
A plethora of trouble after FBI Moneygram virus


This topic is locked
43 replies to this topic

#1 bmetay (Members, 29 posts)

Posted 11 May 2014 - 09:50 AM

I caught the FBI Moneypak ransomware virus on my Win 7 box. I was able to remove it with Kaspersky Rescue Disk. I rebooted normally and ran MalwareBytes and Hitman Pro.

It's been a losing battle since then. I've caught and removed one trojan after another with the above tools. As I ran them last, 4 trojans and a rootkit downloaded and killed MWB and Hitman while they were running. I started over and removed them with Kaspersky RD.

I'm no expert, but it looks like registry entries are downloading and executing malware. I removed a couple from startup using msconfig, but they reappear. I downloaded Autoruns and deleted some obviously bad entries. Restarted in safe mode with networking, ran Kaspersky, MWB, and Hitman Pro. All clean. Rebooted normally, downloaded McAfee updated definitions and left it running. When I woke up the box was down. It would not boot. No msg. Restored the MBR with a Win 7 rescue disk and lo and behold everything works again in safe mode. MWB, HMP, Kaspersky say clean.

Update. An adware popup asking to click their ads to contribute to cancer research appeared on Chrome. While running scans later on the infected box, the MBR got slammed again. It also appeared that malware jumped on my network. I have an XP box on a KVM with the infected Win 7 box. The mouse and keyboard stopped working. Rebooted it in safe mode and MWB found adware and deleted it. The Chrome popup showed up on my iPad that is connected to the network via wifi.

Restored MBR on Win 7 box with rescue disk.

Ran DDS but it only created one file, 'attach.txt', and as you can see, it is empty.

So can you help me rid myself of this plague?
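The recurring symptom in this post is the MBR being overwritten between scans and restored from a rescue disk. What a responder wants at that point is a way to tell whether sector 0 has changed again, without relying on the infected OS. The script below is an added example written for this page; it is not from the original post and not part of Kaspersky Rescue Disk, DDS or any other tool named here. It parses a 512-byte MBR image, validates the 0x55AA boot signature, decodes the partition table, and hashes the 440-byte bootstrap code area so a later read can be compared against a baseline. The raw-disk path `\\.\PhysicalDrive0` is an assumption (Windows naming, administrator rights required), and the sample boot code bytes are constructed for the demo. Take the baseline from a rescue environment or an image rather than from the live system: a bootkit that hooks disk I/O can return a clean-looking sector to a reader running under the infected kernel.

```python
"""Parse and integrity-check a 512-byte MBR image (added example, not from the thread)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature at 0x1B8
PART_TABLE_OFF = 446       # four 16-byte partition entries start at 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510         # bytes 0x55 0xAA, i.e. 0xAA55 read as a little-endian uint16


@dataclass
class PartitionEntry:
    index: int
    bootable: bool          # status byte 0x80 marks the active (boot) partition
    type_id: int            # 0x07 = NTFS/exFAT, 0x0B/0x0C = FAT32, 0x83 = Linux, ...
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four MBR partition entries, skipping empty (type 0) slots."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) lba-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def check_mbr(mbr: bytes, baseline_boot_hash: Optional[str] = None) -> Dict:
    """Return the bootstrap-code hash, the partition table and a list of findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings: List[str] = []

    if struct.unpack_from("<H", mbr, BOOT_SIG_OFF)[0] != 0xAA55:
        findings.append("boot signature 0x55AA missing: not a valid MBR")

    # Hash only the code area so a legitimate partition edit does not change the baseline
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if baseline_boot_hash is not None and boot_hash != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline: possible bootkit or corruption")

    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")

    # Overlapping entries are a classic sign of a hand-edited or tampered table
    ranges = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    for (_, end_a), (start_b, _) in zip(ranges, ranges[1:]):
        if start_b < end_a:
            findings.append("partition ranges overlap: table may have been tampered with")
            break

    return {"boot_code_sha256": boot_hash, "partitions": parts, "findings": findings}


def read_mbr_from_disk(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Windows path assumed; needs administrator rights)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: one active NTFS partition at LBA 2048 and a valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the bootstrap area")
    mbr = bytearray(MBR_SIZE)
    mbr[: len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<H", mbr, BOOT_SIG_OFF, 0xAA55)
    return bytes(mbr)


if __name__ == "__main__":
    # Take a baseline from a known-good sector, then re-check a copy with patched boot code
    good = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 61)   # constructed, not real boot code
    baseline = check_mbr(good)["boot_code_sha256"]
    patched = bytearray(good)
    patched[0x20:0x30] = b"\x90" * 16                          # simulated tampering
    for name, image in (("baseline", good), ("patched", bytes(patched))):
        result = check_mbr(image, baseline_boot_hash=baseline)
        print(name, result["findings"] or "OK",
              [(p.index, hex(p.type_id), p.lba_start) for p in result["partitions"]])
```

In practice you would save `check_mbr(read_mbr_from_disk())["boot_code_sha256"]` once from a clean boot medium and re-run the check after each suspicious reboot; a changed hash with an intact partition table is exactly the pattern this post describes, where the system stops booting but the data is still there after an MBR restore.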
 

Attached Files




#2 TheShooter93 (Cody), Malware Response Team, 4,793 posts, Orlando, Florida

Posted 15 May 2014 - 11:05 PM

Hello bmetay,
 
My name is Cody and I'll be helping you clean up your computer. :)
 
I will reply as soon as possible (typically within 24 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.
 
Please do note any time differences between us. If I do not respond within 48 hours, feel free to send me a private message.
 
==========================================================================
 
Some points for you to keep in mind:

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.
 
==========================================================================
 
Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#3 bmetay (Topic Starter)

Posted 16 May 2014 - 06:58 PM

Can I start in safe mode or will that mask the symptoms?

 



#4 TheShooter93 (Cody), Malware Response Team

Posted 16 May 2014 - 08:42 PM

If you can boot into Windows normally to run FRST, I would prefer that.

If you are unable to boot into Windows normally though, Safe Mode will do. :)

Note: for an internet connection you will need to boot into Safe Mode With Networking.


Edited by TheShooter93, 16 May 2014 - 08:42 PM.



#5 bmetay (Topic Starter)

Posted 17 May 2014 - 08:27 PM

After normal startup, trying to copy FRST from an attached external drive to my desktop, I get the error 0x80070718 'Not enough quota is available to process this command'.



#6 bmetay (Topic Starter)

Posted 17 May 2014 - 09:03 PM

Same error in safe mode. I can copy to C:. Does the file have to be on the desktop?



#7 TheShooter93 (Cody), Malware Response Team

Posted 18 May 2014 - 12:09 PM

I'm not sure about that error, but why are you copying from an external hard drive?

Are you not able to download it directly to your desktop within Windows normally or even Safe Mode With Networking?




#8 bmetay (Topic Starter)

Posted 18 May 2014 - 02:38 PM

My bug has caused a lot of trouble when it had internet access so I was keeping it off unless needed. Why not download it from an uninfected machine and copy it? Seemed like a good idea to me.

A quick Google said malware could cause that error.

But you did not answer whether the software needed to be run from the desktop in order to function properly. If it does not I can run it from the C:\ folder.

If it does I can try and download it to the desktop directly and report back to you.



#9 bmetay (Topic Starter)

Posted 18 May 2014 - 05:41 PM

Cody, attempted to download FRST via safe mode with networking on the infected box. My Win 7 box downloads into My Documents\Downloads and I got the same error trying to copy it to the desktop.



#10 TheShooter93 (Cody), Malware Response Team

Posted 18 May 2014 - 08:33 PM

> My bug has caused a lot of trouble when it had internet access so I was keeping it off unless needed. Why not download it from an uninfected machine and copy it? Seemed like a good idea to me.
>
> A quick Google said malware could cause that error.

It is usually perfectly fine to do this, I was just unsure why you were copying it from the external drive as it wasn't something we previously discussed.

> Cody, attempted to download FRST via safe mode with networking on the infected box. My Win 7 box downloads into My Documents\Downloads and I got the same error trying to copy it to the desktop.

You should be able to configure your web browser to download to a different location if you want.

It is not absolutely necessary that FRST is run from your Desktop, but I will likely have to write scripts for you to run through FRST which need to be saved in the same directory as the FRST application.

If you have issues running it from that location, please let me know. :)




#11 bmetay (Topic Starter)

Posted 19 May 2014 - 06:55 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-05-2014
Ran by bmetay at 2014-05-19 18:35:46
Running from C:\temp\New folder
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
 
==================== Installed Programs ======================
 
Adobe Flash Player 13 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 13.0.0.206 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
AT&T Connect Participant Application v9.5.29 (HKLM-x32\...\{11442AA2-04EC-44A2-A7B4-4779E39CA71C}) (Version: 9.5.29 - AT&T Inc.)
Canon MF Toolbox 4.9.1.1.mf09 (HKLM-x32\...\{6767DFEE-8909-453A-B553-C7693912B2EB}) (Version: 3.2.0 - Canon)
Canon MF4320-4350 (HKLM\...\{99A5569D-9F86-4f32-A227-1538B731DA42}) (Version:  - )
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.02040 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (x32 Version: 3.1.02040 - Cisco Systems, Inc.) Hidden
Click-N-Type (HKLM-x32\...\{C8983823-DCEA-4064-B7DA-FE3871F2231E}) (Version: 3.03.0412 - Lake Software)
Dropbox (HKCU\...\Dropbox) (Version: 2.6.31 - Dropbox, Inc.)
FileZilla Client 3.6.0.2 (HKLM-x32\...\FileZilla Client) (Version: 3.6.0.2 - FileZilla Project)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 34.0.1847.131 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.23.9 - Google Inc.) Hidden
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Java 7 Update 17 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217017FF}) (Version: 7.0.170 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.0 - Sun Microsystems, Inc.) Hidden
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Juniper Networks Host Checker (HKCU\...\Neoteris_Host_Checker) (Version: 6.0.0.13075 - Juniper Networks)
Juniper Networks Network Connect 6.0.0 (HKLM-x32\...\Juniper Network Connect 6.0.0) (Version: 6.0.0.13075 - Juniper Networks)
Juniper Networks Setup Client (HKCU\...\JuniperSetupClient) (Version: 1.1.0.0 - Juniper Networks)
KeePass Password Safe 2.20 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version:  - Dominik Reichl)
LANDesk Advance Agent (x32 Version: 1.0.0 - LANDesk Software) Hidden
LANDesk® Common Base Agent 8 (x32 Version: 9.0.3.5 - LANDesk Software, Ltd) Hidden
Malwarebytes Anti-Malware version 2.0.1.1004 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation)
McAfee Agent (HKLM-x32\...\{B639A4DE-A375-47D3-89C3-DDCF98D992F7}) (Version: 4.5.0.1270 - McAfee, Inc.)
McAfee VirusScan Enterprise (HKLM-x32\...\{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}) (Version: 8.7.00005 - McAfee, Inc.)
MetaFrame Presentation Server Client (HKLM-x32\...\{DF1D5FEC-D67C-43C8-9230-41F5DF350196}) (Version: 9.150.39151 - Citrix Systems, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2003 Web Components (HKLM-x32\...\{90120000-00A4-0409-0000-0000000FF1CE}) (Version: 12.0.6213.1000 - Microsoft Corporation)
Microsoft Office Communicator 2005 (HKLM-x32\...\{BE5AD430-9E0C-4243-AB3F-593835869855}) (Version: 1.0.559.0 - Microsoft Corporation)
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Standard 2010 (HKLM-x32\...\Office14.STANDARD) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Standard 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{8E770F99-CF23-4BF9-BF4E-E3A2924FEB27}) (Version: 8.0.50727.762 - SAP)
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM-x32\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Backward compatibility (HKLM\...\{62D2F823-0EAA-496D-B0F9-A869BFC51550}) (Version: 8.05.2312 - Microsoft Corporation)
Microsoft SQL Server 2005 Books Online (English) (HKLM-x32\...\{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}) (Version: 9.00.1399.06 - Microsoft Corporation)
Microsoft SQL Server 2005 Tools (x32 Version: 9.4.5000.00 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 (64-bit) (HKLM\...\Microsoft SQL Server 10 Release) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 (64-bit) (Version:  - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 (HKLM-x32\...\Microsoft SQL Server 10 Release) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 (x32 Version:  - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 BI Development Studio (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 BI Development Studio (x32 Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Books Online (English) (HKLM-x32\...\{3431A7A3-6287-46B0-8AF1-BE2452A1FE62}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server 2008 Client Tools (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Client Tools (x32 Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Common Files (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Common Files (x32 Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Integration Services (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Integration Services (x32 Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Management Studio (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Management Studio (x32 Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Microsoft SQL Server 2008 Native Client (HKLM\...\{2738C4AA-420E-4E13-ADEF-B5AB250E3EF1}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Policies (HKLM-x32\...\{01C5A10F-AD9B-405B-853A-6659841A1242}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{6292D514-17A4-403F-98F9-E150F10C043D}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files (English) (HKLM-x32\...\{9D6D76A6-4328-49E8-97A7-531A74841DA5}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 English (HKLM-x32\...\{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 Query Tools English (HKLM-x32\...\{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{9ACF3FDB-C8E6-444C-8C64-13A221F7BFFD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM-x32\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual Studio 2005 Premier Partner Edition - ENU (HKLM-x32\...\{C25EF637-BE7A-4761-9B45-9069989C319F}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual Studio 2008 Shell (integrated mode) - ENU (HKLM-x32\...\{BA0C9AAF-1327-3F06-B49C-349B4BE8F740}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM-x32\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM-x32\...\{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
NaturalPoint USB Drivers x64 (HKLM\...\{B408139D-04D6-4464-A979-D335E48F7063}) (Version: 2.50.0000 - NaturalPoint)
ODAC Documentation for Visual Studio 2008 (HKLM-x32\...\{EDE9119C-9D98-4866-9227-F00A2F441BD2}) (Version: 11.2.03 - Oracle Corporation)
Presto! PageManager 7.15.35 (HKLM-x32\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.35 - NewSoft Technology Corporation)
RWD Info Pak - Help Launchpad ActiveX (HKLM-x32\...\RWD Info Pak - Help Launchpad ActiveX) (Version: 5.10 - RWD Technologies)
SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.20 - SAP AG)
SAP GUI for Windows 7.20 (HKLM-x32\...\SAPGUI710) (Version: 7.20 Compilation 3 - SAP)
Service Pack 3 for SQL Server 2008 (KB2546951) (64-bit) (HKLM\...\KB2546951) (Version: 10.3.5500.0 - Microsoft Corporation)
Service Pack 4 for SQL Server Tools and Workstation Components 2005 ENU (KB2463332) (HKLM-x32\...\KB2463332_SQLTools9) (Version: 9.4.5000 - Microsoft Corporation)
SmartNav (HKLM-x32\...\{519e374d-b0ee-4c2c-a630-4e940c11e55b}) (Version: 3.20.037 - NaturalPoint)
Snagit 11 (HKLM-x32\...\{F8E3C768-71F3-11E1-9DF7-70804824019B}) (Version: 11.0.1 - TechSmith Corporation)
SQL Server System CLR Types (HKLM\...\{F4264106-F90E-4076-98CF-1B878DB14513}) (Version: 10.3.5500.0 - Microsoft Corporation)
SQL Server System CLR Types (HKLM-x32\...\{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}) (Version: 10.0.1600.22 - Microsoft Corporation)
SQLXML4 (HKLM\...\{DEA9F247-F832-4E36-90BF-D8EDA206521A}) (Version: 9.00.5000.00 - Microsoft Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.24.0 - Synaptics Incorporated)
TeraTerm Install (HKLM-x32\...\{4496789F-1633-4777-881E-254FF2CA30CB}) (Version: 1.00 - Morris Communications)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2473228) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
WinSQL (HKLM-x32\...\{FDC6FB50-CC2E-4A29-8A4C-58C546644415}) (Version: 9.0 - Synametrics Technologies)
 
==================== Restore Points  =========================
 
Could not list Restore Points. Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ==========================
 
2009-07-13 22:34 - 2013-03-21 09:29 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {11B2B1F5-AE6B-4037-AE6E-E1166CC6E09B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13] (Google Inc.)
Task: {874CEBBA-EEDA-4097-876B-63D3E28AED1E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-04-28] (Adobe Systems Incorporated)
Task: {B59445C5-0575-40E7-9C85-9DBF67FDA2B2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2010-03-25 20:07 - 2010-03-25 20:07 - 00140288 _____ () C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\VsEvntUI.dll
2010-01-02 10:42 - 2010-01-02 10:42 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2011-10-21 17:50 - 2011-10-21 17:50 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-01-24 13:34 - 2013-01-24 13:34 - 00063408 _____ () C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
2012-07-18 17:42 - 2011-10-14 05:29 - 00186880 _____ () C:\Program Files (x86)\LANDesk\LDClient\httprequest.dll
2012-07-18 17:42 - 2009-11-23 17:20 - 00043008 _____ () C:\Program Files (x86)\LANDesk\LDClient\rollinglog.dll
2012-07-18 17:42 - 2009-11-23 17:51 - 00433664 _____ () C:\Program Files (x86)\LANDesk\LDClient\sqlite3.dll
2012-07-18 17:42 - 2009-11-23 17:51 - 00024576 _____ () C:\Program Files (x86)\LANDesk\LDClient\ProcessRunner.dll
2012-07-18 17:42 - 2011-09-19 05:31 - 00073728 _____ () C:\Program Files (x86)\LANDesk\LDClient\policy.client.business.dll
2012-07-18 17:42 - 2011-11-21 21:44 - 00118272 _____ () C:\Program Files (x86)\LANDesk\LDClient\uncauthentication.dll
2007-04-18 21:30 - 2007-04-18 21:30 - 00393216 _____ () C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
2007-04-18 21:30 - 2007-04-18 21:30 - 00471040 _____ () C:\Program Files (x86)\McAfee\Common Framework\ccme_base.dll
2009-09-25 05:50 - 2009-09-25 05:50 - 00065536 _____ () C:\Program Files (x86)\McAfee\Common Framework\boost_thread-vc80-mt-1_32.dll
2012-07-18 17:42 - 2007-04-20 08:28 - 00106567 _____ () C:\Program Files (x86)\LANDesk\LDClient\ThinstallManageApi.dll
2013-02-21 10:40 - 2013-02-21 10:40 - 00030720 _____ () C:\Users\bmetay\AppData\Local\ATT Connect\Participant\IwRegVC90.dll
2013-02-21 10:22 - 2013-02-21 10:22 - 00010240 _____ () C:\Users\bmetay\AppData\Local\ATT Connect\Participant\exchndl.dll
2014-05-19 18:26 - 2014-05-19 18:26 - 00041984 _____ () c:\users\victor~1.rat\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp41cu67.dll
2013-10-18 19:55 - 2013-10-18 19:55 - 25100288 _____ () C:\Users\bmetay\AppData\Roaming\Dropbox\bin\libcef.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Windows\system32\OEMLOGO.bmp:AFP_AfpInfo
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\startupreg: makehone => C:\Windows\system32\clipdiag.exe
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: WrtMon.exe => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/07/2014 09:43:54 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
 
 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
.
 
Error: (05/02/2014 10:01:34 PM) (Source: Inventory Scanner) (EventID: 25) (User: )
Description: LDIScn32: Failed to resolve the Host Name.
 
Error: (05/02/2014 08:13:40 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.
 
 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
.
 
Error: (05/01/2014 09:25:46 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Standard 2010; Error = 0x8007043c).
 
Error: (05/01/2014 09:25:43 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Standard 2010; Error = 0x8007043c).
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (04/28/2014 09:04:52 PM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and Name Coordinator is [0x80040154, Class not registered
].
 
 
System errors:
=============
Error: (05/19/2014 06:27:07 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (05/19/2014 06:26:35 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: INTERNAL)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (05/19/2014 06:25:23 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (05/19/2014 06:24:50 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IP Helper service depends the following service: winmgmt. This service might not be installed.
 
Error: (05/19/2014 06:24:49 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain INTERNAL due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (05/19/2014 05:54:21 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (05/19/2014 05:53:00 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: INTERNAL)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (05/19/2014 05:51:56 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (05/19/2014 05:51:34 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IP Helper service depends the following service: winmgmt. This service might not be installed.
 
Error: (05/19/2014 05:51:30 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain INTERNAL due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
 
Microsoft Office Sessions:
=========================
Error: (05/07/2014 09:43:54 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
 
Error: (05/02/2014 10:01:34 PM) (Source: Inventory Scanner) (EventID: 25) (User: )
Description: LDIScn32
 
Error: (05/02/2014 08:13:40 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: 
Details:
Could not query the status of the EventSystem service.
 
System Error:
A system shutdown is in progress.
 
Error: (05/01/2014 09:25:46 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingConfigured Microsoft Office Standard 20100x8007043c
 
Error: (05/01/2014 09:25:43 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -EmbeddingConfigured Microsoft Office Standard 20100x8007043c
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 35) (User: )
Description: 0x8007043c
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 34) (User: )
Description: 0x8007043c
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 35) (User: )
Description: 0x8007043c
 
Error: (05/01/2014 09:25:15 PM) (Source: Outlook) (EventID: 34) (User: )
Description: 0x8007043c
 
Error: (04/28/2014 09:04:52 PM) (Source: VSS) (EventID: 22) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80040154, Class not registered
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 36%
Total physical RAM: 4006.36 MB
Available physical RAM: 2532.71 MB
Total Pagefile: 8010.91 MB
Available Pagefile: 6417.29 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.66 GB) (Free:402.72 GB) NTFS
Drive e: (IcyDock) (Fixed) (Total:298.09 GB) (Free:38.05 GB) NTFS
Drive p: (Offline) (Network) (Total:465.66 GB) (Free:402.72 GB) CSC-CACHE
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 35CFDBA5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 4F7A063E)
Partition 1: (Not Active) - (Size=298 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-05-2014
Ran by bmetay (administrator) on MYCOMPUTER on 19-05-2014 18:35:02
Running from C:\temp\New folder
Platform: Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Avocent Corporation) C:\Program Files (x86)\LANDesk\Shared Files\residentAgent.exe
(Juniper Networks) C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE
(LANDesk Software, Inc. and its affiliates ) C:\Program Files (x86)\LANDesk\LDClient\collector.exe
(LANDesk Software Ltd.) C:\Windows\SysWOW64\cba\pds.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\issuser.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\amtmon.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\SoftMon.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
(LANDesk Software, Inc. and its affiliates.) C:\Program Files (x86)\LANDesk\LDClient\rcgui.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(NaturalPoint) C:\Program Files (x86)\NaturalPoint\SmartNav\SmartNAV.exe
(AT&T Inc.) C:\Users\bmetay\AppData\Local\ATT Connect\Participant\pull.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
(Dropbox, Inc.) C:\Users\bmetay\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2174760 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [835072 2011-01-27] (IDT, Inc.)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [136512 2009-09-25] (McAfee, Inc.)
HKLM-x32\...\Run: [ShStatEXE] => C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [124224 2011-02-04] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [1911808 2012-09-08] (Dominik Reichl)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [701872 2013-01-24] (Cisco Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Run: [COMMUNICATOR] => C:\Program Files (x86)\Microsoft Office Communicator\Communicator.exe [4167376 2005-05-12] (Microsoft Corporation)
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Run: [NaturalPoint] => C:\Program Files (x86)\NaturalPoint\SmartNav\SmartNAV.exe [394864 2012-07-30] (NaturalPoint)
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Run: [Push Client] => C:\Users\bmetay\AppData\Local\ATT Connect\Participant\pull.exe [983296 2013-02-21] (AT&T Inc.)
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [DisablePersonalDirChange] 1
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [NoStartMenuMyGames] 1
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-448539723-343818398-839522115-8651\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-448539723-343818398-839522115-8651\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\VICTOR~1.RAT\AppData\Local\Temp\srmwmvc\spcvobs\wow.dll ATTENTION! ====> ZeroAccess?
Startup: C:\Users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Click-N-Type.LNK
ShortcutTarget: Click-N-Type.LNK -> C:\Program Files (x86)\Click-N-Type\Click-N-Type.exe (Lake Software)
Startup: C:\Users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\bmetay\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.morris.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Update_Check_Page = http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll (McAfee, Inc.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {7A162288-DE78-473C-A6BA-23FF17F768E9} https://connect9.uc.att.com/EventEntry/Websites/res/Windows/AxWebInstaller.cab
DPF: HKLM-x32 {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} http://71.203.78.145:88/codebase/DVM_IPCam2.ocx
DPF: HKLM-x32 {CC679CB8-DC4B-458B-B817-D447B3B6AC31} https://eastcoast.morris.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://outsidewest.morris.com/dana-cached/sc/JuniperSetupClient.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} -  No File
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} -  No File
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR StartupUrls: "hxxp://www.google.com/", "hxxp://mysearch.avg.com?cid={D9CE5A2C-C9EE-4352-B84C-279A84DAA5B9}&mid=9a47fc36c91d47d2aba7d15053aef554-40f955af337fc7f04985b2701f69d33cfa6bcb06&lang=en&ds=gf011&coid=avgtbdisgf&cmpid=&pr=sa&d=2014-05-08 19:14:51&v=18.1.0.443&pid=safeguard&sg=&sap=hp"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.131\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.131\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.131\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U7) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.70.10) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
CHR Extension: (Microsoft OneNote Notebook) - C:\Users\bmetay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2014-04-27]
CHR Extension: (Google Drive) - C:\Users\bmetay\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-04]
CHR Extension: (AVG Secure Search) - C:\Users\bmetay\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2014-05-10]
CHR Extension: (Google Wallet) - C:\Users\bmetay\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
 
==================== Services (Whitelisted) =================
 
R2 CBA8; C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe [147456 2011-08-01] (Avocent Corporation)
R2 Intel Local Scheduler Service; C:\Program Files (x86)\LANDesk\LDClient\LocalSch.EXE [189952 2011-10-14] (LANDesk Software, Inc. and its affiliates.)
R2 Intel PDS; C:\Windows\SysWOW64\CBA\pds.exe [32825 2007-08-31] (LANDesk Software Ltd.)
R2 ISSUSER; C:\Program Files (x86)\LANDesk\LDClient\issuser.exe [1459200 2011-10-20] (LANDesk Software, Inc. and its affiliates.)
R2 LANDesk Policy Invoker; C:\Program Files (x86)\LANDesk\LDClient\policy.client.invoker.exe [207872 2011-09-29] (LANDesk Software, Inc. and its affiliates.)
R2 LANDesk Targeted Multicast; C:\Program Files (x86)\LANDesk\LDClient\tmcsvc.exe [179200 2011-10-19] (LANDesk Software, Inc. and its affiliates.)
R2 LANDesk® Out-of-Band Monitor Service; C:\Program Files (x86)\LANDesk\LDClient\amtmon.exe [1058304 2011-10-14] (LANDesk Software, Inc. and its affiliates.)
R2 McAfeeEngineService; C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [20792 2011-02-04] (McAfee, Inc.)
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [120128 2009-09-25] (McAfee, Inc.)
R2 McShield; C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [181480 2011-02-04] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [66880 2011-02-04] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [77968 2011-02-04] (McAfee, Inc.)
R2 MsDtsServer100; C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [210792 2011-09-22] (Microsoft Corporation)
R2 Softmon; C:\Program Files (x86)\LANDesk\LDClient\softmon.exe [403632 2011-10-19] (LANDesk Software, Inc. and its affiliates.)
 
==================== Drivers (Whitelisted) ====================
 
R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdX64.sys [29184 2008-04-30] (Juniper Networks)
R3 IFXTPM; C:\Windows\System32\DRIVERS\IFXTPM.SYS [58880 2008-07-23] (Infineon Technologies AG)
R3 johci; C:\Windows\System32\DRIVERS\johci.sys [26712 2011-02-09] (JMicron Technology Corp.)
S3 ldblank; C:\Windows\System32\DRIVERS\ldblank.sys [20992 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 ldmirror; C:\Windows\System32\DRIVERS\ldmirror.sys [5120 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [98216 2011-02-04] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [120352 2011-02-04] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464384 2011-02-04] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [79536 2011-02-04] (McAfee, Inc.)
R1 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [86368 2011-02-04] (McAfee, Inc.)
R3 mirrorflt; C:\Windows\System32\DRIVERS\mirrorflt.sys [7168 2011-05-13] (LANDesk Software, Inc. and its affiliates.)
S3 npusbio; C:\Windows\System32\Drivers\npusbio_x64.sys [38400 2012-07-09] ()
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-05-19 18:34 - 2014-05-19 18:35 - 00000000 ____D () C:\FRST
2014-05-18 17:14 - 2014-05-18 17:14 - 02067456 _____ (Farbar) C:\Users\bmetay\Downloads\FRST64.exe
2014-05-10 10:59 - 2014-05-10 10:59 - 00688992 ____R (Swearware) C:\Users\bmetay\Downloads\dds.com
2014-05-05 21:42 - 2014-05-05 21:44 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-05-02 22:17 - 2014-05-02 22:18 - 08266096 _____ (NaturalPoint) C:\Users\bmetay\Downloads\SmartNAV_3.30.039.Final.exe
2014-05-02 22:04 - 2014-05-02 22:04 - 00624656 _____ () C:\Users\bmetay\Downloads\flvplayer-setup.exe
2014-05-02 22:04 - 2014-05-02 22:04 - 00624656 _____ () C:\Users\bmetay\Downloads\flvplayer-setup (1).exe
2014-05-02 21:51 - 2014-05-02 21:51 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\DropboxMaster
2014-04-28 21:04 - 2014-04-30 17:29 - 00000000 ___HD () C:\a4ef189
2014-04-28 20:59 - 2014-04-28 21:01 - 10094400 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\HitmanPro.exe
2014-04-28 20:57 - 2014-04-28 20:58 - 10971424 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\HitmanPro_x64 (1).exe
2014-04-28 20:37 - 2014-04-28 20:37 - 17338544 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-04-28 20:16 - 2014-04-28 20:16 - 00001127 _____ () C:\mw.txt
2014-04-28 19:45 - 2014-04-28 19:45 - 00019824 ____N () C:\bootsqm.dat
2014-04-27 16:42 - 2014-04-27 21:09 - 00000000 ____D () C:\ProgramData\qme
2014-04-25 09:01 - 2014-04-25 09:02 - 10971424 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\hitmanpro_x64.exe
2014-04-25 08:52 - 2014-05-17 21:41 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-25 08:51 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-25 08:51 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-25 08:51 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-22 15:44 - 2014-05-05 14:47 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-04-20 16:55 - 2014-04-25 08:33 - 00000000 ____D () C:\ProgramData\2992199F9A
 
==================== One Month Modified Files and Folders =======
 
2014-05-19 18:35 - 2014-05-19 18:34 - 00000000 ____D () C:\FRST
2014-05-19 18:26 - 2012-11-13 08:51 - 00000910 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-19 18:26 - 2012-09-15 11:19 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\Dropbox
2014-05-19 18:24 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-19 18:24 - 2009-07-14 00:51 - 00075421 _____ () C:\Windows\setupact.log
2014-05-19 18:04 - 2009-07-14 00:45 - 00012288 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-19 18:04 - 2009-07-14 00:45 - 00012288 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-18 17:14 - 2014-05-18 17:14 - 02067456 _____ (Farbar) C:\Users\bmetay\Downloads\FRST64.exe
2014-05-17 21:41 - 2014-04-25 08:52 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-17 21:40 - 2012-08-27 16:33 - 00000000 ____D () C:\Local Files
2014-05-10 10:59 - 2014-05-10 10:59 - 00688992 ____R (Swearware) C:\Users\bmetay\Downloads\dds.com
2014-05-09 21:10 - 2012-07-18 17:43 - 00000000 ____D () C:\ProgramData\vulScan
2014-05-06 08:18 - 2013-08-30 20:23 - 00000000 ____D () C:\QUARANTINE
2014-05-05 21:44 - 2014-05-05 21:42 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-05-05 14:47 - 2014-04-22 15:44 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-02 22:44 - 2012-11-13 08:51 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-02 22:37 - 2012-07-18 15:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-02 22:20 - 2012-07-18 21:09 - 00000224 _____ () C:\Windows\system32\config\netlogon.ftl
2014-05-02 22:18 - 2014-05-02 22:17 - 08266096 _____ (NaturalPoint) C:\Users\bmetay\Downloads\SmartNAV_3.30.039.Final.exe
2014-05-02 22:04 - 2014-05-02 22:04 - 00624656 _____ () C:\Users\bmetay\Downloads\flvplayer-setup.exe
2014-05-02 22:04 - 2014-05-02 22:04 - 00624656 _____ () C:\Users\bmetay\Downloads\flvplayer-setup (1).exe
2014-05-02 21:51 - 2014-05-02 21:51 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\DropboxMaster
2014-05-02 21:51 - 2012-09-15 11:20 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-05-02 21:51 - 2012-08-22 09:35 - 00000000 ___RD () C:\Users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-01 19:01 - 2011-05-23 12:42 - 00791596 _____ () C:\Windows\PFRO.log
2014-05-01 19:01 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Help
2014-04-30 17:29 - 2014-04-28 21:04 - 00000000 ___HD () C:\a4ef189
2014-04-28 21:01 - 2014-04-28 20:59 - 10094400 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\HitmanPro.exe
2014-04-28 20:58 - 2014-04-28 20:57 - 10971424 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\HitmanPro_x64 (1).exe
2014-04-28 20:38 - 2012-07-18 15:14 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-04-28 20:38 - 2012-07-18 15:14 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-04-28 20:38 - 2012-07-18 15:14 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-04-28 20:37 - 2014-04-28 20:37 - 17338544 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-04-28 20:18 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Resources
2014-04-28 20:16 - 2014-04-28 20:16 - 00001127 _____ () C:\mw.txt
2014-04-28 19:45 - 2014-04-28 19:45 - 00019824 ____N () C:\bootsqm.dat
2014-04-27 21:23 - 2012-07-18 17:38 - 01918628 _____ () C:\Windows\WindowsUpdate.log
2014-04-27 21:11 - 2012-09-15 22:33 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\KeePass
2014-04-27 21:11 - 2009-07-14 03:23 - 00000000 __SHD () C:\Windows\BitLockerDiscoveryVolumeContents
2014-04-27 21:09 - 2014-04-27 16:42 - 00000000 ____D () C:\ProgramData\qme
2014-04-27 11:21 - 2012-08-22 09:37 - 00000000 ____D () C:\Users\bmetay\AppData\Roaming\SAP
2014-04-27 11:21 - 2012-08-22 09:37 - 00000000 ____D () C:\Users\bmetay\AppData\Local\SAP
2014-04-27 11:09 - 2012-07-24 08:49 - 00000000 ____D () C:\Users\mdamour\SapWorkDir
2014-04-26 11:25 - 2009-07-14 01:08 - 00032614 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-25 09:02 - 2014-04-25 09:01 - 10971424 _____ (SurfRight B.V.) C:\Users\bmetay\Downloads\hitmanpro_x64.exe
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-25 08:51 - 2014-04-25 08:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-04-25 08:33 - 2014-04-20 16:55 - 00000000 ____D () C:\ProgramData\2992199F9A
2014-04-20 16:18 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
 
Some content of TEMP:
====================
C:\Users\mdamour\AppData\Local\Temp\enuinst32.dll
C:\Users\mdamour\AppData\Local\Temp\inst32.exe
C:\Users\bmetay\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp41cu67.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-04-19 17:29
 
==================== End Of Log ============================


#12 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,793 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:07:29 AM

Posted 20 May 2014 - 08:41 AM

Hello,

Please do the following:

ComboFix Download and Scan
  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:

  • Disable any anti-virus and/or firewall software you have installed.
    instructions can be found here if needed
  • Close all open windows including your web browser
    as mentioned in the first post, you may want to print out all instructions before starting
  • Double-click on the ComboFix icon on your desktop.
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

    cf-preparing.jpg
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.
  • However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

    recovery-console-prompt.jpg

    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode
  • Allow ComboFix to reboot the computer if necessary, it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

    cf-log.jpg
More information about downloading and using ComboFix can be found here if needed.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#13 bmetay

bmetay
  • Topic Starter
  • Members
  • 29 posts

Posted 22 May 2014 - 06:29 PM

I thought the AV was off but it wasn't.

ComboFix 14-05-19.01 - bmetay 05/20/2014  20:02:36.1.4 - x64
Running from: c:\combofix\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\bmetay\AppData\Local\assembly\tmp
c:\users\bmetay\AppData\Local\Microsoft\Windows\Temporary Internet Files\{CAEA6B38-8374-46E8-B902-CAD0D52B901D}.xps
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-21 to 2014-05-21  )))))))))))))))))))))))))))))))
.
.
2014-05-21 00:07 . 2014-05-21 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-21 00:07 . 2014-05-21 00:07 -------- d-----w- c:\users\james.taylor\AppData\Local\temp
2014-05-21 00:07 . 2014-05-21 00:07 -------- d-----w- c:\users\jtaylor\AppData\Local\temp
2014-05-21 00:07 . 2014-05-21 00:07 -------- d-----w- c:\users\MCCOwner\AppData\Local\temp
2014-05-19 22:34 . 2014-05-19 22:36 -------- d-----w- C:\FRST
2014-05-06 01:42 . 2014-05-06 01:44 -------- d-----w- c:\programdata\HitmanPro
2014-05-03 01:51 . 2014-05-03 01:51 -------- d-----w- c:\users\bmetay\AppData\Roaming\DropboxMaster
2014-04-29 01:04 . 2014-04-30 21:29 -------- d-----w- C:\a4ef189
2014-04-29 00:37 . 2014-04-29 00:37 17338544 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-04-27 20:42 . 2014-04-28 01:09 -------- d-----w- c:\programdata\qme
2014-04-26 15:07 . 2014-04-17 09:31 10651704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3CA9C881-85CC-422A-B7C2-6D69CAAFC96D}\mpengine.dll
2014-04-25 12:52 . 2014-05-18 01:41 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-25 12:51 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-25 12:51 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-25 12:51 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-25 12:51 . 2014-04-25 12:51 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-25 12:51 . 2014-04-25 12:51 -------- d-----w- c:\programdata\Malwarebytes
2014-04-25 12:50 . 2014-04-25 12:50 -------- d-----w- c:\users\bmetay\AppData\Local\Programs
2014-04-22 19:44 . 2014-05-05 18:47 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-29 00:38 . 2012-07-18 19:14 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-29 00:38 . 2012-07-18 19:14 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-31 13:35 . 2011-02-11 18:50 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files (x86)\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"NaturalPoint"="c:\program files (x86)\NaturalPoint\SmartNav\SmartNAV.exe" [2012-07-30 394864]
"Push Client"="c:\users\bmetay\AppData\Local\ATT Connect\Participant\pull.exe" [2013-02-21 983296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2012-09-08 1911808]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2013-01-24 701872]
.
c:\users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Click-N-Type.LNK - c:\program files (x86)\Click-N-Type\Click-N-Type.exe [2012-3-10 921600]
Dropbox.lnk - c:\users\bmetay\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-4-18 33604728]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - c:\program files (x86)\Citrix\ICA Client\pnagent.exe [2005-11-29 233744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuMyGames"= 1 (0x1)
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-343818398-839522115-8651\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\netlogon\SecCheck.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-343818398-839522115-8900\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\netlogon\SecCheck.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys;c:\windows\SYSNATIVE\drivers\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys;c:\windows\SYSNATIVE\DRIVERS\ldblank.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 npusbio;npusbio;c:\windows\system32\Drivers\npusbio_x64.sys;c:\windows\SYSNATIVE\Drivers\npusbio_x64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 CBA8;LANDesk® Management Agent;c:\program files (x86)\LANDesk\Shared Files\residentagent.exe;c:\program files (x86)\LANDesk\Shared Files\residentagent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files (x86)\LANDesk\LDClient\policy.client.invoker.exe;c:\program files (x86)\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files (x86)\LANDesk\LDClient\tmcsvc.exe;c:\program files (x86)\LANDesk\LDClient\tmcsvc.exe [x]
S2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files (x86)\LANDesk\LDClient\amtmon.exe;c:\program files (x86)\LANDesk\LDClient\amtmon.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [x]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files (x86)\LANDesk\LDClient\softmon.exe;c:\program files (x86)\LANDesk\LDClient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS;c:\windows\SYSNATIVE\DRIVERS\IFXTPM.SYS [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys;c:\windows\SYSNATIVE\DRIVERS\ldmirror.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys;c:\windows\SYSNATIVE\DRIVERS\mirrorflt.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-03 02:42 1078088 ----a-w- c:\program files (x86)\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-18 00:38]
.
2014-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13 12:50]
.
2014-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13 12:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-05 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-05 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-05 418840]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-27 835072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} - hxxps://connect9.uc.att.com/EventEntry/Websites/res/Windows/AxWebInstaller.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://71.203.78.145:88/codebase/DVM_IPCam2.ocx
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://eastcoast.morris.com/CACHE/stc/1/binaries/vpnweb.cab
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-KB2463332_SQLTools9 - c:\windows\SQLTools9_KB2463332_ENU\Hotfix.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\LANDesk\LDClient\LocalSch.EXE
c:\progra~2\LANDesk\LDClient\collector.exe
c:\windows\SysWOW64\CBA\pds.exe
c:\progra~2\LANDesk\LDClient\issuser.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\progra~2\LANDesk\LDClient\rcgui.exe
c:\users\bmetay\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
c:\program files (x86)\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2014-05-20  20:13:36 - machine was rebooted
ComboFix-quarantined-files.txt  2014-05-21 00:13
.
Pre-Run: 432,279,158,784 bytes free
Post-Run: 432,963,047,424 bytes free
.
- - End Of File - - 3E062078C2DB548842AB6630112397C4
A36C5E4F47E84449FF07ED3517B43A31


#14 TheShooter93

TheShooter93 (Cody)
  • Malware Response Team
  • 4,793 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 23 May 2014 - 09:31 AM

Hi bmetay,

Please do the following:

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Folder::
    C:\a4ef189
    C:\programdata\qme
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    =====================================================================
     
  • What I'd like to see in your next post:
  • C:\ComboFix.txt
  • How is your computer running?

Edited by TheShooter93, 23 May 2014 - 09:31 AM.



#15 bmetay

bmetay
  • Topic Starter
  • Members
  • 29 posts

Posted 23 May 2014 - 09:47 PM

Shortly after running ComboFix, this message popped up from McAfee:
'..programfiles(x86)mcafee\virusscan enterprise\entvutil.exe
illegal operation attempted on a registry key that has been marked for deletion'
 
Isn't that some attempt by malware?

 

===combofix.txt======================

ComboFix 14-05-19.01 - bmetay 05/23/2014  20:07:55.2.4 - x64
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.4006.2553 [GMT -4:00]
Running from: e:\install\Malware\ComboFix\ComboFix.exe
Command switches used :: e:\install\Malware\ComboFix\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\a4ef189
c:\programdata\qme
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-24 to 2014-05-24  )))))))))))))))))))))))))))))))
.
.
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\michael.sipe\AppData\Local\temp
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\msipe\AppData\Local\temp
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\NFSOwner\AppData\Local\temp
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\lelif\AppData\Local\temp
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-24 00:11 . 2014-05-24 00:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-05-19 22:34 . 2014-05-19 22:36 -------- d-----w- C:\FRST
2014-05-06 01:42 . 2014-05-06 01:44 -------- d-----w- c:\programdata\HitmanPro
2014-05-03 01:51 . 2014-05-03 01:51 -------- d-----w- c:\users\bmetay\AppData\Roaming\DropboxMaster
2014-04-29 00:37 . 2014-04-29 00:37 17338544 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-04-26 15:07 . 2014-04-17 09:31 10651704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3CA9C881-85CC-422A-B7C2-6D69CAAFC96D}\mpengine.dll
2014-04-25 12:52 . 2014-05-18 01:41 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-25 12:51 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-25 12:51 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-25 12:51 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-25 12:51 . 2014-04-25 12:51 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-25 12:51 . 2014-04-25 12:51 -------- d-----w- c:\programdata\Malwarebytes
2014-04-25 12:50 . 2014-04-25 12:50 -------- d-----w- c:\users\bmetay\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-29 00:38 . 2012-07-18 19:14 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-29 00:38 . 2012-07-18 19:14 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-31 13:35 . 2011-02-11 18:50 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 131248 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files (x86)\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]
"NaturalPoint"="c:\program files (x86)\NaturalPoint\SmartNav\SmartNAV.exe" [2012-07-30 394864]
"Push Client"="c:\users\bmetay\AppData\Local\ATT Connect\Participant\pull.exe" [2013-02-21 983296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"KeePass 2 PreLoad"="c:\program files (x86)\KeePass Password Safe 2\KeePass.exe" [2012-09-08 1911808]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2013-01-24 701872]
.
c:\users\bmetay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Click-N-Type.LNK - c:\program files (x86)\Click-N-Type\Click-N-Type.exe [2012-3-10 921600]
Dropbox.lnk - c:\users\bmetay\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-4-18 33604728]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Program Neighborhood Agent.lnk - c:\program files (x86)\Citrix\ICA Client\pnagent.exe [2005-11-29 233744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoStartMenuMyGames"= 1 (0x1)
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-343818398-839522115-8651\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\netlogon\SecCheck.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-343818398-839522115-8900\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\netlogon\SecCheck.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys;c:\windows\SYSNATIVE\drivers\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys;c:\windows\SYSNATIVE\DRIVERS\ldblank.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 npusbio;npusbio;c:\windows\system32\Drivers\npusbio_x64.sys;c:\windows\SYSNATIVE\Drivers\npusbio_x64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 CBA8;LANDesk® Management Agent;c:\program files (x86)\LANDesk\Shared Files\residentagent.exe;c:\program files (x86)\LANDesk\Shared Files\residentagent.exe [x]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files (x86)\LANDesk\LDClient\policy.client.invoker.exe;c:\program files (x86)\LANDesk\LDClient\policy.client.invoker.exe [x]
S2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files (x86)\LANDesk\LDClient\tmcsvc.exe;c:\program files (x86)\LANDesk\LDClient\tmcsvc.exe [x]
S2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files (x86)\LANDesk\LDClient\amtmon.exe;c:\program files (x86)\LANDesk\LDClient\amtmon.exe [x]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [x]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files (x86)\LANDesk\LDClient\softmon.exe;c:\program files (x86)\LANDesk\LDClient\softmon.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS;c:\windows\SYSNATIVE\DRIVERS\IFXTPM.SYS [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys;c:\windows\SYSNATIVE\DRIVERS\ldmirror.sys [x]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys;c:\windows\SYSNATIVE\DRIVERS\mirrorflt.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-03 02:42 1078088 ----a-w- c:\program files (x86)\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-18 00:38]
.
2014-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13 12:50]
.
2014-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-13 12:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09 164016 ----a-w- c:\users\bmetay\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-05 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-05 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-05 418840]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-27 835072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} - hxxps://connect9.uc.att.com/EventEntry/Websites/res/Windows/AxWebInstaller.cab
DPF: {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} - hxxp://71.203.78.145:88/codebase/DVM_IPCam2.ocx
DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} - hxxps://eastcoast.morris.com/CACHE/stc/1/binaries/vpnweb.cab
.
- - - - ORPHANS REMOVED - - - -
.
Notify-WgaLogon - (no file)
AddRemove-KB2463332_SQLTools9 - c:\windows\SQLTools9_KB2463332_ENU\Hotfix.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-23  20:13:34
ComboFix-quarantined-files.txt  2014-05-24 00:13
.
Pre-Run: 432,942,882,816 bytes free
Post-Run: 432,727,359,488 bytes free
.
- - End Of File - - 5F25C04D7633939B7D871450A06DA736
A36C5E4F47E84449FF07ED3517B43A31




