TechSpot

Firefox redirect and sluggishness

By nicmatth
Jun 30, 2011
    Hi All,

    I'm pretty good about viruses - this is my first in 8 years or so. I've done the basics - go to msconfig, remove all the programs/services I don't know in safe mode, run a few antivirus scans, etc. This one has eluded me. I either accidentally clicked on one of those ActiveX screens or it used a vulnerability to allow itself on the computer. It happened very quickly.

    My Firefox results show up normally, but the first click to websites is being redirected. The computer also feels a little more sluggish than it should. SpyNoMore found keyloggers and trojans, but wanted money to remove them.

    Here are the logs:

    MBAM:
    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6986

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/30/2011 9:53:47 AM
    mbam-log-2011-06-30 (09-53-47).txt

    Scan type: Quick scan
    Objects scanned: 180815
    Time elapsed: 2 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files (x86)\mozilla firefox\0.2928573401180692.exe (Exploit.Dropper) -> Quarantined and deleted successfully.
    c:\program files (x86)\mozilla firefox\0.4473215236219442.exe (Exploit.Dropper) -> Quarantined and deleted successfully.



    GMER:
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-30 10:05:31
    Windows 6.1.7600
    Running: gmer.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf73100
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf73100 (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\Users\nicmatth\AppData\Local\Microsoft\Outlook\~outlook.ost.tmp 65536 bytes
    File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2 0 bytes
    File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2\plugin-298939.pdf 79094 bytes
    File C:\Users\nicmatth\AppData\Local\Temp\etilqs_HwIGzqVcLoxm6fN 262176 bytes
    File C:\Users\nicmatth\AppData\Local\Temp\How_to_Build_a_ASR_9000.ppt 1136640 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\addons.sqlite-journal 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-shm 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-wal 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\extensions.sqlite-journal 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\parent.lock 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-shm 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-wal 0 bytes
    File C:\Users\nicmatth\AppData\Roaming\Thunderbird\Profiles\trq05g59.default\cookies.sqlite-journal 0 bytes

    ---- EOF - GMER 1.0.15 ----




    Attach.txt:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/26/2011 10:19:56 PM
    System Uptime: 6/29/2011 3:12:28 AM (31 hours ago)
    .
    Motherboard: LENOVO | | 4389BB4
    Processor: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz | None | 1600/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 119 GiB total, 16.97 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
    Manufacturer: (Standard CD-ROM drives)
    Name: HL-DT-ST DVDRAM GT30N ATA Device
    PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
    Service: cdrom
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Bluetooth Device (Personal Area Network)
    Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
    Manufacturer: Microsoft
    Name: Bluetooth Device (Personal Area Network)
    PNP Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
    Service: BthPan
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VMware Virtual Ethernet Adapter for VMnet1
    Device ID: ROOT\VMWARE\0000
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet1
    PNP Device ID: ROOT\VMWARE\0000
    Service: VMnetAdapter
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VMware Virtual Ethernet Adapter for VMnet8
    Device ID: ROOT\VMWARE\0001
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet8
    PNP Device ID: ROOT\VMWARE\0001
    Service: VMnetAdapter
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Intel(R) Centrino(R) Ultimate-N 6300 AGN
    Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
    Manufacturer: Intel Corporation
    Name: Intel(R) Centrino(R) Ultimate-N 6300 AGN
    PNP Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
    Service: NETw5s64
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter for 64-bit Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter for 64-bit Windows
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    PNP Device ID: ROOT\NET\0001
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    RP67: 6/8/2011 12:05:05 PM - Scheduled Checkpoint
    RP68: 6/14/2011 11:14:07 AM - Installed DesignXpert
    RP69: 6/15/2011 3:00:12 PM - Windows Update
    RP70: 6/23/2011 2:34:16 PM - Scheduled Checkpoint
    RP71: 6/23/2011 3:00:10 PM - Windows Update
    .
    ==== Installed Programs ======================
    .
    .
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    7-Zip 9.20
    Adobe Audition 1.5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.4
    Adobe Shockwave Player 11.5
    Altiris Agent
    Altiris Application Metering Agent
    Altiris Inventory Rule Agent
    Altiris Local Security Agent
    Altiris Patch Management Agent
    Altiris Software Delivery Solution Agent
    Altiris Task Synchronization Agent
    Altiris_PCTransplant
    Applications_Win32_Cisco_AltirisAgentRedirector
    Applications_Win32_Cisco_PCSetupGuide
    CEPS Print Client
    Chinese Simplified Fonts Support For Adobe Reader 9
    Chinese Traditional Fonts Support For Adobe Reader 9
    Cisco AnyConnect VPN Client
    Cisco DART
    Cisco Direct Printing
    Cisco IP Communicator
    Cisco WebEx Connect
    CiscoITw7blizzardwpa1
    Citrix Presentation Server Client
    DesignXpert
    eSupport UndeletePlus 3.0.2.406
    Evernote v. 4.3
    FileZilla Client 3.4.0
    FileZilla Server (remove only)
    GIMP 2.6.11
    Google Calendar Sync
    Google Talk Plugin
    GSplit 3
    GTRC Support Central
    HiJackThis
    Integrated Camera Driver Installer Package Ver.1.1.0.42
    iPassConnect
    IPTV Viewer
    Japanese Fonts Support For Adobe Reader 9
    Java(TM) 6 Update 13
    Keyspan USB Serial Adapter
    Korean Fonts Support For Adobe Reader 9
    Malwarebytes' Anti-Malware version 1.51.0.1200
    McAfee Agent
    McAfee AntiSpyware Enterprise Module
    McAfee VirusScan Enterprise
    Microsoft Office Access database engine 2007 (English)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Visio 2010
    Microsoft Office Visio MUI (English) 2010
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Visio Standard 2010
    Microsoft Visio Viewer 2010
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft_VC90_CRT_x86
    Mozilla Firefox 5.0 (x86 en-US)
    Mozilla Thunderbird (3.1.11)
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    MultiMon TaskBar 2.1
    Netformx Updater
    Network Recording Player
    Notepad++
    ooVoo
    OS_Winx64_Windows7_Drivers_Lenovo_ThinkPad_W510
    Pidgin
    QuickTime 7.5
    Real-Time Monitoring Tool 8.5
    Real-Time Monitoring Tool 8.7
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    SofToken II
    SpyNoMore 2.98
    Tftpd32 Standalone Edition
    ThinkPad Power Manager
    tools-linux
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    ViewMail for Outlook 7.0(2)
    VirtualCloneDrive
    VMware Player
    VMware vCenter Converter Standalone
    VMware vSphere Client 4.0
    VMware vSphere Client 4.1
    WebEx
    WebEx Document Suite
    WebEx Productivity Tools
    WinPcap 4.1.2
    Wireshark 1.6.0
    Xobni
    Xobni Core
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/29/2011 8:41:50 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    6/29/2011 1:39:20 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CISCO due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    6/27/2011 9:04:52 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    6/27/2011 8:58:56 AM, Error: Service Control Manager [7000] - The CMGShield service failed to start due to the following error: The system cannot find the file specified.
    6/27/2011 8:57:35 AM, Error: Service Control Manager [7000] - The Altiris Agent service failed to start due to the following error: The system cannot find the file specified.
    6/27/2011 8:57:23 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\drivers\pfc.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    .
    ==== End Of File ===========================


    DDS.txt:
    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by nicmatth at 10:06:29 on 2011-06-30
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4028.2194 [GMT -4:00]
    .
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
    C:\Windows\SysWOW64\atashost.exe
    C:\Program Files (x86)\WebEx\Connect\apUpdate.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateService.exe
    C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
    C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
    C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\mfevtps.exe
    C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe
    C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Windows\SysWOW64\vmnat.exe
    C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
    C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
    C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
    C:\Program Files (x86)\Xobni\XobniService.exe
    C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
    C:\Windows\SysWOW64\vmnetdhcp.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\taskhost.exe
    C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files (x86)\WebEx\Connect\connect.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
    C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
    C:\Program Files (x86)\MMTaskbar\MultiMon.exe
    C:\Program Files\Lenovo\Zoom\TpScrex.exe
    C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Pidgin\pidgin.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
    C:\Program Files (x86)\Texter\texter.exe
    C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe
    C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
    C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
    C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://wwwin.cisco.com
    uWindow Title = Windows Internet Explorer provided by Cisco
    uDefault_Page_URL = hxxp://wwwin.cisco.com
    uInternet Settings,ProxyOverride = <local>
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    uRun: [Google Update] "C:\Users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
    mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
    mRun: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
    mRun: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
    mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    mRun: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
    mRun: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CISCOW~1.LNK - C:\Program Files (x86)\WebEx\Connect\connect.exe
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pidgin.lnk - C:\Program Files (x86)\Pidgin\pidgin.exe
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TEXTER~1.LNK - C:\Program Files (x86)\Texter\texter.exe
    StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
    StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
    StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\MULTIM~1.LNK - C:\Program Files (x86)\MMTaskbar\MultiMon.exe
    StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    mPolicies-system: HideFastUserSwitching = 1 (0x1)
    IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://provision-sjc.cisco.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    TCP: DhcpNameServer = 64.102.6.247 161.44.124.122
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F} : DhcpNameServer = 64.102.6.247 161.44.124.122
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\26F6F6D6 : DhcpNameServer = 8.8.8.8
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\357494D26596379647F62737 : DhcpNameServer = 172.30.3.100 172.30.3.101
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\44D4D21393130333D27455543545 : DhcpNameServer = 12.127.17.77 12.127.16.77
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E60214442563430303C40223646424 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E602D496649623230303029383445402355636572756 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\7657563747 : DhcpNameServer = 192.168.2.254 8.8.4.4 4.2.2.1
    TCP: Interfaces\{55484E21-3916-4300-8A03-B4966AE796CC} : DhcpNameServer = 172.20.23.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    AppInit_DLLs: AMINIT32.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
    mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
    mRun-x64: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
    mRun-x64: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
    mRun-x64: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
    mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
    mRun-x64: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
    mRun-x64: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    AppInit_DLLs-X64: AMINIT32.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\
    FF - component: C:\Program Files (x86)\WebEx\Productivity Tools\components\OCFF.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: C:\Program Files (x86)\QuickTime\Plugins\npatgpc.dll
    FF - plugin: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
    FF - plugin: C:\Users\nicmatth\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.negotiate-auth.delegation-uris - .cisco.com
    .
    FF - user.js: network.negotiate-auth.trusted-uris - .cisco.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 CmgHiber;CmgHiber;C:\Windows\system32\DRIVERS\CmgHiber.sys --> C:\Windows\system32\DRIVERS\CmgHiber.sys [?]
    R0 CmgShieldCEF;CmgShieldCEF;C:\Windows\system32\DRIVERS\CMGShCEF.sys --> C:\Windows\system32\DRIVERS\CMGShCEF.sys [?]
    R0 CMGShieldReg;CMGShieldReg;C:\Windows\system32\DRIVERS\CmgShREG.sys --> C:\Windows\system32\DRIVERS\CmgShREG.sys [?]
    R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2011-2-24 43912]
    R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\system32\DRIVERS\CipcCdp.sys --> C:\Windows\system32\DRIVERS\CipcCdp.sys [?]
    R2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [2011-4-11 824120]
    R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\HOTKEY\cammute.exe [2010-3-18 54632]
    R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2010-3-18 44984]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-7 366640]
    R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-2-4 20792]
    R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-1-12 120128]
    R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2011-2-4 181480]
    R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-2-4 66880]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
    R2 NfxUpdaterService;NfxUpdaterService;C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-4-6 20376]
    R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-4-30 6237800]
    R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
    R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2010-3-18 63928]
    R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
    R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-8-24 444976]
    R2 vmware-converter-server;VMware vCenter Converter Standalone Server;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
    R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
    R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
    R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2011-4-29 62184]
    R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
    R3 connctfyMP;connctfyMP;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 CMGShield;CMGShield;C:\Windows\system32\CmgShieldSvc.exe --> C:\Windows\system32\CmgShieldSvc.exe [?]
    S3 connctfy;Connectify Service;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
    S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-2-7 164200]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-2-7 75112]
    S3 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 USA19H;USA19H;C:\Windows\system32\DRIVERS\USA19Hx64.sys --> C:\Windows\system32\DRIVERS\USA19Hx64.sys [?]
    S3 USA19HP;USA19HP;C:\Windows\system32\DRIVERS\USA19Hx64p.SYS --> C:\Windows\system32\DRIVERS\USA19Hx64p.SYS [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 Connectify;Connectify;C:\Program Files (x86)\Connectify\Connectifyd.exe [2011-3-9 892992]
    S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
    .
    =============== File Associations ===============
    .
    vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
    vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
    jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-06-30 14:05:52 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-30 14:05:52 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
    2011-06-24 19:55:14 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Wireshark
    2011-06-17 12:47:55 -------- d-----w- C:\Program Files (x86)\WinPcap
    2011-06-17 12:46:51 -------- d-----w- C:\Program Files\Wireshark
    2011-06-15 15:44:01 482816 ----a-w- C:\Windows\System32\html.iec
    2011-06-15 15:43:38 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-06-15 15:33:39 976896 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-06-15 15:32:53 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2011-06-15 15:28:04 102400 ----a-w- C:\Windows\System32\drivers\dfsc.sys
    2011-06-15 15:28:02 499712 ----a-w- C:\Windows\System32\drivers\afd.sys
    2011-06-15 15:28:02 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-06-15 15:28:01 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
    2011-06-15 15:27:15 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
    2011-06-15 15:27:14 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-06-15 15:27:13 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
    2011-06-15 15:27:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
    2011-06-15 15:27:09 3133952 ----a-w- C:\Windows\System32\win32k.sys
    2011-06-15 15:22:35 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
    2011-06-15 15:22:35 399872 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2011-06-15 15:22:35 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2011-06-15 15:18:19 861184 ----a-w- C:\Windows\System32\oleaut32.dll
    2011-06-15 15:18:07 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2011-06-13 15:41:26 -------- d-----w- C:\Program Files (x86)\eSupport.com
    2011-06-13 14:46:26 230400 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpzppw71.dll
    2011-06-08 14:47:52 -------- d-----w- C:\Users\nicmatth\DoctorWeb
    2011-06-07 17:39:23 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Malwarebytes
    2011-06-07 17:39:16 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-07 17:39:14 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-06-07 17:39:10 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-06-07 17:39:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-06-07 16:38:26 1152 ----a-w- C:\Windows\SysWow64\windrv.sys
    2011-06-07 16:37:58 -------- d-----w- C:\Program Files (x86)\SpyNoMore
    2011-06-06 14:37:05 23864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\Scriptff.dll
    2011-06-02 15:45:20 -------- d-----w- C:\Users\nicmatth\.cisco
    .
    ==================== Find3M ====================
    .
    2011-04-22 20:18:28 1197056 ----a-w- C:\Windows\System32\wininet.dll
    2011-04-22 20:14:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-04-22 19:31:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-04-22 19:31:26 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
    .
    ============= FINISH: 10:07:30.50 ===============


    Thanks!
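    Added example (not from the original post, and not part of DDS, ComboFix or Malwarebytes): a small Python triage script for the service/driver lines in logs like the one above. It parses each `R*`/`S*` line, separates the entries the scanner verified (a date and size are shown) from the ones it could not (`[?]` in DDS output, `[x]` in ComboFix output), and flags image paths that are unqualified or sit outside the usual system directories. The sample lines embedded in it are constructed in the thread's log format; the `EXPECTED_ROOTS` list and the issue names are choices made for this example, not anything the tools themselves report.

```python
"""Triage helper for the service/driver section of DDS and ComboFix logs.

Added example for this thread; it is not part of DDS, ComboFix or the
original posts.  The log lines it understands look like

    R2 name;Display Name;C:\\path\\image.exe [2011-2-24 43912]
    R0 name;Display Name;C:\\path\\drv.sys --> C:\\path\\drv.sys [?]
    S2 name;Display Name;c:\\path\\drv.sys [x]

A trailing "[date size]" means the scanner found and measured the file;
"[?]" (DDS) or "[x]" (ComboFix) means it could not.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SERVICE_LINE = re.compile(
    r"^\s*(?P<state>[RS][0-4])\s+"          # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<tag>[^\]]*)\]\s*$"
)
VERIFIED_TAG = re.compile(r"^\d{4}-\d{1,2}-\d{1,2}\s+\d+$")   # e.g. "2011-2-24 43912"
DRIVE_PREFIX = re.compile(r"^[a-z]:\\")

# Where a service or driver image is normally expected to live (lower-cased).
# This list is an assumption made for the example, not a rule from the tools.
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
    "c:\\progra~2\\",
)


@dataclass(frozen=True)
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str                 # normalised image path
    verified: bool            # scanner reported a date and size for the file
    issues: tuple[str, ...]


def normalize_path(raw: str) -> str:
    """Reduce the logged path to the file the scanner actually looked for."""
    # DDS prints "registered path --> resolved path"; keep the resolved one.
    if " --> " in raw:
        raw = raw.split(" --> ", 1)[1]
    # Strip the NT object-manager prefix some drivers register with.
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return raw.strip().lower()


def path_issues(path: str) -> tuple[str, ...]:
    issues = []
    if not DRIVE_PREFIX.match(path):
        # No drive and directory: the image name is resolved at load time
        # via a search path, so check by hand which file really loads.
        issues.append("unqualified_path")
    elif not path.startswith(EXPECTED_ROOTS):
        issues.append("outside_expected_roots")
    return tuple(issues)


def parse_service_line(line: str) -> ServiceEntry | None:
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    path = normalize_path(m["path"])
    return ServiceEntry(
        state=m["state"],
        name=m["name"].strip(),
        display=m["display"].strip(),
        path=path,
        verified=bool(VERIFIED_TAG.match(m["tag"].strip())),
        issues=path_issues(path),
    )


def triage(log_text: str) -> dict[str, object]:
    """Split the service lines into verified, unverified and flagged sets.

    Unverified is not the same as malicious: on x64 Windows a 32-bit scanner
    is redirected away from the real system32, so 64-bit drivers there are
    routinely reported as [?] / [x].  Treat that set as "confirm by hand".
    """
    entries = [e for e in map(parse_service_line, log_text.splitlines()) if e]
    return {
        "verified": [e.name for e in entries if e.verified],
        "unverified": [e.name for e in entries if not e.verified],
        "flagged": {e.name: e.issues for e in entries if e.issues},
    }


# Constructed sample in the thread's log format (not a complete log).
SAMPLE_LOG = r"""
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2011-2-24 43912]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 bmdrvr;Modified Clusters Tracking Driver;SysWOW64\drivers\bmdrvr.sys [x]
S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2011-4-29 62184]
.
=============== File Associations ===============
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {items}")
```

    An unverified entry is not evidence of anything on its own; on an x64 machine most legitimate 64-bit drivers under system32 come back as `[?]` for the reason given in the docstring. The entries worth a manual look are the flagged ones: an image path with no directory at all means the file that actually loads depends on the search path, and the scanner has not told you which one that is.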
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Apparently you didn't read this when you downloaded SpyNoMore:
    I would recommend that you remove this program. I can help you find full function programs.
    ===============================================
    As for "sluggish", there can be many reasons for this. Malware is only one of them. Others are not enough RAM or bad RAM, too many processes starting on boot and running in the background, etc. For malware to be the cause, the system would usually have to be heavily infected, and so far I'm not seeing that.
    ===================================
    Malwarebytes removed malware named Exploit.Dropper from Firefox. These are usually found in the Java cache and are frequently there because outdated versions of Java remain on the system, which cause vulnerabilities. You have Java v6u13 on the system. The current version is v6u26. Please update Java now:
    Java Updates. Then uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ==================================
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on the Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on the Temporary Files Settings window.
    Images courtesy java.com
    Please reboot the computer before going on
    =================================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
     
  3. nicmatth

    nicmatth TS Rookie Topic Starter

    Combofix log

    ComboFix 11-07-03.04 - nicmatth 07/05/2011 11:08:11.1.8 - x64
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4028.1830 [GMT -4:00]
    Running from: c:\download\ComboFix.exe
    AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}
    c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome.manifest
    c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome\content\_cfg.js
    c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\chrome\content\overlay.xul
    c:\users\nicmatth\AppData\Local\{556114CE-6FF4-4AC8-A1CD-336AD7733FB4}\install.rdf
    c:\users\nicmatth\AppData\Roaming\Adobe\plugs
    c:\users\nicmatth\AppData\Roaming\Adobe\shed
    c:\windows\system32\blat.exe
    c:\windows\system32\ZoomIt.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-05 15:14 . 2011-07-05 15:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-05 15:14 . 2011-07-05 15:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2011-07-05 14:52 . 2011-07-05 14:52 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-05 14:52 . 2011-07-05 14:52 -------- d-----w- c:\program files\Java
    2011-06-30 14:05 . 2011-06-30 14:05 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-30 14:05 . 2011-06-30 14:05 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
    2011-06-30 00:52 . 2011-05-24 11:21 404992 ----a-w- c:\windows\system32\umpnpmgr.dll
    2011-06-30 00:52 . 2011-05-24 10:34 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
    2011-06-30 00:52 . 2011-05-24 10:32 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
    2011-06-30 00:52 . 2011-05-24 10:34 64512 ----a-w- c:\windows\SysWow64\devobj.dll
    2011-06-30 00:52 . 2011-05-24 10:34 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
    2011-06-24 19:55 . 2011-06-24 19:55 -------- d-----w- c:\users\nicmatth\AppData\Roaming\Wireshark
    2011-06-17 12:47 . 2011-06-17 12:47 -------- d-----w- c:\program files (x86)\WinPcap
    2011-06-17 12:46 . 2011-06-17 12:47 -------- d-----w- c:\program files\Wireshark
    2011-06-15 15:44 . 2011-04-22 18:49 482816 ----a-w- c:\windows\system32\html.iec
    2011-06-15 15:43 . 2011-04-22 18:23 386048 ----a-w- c:\windows\SysWow64\html.iec
    2011-06-15 15:42 . 2011-05-28 03:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-06-15 15:42 . 2011-05-28 03:00 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-06-15 15:33 . 2011-05-03 05:21 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-15 15:32 . 2011-05-03 04:50 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-06-15 15:28 . 2011-04-27 02:57 102400 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-06-15 15:28 . 2011-04-25 05:32 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-06-15 15:28 . 2011-04-25 02:44 499712 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 15:28 . 2011-04-29 05:47 1110528 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
    2011-06-15 15:27 . 2011-04-29 05:08 759296 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
    2011-06-15 15:27 . 2011-05-04 02:51 287744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 15:27 . 2011-05-04 02:51 157696 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-15 15:27 . 2011-05-04 02:51 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 15:27 . 2011-05-28 03:07 3133952 ----a-w- c:\windows\system32\win32k.sys
    2011-06-15 15:22 . 2011-04-29 03:13 461312 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-06-15 15:22 . 2011-04-29 03:12 399872 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 15:22 . 2011-04-29 03:12 161792 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 15:18 . 2010-12-18 06:13 861184 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 15:18 . 2010-12-18 05:31 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-13 15:41 . 2011-06-13 15:41 -------- d-----w- c:\program files (x86)\eSupport.com
    2011-06-13 14:46 . 2009-07-14 01:41 230400 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpzppw71.dll
    2011-06-08 14:47 . 2011-06-08 14:47 -------- d-----w- c:\users\nicmatth\DoctorWeb
    2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\users\nicmatth\AppData\Roaming\Malwarebytes
    2011-06-07 17:39 . 2011-05-29 13:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-07 17:39 . 2011-05-29 13:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-07 17:39 . 2011-06-07 17:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-06-07 16:38 . 2011-06-07 16:38 1152 ----a-w- c:\windows\SysWow64\windrv.sys
    2011-06-06 14:37 . 2011-02-05 00:07 23864 ----a-w- c:\program files (x86)\Mozilla Firefox\components\Scriptff.dll
    2011-06-06 14:36 . 2011-06-06 14:36 -------- d-----w- c:\users\Default\AppData\Roaming\McAfee
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-23 19:17 . 2011-05-23 19:17 388096 ----a-r- c:\users\nicmatth\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-04-09 06:58 . 2011-05-12 23:54 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-04-09 06:45 . 2011-05-11 20:27 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:13 . 2011-05-11 20:27 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2011-04-09 06:13 . 2011-05-11 20:27 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2011-04-09 05:56 . 2011-05-12 23:54 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cisco WebEx Connect"="c:\program files (x86)\WebEx\Connect\connect.exe" [2011-04-11 1934648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-05 124224]
    "McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2010-05-12 1128296]
    "VMware hqtray"="c:\program files (x86)\VMware\VMware Player\hqtray.exe" [2010-11-11 64112]
    "Netformx Updater"="c:\program files (x86)\NetFormx\updater\NfxUpdaterUI.exe" [2011-03-28 127888]
    "Cisco AnyConnect VPN Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" [2010-11-15 194808]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
    "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
    "FileZilla Server Interface"="c:\program files (x86)\FileZilla Server\FileZilla Server Interface.exe" [2010-10-17 1259008]
    .
    c:\users\nicmatth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Cisco WebEx Connect.lnk - c:\program files (x86)\WebEx\Connect\connect.exe [2011-4-11 1934648]
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-4-12 973824]
    GoogleCalendarSync.exe - Shortcut.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
    Pidgin.lnk - c:\program files (x86)\Pidgin\pidgin.exe [2011-2-6 48618]
    texter.exe - Shortcut.lnk - c:\program files (x86)\Texter\texter.exe [2007-11-6 377303]
    Texter.lnk - c:\program files (x86)\Texter\texter.exe [2007-11-6 377303]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Google Calendar Sync.lnk - c:\program files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
    MultiMon Taskbar.lnk - c:\program files (x86)\MMTaskbar\MultiMon.exe [2011-2-18 294912]
    vpngui.exe.lnk - c:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe [2010-9-21 5120]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "HideFastUserSwitching"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 CMGShield;CMGShield;c:\windows\system32\CmgShieldSvc.exe [x]
    R3 bmdrvr;Modified Clusters Tracking Driver;SysWOW64\drivers\bmdrvr.sys [x]
    R3 connctfy;Connectify Service;c:\windows\system32\DRIVERS\connctfy.sys [x]
    R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2010-05-12 164200]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2010-05-12 75112]
    R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
    R3 USA19H;USA19H;c:\windows\system32\DRIVERS\USA19Hx64.sys [x]
    R3 USA19HP;USA19HP;c:\windows\system32\DRIVERS\USA19Hx64p.SYS [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 Connectify;Connectify;c:\program files (x86)\Connectify\Connectifyd.exe [2011-03-09 892992]
    R4 EMS;EMS;EMSService.exe [x]
    R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
    R4 XobniService;XobniService;c:\program files (x86)\Xobni\XobniService.exe [2011-04-30 62184]
    S0 CmgHiber;CmgHiber;c:\windows\system32\DRIVERS\CmgHiber.sys [x]
    S0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\DRIVERS\CMGShCEF.sys [x]
    S0 CMGShieldReg;CMGShieldReg;c:\windows\system32\DRIVERS\CmgShREG.sys [x]
    S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [x]
    S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2011-02-24 43912]
    S2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\DRIVERS\CipcCdp.sys [x]
    S2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;c:\program files (x86)\WebEx\Connect\apUpdate.exe [2011-04-11 824120]
    S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\LENOVO\HOTKEY\CAMMUTE.exe [2009-11-09 54632]
    S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2009-11-17 44984]
    S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-02-05 20792]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
    S2 NfxUpdaterService;NfxUpdaterService;c:\program files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-03-28 20376]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-04-30 6237800]
    S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
    S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-01-18 63928]
    S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
    S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
    S2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-08-24 444976]
    S2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
    S2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-08-24 444976]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
    S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
    S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [x]
    S3 connctfyMP;connctfyMP;c:\windows\system32\DRIVERS\connctfy.sys [x]
    S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1303643608-725345543-210157Core.job
    - c:\users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-11 16:51]
    .
    2011-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1303643608-725345543-210157UA.job
    - c:\users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-11 16:51]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\AMInit64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://wwwin.cisco.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll
    TCP: DhcpNameServer = 64.102.6.247 171.70.168.183 171.68.226.120
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://provision-sjc.cisco.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\
    FF - user.js: network.negotiate-auth.delegation-uris - .cisco.com
    FF - user.js: network.negotiate-auth.trusted-uris - .cisco.com
    .
    .
    ------- File Associations -------
    .
    vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
    vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
    jsefile\shell\open2\command=c:\windows\System32\CScript.exe "%1" %*
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-Altiris PCTransplant - c:\program files\Altiris\PCT\PCTUninstaller.exe
    AddRemove-AltirisAgent - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
    AddRemove-Cisco Direct Printing - c:\ciscodirectprinting\CiscoDirectPrinting.exe
    AddRemove-{92F2A534-C3E4-4B18-BEBD-329F5E848C8B} - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-07-05 11:17:00
    ComboFix-quarantined-files.txt 2011-07-05 15:16
    .
    Pre-Run: 27,103,358,976 bytes free
    Post-Run: 26,734,227,456 bytes free
    .
    - - End Of File - - 97B3B3EF2D4B8D6A0E6B3CDD7C23ABE5
     
  4. nicmatth

    nicmatth TS Rookie Topic Starter

    After testing a bit, this seems to have fixed it.

    What actually looks like it fixed it - clearing the Java cache, or was there something deeper?

    Thanks for the help.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like you to run this online virus scan:

    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the downloaded installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  6. nicmatth

    nicmatth TS Rookie Topic Starter

    C:\Users\nicmatth\AppData\Local\Mozilla\Firefox\Profiles\muw3urqn.default\Cache\D\BB\A9C10d01 JS/Kryptik.AQ.Gen trojan

    What do you think?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you are running a work computer on the Cisco network that has less than the basic security protection- no firewall, only McAfee antimalware. I think you hoped that I could wave my magic hand and make everything okay!

    I think you are slow because of things like this:
    ==============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\nicmatth\AppData\Local\Mozilla\Firefox\Profiles\muw3urqn.default\Cache\D\BB\A9C10d01
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================
    The Firefox cache temporarily stores images, scripts, and other parts of websites while you are browsing.
    Clear the cache
    1. Open Firefox> Click on Tools> Options
    2. Click on Advanced> Network tab
    3. Offline Storage> click on Clear Now
    -----------------------------------
    Clear Private Data
    1. Open Firefox> Click on Tools> Click on Clear recent History
      or
    2. Open Firefox> Tools> Options> Privacy> History>
    3. Set 'use custom setting' in dialog box> Set days to keep HX (as few as possible- I have 3)
    4. Cookies> Check 'accept Cookies from Websites'> Uncheck '3rd party Cookies'> Click on 'Clean HX when Firefox closes'> Click on Settings
    5. In Settings, Check Browsing HX Forms & Search
    6. In Data> Check Offline Web Pages

    Use any of the above or a combination of the above.
    =====================================
    I suggest you put a bi-directional firewall on the system and add antimalware programs such as Spywareblaster.
    I think there is too much work-related software installed for me to try and remove entries.
    =====================================
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin

    Please update Java to v6u26 (Java Updates). Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
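
    The cache-clearing and old-Java steps in the post above, scripted in PowerShell as an added example that is not part of this thread or of any of the tools it names. It assumes Windows PowerShell 2.0 or later on Windows 7, the default Firefox profile layout under %LOCALAPPDATA%, that Firefox is closed, and that Oracle's Add/Remove entries have DisplayName values beginning "Java" or "Java(TM)" (an assumption; adjust the filter if your entries differ). The Java part only lists what is installed, it does not uninstall anything.

    ```powershell
    # Added example (not from the thread): list installed Java runtimes so older,
    # vulnerable ones can be removed by hand, and clear every Firefox profile's
    # disk cache for the current user. Runs on Windows PowerShell 2.0+.

    # Both 64-bit and 32-bit (Wow6432Node) Uninstall hives; the second may be absent on 32-bit Windows.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    function Get-InstalledJava {
        # Every Uninstall subkey carries DisplayName / DisplayVersion; keep the JRE/JDK ones.
        # The name pattern is an assumption about Oracle's naming ("Java 7 Update 51",
        # "Java(TM) 6 Update 26"); it deliberately skips "Java Auto Updater".
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s\d' } |
            Select-Object DisplayName, DisplayVersion, UninstallString |
            Sort-Object DisplayVersion
    }

    function Clear-FirefoxCache {
        # Open cache files cannot be deleted, so refuse to run while Firefox is up.
        if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
            throw 'Close Firefox before clearing its cache.'
        }
        # Firefox of this thread's era used a "Cache" folder; current builds use "cache2".
        $profileRoot = Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles'
        $removed = 0
        Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                foreach ($name in 'Cache', 'cache2') {
                    $dir = Join-Path $_.FullName $name
                    if (Test-Path $dir) {
                        $count = (Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue |
                                  Where-Object { -not $_.PSIsContainer } |
                                  Measure-Object).Count
                        # Empty the folder but keep it, so the profile stays intact.
                        Remove-Item -Path (Join-Path $dir '*') -Recurse -Force -ErrorAction SilentlyContinue
                        $removed += $count
                    }
                }
            }
        return $removed
    }

    # Report: installed Java versions first, then how many cache files were removed.
    Get-InstalledJava | Format-Table -AutoSize
    "Firefox cache files removed: $(Clear-FirefoxCache)"
    ```

    If you want to keep a copy of a flagged cache file (such as the JS/Kryptik detection earlier in the thread) for later analysis, copy it out of the profile before running the cache step, since the script removes everything under the cache folder. The Java list is left as a report on purpose: uninstalling through the UninstallString is a separate, deliberate action, and the thread's advice is to remove only the versions older than the current one.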
     
  8. nicmatth

    nicmatth TS Rookie Topic Starter

    Wasn't really expecting a magic solution - was actually just kind of curious which of the steps had fixed the problem. My computer has been running fine since running ComboFix. Thanks for the help, I'll do all this stuff.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Sometimes we can't pin down the exact entries that were the cause. Combofix removed some, OTM removed some and emptying the Java cache removed some.
     
Topic Status:
Not open for further replies.