-10-26 20:59 - 00185856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2012-12-28 11:46 - 2012-10-26 20:59 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-12-28 11:46 - 2012-10-26 20:57 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2012-12-28 11:46 - 2012-10-26 20:23 - 00482816 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2012-12-28 11:46 - 2012-10-26 19:52 - 00386048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2012-12-28 11:45 - 2012-10-26 21:36 - 01501696 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-12-28 11:45 - 2012-10-26 21:35 - 12404736 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-12-28 11:45 - 2012-10-26 21:00 - 01230848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-12-28 11:45 - 2012-10-26 20:59 - 11019776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-12-28 11:45 - 2012-10-26 20:59 - 00044544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll


==================== One Month Modified Files and Folders =======

2013-01-18 10:13 - 2009-07-13 21:13 - 00730528 ____A C:\Windows\System32\PerfStringBackup.INI
2013-01-18 10:07 - 2009-07-13 20:45 - 00016528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-18 10:07 - 2009-07-13 20:45 - 00016528 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-18 10:01 - 2013-01-16 11:10 - 00000000 ____D C:\HijackThis
2013-01-18 10:01 - 2011-07-05 12:44 - 00089373 ____A C:\Users\IFM_ADMIN\seditor.launcher.log
2013-01-18 10:00 - 2011-08-26 09:44 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-18 10:00 - 2011-03-25 11:08 - 00000000 ____D C:\Users\All Users\VMware
2013-01-18 09:59 - 2010-11-11 17:38 - 00000000 ____D C:\Program Files (x86)\C4ebreg
2013-01-18 09:59 - 2010-11-11 17:35 - 00000000 ____D C:\sdwork
2013-01-18 09:59 - 2010-07-13 15:37 - 00099840 ____A C:\Windows\PFRO.log
2013-01-18 09:59 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-18 09:59 - 2009-07-13 20:51 - 00069461 ____A C:\Windows\setupact.log
2013-01-18 09:48 - 2013-01-18 09:48 - 00001715 ____A C:\AdwCleaner[S1].txt
2013-01-18 09:42 - 2012-04-12 19:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-18 09:40 - 2011-08-26 09:44 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-18 09:35 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\Registration
2013-01-18 09:30 - 2013-01-18 09:25 - 00001547 ____A C:\AdwCleaner[R1].txt
2013-01-18 08:37 - 2011-04-29 14:25 - 00011410 ____A C:\cpsweb.log
2013-01-17 15:31 - 2013-01-17 15:31 - 00038553 ____A C:\Users\IFM_ADMIN\Desktop\dds.txt
2013-01-17 15:31 - 2013-01-17 15:31 - 00011192 ____A C:\Users\IFM_ADMIN\Desktop\attach.txt
2013-01-17 15:28 - 2013-01-17 15:28 - 00688992 ____R (Swearware) C:\Users\IFM_ADMIN\Desktop\dds.com
2013-01-17 14:46 - 2010-11-11 17:08 - 00000000 ____D C:\Program Files (x86)\WST
2013-01-16 15:40 - 2011-09-01 15:05 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-01-16 15:15 - 2012-05-07 14:11 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-01-16 15:13 - 2013-01-16 15:13 - 00000000 ____D C:\Windows\pss
2013-01-16 15:13 - 2011-09-14 07:39 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\Spotify
2013-01-16 11:10 - 2010-06-28 20:27 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Local\VirtualStore
2013-01-16 11:06 - 2013-01-16 11:06 - 00318740 ____A C:\html.txt
2013-01-16 09:33 - 2011-09-14 07:39 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Local\Spotify
2013-01-15 10:34 - 2013-01-15 10:21 - 00000000 ____D C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-15 10:24 - 2013-01-15 10:24 - 00000000 ____A C:\autoexec.bat
2013-01-15 10:22 - 2013-01-15 10:22 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-01-15 10:14 - 2013-01-15 10:14 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\TestApp
2013-01-14 16:23 - 2013-01-14 15:56 - 00000130 ____A C:\Users\IFM_ADMIN\Desktop\dinesh_options.txt
2013-01-11 12:46 - 2013-01-11 12:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-11 12:21 - 2011-05-01 05:21 - 00000000 ____D C:\Users\IFM_ADMIN\Desktop\expenses
2013-01-11 12:21 - 2011-05-01 05:21 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\PrimoPDF
2013-01-09 10:56 - 2013-01-07 15:42 - 00001432 ____A C:\Users\IFM_ADMIN\Documents\India_career.txt
2013-01-09 06:38 - 2012-10-06 23:17 - 00000000 ____D C:\Users\IFM_ADMIN\Desktop\Bhaskar_resume
2013-01-08 12:00 - 2011-03-25 11:19 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\VMware
2013-01-08 12:00 - 2011-03-25 11:19 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Local\VMware
2013-01-08 11:57 - 2013-01-07 07:59 - 12808565 ____A C:\Users\IFM_ADMIN\Desktop\Forever 21 20130108.pptx
2013-01-07 07:31 - 2013-01-04 13:09 - 07904256 ____A C:\Users\IFM_ADMIN\Desktop\2013 07 01 - FE21 OMS Overview.ppt
2013-01-07 00:39 - 2012-06-25 07:24 - 00000000 ____D C:\Users\IFM_ADMIN\Documents\SametimeFileTransfers
2013-01-04 14:01 - 2013-01-04 14:01 - 00000000 ____D C:\Users\IFM_ADMIN\SametimeRooms
2013-01-04 14:01 - 2010-06-28 20:27 - 00000000 ____D C:\users\IFM_ADMIN
2013-01-04 10:01 - 2013-01-03 13:57 - 03092655 ____A C:\Users\IFM_ADMIN\Desktop\Affinion - Use Case Overview v2.2.pptx
2013-01-03 15:55 - 2013-01-03 15:55 - 00000056 ____A C:\Users\IFM_ADMIN\Desktop\architect.txt
2013-01-03 06:32 - 2011-06-14 08:53 - 00000000 ____D C:\sterlingdnlds
2013-01-02 08:29 - 2013-01-02 08:29 - 00298552 ____A C:\Windows\Minidump\010213-59514-01.dmp
2013-01-02 08:29 - 2011-03-18 17:57 - 1174322935 ____A C:\Windows\MEMORY.DMP
2013-01-02 08:29 - 2010-07-14 08:01 - 00000000 ____D C:\Windows\Minidump
2012-12-31 11:21 - 2011-03-17 06:12 - 01957697 ____A C:\Windows\WindowsUpdate.log
2012-12-31 11:18 - 2012-04-12 19:42 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-12-31 11:18 - 2011-07-20 15:17 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-12-29 10:34 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2012-12-29 09:53 - 2009-07-13 20:45 - 00464960 ____A C:\Windows\System32\FNTCACHE.DAT
2012-12-29 00:45 - 2012-12-28 23:15 - 00000017 ____A C:\Users\IFM_ADMIN\Desktop\Baba_teamviewer.txt
2012-12-28 23:16 - 2012-12-28 22:59 - 00000000 ____D C:\Users\IFM_ADMIN\AppData\Roaming\TeamViewer
2012-12-28 12:02 - 2011-04-22 12:52 - 00000000 ____D C:\Users\All Users\Microsoft Help


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-01-14 13:42:57
Restore point made on: 2013-01-15 10:22:14
Restore point made on: 2013-01-15 10:33:37

==================== Memory info ===========================

Percentage of memory in use: 6%
Total physical RAM: 16315.52 MB
Available physical RAM: 15177.89 MB
Total Pagefile: 16313.66 MB
Available Pagefile: 15168.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================

1 Drive c: (Windows7_c4eb) (Fixed) (Total:465.76 GB) (Free:132.75 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (2009_03_05_09H03M_PM) (CDROM) (Total:1.13 GB) (Free:0 GB) UDF
3 Drive e: () (Removable) (Total:0.49 GB) (Free:0.48 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 498 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 465 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C Windows7_c4 NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 497 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E FAT Removable 497 MB Healthy

=========================================================

Last Boot: 2013-01-14 13:35

==================== End Of Log =============================

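The services block above has a pattern that can be triaged mechanically: every entry whose image lives in C:\ProgramData has exactly the same size (706560) and date (2011-08-16), an empty company field, and a name built from a real service name plus one or more trailing "32" (VaultSvc32, VaultSvc3232, VaultSvc323232). The following Python script is an added example, not part of the original thread or of FRST, DDS or ComboFix; it parses FRST-style service lines from a constructed sample copied from the log above and flags entries that show at least two of those signals. The list of known Windows service names, the writable-directory list and the cluster threshold are assumptions to be extended for real use.

```python
"""Triage the 'Services' section of an FRST log for replicator-style rogue services."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: service lines copied from the FRST log above, including
# three legitimate entries (Symantec AntiVirus, TRCTARGET, WRTService) for contrast
# and one '[x]' line (file not found) that FRST prints without size or date.
SAMPLE_LOG = r"""
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [1839776 2011-11-10] (Symantec Corporation)
2 Symantec AntiVirus32; C:\ProgramData\bitsprx432.exe [706560 2011-08-16] ()
2 TabletInputService32; C:\ProgramData\NlsLexicons004732.exe [706560 2011-08-16] ()
2 TrustedInstaller32; C:\ProgramData\MSMPEG2ENC32.exe [706560 2011-08-16] ()
2 VaultSvc3232; C:\ProgramData\PortableDeviceWiaCompat32.exe [706560 2011-08-16] ()
2 VMnetDHCP32323232; C:\ProgramData\KBDFO32.exe [706560 2011-08-16] ()
2 Winmgmt32; C:\ProgramData\ftlx041132.exe [706560 2011-08-16] ()
3 TRCTARGET; "C:\Program Files (x86)\IFM\Tivoli\Remote Control\Target\trc_base.exe" -s [745472 2012-02-09] (IFM Corporation)
2 WRTService; C:\Windows\wrtService.exe [122880 2008-09-18] ()
3 ufad-ws60; "C:\Program Files (x86)\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files (x86)\VMware\VMware Workstation\\" -s ufad-p2v.xml [x]
"""

# FRST service line: <start type> <name>; <image> [<size> <yyyy-mm-dd>] (<company>)
SERVICE_RE = re.compile(
    r'^(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<image>.+?)\s+'
    r'\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)$'
)

# Assumption: a small sample of genuine Windows 7 service names (the stems of the
# rogue names in the log above). Extend this for real use.
KNOWN_WINDOWS_SERVICES = {
    'TabletInputService', 'TapiSrv', 'TrustedInstaller', 'UI0Detect', 'UmRdpService',
    'upnphost', 'UxSms', 'VaultSvc', 'vds', 'VSS', 'WatAdminSvc', 'wcncsvc', 'WebClient',
    'Wecsvc', 'WerSvc', 'WinHttpAutoProxySvc', 'Winmgmt', 'Wlansvc', 'WPCSvc', 'wscsvc',
}
# Locations a standard user can write to; a service image here is a red flag.
WRITABLE_DIRS = ('\\programdata\\', '\\users\\', '\\windows\\temp\\')


@dataclass
class Service:
    start: int
    name: str
    image: str          # command line exactly as FRST printed it
    size: int
    date: str
    company: str        # empty string when FRST printed '()'
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Parse FRST service lines; lines without [size date] (e.g. '[x]') are skipped."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(int(m['start']), m['name'], m['image'],
                               int(m['size']), m['date'], m['company']))
    return out


def binary_path(image):
    """Return the executable path from FRST's image column, quoted or bare."""
    image = image.strip()
    if image.startswith('"'):
        return image[1:image.index('"', 1)]
    end = image.lower().find('.exe')
    return image[:end + 4] if end != -1 else image.split()[0]


def assess(entries, min_cluster=4):
    """Attach reason tags to each entry and return those with at least two."""
    by_fingerprint = defaultdict(list)
    for e in entries:
        by_fingerprint[(e.size, e.date)].append(e)
    legit_names = KNOWN_WINDOWS_SERVICES | {e.name for e in entries}
    for e in entries:
        e.reasons = []
        path = binary_path(e.image).lower()
        if any(d in path for d in WRITABLE_DIRS):
            e.reasons.append('writable_dir')
        if not e.company:
            e.reasons.append('no_version_info')   # weak on its own (see WRTService)
        stem = re.sub(r'(?:32)+$', '', e.name)    # 'VaultSvc3232' -> 'VaultSvc'
        if stem != e.name and (stem in legit_names or e.name.endswith('3232')):
            e.reasons.append('mimic_name')
        if len(by_fingerprint[(e.size, e.date)]) >= min_cluster:
            e.reasons.append('replicator')        # identical size+date family
    return [e for e in entries if len(e.reasons) >= 2]


def replicator_clusters(entries, min_cluster=4):
    """Map (size, date) -> sorted image paths for families of look-alike binaries."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.size, e.date)].append(binary_path(e.image))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_cluster}


if __name__ == '__main__':
    services = parse_services(SAMPLE_LOG)
    for svc in assess(services):
        print(f'{svc.name:22} {binary_path(svc.image):50} {", ".join(svc.reasons)}')
    for (size, date), paths in replicator_clusters(services).items():
        print(f'\n{len(paths)} service images share size {size} and date {date}')
```

Run against the full log, the script prints the six ProgramData entries in the sample with all four tags and one cluster of six look-alike images. An empty company field is deliberately not enough on its own: WRTService also prints "()" but sits in C:\Windows, matches no known name and belongs to no size/date family, so it earns a single tag and is left for manual review rather than flagged.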
#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:33 AM

Posted 18 January 2013 - 03:28 PM

1. Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 bhasky

bhasky
  • Topic Starter

  • Members
  • 20 posts
  • Local time:08:33 AM

Posted 18 January 2013 - 05:52 PM

I tried disabling Symantec and did do it as per instructions, but it turned on by itself (probably based on a timer) and I had to disable it again. While running ComboFix it gave me some warnings that Symantec Endpoint Protection was running, so it may be that this was not done completely right. I have the log for you below. Thanks a ton for your assistance:

--------------------

ComboFix 13-01-17.04 - bchatter 01/18/2013 13:18:27.1.8 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.16316.13012 [GMT -8:00]
Running from: c:\hijackthis\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\5e9a442e
c:\programdata\cryptbase32.exe
c:\programdata\hlink32.exe
c:\users\IFM_ADMIN\AppData\Local\assembly\tmp
c:\users\IFM_ADMIN\g2mdlhlpx.exe
c:\windows\security\Database\tmp.edb
c:\windows\SysWow64\NeW
c:\windows\SysWow64\NeW\IFMMenu.dll
.
----- File Replicators -----
.
c:\programdata\actxprxy32.exe
c:\programdata\adsmsext32.exe
c:\programdata\advapi3232.exe
c:\programdata\api-ms-win-core-io-l1-1-032.exe
c:\programdata\api-ms-win-core-memory-l1-1-032.exe
c:\programdata\api-ms-win-core-sysinfo-l1-1-032.exe
c:\programdata\api-ms-win-service-management-l1-1-032.exe
c:\programdata\apilogen32.exe
c:\programdata\AuthFWGP32.exe
c:\programdata\authz32.exe
c:\programdata\avrt32.exe
c:\programdata\AzSqlExt32.exe
c:\programdata\batmeter32.exe
c:\programdata\bitsprx432.exe
c:\programdata\bitsprx632.exe
c:\programdata\C_ISCII32.exe
c:\programdata\cdosys32.exe
c:\programdata\chsbrkr32.exe
c:\programdata\cmdial3232.exe
c:\programdata\cmutil32.exe
c:\programdata\cngprovider32.exe
c:\programdata\cryptbase32.exe
c:\programdata\DDACLSys32.exe
c:\programdata\DDOIProxy32.exe
c:\programdata\DeviceMetadataParsers32.exe
c:\programdata\devmgr32.exe
c:\programdata\devobj32.exe
c:\programdata\dfscli32.exe
c:\programdata\dmusic32.exe
c:\programdata\dmvdsitf32.exe
c:\programdata\dot3gpclnt32.exe
c:\programdata\dot3msm32.exe
c:\programdata\dpmodemx32.exe
c:\programdata\dpnhpast32.exe
c:\programdata\drtprov32.exe
c:\programdata\dsdmo32.exe
c:\programdata\dsprop32.exe
c:\programdata\eventcls32.exe
c:\programdata\Faultrep32.exe
c:\programdata\fdSSDP32.exe
c:\programdata\FirewallControlPanel32.exe
c:\programdata\fltLib32.exe
c:\programdata\ftlx041132.exe
c:\programdata\FXSCOM32.exe
c:\programdata\hid32.exe
c:\programdata\hlink32.exe
c:\programdata\hnetcfg32.exe
c:\programdata\iasdatastore32.exe
c:\programdata\IasMigPlugin32.exe
c:\programdata\idndl32.exe
c:\programdata\ieframe32.exe
c:\programdata\ig4icd3232.exe
c:\programdata\imgutil32.exe
c:\programdata\InkEd32.exe
c:\programdata\ir50_3232.exe
c:\programdata\ir50_qc32.exe
c:\programdata\ir50_qcx32.exe
c:\programdata\KBDARME32.exe
c:\programdata\KBDBGPH132.exe
c:\programdata\KBDBHC32.exe
c:\programdata\KBDDA32.exe
c:\programdata\KBDFI32.exe
c:\programdata\KBDFO32.exe
c:\programdata\KBDHAU32.exe
c:\programdata\KBDINGUJ32.exe
c:\programdata\KBDLT132.exe
c:\programdata\KBDMAC32.exe
c:\programdata\KBDSW0932.exe
c:\programdata\KBDUSA32.exe
c:\programdata\KBDYAK32.exe
c:\programdata\keymgr32.exe
c:\programdata\mcicda32.exe
c:\programdata\mciwave32.exe
c:\programdata\MediaMetadataHandler32.exe
c:\programdata\MFC71ENU32.exe
c:\programdata\mfh264enc32.exe
c:\programdata\mpr32.exe
c:\programdata\mprddm32.exe
c:\programdata\mscms32.exe
c:\programdata\mscorier32.exe
c:\programdata\mscories32.exe
c:\programdata\mscpx32r32.exe
c:\programdata\msdart32.exe
c:\programdata\msihnd32.exe
c:\programdata\msiltcfg32.exe
c:\programdata\msjet4032.exe
c:\programdata\MSMPEG2ENC32.exe
c:\programdata\msrd2x4032.exe
c:\programdata\mstext4032.exe
c:\programdata\msvcrt2032.exe
c:\programdata\msxml3r32.exe
c:\programdata\ndproxystub32.exe
c:\programdata\netapi3232.exe
c:\programdata\NetPLAP6432.exe
c:\programdata\netshell32.exe
c:\programdata\networkexplorer32.exe
c:\programdata\nlmsprep32.exe
c:\programdata\NlsData000a32.exe
c:\programdata\NlsData000c32.exe
c:\programdata\NlsData004532.exe
c:\programdata\NlsData004a32.exe
c:\programdata\NlsLexicons004732.exe
c:\programdata\NlsLexicons004932.exe
c:\programdata\NlsLexicons004a32.exe
c:\programdata\NlsLexicons081632.exe
c:\programdata\NlsLexicons0c1a32.exe
c:\programdata\nshwfp32.exe
c:\programdata\ntdll32.exe
c:\programdata\nvcuvenc32.exe
c:\programdata\nvcuvid32.exe
c:\programdata\nvdecodemft32.exe
c:\programdata\nvencodemft32.exe
c:\programdata\NVWRSDE32.exe
c:\programdata\NVWRSESM32.exe
c:\programdata\NVWRSNL32.exe
c:\programdata\NVWRSSV32.exe
c:\programdata\ole232.exe
c:\programdata\ole2disp32.exe
c:\programdata\OobeFldr32.exe
c:\programdata\osbaseln32.exe
c:\programdata\pdh32.exe
c:\programdata\PhotoMetadataHandler32.exe
c:\programdata\pid32.exe
c:\programdata\pnidui32.exe
c:\programdata\PortableDeviceWiaCompat32.exe
c:\programdata\profapi32.exe
c:\programdata\qedit32.exe
c:\programdata\qedwipes32.exe
c:\programdata\qmgrprxy32.exe
c:\programdata\QSHVHOST32.exe
c:\programdata\racpldlg32.exe
c:\programdata\rasapi3232.exe
c:\programdata\rasgcw32.exe
c:\programdata\rastls32.exe
c:\programdata\rdpcore32.exe
c:\programdata\rdprefdrvapi32.exe
c:\programdata\scansetting32.exe
c:\programdata\scecli32.exe
c:\programdata\Sens32.exe
c:\programdata\Sensor32.exe
c:\programdata\setupcln32.exe
c:\programdata\shsetup32.exe
c:\programdata\SortServer2003Compat32.exe
c:\programdata\spbcd32.exe
c:\programdata\sppcomapi32.exe
c:\programdata\spwizres32.exe
c:\programdata\srhelper32.exe
c:\programdata\SSShim32.exe
c:\programdata\stclient32.exe
c:\programdata\stobject32.exe
c:\programdata\storage32.exe
c:\programdata\sud32.exe
c:\programdata\tsgqec32.exe
c:\programdata\TSWorkspace32.exe
c:\programdata\udhisapi32.exe
c:\programdata\uexfat32.exe
c:\programdata\ulib32.exe
c:\programdata\usbceip32.exe
c:\programdata\UXInit32.exe
c:\programdata\VBAME32.exe
c:\programdata\vpncategories32.exe
c:\programdata\WcnEapPeerProxy32.exe
c:\programdata\WcsPlugInService32.exe
c:\programdata\WebClnt32.exe
c:\programdata\wer32.exe
c:\programdata\WfHC32.exe
c:\programdata\wiavideo32.exe
c:\programdata\WinFax32.exe
c:\programdata\WinSATAPI32.exe
c:\programdata\wksprtPS32.exe
c:\programdata\Wldap3232.exe
c:\programdata\wmdrmdev32.exe
c:\programdata\wmdrmsdk32.exe
c:\programdata\WMVENCOD32.exe
c:\programdata\ws2help32.exe
c:\programdata\WsmRes32.exe
c:\programdata\wzcdlg32.exe
c:\programdata\XAudio6432.exe
c:\programdata\xwizards32.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_BITS32
-------\Service_COMSysApp32
-------\Service_Dnscache32
-------\Service_lmhosts32
-------\Service_PolicyAgent32
-------\Service_seclogon32
-------\Service_EapHost32
-------\Service_Netlogon32
.
.
((((((((((((((((((((((((( Files Created from 2012-12-18 to 2013-01-18 )))))))))))))))))))))))))))))))
.
.
2013-01-18 21:35 . 2013-01-18 21:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-18 18:17 . 2013-01-18 18:17 -------- d-----w- C:\FRST
2013-01-16 23:38 . 2013-01-16 23:38 -------- d-----w- c:\users\IFM_ADMIN\AppData\Local\Programs
2013-01-16 19:10 . 2013-01-18 21:07 -------- d-----w- C:\HijackThis
2013-01-15 18:22 . 2013-01-15 18:22 -------- d-----w- c:\program files\Enigma Software Group
2013-01-15 18:21 . 2013-01-15 18:34 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-15 18:21 . 2013-01-15 18:21 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-01-15 18:14 . 2013-01-15 18:14 -------- d-----w- c:\users\IFM_ADMIN\AppData\Roaming\TestApp
2013-01-04 22:01 . 2013-01-04 22:01 -------- d-----w- c:\users\IFM_ADMIN\SametimeRooms
2012-12-31 19:20 . 2012-11-02 05:27 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-31 19:20 . 2012-11-02 04:48 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-29 06:59 . 2012-12-29 07:16 -------- d-----w- c:\users\IFM_ADMIN\AppData\Roaming\TeamViewer
2012-12-28 20:16 . 2012-10-04 17:35 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-12-28 20:16 . 2012-10-04 14:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2012-12-28 20:12 . 2012-10-04 17:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-28 20:06 . 2012-11-22 08:20 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-12-28 19:45 . 2012-10-27 05:35 12404736 ----a-w- c:\windows\system32\ieframe.dll
2012-12-28 19:45 . 2012-10-27 04:59 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-12-28 19:45 . 2012-10-27 05:36 1501696 ----a-w- c:\windows\system32\urlmon.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-31 19:18 . 2012-04-13 03:42 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-31 19:18 . 2011-07-20 23:17 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-15 00:49 . 2011-08-31 15:57 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-07 16:28 . 2010-07-13 23:12 68920 ----a-w- c:\windows\isamunin.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymphonyPreLoad"="c:\program files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.standard.launcher.win32.x86_3.0.0.20101015-2340\IFM Lotus Symphony -nogui -nosplash" [X]
"NetSP - restore settings on power failure"="c:\program files (x86)\AT&T Network Client\NetSP.exe" [2010-09-09 53600]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-12 5664640]
"Spotify Web Helper"="c:\users\IFM_ADMIN\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-30 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-08-25 1129832]
"C4EBReg"="c:\program files (x86)\C4ebreg\c4ebreg.exe" [2012-11-07 511288]
"Isamtray"="c:\program files (x86)\C4ebreg\isamtray.exe" [2012-11-07 326968]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-03-26 129648]
"stgclean"="c:\sdwork\w32maing.exe" [2012-11-28 291840]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-11-10 115560]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\IFM_ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-8-14 1014624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - c:\windows\Installer\{007AAB7C-E893-48BD-9DA2-7F417CA16322}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2010-12-28 91504]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 1090848]
InfoPrint Select Notification.lnk - c:\program files\IFM\Infoprint Select\ipnotify.exe [2011-4-29 409088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 AcSvc32;AcSvc ;c:\programdata\wer32.exe [x]
R2 AdobeARMservice32;Adobe Acrobat Update Service ;c:\programdata\UXInit32.exe [x]
R2 AdobeARMservice3232;Adobe Acrobat Update Service ;c:\programdata\NlsLexicons004a32.exe [x]
R2 AeLookupSvc32;Application Experience ;c:\programdata\rdpcore32.exe [x]
R2 AppMgmt32;Application Management ;c:\programdata\dpmodemx32.exe [x]
R2 BDESVC32;BitLocker Drive Encryption Service ;c:\programdata\MediaMetadataHandler32.exe [x]
R2 BESClient32;BES Client ;c:\programdata\spwizres32.exe [x]
R2 BFE32;Base Filtering Engine ;c:\programdata\ws2help32.exe [x]
R2 BFE3232;Base Filtering Engine ;c:\programdata\cdosys32.exe [x]
R2 BITS3232;Background Intelligent Transfer Service ;c:\programdata\AuthFWGP32.exe [x]
R2 btwdins32;Bluetooth Service ;c:\programdata\fltLib32.exe [x]
R2 CertPropSvc32;Certificate Propagation ;c:\programdata\ir50_qcx32.exe [x]
R2 clr_optimization_v2.0.50727_3232;Microsoft .NET Framework NGEN v2.0.50727_X86 ;c:\programdata\devobj32.exe [x]
R2 clr_optimization_v4.0.30319_3232;Microsoft .NET Framework NGEN v4.0.30319_X86 ;c:\programdata\drtprov32.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 clr_optimization_v4.0.30319_6432;Microsoft .NET Framework NGEN v4.0.30319_X64 ;c:\programdata\mscpx32r32.exe [x]
R2 CryptSvc32;Cryptographic Services ;c:\programdata\dmusic32.exe [x]
R2 CryptSvc3232;Cryptographic Services ;c:\programdata\WcsPlugInService32.exe [x]
R2 CryptSvc323232;Cryptographic Services ;c:\programdata\udhisapi32.exe [x]
R2 CscService32;Offline Files ;c:\programdata\QSHVHOST32.exe [x]
R2 CscService3232;Offline Files ;c:\programdata\VBAME32.exe [x]
R2 CVPND32;Cisco Systems, Inc. VPN Service ;c:\programdata\ir50_3232.exe [x]
R2 DcomLaunch32;DCOM Server Process Launcher ;c:\programdata\mscories32.exe [x]
R2 DcomLaunch3232;DCOM Server Process Launcher ;c:\programdata\WfHC32.exe [x]
R2 Dnscache3232;DNS Client ;c:\programdata\dsdmo32.exe [x]
R2 EFS32;Encrypting File System (EFS) ;c:\programdata\mscorier32.exe [x]
R2 EFS3232;Encrypting File System (EFS) ;c:\programdata\KBDYAK32.exe [x]
R2 ehSched32;Windows Media Center Scheduler Service ;c:\programdata\Sens32.exe [x]
R2 EraserSvc1111332;Symantec Eraser Service ;c:\programdata\DDOIProxy32.exe [x]
R2 fdPHost32;Function Discovery Provider Host ;c:\programdata\ir50_qc32.exe [x]
R2 FontCache3.0.0.032;Windows Presentation Foundation Font Cache 3.0.0.0 ;c:\programdata\OobeFldr32.exe [x]
R2 FontCache3.0.0.03232;Windows Presentation Foundation Font Cache 3.0.0.0 ;c:\programdata\KBDARME32.exe [x]
R2 FontCache32;Windows Font Cache Service ;c:\programdata\NVWRSSV32.exe [x]
R2 gupdate32;Google Update Service (gupdate) ;c:\programdata\netshell32.exe [x]
R2 gupdate3232;Google Update Service (gupdate) ;c:\programdata\dmvdsitf32.exe [x]
R2 hidserv32;Human Interface Device Access ;c:\programdata\dsprop32.exe [x]
R2 HomeGroupListener32;HomeGroup Listener ;c:\programdata\PhotoMetadataHandler32.exe [x]
R2 HomeGroupListener3232;HomeGroup Listener ;c:\programdata\chsbrkr32.exe [x]
R2 HomeGroupProvider32;HomeGroup Provider ;c:\programdata\mcicda32.exe [x]
R2 HomeGroupProvider3232;HomeGroup Provider ;c:\programdata\rdprefdrvapi32.exe [x]
R2 IKEEXT32;IKE and AuthIP IPsec Keying Modules ;c:\programdata\eventcls32.exe [x]
R2 IPBusEnum32;PnP-X IP Bus Enumerator ;c:\programdata\msvcrt2032.exe [x]
R2 IPBusEnum3232;PnP-X IP Bus Enumerator ;c:\programdata\ndproxystub32.exe [x]
R2 iphlpsvc32;IP Helper ;c:\programdata\FirewallControlPanel32.exe [x]
R2 ISAMSvc32;IFM Standard Asset Manager Service ;c:\programdata\wiavideo32.exe [x]
R2 ISAMSvc3232;IFM Standard Asset Manager Service ;c:\programdata\scecli32.exe [x]
R2 KeyIso32;CNG Key Isolation ;c:\programdata\pnidui32.exe [x]
R2 LENOVO.CAMMUTE32;Lenovo Camera Mute ;c:\programdata\actxprxy32.exe [x]
R2 LENOVO.CAMMUTE3232;Lenovo Camera Mute ;c:\programdata\stclient32.exe [x]
R2 LENOVO.CAMMUTE323232;Lenovo Camera Mute ;c:\programdata\avrt32.exe [x]
R2 LENOVO.CAMMUTE32323232;Lenovo Camera Mute ;c:\programdata\ole2disp32.exe [x]
R2 LENOVO.CAMMUTE3232323232;Lenovo Camera Mute ;c:\programdata\WsmRes32.exe [x]
R2 lmhosts3232;TCP/IP NetBIOS Helper ;c:\programdata\xwizards32.exe [x]
R2 Mcx2Svc32;Media Center Extender Service ;c:\programdata\KBDUSA32.exe [x]
R2 Mcx2Svc3232;Media Center Extender Service ;c:\programdata\ig4icd3232.exe [x]
R2 MSDTC32;Distributed Transaction Coordinator ;c:\programdata\api-ms-win-core-sysinfo-l1-1-032.exe [x]
R2 MSiSCSI32;Microsoft iSCSI Initiator Service ;c:\programdata\rastls32.exe [x]
R2 msiserver32;Windows Installer ;c:\programdata\keymgr32.exe [x]
R2 napagent32;Network Access Protection Agent ;c:\programdata\profapi32.exe [x]
R2 Netlogon3232;Netlogon ;c:\programdata\NlsData000c32.exe [x]
R2 NetLogSvc32;AT&T Global Network Client Logging Service ;c:\programdata\msxml3r32.exe [x]
R2 NetTcpPortSharing32;Net.Tcp Port Sharing Service ;c:\programdata\netapi3232.exe [x]
R2 NlaSvc32;Network Location Awareness ;c:\programdata\wzcdlg32.exe [x]
R2 NlaSvc3232;Network Location Awareness ;c:\programdata\msdart32.exe [x]
R2 nsi32;Network Store Interface Service ;c:\programdata\qmgrprxy32.exe [x]
R2 NVIDIA Performance Driver Service32;NVIDIA Performance Driver Service ;c:\programdata\nshwfp32.exe [x]
R2 NVIDIA Performance Driver Service3232;NVIDIA Performance Driver Service ;c:\programdata\sud32.exe [x]
R2 p2psvc32;Peer Networking Grouping ;c:\programdata\cmdial3232.exe [x]
R2 PcaSvc32;Program Compatibility Assistant Service ;c:\programdata\msiltcfg32.exe [x]
R2 PNRPAutoReg32;PNRP Machine Name Publication Service ;c:\programdata\nvcuvenc32.exe [x]
R2 PolicyAgent3232;IPsec Policy Agent ;c:\programdata\WMVENCOD32.exe [x]
R2 PolicyAgent323232;IPsec Policy Agent ;c:\programdata\ulib32.exe [x]
R2 ProtectedStorage32;Protected Storage ;c:\programdata\InkEd32.exe [x]
R2 QWAVE32;Quality Windows Audio Video Experience ;c:\programdata\hid32.exe [x]
R2 RasMan32;Remote Access Connection Manager ;c:\programdata\setupcln32.exe [x]
R2 RegSrvc32;Intel® PROSet/Wireless Registry Service ;c:\programdata\Wldap3232.exe [x]
R2 RpcEptMapper32;RPC Endpoint Mapper ;c:\programdata\dot3msm32.exe [x]
R2 seclogon3232;Secondary Logon ;c:\programdata\KBDFI32.exe [x]
R2 SENS32;System Event Notification Service ;c:\programdata\qedwipes32.exe [x]
R2 SENS3232;System Event Notification Service ;c:\programdata\Sensor32.exe [x]
R2 SessionEnv32;Remote Desktop Configuration ;c:\programdata\NetPLAP6432.exe [x]
R2 SharedAccess3232;Internet Connection Sharing (ICS) ;c:\programdata\mpr32.exe [x]
R2 ShellHWDetection32;Shell Hardware Detection ;c:\programdata\advapi3232.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R2 SmcService32;Symantec Management Client ;c:\windows\system32\NVWRSZHT32.exe [x]
R2 SmcService3232;Symantec Management Client ;c:\programdata\racpldlg32.exe [x]
R2 SmcService323232;Symantec Management Client ;c:\programdata\KBDHAU32.exe [x]
R2 SNMPTRAP32;SNMP Trap ;c:\programdata\uexfat32.exe [x]
R2 Spooler32;Print Spooler ;c:\programdata\mstext4032.exe [x]
R2 sppsvc32;Software Protection ;c:\programdata\vpncategories32.exe [x]
R2 sppsvc3232;Software Protection ;c:\programdata\KBDINGUJ32.exe [x]
R2 sppuinotify32;SPP Notification Service ;c:\programdata\NVWRSNL32.exe [x]
R2 sppuinotify3232;SPP Notification Service ;c:\programdata\api-ms-win-service-management-l1-1-032.exe [x]
R2 stllssvr32;stllssvr ;c:\programdata\iasdatastore32.exe [x]
R2 StorSvc32;Storage Service ;c:\programdata\DDACLSys32.exe [x]
R2 StorSvc3232;Storage Service ;c:\programdata\hnetcfg32.exe [x]
R2 Symantec AntiVirus32;Symantec Endpoint Protection ;c:\programdata\bitsprx432.exe [x]
R2 Symantec AntiVirus3232;Symantec Endpoint Protection ;c:\programdata\adsmsext32.exe [x]
R2 TabletInputService32;Tablet PC Input Service ;c:\programdata\NlsLexicons004732.exe [x]
R2 TabletInputService3232;Tablet PC Input Service ;c:\programdata\rasapi3232.exe [x]
R2 TabletInputService323232;Tablet PC Input Service ;c:\programdata\XAudio6432.exe [x]
R2 TapiSrv32;Telephony ;c:\programdata\dot3gpclnt32.exe [x]
R2 TPHDEXLGSVC32;ThinkPad HDD APS Logging Service ;c:\programdata\KBDSW0932.exe [x]
R2 TPHKSVC32;On Screen Display ;c:\programdata\nvdecodemft32.exe [x]
R2 TPHKSVC3232;On Screen Display ;c:\programdata\NlsData000a32.exe [x]
R2 TrustedInstaller32;Windows Modules Installer ;c:\programdata\MSMPEG2ENC32.exe [x]
R2 UI0Detect32;Interactive Services Detection ;c:\programdata\WebClnt32.exe [x]
R2 UmRdpService32;Remote Desktop Services UserMode Port Redirector ;c:\programdata\NlsLexicons081632.exe [x]
R2 upnphost32;UPnP Device Host ;c:\programdata\KBDBGPH132.exe [x]
R2 upnphost3232;UPnP Device Host ;c:\programdata\mciwave32.exe [x]
R2 UxSms32;Desktop Window Manager Session Manager ;c:\programdata\srhelper32.exe [x]
R2 VaultSvc32;Credential Manager ;c:\programdata\SortServer2003Compat32.exe [x]
R2 VaultSvc3232;Credential Manager ;c:\programdata\PortableDeviceWiaCompat32.exe [x]
R2 VaultSvc323232;Credential Manager ;c:\programdata\cngprovider32.exe [x]
R2 vds32;Virtual Disk ;c:\programdata\KBDDA32.exe [x]
R2 VMnetDHCP32;VMware DHCP Service ;c:\programdata\imgutil32.exe [x]
R2 VMnetDHCP3232;VMware DHCP Service ;c:\programdata\authz32.exe [x]
R2 VMnetDHCP323232;VMware DHCP Service ;c:\programdata\fdSSDP32.exe [x]
R2 VMnetDHCP32323232;VMware DHCP Service ;c:\programdata\KBDFO32.exe [x]
R2 VMUSBArbService32;VMware USB Arbitration Service ;c:\programdata\spbcd32.exe [x]
R2 VMUSBArbService3232;VMware USB Arbitration Service ;c:\programdata\WinSATAPI32.exe [x]
R2 VSS32;Volume Shadow Copy ;c:\programdata\dpnhpast32.exe [x]
R2 WatAdminSvc32;Windows Activation Technologies Service ;c:\programdata\SSShim32.exe [x]
R2 wcncsvc32;Windows Connect Now - Config Registrar ;c:\programdata\qedit32.exe [x]
R2 WcsPlugInService32;Windows Color System ;c:\programdata\AzSqlExt32.exe [x]
R2 WdiServiceHost32;Diagnostic Service Host ;c:\programdata\nvencodemft32.exe [x]
R2 WebClient32;WebClient ;c:\programdata\storage32.exe [x]
R2 Wecsvc32;Windows Event Collector ;c:\programdata\Faultrep32.exe [x]
R2 Wecsvc3232;Windows Event Collector ;c:\programdata\ole232.exe [x]
R2 WerSvc32;Windows Error Reporting Service ;c:\programdata\C_ISCII32.exe [x]
R2 WinHttpAutoProxySvc32;WinHTTP Web Proxy Auto-Discovery Service ;c:\programdata\msjet4032.exe [x]
R2 WinHttpAutoProxySvc3232;WinHTTP Web Proxy Auto-Discovery Service ;c:\programdata\nvcuvid32.exe [x]
R2 Winmgmt32;Windows Management Instrumentation ;c:\programdata\ftlx041132.exe [x]
R2 Winmgmt3232;Windows Management Instrumentation ;c:\programdata\DeviceMetadataParsers32.exe [x]
R2 Wlansvc32;WLAN AutoConfig ;c:\programdata\api-ms-win-core-memory-l1-1-032.exe [x]
R2 WPCSvc32;Parental Controls ;c:\programdata\IasMigPlugin32.exe [x]
R2 WPCSvc3232;Parental Controls ;c:\programdata\nlmsprep32.exe [x]
R2 WRTService;WRT Service;c:\windows\wrtService.exe [2008-09-18 122880]
R2 wscsvc32;Security Center ;c:\programdata\NVWRSESM32.exe [x]
R2 WwanSvc32;WWAN AutoConfig ;c:\programdata\networkexplorer32.exe [x]
R3 cstrcser;IFM Command Line Trace;c:\windows\SysWOW64\drivers\cstrcser.exe [2010-05-26 36864]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-08-25 164200]
R3 iaNvStor;iaNvStor;c:\windows\system32\DRIVERS\iaNvStor.sys [2009-08-21 344600]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]
R3 qcfilterlno2k;Gobi 2000 USB Composite Device Filter Driver(05C6-9205);c:\windows\system32\DRIVERS\qcfilterlno2k.sys [2009-12-18 5248]
R3 qcusbserlno2k;Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205);c:\windows\system32\DRIVERS\qcusbserlno2k.sys [2009-12-18 106368]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-09-28 55808]
R3 TRCTARGET;Tivoli Endpoint Manager for Remote Control - Target;c:\program files (x86)\IFM\Tivoli\Remote Control\Target\trc_base.exe [2012-02-09 745472]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-29 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2011-02-16 14464]
S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [2010-08-25 30320]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2010-06-16 23664]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2008-05-12 15400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-10-12 140672]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 Intelligent Response Agent;Intelligent Response Agent;c:\program files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [2012-09-26 13387128]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-17 44984]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe [2010-09-30 3399680]
S2 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Network Client\NetClientSvc.exe [2010-09-09 349536]
S2 NetLogSvc;AT&T Global Network Client Logging Service;c:\program files (x86)\AT&T Network Client\NetLogSvc.exe [2010-09-09 79200]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-10-27 6807656]
S2 NWVZHelper;Novatel Wireless Verizon Device Helper;c:\program files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [2010-06-14 270848]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-10-26 61952]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-10-23 2848168]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-01-18 63928]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-03-26 81008]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-08-03 645048]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-10-27 161664]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-08-18 54824]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-08-18 35104]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-06-30 292864]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-10 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-06-23 56344]
S3 Mandiant_Tools;Mandiant_Tools;c:\programdata\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [2012-10-31 25168]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 75776]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 177152]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MANDIANT_TOOLS
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 22:40 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 22:02]
.
2013-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-26 17:44]
.
2013-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-26 17:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-12-03 1712744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-03 16414312]
"TpShocks"="TpShocks.exe" [2010-07-02 380776]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://w3b.IFM.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http.webproxyuk.com:10724
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: IFM.com\w3-03
Trusted Zone: ihost.com\vpn.cos.tec
TCP: DhcpNameServer = 10.64.56.90
TCP: Interfaces\{7D3B0A18-F911-4935-8BFA-C3149C1CF46D}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{96D58186-8700-4FAD-B2C3-A3B2F6FDB6D7}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{C314FA86-A8D8-4892-B662-C6A7A4D7A534}: NameServer = 9.0.128.50,9.0.130.50
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://vpn.cos.tec.ihost.com/CACHE/stc/2/binaries/vpnweb.cab
FF - ProfilePath - c:\users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-ALTOOLS - AccessL.exe
SafeBoot-Symantec Antvirus
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\sdwork\issimsvc.exe
c:\notes\ntmulti.exe
c:\program files (x86)\AT&T Network Client\netcfgsvr.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClient.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClientUI.exe
c:\program files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files\ThinkPad\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.brand.win32_3.0.0.20101015-2340\program\soffice.bin
c:\notes\framework\rcp\eclipse\plugins\com.IFM.rcp.base_6.2.1.20101107-1041\win32\x86\notes2.exe
.
**************************************************************************
.
Completion time: 2013-01-18 14:06:58 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-18 22:06
.
Pre-Run: 149,568,385,024 bytes free
Post-Run: 150,055,968,768 bytes free
.
- - End Of File - - DFAAC72D9DEA54B6D38389032F9AB985

#8 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 January 2013 - 12:53 AM

We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

Driver::
AcSvc32
AdobeARMservice32
AdobeARMservice3232
AeLookupSvc32
AppMgmt32
BDESVC32
BESClient32
BFE32
BFE3232
BITS3232
btwdins32
CertPropSvc32
clr_optimization_v2.0.50727_3232
clr_optimization_v4.0.30319_3232
clr_optimization_v4.0.30319_64
clr_optimization_v4.0.30319_6432
CryptSvc32
CryptSvc3232
CryptSvc323232
CscService32
CscService3232
CVPND32
DcomLaunch32
DcomLaunch3232
Dnscache3232
EFS32
EFS3232
ehSched32
EraserSvc1111332
fdPHost32
FontCache3.0.0.032
FontCache3.0.0.03232
FontCache32
gupdate32
gupdate3232
hidserv32
HomeGroupListener32
HomeGroupListener3232
HomeGroupProvider32
HomeGroupProvider3232
IKEEXT32
IPBusEnum32
IPBusEnum3232
iphlpsvc32
ISAMSvc32
ISAMSvc3232
KeyIso32
LENOVO.CAMMUTE32
LENOVO.CAMMUTE3232
LENOVO.CAMMUTE323232
LENOVO.CAMMUTE32323232
LENOVO.CAMMUTE3232323232
lmhosts3232
Mcx2Svc32
Mcx2Svc3232
MSDTC32
MSiSCSI32
msiserver32
napagent32
Netlogon3232
NetLogSvc32
NetTcpPortSharing32
NlaSvc32 
NlaSvc3232
nsi32
NVIDIA Performance Driver Service32
NVIDIA Performance Driver Service3232
p2psvc32
PcaSvc32
PNRPAutoReg32
PolicyAgent3232
PolicyAgent323232
ProtectedStorage32
QWAVE32
RasMan32
RegSrvc32
RpcEptMapper32
seclogon3232
SENS32
SENS3232
SessionEnv32
SharedAccess3232
ShellHWDetection32
SkypeUpdate
SmcService32
SmcService3232
SmcService323232
SNMPTRAP32
Spooler32
sppsvc32
sppsvc3232
sppuinotify32
sppuinotify3232
stllssvr32
StorSvc32
StorSvc3232
Symantec AntiVirus32
Symantec AntiVirus3232
TabletInputService32
TabletInputService3232
TabletInputService323232
TapiSrv32
TPHDEXLGSVC32
TPHKSVC32
TPHKSVC3232
TrustedInstaller32
UI0Detect32
UmRdpService32
upnphost32
upnphost3232
UxSms32
VaultSvc32
VaultSvc3232
VaultSvc323232;
vds32
VMnetDHCP32
VMnetDHCP3232
VMnetDHCP323232
VMnetDHCP32323232
VMUSBArbService32
VMUSBArbService3232
VSS32
WatAdminSvc32
wcncsvc32
WcsPlugInService32
WdiServiceHost32
WebClient32
Wecsvc32
Wecsvc3232
WerSvc32
WinHttpAutoProxySvc32
WinHttpAutoProxySvc3232
Winmgmt32
Winmgmt3232
Wlansvc32
WPCSvc32
WPCSvc3232
WRTService
wscsvc32
WwanSvc32

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 bhasky

bhasky
  • Topic Starter

  • Members
  • 20 posts

Posted 20 January 2013 - 03:14 AM

Please see the attached log from ComboFix.
Also please note that although I tried turning off Symantec, ComboFix was complaining that it was on (attached image).
========================================================================================================================
ComboFix 13-01-17.04 - bchatter 01/19/2013 23:32:13.2.8 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.16316.13003 [GMT -8:00]
Running from: c:\hijackthis\ComboFix.exe
Command switches used :: c:\hijackthis\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_AcSvc32
-------\Service_AdobeARMservice32
-------\Service_AdobeARMservice3232
-------\Service_AeLookupSvc32
-------\Service_AppMgmt32
-------\Service_BDESVC32
-------\Service_BESClient32
-------\Service_BFE32
-------\Service_BFE3232
-------\Service_BITS3232
-------\Service_btwdins32
-------\Service_CertPropSvc32
-------\Service_clr_optimization_v2.0.50727_3232
-------\Service_clr_optimization_v4.0.30319_3232
-------\Service_clr_optimization_v4.0.30319_64
-------\Service_clr_optimization_v4.0.30319_6432
-------\Service_CryptSvc32
-------\Service_CryptSvc3232
-------\Service_CryptSvc323232
-------\Service_CscService32
-------\Service_CscService3232
-------\Service_CVPND32
-------\Service_DcomLaunch32
-------\Service_DcomLaunch3232
-------\Service_Dnscache3232
-------\Service_EFS32
-------\Service_EFS3232
-------\Service_ehSched32
-------\Service_EraserSvc1111332
-------\Service_fdPHost32
-------\Service_FontCache3.0.0.032
-------\Service_FontCache3.0.0.03232
-------\Service_FontCache32
-------\Service_gupdate32
-------\Service_gupdate3232
-------\Service_hidserv32
-------\Service_HomeGroupListener32
-------\Service_HomeGroupListener3232
-------\Service_HomeGroupProvider32
-------\Service_HomeGroupProvider3232
-------\Service_IKEEXT32
-------\Service_IPBusEnum32
-------\Service_IPBusEnum3232
-------\Service_iphlpsvc32
-------\Service_ISAMSvc32
-------\Service_ISAMSvc3232
-------\Service_KeyIso32
-------\Service_LENOVO.CAMMUTE32
-------\Service_LENOVO.CAMMUTE3232
-------\Service_LENOVO.CAMMUTE323232
-------\Service_LENOVO.CAMMUTE32323232
-------\Service_LENOVO.CAMMUTE3232323232
-------\Service_lmhosts3232
-------\Service_Mcx2Svc32
-------\Service_Mcx2Svc3232
-------\Service_MSDTC32
-------\Service_MSiSCSI32
-------\Service_msiserver32
-------\Service_napagent32
-------\Service_Netlogon3232
-------\Service_NetLogSvc32
-------\Service_NetTcpPortSharing32
-------\Service_NlaSvc32
-------\Service_NlaSvc3232
-------\Service_nsi32
-------\Service_NVIDIA Performance Driver Service32
-------\Service_NVIDIA Performance Driver Service3232
-------\Service_p2psvc32
-------\Service_PcaSvc32
-------\Service_PNRPAutoReg32
-------\Service_PolicyAgent3232
-------\Service_PolicyAgent323232
-------\Service_ProtectedStorage32
-------\Service_QWAVE32
-------\Service_RasMan32
-------\Service_RegSrvc32
-------\Service_RpcEptMapper32
-------\Service_seclogon3232
-------\Service_SENS32
-------\Service_SENS3232
-------\Service_SessionEnv32
-------\Service_SharedAccess3232
-------\Service_ShellHWDetection32
-------\Service_SkypeUpdate
-------\Service_SmcService32
-------\Service_SmcService3232
-------\Service_SmcService323232
-------\Service_SNMPTRAP32
-------\Service_Spooler32
-------\Service_sppsvc32
-------\Service_sppsvc3232
-------\Service_sppuinotify32
-------\Service_sppuinotify3232
-------\Service_stllssvr32
-------\Service_StorSvc32
-------\Service_StorSvc3232
-------\Service_Symantec AntiVirus32
-------\Service_Symantec AntiVirus3232
-------\Service_TabletInputService32
-------\Service_TabletInputService3232
-------\Service_TabletInputService323232
-------\Service_TapiSrv32
-------\Service_TPHDEXLGSVC32
-------\Service_TPHKSVC32
-------\Service_TPHKSVC3232
-------\Service_TrustedInstaller32
-------\Service_UI0Detect32
-------\Service_UmRdpService32
-------\Service_upnphost32
-------\Service_upnphost3232
-------\Service_UxSms32
-------\Service_VaultSvc32
-------\Service_VaultSvc3232
-------\Service_vds32
-------\Service_VMnetDHCP32
-------\Service_VMnetDHCP3232
-------\Service_VMnetDHCP323232
-------\Service_VMnetDHCP32323232
-------\Service_VMUSBArbService32
-------\Service_VMUSBArbService3232
-------\Service_VSS32
-------\Service_WatAdminSvc32
-------\Service_wcncsvc32
-------\Service_WcsPlugInService32
-------\Service_WdiServiceHost32
-------\Service_WebClient32
-------\Service_Wecsvc32
-------\Service_Wecsvc3232
-------\Service_WerSvc32
-------\Service_WinHttpAutoProxySvc32
-------\Service_WinHttpAutoProxySvc3232
-------\Service_Winmgmt32
-------\Service_Winmgmt3232
-------\Service_Wlansvc32
-------\Service_WPCSvc32
-------\Service_WPCSvc3232
-------\Service_WRTService
-------\Service_wscsvc32
-------\Service_WwanSvc32
.
.
((((((((((((((((((((((((( Files Created from 2012-12-20 to 2013-01-20 )))))))))))))))))))))))))))))))
.
.
2013-01-20 07:45 . 2013-01-20 07:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-18 23:39 . 2013-01-18 23:39 -------- d-----w- C:\swd
2013-01-18 22:52 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-01-18 22:52 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-01-18 22:52 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-01-18 22:52 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-01-18 22:51 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-01-18 22:51 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-01-18 22:51 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-01-18 22:51 . 2012-06-02 23:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-01-18 22:51 . 2012-06-02 23:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-01-18 21:24 . 2012-12-16 14:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-01-18 21:24 . 2012-12-16 16:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-01-18 21:24 . 2012-12-16 14:40 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-01-18 21:24 . 2012-12-16 14:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-01-18 21:11 . 2012-11-09 05:34 751104 ----a-w- c:\windows\system32\win32spl.dll
2013-01-18 21:11 . 2012-11-09 04:49 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-18 18:17 . 2013-01-18 18:17 -------- d-----w- C:\FRST
2013-01-16 23:38 . 2013-01-16 23:38 -------- d-----w- c:\users\IFM_ADMIN\AppData\Local\Programs
2013-01-16 19:10 . 2013-01-20 07:31 -------- d-----w- C:\HijackThis
2013-01-15 18:22 . 2013-01-15 18:22 -------- d-----w- c:\program files\Enigma Software Group
2013-01-15 18:21 . 2013-01-15 18:34 -------- d-----w- c:\windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2013-01-15 18:21 . 2013-01-15 18:21 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-01-15 18:14 . 2013-01-15 18:14 -------- d-----w- c:\users\IFM_ADMIN\AppData\Roaming\TestApp
2013-01-04 22:01 . 2013-01-04 22:01 -------- d-----w- c:\users\IFM_ADMIN\SametimeRooms
2012-12-31 19:20 . 2012-11-02 05:27 478208 ----a-w- c:\windows\system32\dpnet.dll
2012-12-31 19:20 . 2012-11-02 04:48 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
2012-12-29 06:59 . 2012-12-29 07:16 -------- d-----w- c:\users\IFM_ADMIN\AppData\Roaming\TeamViewer
2012-12-28 20:16 . 2012-10-04 17:35 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2012-12-28 20:16 . 2012-10-04 14:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2012-12-28 20:12 . 2012-10-04 17:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2012-12-28 20:06 . 2012-11-22 08:20 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-12-28 19:45 . 2012-10-27 05:35 12404736 ----a-w- c:\windows\system32\ieframe.dll
2012-12-28 19:45 . 2012-10-27 04:59 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-12-28 19:45 . 2012-10-27 05:36 1501696 ----a-w- c:\windows\system32\urlmon.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-18 22:02 . 2012-04-13 03:42 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-18 22:02 . 2011-07-20 23:17 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-12-17 01:31 . 2010-06-29 18:41 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-12-15 00:49 . 2011-08-31 15:57 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-07 16:28 . 2010-07-13 23:12 68920 ----a-w- c:\windows\isamunin.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymphonyPreLoad"="c:\program files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.standard.launcher.win32.x86_3.0.0.20101015-2340\IFM Lotus Symphony -nogui -nosplash" [X]
"NetSP - restore settings on power failure"="c:\program files (x86)\AT&T Network Client\NetSP.exe" [2010-09-09 53600]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-10-12 5664640]
"Spotify Web Helper"="c:\users\IFM_ADMIN\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-11-30 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-08-25 1129832]
"C4EBReg"="c:\program files (x86)\C4ebreg\c4ebreg.exe" [2012-11-07 511288]
"Isamtray"="c:\program files (x86)\C4ebreg\isamtray.exe" [2012-11-07 326968]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-03-26 129648]
"stgclean"="c:\sdwork\w32maing.exe" [2012-11-28 291840]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2011-11-10 115560]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
c:\users\IFM_ADMIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2012-8-14 1014624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AT&T Global Network Client Monitor.lnk - c:\windows\Installer\{007AAB7C-E893-48BD-9DA2-7F417CA16322}\NetGM1_89563E53ECF44E868145468A128BDC83.exe [2010-12-28 91504]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-8-5 1090848]
InfoPrint Select Notification.lnk - c:\program files\IFM\Infoprint Select\ipnotify.exe [2011-4-29 409088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"SoftwareSASGeneration"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 VaultSvc323232;Credential Manager ;c:\programdata\cngprovider32.exe [x]
R3 cstrcser;IFM Command Line Trace;c:\windows\SysWOW64\drivers\cstrcser.exe [2010-05-26 36864]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-08-25 164200]
R3 iaNvStor;iaNvStor;c:\windows\system32\DRIVERS\iaNvStor.sys [2009-08-21 344600]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-28 51760]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-08-25 75112]
R3 qcfilterlno2k;Gobi 2000 USB Composite Device Filter Driver(05C6-9205);c:\windows\system32\DRIVERS\qcfilterlno2k.sys [2009-12-18 5248]
R3 qcusbserlno2k;Gobi 2000 USB Device for Legacy Serial Communication(05C6-9205);c:\windows\system32\DRIVERS\qcusbserlno2k.sys [2009-12-18 106368]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-09-28 55808]
R3 TRCTARGET;Tivoli Endpoint Manager for Remote Control - Target;c:\program files (x86)\IFM\Tivoli\Remote Control\Target\trc_base.exe [2012-02-09 745472]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-29 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2011-02-16 14464]
S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [2010-08-25 30320]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2010-06-16 23664]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2008-05-12 15400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-10-12 140672]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 Intelligent Response Agent;Intelligent Response Agent;c:\program files (x86)\MANDIANT\MANDIANT Intelligent Response Agent\miragent.exe [2012-09-26 13387128]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-17 44984]
S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe [2010-09-30 3399680]
S2 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Network Client\NetClientSvc.exe [2010-09-09 349536]
S2 NetLogSvc;AT&T Global Network Client Logging Service;c:\program files (x86)\AT&T Network Client\NetLogSvc.exe [2010-09-09 79200]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-10-27 6807656]
S2 NWVZHelper;Novatel Wireless Verizon Device Helper;c:\program files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [2010-06-14 270848]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-10-26 61952]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-10-23 2848168]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-01-18 63928]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2011-03-26 81008]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2011-08-03 645048]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-10-27 161664]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-08-18 54824]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-08-18 35104]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2009-06-30 292864]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-10 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-06-23 56344]
S3 Mandiant_Tools;Mandiant_Tools;c:\programdata\MANDIANT\MANDIANT Intelligent Response Agent\mktools.sys [2012-10-31 25168]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 75776]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 177152]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-01-14 22:40 1606760 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.52\Installer\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 22:02]
.
2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-26 17:44]
.
2013-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-08-26 17:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-12-03 1712744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-12-03 16414312]
"TpShocks"="TpShocks.exe" [2010-07-02 380776]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"AcWin7Hlpr"="c:\program files (x86)\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://w3b.IFM.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http.webproxyuk.com:10724
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: IFM.com\w3-03
Trusted Zone: ihost.com\vpn.cos.tec
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7D3B0A18-F911-4935-8BFA-C3149C1CF46D}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{96D58186-8700-4FAD-B2C3-A3B2F6FDB6D7}: NameServer = 8.8.8.8,8.8.8.4,4.2.2.1,4.2.2.2,208.67.222.222,208.67.220.220,8.26.56.26,8.20.247.20,156.154.70.1,156.154.71.1
TCP: Interfaces\{C314FA86-A8D8-4892-B662-C6A7A4D7A534}: NameServer = 9.0.128.50,9.0.130.50
DPF: {1ACECAFE-0016-0000-0000-ABCDEFFEDCBA} - hxxp://
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://vpn.cos.tec.ihost.com/CACHE/stc/2/binaries/vpnweb.cab
FF - ProfilePath - c:\users\IFM_ADMIN\AppData\Roaming\Mozilla\Firefox\Profiles\2ziq4yrx.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\program files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\sdwork\issimsvc.exe
c:\notes\ntmulti.exe
c:\program files (x86)\AT&T Network Client\netcfgsvr.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\Lenovo\Access Connections\AcSvc.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\Lenovo\Access Connections\AcDeskBandHlpr.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files\ThinkPad\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files (x86)\IFM\Lotus\Symphony\framework\shared\eclipse\plugins\com.IFM.symphony.brand.win32_3.0.0.20101015-2340\program\soffice.bin
c:\program files (x86)\BigFix Enterprise\BES Client\BESClient.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
c:\program files (x86)\BigFix Enterprise\BES Client\BESClientUI.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2013-01-20 00:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-20 08:07
ComboFix2.txt 2013-01-18 22:07
.
Pre-Run: 148,235,538,432 bytes free
Post-Run: 148,176,711,680 bytes free
.
- - End Of File - - 2027477C8759007E43441914AAEF9C30




#10 fireman4it
  • Malware Response Team

Posted 20 January 2013 - 11:19 AM

How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 bhasky
  • Topic Starter

Posted 20 January 2013 - 06:45 PM

The search redirect seems to have been fixed :thumbsup:
...thanks a ton for all your help. Really do appreciate it.

2 questions:
(1) My Windows seems to have gone into major update mode; every time I start the computer it is installing updates from Microsoft. Is that expected?
(2) I have Super AntiSpyware and Symantec running on my computer and still malware like this makes its way in. How can I prevent it in the future? (Second time I am hit with the redirect with Symantec installed.)

#12 fireman4it
  • Malware Response Team

Posted 20 January 2013 - 08:31 PM

Hello,

Now that the machine is running OK, let's check for any leftovers. Then we will address the other issues.

1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Things to include in your next reply:
MBAM log
ESET log
How is your machine running now?



#13 bhasky
  • Topic Starter

Posted 21 January 2013 - 05:09 PM

(1)

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.21.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
bchatter :: IBM-CWTKHU7QIXU [administrator]

1/21/2013 6:35:03 AM
mbam-log-2013-01-21 (06-35-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217419
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)


(2)

C:\Users\IBM_ADMIN\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\23c14ff3-75ea3416 multiple threats deleted - quarantined
C:\Users\IBM_ADMIN\Desktop\antivirus\GooredFix Backups\C\Users\IBM_ADMIN\Application Data\Mozilla\Firefox\Profiles\2ziq4yrx.default\extensions\{f110c108-888d-4e90-9c65-7e388a58ac2f}\chrome\xulcache.jar JS/Agent.NDJ trojan deleted - quarantined


(3) I am still getting some search redirects, but not very frequently, and to another website, http://63.209.69.107, not click.livesearch.now. I tried this while the ESET virus removal was running, and it ran for about 7 hours; perhaps the above quarantines did fix it. What seems to be happening is that if there are search terms that I have searched on in the past, those are being directed to this URL; cleaning out the cache from the browser and deleting all internet history and cookies may therefore help. Waiting for further direction.

#14 fireman4it
  • Malware Response Team

Posted 21 January 2013 - 06:58 PM

Is it redirecting in all the browsers or only certain ones?

1.
Download the yorkyt.exe disinfection tool (1,31 MB).

Save the file to your hard disk; to the Windows Desktop, for example.
Double click the yorkyt.exe file.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.
In order to ensure a full cleanup, run a scan of your PC with the antivirus installed.

2.
Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select Posted Image
  • Click the Search button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

3.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Things to include in your next reply:
yorkyt.exe
AdwCleaner log
Roguekiller log
How is your machine running now?



#15 bhasky
  • Topic Starter

Posted 23 January 2013 - 12:46 AM

I am traveling for work and will post a response as soon as possible. Thank you for all your assistance and patience.



