Hi All,
I'm pretty good about viruses - this is my first in 8 years or so. I've done the basics - go to msconfig, remove all the programs/services I don't know in safe mode, run a few antivirus scans, etc. This one has eluded me. I either accidentally clicked on one of those ActiveX screens or it used a vulnerability to allow itself onto the computer. It happened very quickly.
My Firefox results show up normally, but the first click to websites is being redirected. The computer also feels a little more sluggish than it should. SpyNoMore found keyloggers and trojans, but wanted money to remove them.
Here are the logs:
MBAM:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 6986
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
6/30/2011 9:53:47 AM
mbam-log-2011-06-30 (09-53-47).txt
Scan type: Quick scan
Objects scanned: 180815
Time elapsed: 2 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files (x86)\mozilla firefox\0.2928573401180692.exe (Exploit.Dropper) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\0.4473215236219442.exe (Exploit.Dropper) -> Quarantined and deleted successfully.
GMER:
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-30 10:05:31
Windows 6.1.7600
Running: gmer.exe
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf73100
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf73100 (not active ControlSet)
---- Files - GMER 1.0.15 ----
File C:\Users\nicmatth\AppData\Local\Microsoft\Outlook\~outlook.ost.tmp 65536 bytes
File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2 0 bytes
File C:\Users\nicmatth\AppData\Local\Temp\plugtmp-2\plugin-298939.pdf 79094 bytes
File C:\Users\nicmatth\AppData\Local\Temp\etilqs_HwIGzqVcLoxm6fN 262176 bytes
File C:\Users\nicmatth\AppData\Local\Temp\How_to_Build_a_ASR_9000.ppt 1136640 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\addons.sqlite-journal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-shm 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\cookies.sqlite-wal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\extensions.sqlite-journal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\parent.lock 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-shm 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\places.sqlite-wal 0 bytes
File C:\Users\nicmatth\AppData\Roaming\Thunderbird\Profiles\trq05g59.default\cookies.sqlite-journal 0 bytes
---- EOF - GMER 1.0.15 ----
Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 1/26/2011 10:19:56 PM
System Uptime: 6/29/2011 3:12:28 AM (31 hours ago)
.
Motherboard: LENOVO | | 4389BB4
Processor: Intel(R) Core(TM) i7 CPU Q 720 @ 1.60GHz | None | 1600/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 119 GiB total, 16.97 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVDRAM GT30N ATA Device
PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GT30N___________________LT10____\5&1C50C5D9&0&1.0.0
Service: cdrom
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Bluetooth Device (Personal Area Network)
Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
Manufacturer: Microsoft
Name: Bluetooth Device (Personal Area Network)
PNP Device ID: BTH\MS_BTHPAN\7&2D98A6FB&0&2
Service: BthPan
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) Centrino(R) Ultimate-N 6300 AGN
Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
Manufacturer: Intel Corporation
Name: Intel(R) Centrino(R) Ultimate-N 6300 AGN
PNP Device ID: PCI\VEN_8086&DEV_4238&SUBSYS_11118086&REV_35\4&C36BE82&0&00E1
Service: NETw5s64
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter for 64-bit Windows
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter for 64-bit Windows
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0001
Service: vpnva
.
==== System Restore Points ===================
.
RP67: 6/8/2011 12:05:05 PM - Scheduled Checkpoint
RP68: 6/14/2011 11:14:07 AM - Installed DesignXpert
RP69: 6/15/2011 3:00:12 PM - Windows Update
RP70: 6/23/2011 2:34:16 PM - Scheduled Checkpoint
RP71: 6/23/2011 3:00:10 PM - Windows Update
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 9.20
Adobe Audition 1.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Altiris Agent
Altiris Application Metering Agent
Altiris Inventory Rule Agent
Altiris Local Security Agent
Altiris Patch Management Agent
Altiris Software Delivery Solution Agent
Altiris Task Synchronization Agent
Altiris_PCTransplant
Applications_Win32_Cisco_AltirisAgentRedirector
Applications_Win32_Cisco_PCSetupGuide
CEPS Print Client
Chinese Simplified Fonts Support For Adobe Reader 9
Chinese Traditional Fonts Support For Adobe Reader 9
Cisco AnyConnect VPN Client
Cisco DART
Cisco Direct Printing
Cisco IP Communicator
Cisco WebEx Connect
CiscoITw7blizzardwpa1
Citrix Presentation Server Client
DesignXpert
eSupport UndeletePlus 3.0.2.406
Evernote v. 4.3
FileZilla Client 3.4.0
FileZilla Server (remove only)
GIMP 2.6.11
Google Calendar Sync
Google Talk Plugin
GSplit 3
GTRC Support Central
HiJackThis
Integrated Camera Driver Installer Package Ver.1.1.0.42
iPassConnect
IPTV Viewer
Japanese Fonts Support For Adobe Reader 9
Java(TM) 6 Update 13
Keyspan USB Serial Adapter
Korean Fonts Support For Adobe Reader 9
Malwarebytes' Anti-Malware version 1.51.0.1200
McAfee Agent
McAfee AntiSpyware Enterprise Module
McAfee VirusScan Enterprise
Microsoft Office Access database engine 2007 (English)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visio Standard 2010
Microsoft Visio Viewer 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft_VC90_CRT_x86
Mozilla Firefox 5.0 (x86 en-US)
Mozilla Thunderbird (3.1.11)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
MultiMon TaskBar 2.1
Netformx Updater
Network Recording Player
Notepad++
ooVoo
OS_Winx64_Windows7_Drivers_Lenovo_ThinkPad_W510
Pidgin
QuickTime 7.5
Real-Time Monitoring Tool 8.5
Real-Time Monitoring Tool 8.7
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
SofToken II
SpyNoMore 2.98
Tftpd32 Standalone Edition
ThinkPad Power Manager
tools-linux
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
ViewMail for Outlook 7.0(2)
VirtualCloneDrive
VMware Player
VMware vCenter Converter Standalone
VMware vSphere Client 4.0
VMware vSphere Client 4.1
WebEx
WebEx Document Suite
WebEx Productivity Tools
WinPcap 4.1.2
Wireshark 1.6.0
Xobni
Xobni Core
.
==== Event Viewer Messages From Past Week ========
.
6/29/2011 8:41:50 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
6/29/2011 1:39:20 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CISCO due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
6/27/2011 9:04:52 AM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
6/27/2011 8:58:56 AM, Error: Service Control Manager [7000] - The CMGShield service failed to start due to the following error: The system cannot find the file specified.
6/27/2011 8:57:35 AM, Error: Service Control Manager [7000] - The Altiris Agent service failed to start due to the following error: The system cannot find the file specified.
6/27/2011 8:57:23 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\drivers\pfc.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
.
==== End Of File ===========================
DDS.txt:
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by nicmatth at 10:06:29 on 2011-06-30
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4028.2194 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Windows\SysWOW64\atashost.exe
C:\Program Files (x86)\WebEx\Connect\apUpdate.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\LENOVO\HOTKEY\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files (x86)\Xobni\XobniService.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\WebEx\Connect\connect.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files (x86)\MMTaskbar\MultiMon.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
C:\Program Files (x86)\Texter\texter.exe
C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files (x86)\WebEx\Connect\wbxcOIEx.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Java\jre6\bin\jucheck.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Evernote\Evernote\Evernote.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteTray.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://wwwin.cisco.com
uWindow Title = Windows Internet Explorer provided by Cisco
uDefault_Page_URL = hxxp://wwwin.cisco.com
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
uRun: [Google Update] "C:\Users\nicmatth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Cisco WebEx Connect] "C:\Program Files (x86)\WebEx\Connect\connect.exe"
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
mRun: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
mRun: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
mRun: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\CISCOW~1.LNK - C:\Program Files (x86)\WebEx\Connect\connect.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pidgin.lnk - C:\Program Files (x86)\Pidgin\pidgin.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TEXTER~1.LNK - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\Users\nicmatth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Texter.lnk - C:\Program Files (x86)\Texter\texter.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\MULTIM~1.LNK - C:\Program Files (x86)\MMTaskbar\MultiMon.exe
StartupFolder: C:\ALLUSE~1\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: Add to Evernote 4.0 - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://provision-sjc.cisco.com/CACHE/webvpn/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: DhcpNameServer = 64.102.6.247 161.44.124.122
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F} : DhcpNameServer = 64.102.6.247 161.44.124.122
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\26F6F6D6 : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\357494D26596379647F62737 : DhcpNameServer = 172.30.3.100 172.30.3.101
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\44D4D21393130333D27455543545 : DhcpNameServer = 12.127.17.77 12.127.16.77
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E60214442563430303C40223646424 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\65562796A7F6E602D496649623230303029383445402355636572756 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{36CE8603-84EA-4B46-99DA-CC894FCD920F}\7657563747 : DhcpNameServer = 192.168.2.254 8.8.4.4 4.2.2.1
TCP: Interfaces\{55484E21-3916-4300-8A03-B4966AE796CC} : DhcpNameServer = 172.20.23.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs: AMINIT32.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun-x64: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
mRun-x64: [Netformx Updater] "C:\Program Files (x86)\NetFormx\updater\NfxUpdaterUI.exe" -hide
mRun-x64: [Cisco AnyConnect VPN Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe" -autolaunched
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun-x64: [FileZilla Server Interface] "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
mRun-x64: [SNM] C:\Program Files (x86)\SpyNoMore\SNM.exe /startup
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
IE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204
AppInit_DLLs-X64: AMINIT32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\nicmatth\AppData\Roaming\Mozilla\Firefox\Profiles\muw3urqn.default\
FF - component: C:\Program Files (x86)\WebEx\Productivity Tools\components\OCFF.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: C:\Program Files (x86)\QuickTime\Plugins\npatgpc.dll
FF - plugin: C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: C:\Users\nicmatth\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\nicmatth\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.negotiate-auth.delegation-uris - .cisco.com
.
FF - user.js: network.negotiate-auth.trusted-uris - .cisco.com
.
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;C:\Windows\system32\DRIVERS\CmgHiber.sys --> C:\Windows\system32\DRIVERS\CmgHiber.sys [?]
R0 CmgShieldCEF;CmgShieldCEF;C:\Windows\system32\DRIVERS\CMGShCEF.sys --> C:\Windows\system32\DRIVERS\CMGShCEF.sys [?]
R0 CMGShieldReg;CMGShieldReg;C:\Windows\system32\DRIVERS\CmgShREG.sys --> C:\Windows\system32\DRIVERS\CmgShREG.sys [?]
R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2011-2-24 43912]
R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\system32\DRIVERS\CipcCdp.sys --> C:\Windows\system32\DRIVERS\CipcCdp.sys [?]
R2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [2011-4-11 824120]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\HOTKEY\cammute.exe [2010-3-18 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2010-3-18 44984]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-7 366640]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-2-4 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2011-2-4 181480]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-2-4 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
R2 NfxUpdaterService;NfxUpdaterService;C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-4-6 20376]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-4-30 6237800]
R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2010-3-18 63928]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-8-24 444976]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2011-4-29 62184]
R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
R3 connctfyMP;connctfyMP;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CMGShield;CMGShield;C:\Windows\system32\CmgShieldSvc.exe --> C:\Windows\system32\CmgShieldSvc.exe [?]
S3 connctfy;Connectify Service;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-2-7 164200]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-2-7 75112]
S3 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 USA19H;USA19H;C:\Windows\system32\DRIVERS\USA19Hx64.sys --> C:\Windows\system32\DRIVERS\USA19Hx64.sys [?]
S3 USA19HP;USA19HP;C:\Windows\system32\DRIVERS\USA19Hx64p.SYS --> C:\Windows\system32\DRIVERS\USA19Hx64p.SYS [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 Connectify;Connectify;C:\Program Files (x86)\Connectify\Connectifyd.exe [2011-3-9 892992]
S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-30 14:05:52 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-30 14:05:52 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-24 19:55:14 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Wireshark
2011-06-17 12:47:55 -------- d-----w- C:\Program Files (x86)\WinPcap
2011-06-17 12:46:51 -------- d-----w- C:\Program Files\Wireshark
2011-06-15 15:44:01 482816 ----a-w- C:\Windows\System32\html.iec
2011-06-15 15:43:38 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-06-15 15:33:39 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 15:32:53 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-15 15:28:04 102400 ----a-w- C:\Windows\System32\drivers\dfsc.sys
2011-06-15 15:28:02 499712 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-15 15:28:02 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 15:28:01 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:15 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:14 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-15 15:27:13 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-06-15 15:27:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-06-15 15:27:09 3133952 ----a-w- C:\Windows\System32\win32k.sys
2011-06-15 15:22:35 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-06-15 15:22:35 399872 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-15 15:22:35 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-06-15 15:18:19 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-15 15:18:07 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-13 15:41:26 -------- d-----w- C:\Program Files (x86)\eSupport.com
2011-06-13 14:46:26 230400 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpzppw71.dll
2011-06-08 14:47:52 -------- d-----w- C:\Users\nicmatth\DoctorWeb
2011-06-07 17:39:23 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Malwarebytes
2011-06-07 17:39:16 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 17:39:14 -------- d-----w- C:\ProgramData\Malwarebytes
2011-06-07 17:39:10 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-07 17:39:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-06-07 16:38:26 1152 ----a-w- C:\Windows\SysWow64\windrv.sys
2011-06-07 16:37:58 -------- d-----w- C:\Program Files (x86)\SpyNoMore
2011-06-06 14:37:05 23864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\Scriptff.dll
2011-06-02 15:45:20 -------- d-----w- C:\Users\nicmatth\.cisco
.
==================== Find3M ====================
.
2011-04-22 20:18:28 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 20:14:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-04-22 19:31:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-22 19:31:26 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
.
============= FINISH: 10:07:30.50 ===============
Thanks!
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;C:\Windows\system32\DRIVERS\CmgHiber.sys --> C:\Windows\system32\DRIVERS\CmgHiber.sys [?]
R0 CmgShieldCEF;CmgShieldCEF;C:\Windows\system32\DRIVERS\CMGShCEF.sys --> C:\Windows\system32\DRIVERS\CMGShCEF.sys [?]
R0 CMGShieldReg;CMGShieldReg;C:\Windows\system32\DRIVERS\CmgShREG.sys --> C:\Windows\system32\DRIVERS\CmgShREG.sys [?]
R0 DzHDD64;DzHDD64;C:\Windows\system32\DRIVERS\DzHDD64.sys --> C:\Windows\system32\DRIVERS\DzHDD64.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiifx64.sys --> C:\Windows\system32\DRIVERS\smiifx64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2011-2-24 43912]
R2 CipcCdp;Cisco IP Communicator driver for CDP;C:\Windows\system32\DRIVERS\CipcCdp.sys --> C:\Windows\system32\DRIVERS\CipcCdp.sys [?]
R2 Cisco WebEx Connect Upgrade Service;Cisco WebEx Connect Upgrade Service;C:\Program Files (x86)\WebEx\Connect\apUpdate.exe [2011-4-11 824120]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\HOTKEY\cammute.exe [2010-3-18 54632]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2010-3-18 44984]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-7 366640]
R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2011-2-4 20792]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2011-2-4 181480]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-2-4 66880]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
R2 NfxUpdaterService;NfxUpdaterService;C:\Program Files (x86)\NetFormx\updater\NfxUpdaterEngine.exe [2011-4-6 20376]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-4-30 6237800]
R2 rimspci;rimspci;C:\Windows\system32\DRIVERS\rimspe64.sys --> C:\Windows\system32\DRIVERS\rimspe64.sys [?]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2010-3-18 63928]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-11-11 539248]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2010-8-24 444976]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2010-8-24 444976]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-15 592120]
R2 XobniService;XobniService;C:\Program Files (x86)\Xobni\XobniService.exe [2011-4-29 62184]
R3 5U877;USB Video Device;C:\Windows\system32\DRIVERS\5U877.sys --> C:\Windows\system32\DRIVERS\5U877.sys [?]
R3 connctfyMP;connctfyMP;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CMGShield;CMGShield;C:\Windows\system32\CmgShieldSvc.exe --> C:\Windows\system32\CmgShieldSvc.exe [?]
S3 connctfy;Connectify Service;C:\Windows\system32\DRIVERS\connctfy.sys --> C:\Windows\system32\DRIVERS\connctfy.sys [?]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2011-2-7 164200]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2011-2-7 75112]
S3 rixdpcie;rixdpcie;C:\Windows\system32\DRIVERS\rixdpe64.sys --> C:\Windows\system32\DRIVERS\rixdpe64.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 USA19H;USA19H;C:\Windows\system32\DRIVERS\USA19Hx64.sys --> C:\Windows\system32\DRIVERS\USA19Hx64.sys [?]
S3 USA19HP;USA19HP;C:\Windows\system32\DRIVERS\USA19Hx64p.SYS --> C:\Windows\system32\DRIVERS\USA19Hx64p.SYS [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 Connectify;Connectify;C:\Program Files (x86)\Connectify\Connectifyd.exe [2011-3-9 892992]
S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
.
=============== File Associations ===============
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=C:\Windows\System32\CScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-30 14:05:52 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-06-30 14:05:52 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-06-24 19:55:14 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Wireshark
2011-06-17 12:47:55 -------- d-----w- C:\Program Files (x86)\WinPcap
2011-06-17 12:46:51 -------- d-----w- C:\Program Files\Wireshark
2011-06-15 15:44:01 482816 ----a-w- C:\Windows\System32\html.iec
2011-06-15 15:43:38 386048 ----a-w- C:\Windows\SysWow64\html.iec
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-06-15 15:42:51 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-06-15 15:33:39 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 15:32:53 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-15 15:28:04 102400 ----a-w- C:\Windows\System32\drivers\dfsc.sys
2011-06-15 15:28:02 499712 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-15 15:28:02 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 15:28:01 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:15 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-06-15 15:27:14 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-15 15:27:13 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-06-15 15:27:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-06-15 15:27:09 3133952 ----a-w- C:\Windows\System32\win32k.sys
2011-06-15 15:22:35 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-06-15 15:22:35 399872 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-15 15:22:35 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-06-15 15:18:19 861184 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-15 15:18:07 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-13 15:41:26 -------- d-----w- C:\Program Files (x86)\eSupport.com
2011-06-13 14:46:26 230400 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpzppw71.dll
2011-06-08 14:47:52 -------- d-----w- C:\Users\nicmatth\DoctorWeb
2011-06-07 17:39:23 -------- d-----w- C:\Users\nicmatth\AppData\Roaming\Malwarebytes
2011-06-07 17:39:16 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 17:39:14 -------- d-----w- C:\ProgramData\Malwarebytes
2011-06-07 17:39:10 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-07 17:39:09 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-06-07 16:38:26 1152 ----a-w- C:\Windows\SysWow64\windrv.sys
2011-06-07 16:37:58 -------- d-----w- C:\Program Files (x86)\SpyNoMore
2011-06-06 14:37:05 23864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\Scriptff.dll
2011-06-02 15:45:20 -------- d-----w- C:\Users\nicmatth\.cisco
.
==================== Find3M ====================
.
2011-04-22 20:18:28 1197056 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 20:14:08 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2011-04-22 19:31:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-22 19:31:26 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
.
============= FINISH: 10:07:30.50 ===============
Thanks!